Why You Wait 30 Days Before Deleting an Account

Disabling is immediate. Deletion only happens after 30 days. That's not an arbitrary deadline — here's the reasoning, the risks, and what needs to happen during those 30 days.

On the last working day: account disabled. Only 30 days later: deleted. So what actually happens in those 30 days?

The purpose of the 30-day period

• Email forwarding stays active. Clients who still email the old address are automatically routed to the successor. See email forwarding.
• Recovering files. Sometimes a shared OneDrive folder turns out to still be in use, or a proposal draft exists that nobody else has a copy of.
• Reclaiming licences. The M365 licence only becomes available after 30 days, or a temporary workaround expires.
• Legal retention period. Some collective agreements or NDAs specify a minimum retention period.

What you do NOT do during those 30 days

• Reactivate the account to "quickly check something". Every reactivation is an audit finding.
• Hand the password to the successor so they can log in. Use delegation or forwarding instead.
• Casually copy files for the departing employee's personal use. That's a GDPR issue.

After 30 days

• Archive email in line with policy (typically 1–7 years, depending on sector).
• Transfer OneDrive / Google Drive content to a team location or archive it.
• Permanently delete the account.
• Reassign or cancel the licence.
• Add an incident log entry: offboarding successfully completed, date, evidence link.

See also: offboarding pillar, legal framework.