IT Turnover Advice

CaedenV 26 Reputation points
2023-03-05T16:13:33.52+00:00

It has been one heck of a week; we had our senior IT staff leave, and I am trying to learn what I need to learn through this transition.

We use AAD and Exchange Online (hybrid with on-prem mailboxes), and I guess I have 3 main concerns.

  1. What should I check specifically relating to AAD and Exchange Online to make sure turning their accounts off isn't going to break anything (specifically email)?
  2. How do I verify that I have access (or request access) to manage these services during the transition, and hand off to an appropriate contractor or new boss when the time comes (lol, I am not ready to take that job)! I believe I have domain admin rights locally, and Global Admin rights in AAD, so I think I have access to everything, but want to make sure I am not overlooking something important.
  3. More generally, are there any good resources or checklists that I can use or reference to get ahead of any access or transition issues? I am relatively technical and can figure things out, but lack experience and am trying not to get blind-sided by something that could be easily prevented. And as I am stressed and not sleeping particularly well, I'm just trying to find resources to make sure I am not overlooking the obvious.

Thankfully, our C-level people are working on getting appropriate consultants on-board, so in the medium-term I think we are going to be just fine, but in the short term I'm just a little paranoid that something simple is going to blind-side me. Any practical pointers or info would be appreciated.


2 answers

  1. Dillon Silzer 56,681 Reputation points
    2023-03-05T20:21:31.58+00:00

    I will answer your questions in order. Remember, we have no insight into your environment so these are educated guesses:

    1. Turning off their accounts should not break anything with the on-prem Exchange server. The only thing I can think of that might be linked is your backup system, whether it is Veeam or some other software, and/or your Azure AD Connect. I'd try disabling their accounts, let a night cycle run through and see what happened. With Azure AD Connect, you might just have to reconfigure it if it was tied to their accounts.
    2. With Domain and/or Enterprise Administrator (on-prem) and Global Administrator, you have the most access you'd ever need. As stated previously, you might have some backup software running, and you should ensure you have access to that software. Additionally, if you are running VMs such as VMware with ESXi hosts, you should ensure you have all the necessary passwords for that.
    3. There is no such checklist as every environment is different. Deal with the problems as they come. There is a lot of support out there and surely experienced consultants will be able to deal with issues as they arise.

    Good luck and try to stop worrying too much.


    If this is helpful please accept answer.


  2. David Broggy 5,701 Reputation points MVP
    2023-03-05T21:01:50.8766667+00:00

    An additional suggestion:

    As you go up the Microsoft license chain, there are several features that can automate or make it easier for you to keep an eye on privileged users.

    PIM - Privileged Identity Management - ensures all of your assigned privileged users will get their privileges revoked after a short period of time. To get back their access they will need to use 2FA or get permission from another admin.

    Purview - you can lock out all tagged data owned by users that are no longer with your organization. So when they try to open files they will be locked out.

    AAD User Rights Reviews - Run an audit on users to verify all of their permissions have been revoked.

    Good luck!

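A read-only inventory to run before disabling the departed accounts, covering what the answers above point at: services and scheduled tasks (backup agents, Azure AD Connect) tied to their accounts, and their active Entra ID role memberships. This is an added example, not part of the original thread; the account names, the server list and the helper functions `Get-LogonName`, `Test-RunAs` and `New-Finding` are placeholders or assumptions, and the Entra ID part assumes the Microsoft Graph PowerShell module is installed.

```powershell
# Added example. Read-only: reports dependencies, changes nothing.
param(
    [string[]]$Departing    = @('CONTOSO\jdoe', 'jdoe@contoso.example'), # placeholder accounts
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # add Exchange, backup and AAD Connect servers
    [switch]$IncludeEntraRoles                       # assumes the Microsoft.Graph module is installed
)

# Reduce DOMAIN\user and user@domain to the bare logon name so both forms match.
function Get-LogonName([string]$Identity) {
    if ($Identity -match '\\') { ($Identity -split '\\')[-1] } else { ($Identity -split '@')[0] }
}
$names = @($Departing | ForEach-Object { Get-LogonName $_ })
function Test-RunAs([string]$Identity) { $Identity -and ($names -contains (Get-LogonName $Identity)) }
function New-Finding($Location, $Kind, $Name, $RunAs) {
    [pscustomobject]@{ Location = $Location; Kind = $Kind; Name = $Name; RunAs = $RunAs }
}

$findings = @(foreach ($computer in $ComputerName) {
    # Query the local machine directly; remote machines are reached over WinRM/CIM.
    $isLocal  = $computer -eq $env:COMPUTERNAME
    $svcArgs  = if ($isLocal) { @{} } else { @{ ComputerName = $computer } }
    $taskArgs = if ($isLocal) { @{} } else { @{ CimSession   = $computer } }

    # Services (backup agents, the Azure AD Connect sync service, ...) and their logon account.
    Get-CimInstance -ClassName Win32_Service @svcArgs |
        Where-Object { Test-RunAs $_.StartName } |
        ForEach-Object { New-Finding $computer 'Service' $_.Name $_.StartName }

    # Scheduled tasks registered to run as the account.
    Get-ScheduledTask @taskArgs |
        Where-Object { Test-RunAs $_.Principal.UserId } |
        ForEach-Object { New-Finding $computer 'ScheduledTask' ($_.TaskPath + $_.TaskName) $_.Principal.UserId }
})

if ($IncludeEntraRoles) {
    # Active role memberships only; PIM-eligible assignments are not returned by this call.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null
    $findings += @(foreach ($role in Get-MgDirectoryRole -All) {
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
            Where-Object { Test-RunAs $_.AdditionalProperties['userPrincipalName'] } |
            ForEach-Object { New-Finding 'Entra ID' 'DirectoryRole' $role.DisplayName $_.AdditionalProperties['userPrincipalName'] }
    })
}

$findings | Sort-Object Location, Kind, Name | Format-Table -AutoSize
```

Credentials saved inside an application's own configuration, such as a backup product's stored credentials, do not appear here and still need a manual check.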