Overview
Removing user access is a critical security task that should be completed promptly when users no longer require Microsoft Advertising access. Common scenarios include employee termination, contractor completion, role changes, and security incidents.
When to Remove Access
Required Removal Scenarios
Employee Termination:
- Timing: Same day as termination
- Priority: High - security risk
- Process: Coordinate with IT for all system access removal
Contractor End of Engagement:
- Timing: On contract end date
- Priority: High
- Process: Verify contract end date, document removal
Role Change (No Longer Needs Access):
- Timing: Within 24 hours of role change
- Priority: Medium
- Process: Confirm new role doesn't require access
Security Incident:
- Timing: Immediate (within minutes)
- Priority: Critical
- Process: Emergency removal, investigation follows
Remove User from Individual Account
Step 1: Navigate to User Management
- Sign in to Microsoft Advertising
- Click your account name in the top right
- Select Accounts & Billing
- Click User management in the left sidebar
Alternative Path:
- Click the Tools icon (gear)
- Under "Accounts," select User management
Step 2: Locate User
- User list displays all active users
- Use search box to filter by name or email
- Identify user to remove
Step 3: Remove User
- Click on user's name or email
- User details page opens
- Click Remove user button
- Confirmation dialog appears
- Click Confirm or Remove
- User immediately loses access
Step 4: Verify Removal
- User no longer appears in User management list
- User cannot sign in to account
- User's name remains in change history (for audit trail)
Offboarding Checklist
Complete these steps when removing user access:
Before Removal
- Verify business justification
- Obtain manager approval
- Document reason for removal
- Identify knowledge transfer needs
- Reassign ownership of:
  - Automated rules
  - Scheduled reports
  - Custom conversion goals
During Removal
- Remove user from Microsoft Advertising
- Verify removal successful
- Remove from Manager Account (if applicable)
- Cancel pending invitations (if any)
- Revoke API access/OAuth tokens (if applicable)
After Removal
- Document removal in access log:
  - Date and time
  - Removed by (admin name)
  - Reason for removal
  - Stakeholder approval
- Review change history for user's recent actions
- Monitor account for 24-48 hours
- Update team contact lists
Emergency Access Removal
For security incidents requiring immediate action:
Immediate Removal Steps
- Sign in immediately to Microsoft Advertising
- Navigate directly to User management
- Locate compromised user
- Click Remove - confirm immediately
- Verify removal - user disappears from list
- Document action: Time, date, reason
Post-Removal Security Actions
Review change history:
- Filter by removed user
- Look for suspicious changes in last 24-48 hours
- Document unauthorized actions
Reset credentials (if user had API access):
- Revoke OAuth tokens
- Regenerate developer tokens
Notify stakeholders:
- Security team
- Manager/leadership
- Affected clients (if agency)
Monitor account:
- Watch for unusual activity in next 7 days
- Review spend and campaign changes daily
Verify Removal
Confirmation Steps
User list check:
- Navigate to User management
- Search for removed user
- Should return "No users found"
Change history:
- User's past actions still visible (for audit)
- User's name appears as "[User Name] (Removed)"
- No new actions possible
Common Removal Issues & Solutions
Cannot Remove User (Button Greyed Out)
Causes & Solutions:
| Cause | Solution |
|---|---|
| Insufficient permissions | Only Admin/Super Admin can remove users |
| User is account owner | Transfer ownership first, then remove |
| Last Super Admin | Add another Super Admin first |
| Session expired | Sign out and sign back in |
User Still Has Access After Removal
Troubleshooting:
- Verify removal completed - Check User management list
- User may be cached - Have user sign out and clear cache
- User has access via Manager Account - Remove from Manager Account
- Multiple Microsoft accounts - Search for alternate email addresses
Removed User by Mistake
Recovery Steps:
- Re-add immediately using standard invitation process
- User accepts invitation - Access restored
- Note: Historical change history preserved
Post-Removal Access Audit
After removing the user, verify that no access remains:
Microsoft Advertising Access
- User removed from all individual accounts
- User removed from Manager Accounts
- Pending invitations canceled
- User cannot sign in
Related Systems
- Google Tag Manager access removed
- Analytics platform access removed
- CRM access removed
- Slack/Teams channels removed
- Email distribution lists updated
API and Integrations
- OAuth tokens revoked
- API access removed
- Developer token deactivated
- Third-party tool access removed
Compliance and Legal Considerations
Audit Trail
Document removals for compliance:
Required Information:
- User's full name and email
- Date and time of removal
- Removed by (admin name)
- Reason for removal
- Approver (if required)
- Access level being removed
Retention: Maintain access logs for a minimum of 7 years.
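An added example, not part of the original page or of any Microsoft tooling: a checker for an access removal log that applies the timing rules under "When to Remove Access" and the "Required Information" fields listed above. The record keys, the scenario labels, and the 15-minute limit standing in for "within minutes" are assumptions.

```python
from datetime import datetime, timedelta

# "Required Information" from Audit Trail; the key names are assumptions.
REQUIRED = ("user_name", "user_email", "removed_at", "removed_by", "reason", "access_level")
INCIDENT_LIMIT = timedelta(minutes=15)  # assumption: page says "within minutes"

def deadline(scenario, trigger):
    """Latest acceptable removal time; 'same day' means end of that calendar day."""
    if scenario in ("termination", "contractor_end"):
        return trigger.replace(hour=23, minute=59, second=59, microsecond=0)
    if scenario == "role_change":
        return trigger + timedelta(hours=24)
    if scenario == "security_incident":
        return trigger + INCIDENT_LIMIT
    raise ValueError(f"unknown scenario: {scenario}")

def audit(entries, now):
    """Return (user_email, finding) pairs for late, overdue or incomplete removals."""
    findings = []
    for e in entries:
        who = e.get("user_email") or "<no email>"
        due = deadline(e["scenario"], datetime.fromisoformat(e["trigger_at"]))
        if e.get("removed_at"):
            if datetime.fromisoformat(e["removed_at"]) > due:
                findings.append((who, "removed after deadline"))
        elif now > due:
            findings.append((who, "access still active past deadline"))
        missing = [k for k in REQUIRED if not e.get(k)]
        if e.get("approval_required") and not e.get("approver"):
            missing.append("approver")
        if missing:
            findings.append((who, "missing: " + ", ".join(missing)))
    return findings

# Constructed sample log entries (not real data); all timestamps in one time zone.
SAMPLE = [
    {"scenario": "termination", "trigger_at": "2024-03-04T10:00:00",
     "user_name": "A. Example", "user_email": "a@example.com",
     "removed_at": "2024-03-04T16:30:00", "removed_by": "admin1",
     "reason": "termination", "access_level": "Admin",
     "approval_required": True, "approver": "manager1"},
    {"scenario": "role_change", "trigger_at": "2024-03-04T09:00:00",
     "user_name": "B. Example", "user_email": "b@example.com",
     "removed_at": "2024-03-06T09:00:00", "removed_by": "admin1",
     "reason": "", "access_level": "Super Admin"},
    {"scenario": "security_incident", "trigger_at": "2024-03-05T12:00:00",
     "user_name": "C. Example", "user_email": "c@example.com",
     "removed_by": "admin2", "reason": "compromised account", "access_level": "Admin"},
]
NOW = datetime.fromisoformat("2024-03-05T13:00:00")
if __name__ == "__main__":
    print(*audit(SAMPLE, NOW), sep="\n")
```

On the sample data, the first entry passes, the role change is flagged as late and missing its reason, and the incident entry is flagged because access is still active an hour after the trigger.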
Best Practices
Timing
- Employee termination: Same day, coordinated with IT
- Contractor end: On contract end date
- Role change: Within 24 hours
- Security incident: Immediate (within minutes)
Documentation
- Maintain access removal log
- Document business justification
- Obtain approvals when required
- Archive user's campaign documentation
Security
- Remove all access simultaneously
- Revoke API and OAuth access
- Monitor account for 24-48 hours post-removal
- Review change history for unauthorized actions
Next Steps
- Add new user access for replacement team members
- Update existing user access for role changes
- Schedule quarterly access reviews