Why poor account setup leads to data loss when staff leave

The “leaver data loss” problem usually starts months earlier

Most small businesses only think about data when someone hands in their notice.

But the real cause of “we lost files/emails when they left” is almost always earlier:

• business files were stored in a person’s OneDrive
• important conversations lived only in their mailbox
• shared work happened through personal sharing links and ad-hoc permissions
• no clear offboarding routine existed

Everything seems fine… right until a deadline hits and you realise nobody can find the client folder or the history of what was agreed.

What breaks first when account setup is messy

Data loss doesn’t always mean “bits deleted forever”. In real life it usually means:

• loss of access: links break, shared folders disappear, nobody can open what they need
• loss of continuity: the team can’t see what was promised to customers or suppliers
• loss of accountability: nobody can prove who sent what, when
• time-boxed recovery: you only notice after the easy recovery window has passed

Core concepts: why leavers cause data loss in Microsoft 365

1) Deleting a user is not “tidying up” — it starts a clock

Microsoft’s own offboarding guidance recommends giving someone else access to the leaver’s OneDrive and Outlook before deleting the account. It also notes that after deleting an employee’s account, their OneDrive and Outlook content is retained for a limited period (commonly 30 days) during which the account can be restored.

If you wait until later, you may be trying to recover from a position where recovery is harder, slower, or no longer possible.

2) Mailboxes have a limited recovery window

In Exchange Online, when you delete a user account, the mailbox is deleted too and is typically recoverable only within a limited period (commonly 30 days). After that, it’s not recoverable via normal restore.

3) OneDrive access can vanish even if the files still exist somewhere in the background

Microsoft documents OneDrive retention/deletion behaviour after a user is deleted, including that the OneDrive can move into recycle-bin states where normal user access to shared content stops.

So you can end up in the worst situation: the data technically exists, but your team can’t access it and you’re stuck needing admin-level recovery steps.

4) The safest “leaver-proof” pattern is business ownership

If business-critical files live in team-owned storage (and business functions use shared mailboxes), staff changes become routine instead of panic.

Step-by-step: how to stop leaver data loss (without being technical)

This is not a portal walkthrough. It’s the structure and habits that prevent chaos.

Step 1: Decide what must be business-owned

Client folders. Finance. Operations. Policies. Templates. Anything that the business must keep even if someone leaves tomorrow.

If those live in a person’s OneDrive, you’ve baked risk into the company.

Step 2: Move shared work out of personal storage

Team files should live in team-owned storage (typically SharePoint/Teams channel libraries), not in someone’s personal OneDrive with a bunch of sharing links.

Step 3: Use shared mailboxes for shared business functions

If multiple people need to handle an address like accounts@ or support@, that’s a shared function.

Microsoft provides shared mailboxes for this exact purpose, so access is delegated to people without sharing a password.

Step 4: Before anyone leaves, hand over access deliberately

Microsoft’s offboarding guidance is blunt: before deleting an employee’s account, give another user access to the leaver’s OneDrive and Outlook.

This is where “poor account setup” usually shows itself, because there isn’t a clean place to hand things over from.

Step 5: If you need to preserve a mailbox long-term, plan for it

Microsoft’s own offboarding steps include options like placing a hold or exporting mailbox data when long-term preservation matters.

The key point: decide this during offboarding, not months later when recovery windows have expired.

Real-world scenarios where businesses lose data

Scenario 1: The entire client folder lives in the account manager’s OneDrive

They leave. The team loses access to the folder structure and the “shared links” stop working.

Now you’re in emergency recovery mode instead of simply continuing the work.

Scenario 2: “We deleted the user to save licence cost”

That’s common — and it’s fine if you’ve already handed over access and moved business-owned data to business-owned locations.

But if you delete first and think later, you’re working against limited retention/recovery windows for OneDrive and mailboxes.

Scenario 3: A shared function address was set up as a normal user mailbox

People share the password. Nobody owns it properly. Offboarding becomes a mess because the address is treated like a person.

Shared mailboxes exist so the function survives staff changes cleanly.

Scenario 4: You only notice missing email history after a dispute

Now you need message history, attachments, or proof of what was agreed — and the mailbox is beyond easy recovery.

That’s why preservation decisions (holds/exports) must happen during offboarding when needed.

Advanced considerations (worth knowing)

“We can recover it later” is not a strategy

Microsoft documents limited recovery windows and deletion/retention behaviour. You want a process that doesn’t rely on heroics.

Convert vs preserve: don’t guess

Some businesses convert a leaver’s mailbox to a shared mailbox for continuity (where appropriate). Microsoft documents shared mailbox conversion and how it’s used to keep mailbox data while changing how it’s accessed.

For legal or compliance requirements, you may need holds/exports instead.

Summary and key takeaways

• Poor account setup causes leaver “data loss” because business data is tied to personal accounts.
• Deleting users starts time-limited recovery windows for mailboxes and OneDrive content.
• The fix is structural: business-owned files in business-owned storage, shared functions as shared mailboxes, and a deliberate offboarding handover.

Useful next steps:

• Get the free Microsoft 365 Starter Kit
• Microsoft 365 setup basics for small businesses
• Microsoft 365 Setup Guide

FAQ

Is data definitely deleted the moment we delete a user?

Not always immediately, but access and recovery are time-limited. Microsoft documents limited retention and recovery windows (often 30 days) for restoring user accounts and mailboxes, and OneDrive deletion/retention behaviour that can remove normal access to shared content.

What’s the fastest way to prevent leaver data loss?

Stop storing business-critical work in personal locations. Move shared work into team-owned storage and use shared mailboxes for shared functions.

Should we keep paying for licences just to keep data?

Sometimes you don’t need to — but you do need an offboarding plan. Microsoft provides options such as handing over access before deletion, shared mailbox approaches in some cases, and preservation options like holds/exports when needed.

What should we do before deleting an employee account?

Microsoft’s offboarding guidance recommends giving another user access to the leaver’s OneDrive and Outlook before deleting the account.

What’s the most common mistake?

Deleting first to “tidy up” or save a licence, then realising weeks later that a key folder or email thread was only in the leaver’s account.