The short version
Employee changes are access changes.
Most small offices are careful about keys, alarms, and paperwork. The technology side deserves the same attention because one forgotten mailbox, synced folder, phone extension, or shared password can create confusion later.
The goal is not to make HR complicated. It is to have a simple checklist so new people can work on day one, role changes do not pile up extra permissions, and departures do not leave loose ends behind.
1. Start with the account plan
Before a new employee starts, decide what account they actually need. That usually means a Microsoft 365 user, the right license, MFA from the beginning, and access to the files, mailboxes, apps, printers, scanners, phone system, and shared resources that match the job.
This is also the best time to avoid the bad habit of sharing someone else’s login. A separate account makes support, security, auditing, and cleanup much easier later.
2. Prepare the device and daily tools
A good first day is easier when the computer, email profile, Microsoft 365 apps, browser bookmarks, printer access, scanner shortcuts, line-of-business software, and phone or VoIP app are already thought through.
Small details matter here. If someone needs a desk phone, mobile app, voicemail, shared caller ID, or a spot in a call group, it is better to know that before they are sitting at the desk waiting.
3. Review access when someone changes roles
Role changes often create permission creep. A person gets access to new files, a new mailbox, or a new app, but the old access never gets removed because nobody wants to break something during a busy week.
When someone changes jobs inside the business, review what they still need in Microsoft 365, SharePoint, OneDrive, Teams, shared folders, vendor portals, phone groups, and business apps. Adding access is easy; cleaning it up later is where things usually get missed.
4. Handle departures without losing business data
When someone leaves, the account should be blocked or disabled at the right time, active sessions should be revoked, company devices should come back, and passwords or shared credentials should be reviewed. The business also needs to preserve useful email and files before anything is deleted.
Shared Mailboxes are often the right tool for preserving and delegating access to an old mailbox. They can let the business keep receiving mail, search old messages, and give another employee access without leaving the former employee’s normal sign-in active.
Licensing needs a little care. A converted Shared Mailbox usually does not need a paid license if it is under Microsoft’s size limits and does not need features that require one. But OneDrive is different: files tied to the user’s OneDrive may need to be copied, reassigned, backed up, or temporarily kept under a licensed account long enough to preserve the data properly.
5. Check the hidden access points
The obvious account is only part of the picture. Look for MFA devices, email forwarding rules, browser-saved passwords, local computer accounts, cloud app seats, vendor portals, password managers, scanner address books, shared folders, and phone-system access.
This is where a short checklist helps. The things that get missed are rarely dramatic on their own, but they can create billing waste, lost files, awkward client communication, or access nobody intended to leave open.
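The departure steps from section 4 and the mail-forwarding check from this section can be scripted so they happen in the same order every time. The script below is an added example, not something from the original article. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the operator has rights to manage users and mailboxes; the two addresses passed in are placeholders.

```powershell
# Added example: offboarding one departing Microsoft 365 user.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed;
# $Departing and $Delegate are placeholder addresses supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Departing,  # e.g. former.employee@example.com
    [Parameter(Mandatory)] [string] $Delegate    # employee who takes over the mailbox
)

$ErrorActionPreference = 'Stop'   # stop on the first failure so no step is silently skipped
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in, then revoke refresh tokens so sessions that are
#    already open stop working instead of lingering until they expire.
Update-MgUser -UserId $Departing -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Departing | Out-Null

# 2. Report mailbox-level forwarding. This only lists what is set;
#    deciding whether to keep or clear it is left to the business.
Get-Mailbox -Identity $Departing |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 3. Report inbox rules that forward or redirect mail. These are separate
#    from the mailbox-level setting above and are easy to overlook.
Get-InboxRule -Mailbox $Departing |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-List

# 4. Show the mailbox size before converting, since a shared mailbox
#    without a license has to stay under Microsoft's size limit.
Get-MailboxStatistics -Identity $Departing |
    Select-Object DisplayName, TotalItemSize, ItemCount |
    Format-List

# 5. Convert to a shared mailbox and give the delegate access, so mail
#    keeps arriving without the former employee's sign-in being active.
Set-Mailbox -Identity $Departing -Type Shared
Add-MailboxPermission -Identity $Departing -User $Delegate `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# The license is deliberately NOT removed here: OneDrive files tied to the
# account should be copied or reassigned first (see section 4).
Write-Host "Done. Preserve OneDrive data for $Departing before removing the license."

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The script covers only the Microsoft 365 account and mailbox. Devices, vendor portals, password managers, scanner address books, and phone-system access still need the manual checklist.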
6. Preserve what the business may need later
Email history, customer conversations, project files, calendar items, contacts, and local documents may still matter after someone leaves. Decide who should own them, how long they should be kept, and whether they are covered by the backup plan.
This is especially important when a user had information stored in OneDrive, on a desktop, in a Downloads folder, or inside a business app. Do the cleanup deliberately instead of discovering six months later that the only copy was tied to an account that no longer exists.
7. Clean up licenses and document the change
After the access and data questions are handled, review licenses, app subscriptions, phone seats, backup coverage, security tools, and documentation. Removing a license too early can create recovery problems; leaving everything licensed forever wastes money.
The useful middle ground is to document what changed, confirm who has access now, and set a reminder to finish any delayed cleanup after the data has been preserved.