I'm dealing with a tricky situation here. An employee is leaving the company after many years, and I've been asked to immediately revoke their access to Email, Teams, and OneDrive. However, they need to remain connected to their Intune-joined laptop for now because it's their lifeline during this tough time. Normally, I change their password, block their account, and convert their mailbox to a shared one for monitoring. But given the circumstances, I can't do that this time. Can anyone help me with a strategy to remove their access while keeping their laptop functional? I've already removed them from all Teams and restricted email access, but I'm unsure how to manage their OneDrive files efficiently without disrupting their access to personal data. Any suggestions on how to handle this?
5 Answers
Why not just do a factory reset on the laptop? Have HR let the user know they need to back up their personal stuff beforehand. This keeps the company’s data secure and you avoid any potential compliance issues.
To be honest, this sounds like a complicated request that could lead to more issues down the line. If they have personal data, maybe just ask them to back it up on a USB stick before you reconfigure the laptop. You'll definitely want to wipe it clean later, so clarify this with HR to avoid future confusion.
Totally agree! Making sure their data is backed up should be their responsibility.
Have you considered just switching them to a local profile on that laptop? You could transfer their necessary personal files while they use it for now. It keeps things simpler and avoids the headache of juggling permissions. Just some food for thought!
That sounds like a good plan! Local profiles often simplify things when you’re dealing with mixed usage.
Sounds like you've already done a good job limiting access to their email and Teams. I would just stick with setting up a new local account for the laptop. This lets them keep using it for personal stuff without over-complicating the access issue. Just make sure you document everything for future reference.
Good call! Keeping things documented makes it easier if HR comes back with more demands later.
You can block access to the apps in the Office 365 admin center under the licenses section. This way, their mailbox stays intact for anyone who needs to monitor it without the user having access. It’s a bit clunky, but it avoids the mess of changing passwords right now.
Yeah, I did that, and it worked well when I had users with mailboxes on an Exchange server.
Exactly, wiping the laptop avoids any use of company resources while letting them keep their personal files manageable!
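One way to script the licence-section approach suggested in the answers above, as an added example (not code from any poster in this thread): it uses the Microsoft Graph PowerShell SDK to turn off the Teams and SharePoint/OneDrive service plans on the user's existing licences while leaving the account itself enabled. The parameter names and the default service plan names are assumptions to confirm against your tenant, and the Exchange plan is left alone because the original poster has already restricted email access.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    # Assumed plan names (Teams, SharePoint/OneDrive); confirm them in your tenant.
    [string[]]$PlansToBlock = @('TEAMS1', 'SHAREPOINTENTERPRISE', 'SHAREPOINTSTANDARD'),
    [switch]$Apply   # without -Apply the script only reports what it would change
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Assumes the licences are assigned directly to the user, not inherited from a group.
$user    = Get-MgUser -UserId $UserPrincipalName -Property Id, AssignedLicenses
$details = Get-MgUserLicenseDetail -UserId $user.Id

$changes = foreach ($sku in $details) {
    $targets = $sku.ServicePlans |
        Where-Object { $_.ServicePlanName -in $PlansToBlock -and $_.AppliesTo -eq 'User' }
    if (-not $targets) { continue }

    # Set-MgUserLicense replaces the disabled-plan list for a SKU,
    # so merge the new plans with any that are already disabled.
    $already  = ($user.AssignedLicenses | Where-Object SkuId -eq $sku.SkuId).DisabledPlans
    $disabled = @($already) + @($targets.ServicePlanId) |
        Where-Object { $_ } | Select-Object -Unique

    Write-Host "$($sku.SkuPartNumber): disabling $($targets.ServicePlanName -join ', ')"
    @{ SkuId = $sku.SkuId; DisabledPlans = [string[]]$disabled }
}

if (-not $changes) {
    Write-Host 'No matching service plans found on this user.'
}
elseif ($Apply) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @($changes) -RemoveLicenses @() | Out-Null
    Write-Host 'Service plans disabled; the account itself is still enabled.'
}
else {
    Write-Host 'Dry run only. Re-run with -Apply to make the change.'
}
```

Run it once without `-Apply` to review the plan names it matched, and keep the output with the offboarding record.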