top of page

Microsoft 365 Subscriptions and Leaver (Inactive) Data

Handling inactive data correctly can save you both money and legal/regulatory risk

What should companies do with “leaver” data once they have left the organization? Many companies close out the subscription and reassign it to a new employee. Organizations do this mainly for one reason: to save on the annual subscription cost or to reassign it to a new employee so they don’t need to pay for a new one. Both are great reasons, but many companies overlook an important detail - what to do with all the departed employee’s Microsoft 365 data?”

As most IT and corporate legal departments well know, inactive and departed employee data, including inactive Microsoft 365 mailboxes, OneDrive accounts, SharePoint data, and Teams data, can put a strain on the IT department, including the costly consumption of Microsoft 365 licenses, non-compliant regulatory retention, rising privacy risk, and expensive eDiscovery response. 

So, when employees depart, what should be done with all their data, including that data in their Microsoft 365 subscription?

When an employee is terminated or leaves for greener pastures, many organizations don’t have a policy or set procedures addressing the departed employee’s work data, so they will indiscriminately close out or reassign the departed employees' Microsoft 365 accounts, causing all the departing employee’s data to be quickly and unrecoverably deleted.

Who cares?

The problem with letting a departing employee’s data be deleted is two-fold:  

  1. Valuable data will be lost. Many/most knowledge workers are employed to capture, interpret, share, and act on data for the company. Unthinkingly deleting an employee’s entire corpus of data without review and consideration is wasteful because some of the data could contain insights the company could use in the future.

  2. Deleting an employee’s entire collection of work data that has accumulated for years, including emails, Teams content, etc., could put the company in a legally tricky situation if the employee files a wrongful termination or other lawsuit sometime in the future.


Most companies have not developed a standardized process to collect and secure departing employee data. Or they do, but the IT department has it as a low priority and instead chooses to keep the departed employee’s mailbox and Microsoft 365 account “as is” until they eventually get around to it. Eventually, the accounting department notices the cost of the growing number of departed employees' Microsoft 365 mailboxes the company is paying for and raises the alarm.

For example, a city noticed they were paying for 15,000 Microsoft 365 departed employee E5 licenses. They had estimated that the 15,000 inactive mailboxes cost them approximately $5 million annually in subscription costs. In another example, a mid-size U.S. city complained that over 55% of their Microsoft 365 subscriptions were from departed employees.

Shared mailboxes versus inactive mailboxes

Note: the discussion on shared and inactive mailboxes does not address the entirety of data in a Microsoft 365 individual subscription.

When an employee leaves, many organizations will quickly reassign the employee’s Microsoft 365 account to pass the license to another employee or cancel it altogether to save on cost. Once reassigned or deleted, the departed employee's mailbox data is automatically retained within Microsoft 365 for 30 days. During this period, the company can still recover the subscription data by undeleting the account. However, after 30 days, the data is permanently deleted – raising the risk of non-compliance or destruction of evidence/spoliation claims if the data is potentially responsive in current or anticipated litigation.

Shared Mailboxes

An alternate method for preserving departed employee data is converting their Microsoft 365 mailbox to a “shared mailbox.” The main driver for this strategy is that Microsoft 365 shared mailboxes are free (under certain circumstances). For example, a shared mailbox can store up to 50GB of data without a license.  After that, a license must be purchased for the mailbox to receive, send, or store more data.

However, there are several complicating issues with shared mailboxes. If any of the following scenarios are present, then an Exchange Online Plan 2 license must be purchased:

  • The shared mailbox has more than 50 GB of storage in use

  • The shared mailbox uses in-place archiving

  • The shared mailbox needs to be placed on litigation hold

Additionally, shared mailboxes:

  1. do not guarantee immutability – a legal defensibility issue due to the potential destruction of evidence/spoliation

  2. can't prevent people from deleting messages in a shared mailbox – again, a legal and compliance issue

  3. can't encrypt email sent from a shared mailbox. This is because a shared mailbox does not have its own security context (username/password), so it cannot be assigned a key

Depending on access rights to the shared mailbox, approved employees can still delete/edit content in a shared mailbox - a legal defensibility issue. To mitigate the risk of data loss due to delegates deleting shared mailbox content, the company should apply read-only access policies instead of the default full mailbox access. However, this does not apply immutability to the data and could cause the data to be questioned later by regulators, auditors, or opposing counsel in a litigation setting.

The immutability issue (#1 above) can catch many by surprise, especially corporate attorneys. If immutability is required for legal reasons, i.e., proof that evidence has not been altered, the shared mailbox should have an “In-Place Hold” applied, which requires a costly Office 365 license.

Furthermore, the shared mailbox size limitation (50GB) will force the creation of additional shared mailboxes.

Inactive mailboxes

Alternatively, the Microsoft-recommended method for preserving departed employee mailbox data is by declaring (systematically) the mailbox inactive. Declaring a mailbox inactive is also free and releases the corresponding Office 365 license.

