Employee Training Checklist

Onboarding and Account Provisioning

    Pull the role definition from HR and confirm whether this hire needs Tier 1 (helpdesk), Tier 2 (engineer), or Tier 3 (senior / privileged) access. Tier 0 / Domain Admin requests require CAB approval and a separate Privileged Access Workstation — never grant Tier 0 by default.

    Create the Entra ID user, assign to the role-appropriate security groups via SCIM or a provisioning runbook, and apply the standard conditional access policy. Avoid copying an existing user's group memberships — that's how access creep starts.

    Use Autopilot (Windows) or Apple Business Manager / DEP (macOS) for zero-touch enrollment. Confirm BitLocker or FileVault is on, the recovery key escrows to Entra ID, and the EDR agent (CrowdStrike, SentinelOne, or Defender) reports healthy.

    Cover Outlook signature, Teams channels for the on-call rotation and change announcements, OneDrive sync, and the shared mailbox conventions. Point out that personal email forwarding rules are blocked at the transport rule level.

Security Awareness Training

    Walk through the AUP, data classification tiers (public / internal / confidential / regulated), and the rules on personal cloud storage and removable media. For MSPs, cover per-client data segregation and the prohibition on cross-client credential reuse.

    Assign the new-hire training module in KnowBe4 (or Hoxhunt / Proofpoint Security Awareness — whichever your stack uses) and capture the baseline click rate. Repeat-clicker policy kicks in at the third missed simulation.

    Issue a YubiKey (or equivalent FIDO2 key) plus Microsoft Authenticator as the backup factor. SMS-based MFA is not permitted for staff accounts. Confirm legacy basic-auth is blocked org-wide so the MFA enrollment isn't bypassable.

    Create the user's password-manager vault, assign the role-appropriate shared folders, and walk through the prohibition on storing credentials in browsers or sticky notes. For MSP technicians, confirm per-client vault separation — one client's credentials never appear in another client's folder.

    Cover the PagerDuty escalation chain, the SEV1/SEV2 definitions, and the rule that suspected phishing or compromise gets reported within 15 minutes — never quietly remediated. Include the after-hours on-call number and the MDR contact.

Technical Skills Development

    Pair the new hire with a Tier 2 engineer for a half-day in the PSA queue (ConnectWise, Autotask, or Halo). Cover ticket categorization, SLA timers, and time-entry discipline — billable hours that aren't logged the same day disappear.

    Cover NinjaOne / Datto RMM / Kaseya VSA agent deployment, scripting basics, and ScreenConnect or Splashtop remote sessions. Emphasize the discipline of getting end-user consent before unattended access on personal-mode endpoints.

    Hands-on lab covering ping, traceroute, DNS lookups, VLAN tagging, and reading firewall logs from FortiGate or Meraki. Include the standard layer-1-up troubleshooting pattern and the gotcha that 80% of "network" tickets are DNS or DHCP.

    Restore a Veeam, Datto, or Acronis backup into the isolated lab environment end-to-end. The drill is not complete until the restored VM boots and a test user logs in. Backups that are never restored are not backups — this lesson is the point.

    Cover normal vs. standard vs. emergency changes, the CAB cadence, and the requirement that every change carries a written rollback plan. Include the GPO-on-Friday-afternoon cautionary tale.

Compliance and Legal Training

    Walk through which client books are HIPAA (BAA-bound), PCI DSS, SOC 2, or CMMC, and which controls the technician is personally responsible for executing — access reviews, change tickets, evidence collection.

    HIPAA training is required for any technician supporting healthcare clients under a BAA. Cover the minimum-necessary access principle, breach notification timelines (60 days under the HIPAA Breach Notification Rule), and the audit-logging requirements for ePHI access.

    Cover Microsoft, VMware, and Adobe licensing rules, the prohibition on copying license keys between clients, and the SAM cadence. Vendor true-up audits are six-figure events — the discipline is daily, not annual.

    Walk through the SOC 2 / SOX-aligned quarterly access review — pulling group memberships, manager attestation, and removing stale access. Note the AD security group bloat anti-pattern: groups added for one project, never removed.
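The quarterly access review described above, as an added example over constructed exports (not the checklist's own tooling): it joins a group-membership export with a last-sign-in export, flags members with no sign-in inside the review window and memberships in time-boxed project groups, and produces per-owner attestation rows. The CSV layouts, the `SG-Project-` naming convention for project groups, and all names are assumptions.

```python
"""Quarterly access review over constructed membership and sign-in exports."""
import csv
import io
from datetime import date, timedelta

# Constructed exports. Real data would come from Entra ID / AD group and sign-in reports.
MEMBERSHIP_CSV = """group,member,owner
SG-Server-Admins,alice,carol
SG-Server-Admins,bob,carol
SG-Project-Migration-2022,alice,dave
SG-Project-Migration-2022,erin,dave
SG-Helpdesk,frank,carol
"""
SIGNIN_CSV = """user,last_sign_in
alice,2024-06-20
bob,2024-01-05
erin,2024-03-01
frank,2024-06-28
"""
PROJECT_GROUP_PREFIX = "SG-Project-"  # assumed convention for time-boxed groups


def load_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def review(membership_csv: str, signin_csv: str, as_of: date,
           stale_days: int = 90) -> dict[str, list[dict]]:
    """Return attestation rows keyed by group owner, each row carrying its flags."""
    last_seen = {r["user"]: date.fromisoformat(r["last_sign_in"])
                 for r in load_csv(signin_csv)}
    cutoff = as_of - timedelta(days=stale_days)
    rows: dict[str, list[dict]] = {}
    for r in load_csv(membership_csv):
        flags = []
        seen = last_seen.get(r["member"])
        if seen is None or seen < cutoff:      # never signed in, or not recently
            flags.append("stale-user")
        if r["group"].startswith(PROJECT_GROUP_PREFIX):  # project group still alive
            flags.append("project-group")
        rows.setdefault(r["owner"], []).append(
            {"group": r["group"], "member": r["member"], "flags": flags})
    return rows


def removal_candidates(rows: dict[str, list[dict]]) -> list[tuple[str, str]]:
    """(group, member) pairs the owner must explicitly keep or they are removed."""
    return sorted((x["group"], x["member"])
                  for owner_rows in rows.values() for x in owner_rows if x["flags"])


if __name__ == "__main__":
    report = review(MEMBERSHIP_CSV, SIGNIN_CSV, as_of=date(2024, 7, 1))
    for owner, items in report.items():
        print(owner, items)
    print(removal_candidates(report))
```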

Helpdesk and Customer Support Readiness

    Walk through P1/P2/P3/P4 definitions, response and resolution targets per client tier (managed vs. co-managed vs. break-fix), and the after-hours rate structure. SLA breach reporting is automated through BrightGauge or the PSA's native reporting.

    Document a sample resolution end-to-end — problem statement, environment details, steps tried, root cause, resolution, and links to runbook updates. Tickets without documentation are tickets that get re-opened in 90 days by a different tech.

    Practice the standard scripts: locked Entra ID account, MFA token reset, mailbox quota, VPN connection failure, and the "my computer is slow" call. Cover the verification questions that confirm the caller is who they claim before any password reset.

    Cover the PagerDuty rotation, when to wake a Tier 3 engineer, the SEV1 war-room bridge, and the rule that customer-impacting outages get a status page update within 15 minutes. Include the contact path for the MDR and the cyber insurance hotline.

    The IT manager or service coordinator confirms the new hire is ready for unsupervised ticket work, identifies any remaining training gaps, and schedules the 60-day and 90-day check-ins.