Office 365 Warning: Terminated users may still be able to read and send emails!!

Jerry Solomon, Senior Systems Administrator
Certified Expert
Edited by: Andrew Leniart
There is a poorly documented behaviour in the way Exchange Online converts a user mailbox to a shared mailbox: the conversion leaves the original user account enabled, with its existing password, so the former user can still sign in to that mailbox, even after the license has been removed.

This article is a warning for network admins who implement and maintain Exchange Online (Office 365) for business customers.


What to do when a user is terminated:


There are many ways to handle the termination of an employee, whether you run Exchange on-premises or Exchange Online in Office 365. You may export the mailbox to a PST, delete the account, and attach the PST to another user; you may simply reset the password; or you may convert the mailbox to a shared mailbox, so that there are no license fees and the messages stay accessible in the cloud.


If you convert a user mailbox to a shared mailbox in Exchange 2016/2019 on-premises, the associated Active Directory account is disabled as part of the conversion, so the former employee's credentials no longer open the mailbox. But here is the rub:


In Office 365, the engineers decided that a user could have several services on the account and that converting the mailbox to shared does not necessarily imply that the user no longer needs the other services. The conversion therefore leaves the account alone, and the behaviour differs from what an on-premises admin would expect.


With Exchange Online, if a user mailbox is converted to a shared mailbox, the user account will still have access to that mailbox. The conversion changes the mailbox type but does not disable the account, change its password, or revoke its existing sessions; the shared mailbox remains anchored to the same user object in Azure AD. A terminated employee who still knows the password can keep signing in to read and send email, so beware.
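To find mailboxes that have already been converted this way, here is an added audit script; it is not part of the original article and is neither the author's nor Microsoft's code. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the admin running it holds Exchange Administrator rights plus consent for the Graph User.Read.All scope; the function name and the CSV file name are my own choices. It walks every shared mailbox, looks up the Azure AD user object the mailbox is still anchored to, and reports those whose account remains sign-in enabled, with a note on whether a mobile device is still syncing.

```powershell
# Added audit example (not from the article). Assumes the ExchangeOnlineManagement
# and Microsoft.Graph PowerShell modules and an admin with Exchange Administrator
# rights plus Graph User.Read.All consent.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users

function Get-ExposedSharedMailbox {
    <#
    .SYNOPSIS
    Lists shared mailboxes whose anchoring user account can still sign in.
    #>
    [CmdletBinding()]
    param()

    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

    # A shared mailbox is always anchored to a user object in Azure AD;
    # ExternalDirectoryObjectId is that object's GUID.
    $sharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox `
        -ResultSize Unlimited -Properties ExternalDirectoryObjectId

    foreach ($mbx in $sharedMailboxes) {
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
            -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses `
            -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # no user object found: nothing that can sign in

        # An enabled account is the exposure the article describes: it can still
        # authenticate to the mailbox whether or not a license is assigned.
        if (-not $user.AccountEnabled) { continue }

        # ActiveSync / Outlook mobile partnerships show whether a device is still syncing.
        $devices  = Get-EXOMobileDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
        $lastSync = ($devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1).LastSuccessSync

        [pscustomobject]@{
            Mailbox           = $mbx.PrimarySmtpAddress
            UserPrincipalName = $user.UserPrincipalName
            SignInEnabled     = $user.AccountEnabled
            Licensed          = (@($user.AssignedLicenses).Count -gt 0)
            MobileDevices     = @($devices).Count
            LastMobileSync    = $lastSync
            Finding           = 'Shared mailbox, but the anchoring account can still sign in'
        }
    }
}

# Usage: review on screen, then keep a record for the tickets you raise.
Get-ExposedSharedMailbox | Tee-Object -Variable findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\exposed-shared-mailboxes.csv -NoTypeInformation
```

For accounts synchronised from on-premises AD, AccountEnabled reflects the AD userAccountControl flag after the last Azure AD Connect cycle, so a mailbox that was converted on a still-enabled AD account shows up here just like a cloud-only one.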


The simple solution is to reset the user's password before converting the mailbox to shared. Better still, block sign-in on the account and revoke its existing sessions as well, because a password reset on its own does not necessarily close connections that are already authenticated, and removing the license from the account does not stop access, since a shared mailbox needs no license. If you skip these steps, the user will continue to have access to their mailbox from Outlook desktop, Outlook on the web, and mobile devices, even without a license.
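As an added example of the full sequence (not the author's procedure and not a Microsoft script), the following PowerShell function takes the credential away, kills existing sessions and mobile partnerships, converts the mailbox, and only then drops the license, finishing with a verification step. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an admin holding the Exchange Administrator and User Administrator roles, a cloud-only account (a directory-synced account must be disabled and reset in on-premises AD and the change synced instead), and the placeholder UPN jdoe@contoso.com; the function name is invented.

```powershell
# Added offboarding example (not from the article). Assumes ExchangeOnlineManagement and
# Microsoft.Graph modules, an admin with Exchange Administrator + User Administrator roles,
# and a cloud-only account. For an account synchronised from on-premises AD, disable it and
# reset the password in AD and let Azure AD Connect sync the change instead of calling
# Update-MgUser; the Exchange Online steps below are the same.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Invoke-MailboxOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UPN of the departing user, e.g. jdoe@contoso.com (placeholder domain)
        [Parameter(Mandatory)][string]$Upn
    )

    Connect-ExchangeOnline -ShowBanner:$false
    # Directory.AccessAsUser.All is what Graph requires to update passwordProfile.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

    $user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    if (-not $PSCmdlet.ShouldProcess($Upn, 'Block sign-in, reset password, revoke sessions, convert to shared')) {
        return
    }

    # 1. Take the credential away first. Conversion leaves it untouched, which is the
    #    whole problem. A random throwaway password nobody knows is enough; the account
    #    is disabled in the same call, so no one will ever need it.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $throwaway = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $user.Id -AccountEnabled:$false -PasswordProfile @{
        Password                      = $throwaway
        ForceChangePasswordNextSignIn = $true
    }

    # 2. Invalidate refresh tokens so cached Outlook and mobile sessions stop working
    #    at their next token refresh rather than whenever they happen to expire.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Remove ActiveSync / Outlook mobile partnerships on the mailbox.
    Get-MobileDevice -Mailbox $Upn -ErrorAction SilentlyContinue |
        Remove-MobileDevice -Confirm:$false

    # 4. Now convert. The mailbox stays anchored to the same (now disabled) user object.
    Set-Mailbox -Identity $Upn -Type Shared

    # 5. Only after conversion, drop the license. A shared mailbox under 50 GB needs none.
    if (@($user.AssignedLicenses).Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() `
            -RemoveLicenses @($user.AssignedLicenses.SkuId) | Out-Null
    }

    # 6. Verify the end state rather than trusting that the sequence ran.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled, AssignedLicenses
    $mbx   = Get-Mailbox -Identity $Upn
    [pscustomobject]@{
        UserPrincipalName    = $user.UserPrincipalName
        RecipientTypeDetails = $mbx.RecipientTypeDetails   # expect SharedMailbox
        SignInEnabled        = $after.AccountEnabled        # expect False
        LicensesRemaining    = @($after.AssignedLicenses).Count
    }
}

# Usage:
# Invoke-MailboxOffboarding -Upn 'jdoe@contoso.com' -WhatIf   # dry run, changes nothing
# Invoke-MailboxOffboarding -Upn 'jdoe@contoso.com'
```

The order matters: if you convert first and block sign-in later, there is a window in which the mailbox is "shared" on paper while the former employee can still open it, which is exactly the situation the article warns about.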


This behaviour is easy to miss in the documentation, but it is very important to be aware of.




Comments (4)

timgreen7077, Exchange Engineer
Certified Expert, Distinguished Expert 2018

Commented:
Great to know this. Awesome catch and thanks for sharing.
Ibrahim Benna, Senior Microsoft Engineer
Certified Expert

Commented:
Good to know. If we are syncing our accounts from AD and we disable the AD account (and change its password as well), I believe this will also take care of it.
Jerry Solomon, Senior Systems Administrator
Certified Expert
Author

Commented:
I wish this had been a "Great Catch" BEFORE we had a very upset customer. I found this one out the hard way!! I'm pretty sure I know why it is not documented, but the ramifications are unpleasant.
Albert Widjaja, IT Professional
Certified Expert

Commented:
Is this still reproducible, or has it already been fixed by Microsoft?
Because I have tested with a disabled AD user, and I cannot log in to OWA or get ActiveSync email.