To make a mailbox inactive, you must first apply an In-Place Hold on the entire mailbox. Any licenses assigned to the user will be released for reuse at that stage. However, non-mailbox data, such as OneDrive, Teams, and SharePoint, will eventually be lost.

Designating mailboxes as inactive can be helpful when your organization needs to retain the mailbox content of former employees for regulatory or legal reasons. Placing a legal hold on an entire mailbox will force a mailbox to be made inactive when a user account is deleted. Once the deleted account’s legal hold is placed, the contents of the inactive mailbox will be retained for the time frame of the retention period specified before the user account was deleted. Remember that inactive mailbox data can only be accessed by performing an eDiscovery search, guaranteeing that only people with eDiscovery access rights can access it.

The above discussion about shared and inactive mailboxes is important to note in that many assume that these strategies save the entire Microsoft 365 subscription data set – it does not… All departing employee data should be consolidated and protected for compliance and legal reasons. This includes all data resident on employee devices such as laptops, cloud accounts, and company-supplied smartphones.

Another Way - Today’s Best Practices

The shared and inactive mailbox processes have been the go-to strategy for companies wishing to address their growing departed employee email data problem. However, as mentioned above, they are not a complete regulatory and litigation compliance solution.

Instead, consolidating and managing all inactive/departing employee data in a centralized and secure corporate cloud, including not just mailboxes but also other Microsoft and non-Microsoft data not addressed by using shared or inactive mailboxes, is now the preferred strategy which ensures data immutability, protection against ransomware, copy of record status, and retention/disposition management - which can be accomplished quickly and inexpensively.

In the past, I worked with a large multinational company, which relied on a low-tech and risky process for data retention in legal situations.  Their process for collecting departing employee data included gathering and storing the physical devices from departed employees, including laptops, desktop workstations, and company-supplied smartphones, in a locked room - retaining them for three years (the local statute of limitations for wrongful termination lawsuits) - in case the legal department needed the data in a future lawsuit or audit. An obvious issue with this process is that it ties up expensive hardware for long periods while running the risk of equipment obsolescence and data loss the longer it is stored.

Additionally, computer hard disks should be powered up occasionally; otherwise, hard disk operation can be affected, potentially causing data recovery issues. This company wanted a complaint, lower cost solution and now creates an image of the data on each piece of equipment and stores each image in a secure cloud for legal search when needed.

restorVault virtualized and secure low-cost cloud storage for leaver-data

As I pointed out at the beginning of this blog, the main reason for retaining departed employee data is for legal and regulatory compliance. The probability is high that some percentage of a departed employee’s dataset is considered a “regulated record” or tied to anticipated or current litigation.  Because of this, all leaver data should be consolidated and stored in a centralized storage location that is secure and searchable by legal, HR, Compliance, and business teams (for reference/reuse).

Secure on-prem or cloud-based file shares are an obvious storage location for these files. However, depending on the estimated amount of data that will be stored in the coming years, utilizing low-cost cloud-based storage virtualization would better address the various issues storage administrators have with moving large amounts of data from a managed SaaS platform (Microsoft 365) to on-prem storage resources.

Securing departed employee data before their Microsoft 365 account is deleted is a crucial task that requires careful planning and execution. By following the best practices discussed in another blog post, you can ensure that your data is protected from unauthorized access, misuse, and corruption, that you have a copy of your data for future reference or backup purposes, that you can access or delete your data permanently and securely when needed, and that you comply with your legal and regulatory requirements for data retention and deletion.

restorVault cloud storage virtualization for leaver data 

restorVault’s Storage virtualization solution replaces a file (based on policies) in an on-prem active repository, such as a file share, with a pointer or virtual data file that points to the original file in the restorVault cloud. Whenever a user clicks on a virtual data file (pointer) in their file explorer, the actual file is instantly retrieved from the restorVault CCA cloud platform (see below) for viewing and continued work. This storage virtualization into the immutable restorVault trusted cloud repository also eliminates the wasteful need for backups of inactive data.

It also frees up large amounts of costly enterprise storage for priority use by active data. With your inactive data automatically stored and managed in a trusted and inexpensive cloud repository, your enterprise backups will be approximately 20% of their current size. This will enable you to restore data faster and free up costly enterprise storage. For every TB of restorVault virtual cloud storage, you could recoup 3 TB from primary, backup, and other cloud platforms - a 300% increase in usable storage capacity.


A properly configured virtualized file system can also make moving leaver datasets to a secure cloud repository fast, easy, and convenient.


The restorVault patented cloud platform provides two ways to store your inactive unstructured data as well as other high-value unstructured data safely and inexpensively in a trusted cloud vault:

  • The Compliant Cloud Archive (CCA) provides long-term information management and on-demand access to virtualized unstructured data, with an option to store your data in an immutable cloud storage tier for ransomware/extortionware protection.

  • The Tamperproof Cloud Storage solution (TCS) provides a hot standby-like protected storage repository that allows for complete disaster or ransomware recovery in minutes, not days.

Contact us today to learn how restorVault can help your company save money by storing and managing your leaver data while increasing data security and storage capacity!


bottom of page