Employee Onboarding Checklist

Pull the HR handoff packet — name, title, manager, department, legal start date, and access-tier classification. Tier 0/1 admin roles trigger the privileged-access path; standard roles do not. Common gotcha: HR sends only the title and IT guesses the tier — don't guess, ask.

Remote hires need the laptop shipped 3+ business days before start; on-site hires get the workstation staged at their desk. Hybrid follows the remote path. Confirm the shipping address against HR's record — sending to the wrong state is the most common Day-1 blocker.

Apply the documented UPN convention (firstname.lastname or first initial + lastname) and check Entra ID for collisions. Reserve the SMTP alias at the same time so the mailbox provisions cleanly.

Provision via the HR-driven SCIM flow if available; otherwise create manually in the correct OU so GPOs and Conditional Access policies apply. Set the account to disabled until the start date — enabling early is a common audit finding.

Use the role-to-group mapping in IT Glue / Hudu — never copy permissions from another user (the source-of-truth drift is how Domain Users ends up with file-share access nobody can revoke). Avoid nested-group sprawl; assign the role group, not the underlying app groups.

Default to a YubiKey or Microsoft Authenticator push; SMS fallback is disabled per Conditional Access. Confirm legacy basic-auth is blocked at the tenant level — MFA on top of allowed basic-auth is bypassable.

Privileged-tier accounts use a separate Tier 0 identity in CyberArk or BeyondTrust with just-in-time elevation — never standing Domain Admin. Issue a Privileged Access Workstation or enforce PAW policies; cached domain-admin credentials on a help-desk laptop is the pass-the-hash gift.

Windows hardware ships through Autopilot with the user pre-assigned; Macs run through Apple Business Manager and Automated Device Enrollment into JAMF or Kandji. Verify the device serial is registered before the OS first boots — manual enrollment after-the-fact loses the supervised flag.

Confirm the recovery key escrowed to Entra ID (BitLocker) or to the MDM (FileVault PRK). The first time you need this is at 2 AM during a lockout — having it not be there is a career-shortening event.

Confirm the device shows compliant in the MDM console — disk encryption, EDR (CrowdStrike or Defender for Endpoint) reporting, OS version current. Conditional Access blocks non-compliant devices from M365, so a missed enrollment surfaces as a Day-1 login failure.

Use the carrier with signature confirmation; include the printed Day-1 quick-start (login URL, MFA enrollment QR, helpdesk number). Track delivery against the start date — late laptop = lost Day 1.

Push assignments through Okta or Entra ID against the role's app catalog — M365, Salesforce, Slack, GitHub, etc. Manual app-by-app provisioning is how an offboarding three years from now leaves an orphan account in Box that nobody remembers.

Prefer per-app ZTNA (Zscaler, Cloudflare, Tailscale) over full-tunnel VPN; if legacy IPsec/SSL VPN is required, scope the user to the minimum subnet group. Always-on VPN with split-tunnel disabled for sensitive resources is the baseline.

Add to SharePoint sites and shared drives via the role's security group — never via direct individual ACL. Direct ACLs are invisible to the quarterly access review and are the source of every "how does Bob still have access?" finding.

Provision the user's vault in 1Password / Keeper / Bitwarden Business and assign only the role-scoped collections. Send the activation invite to their corporate mailbox, never personal email.

Enroll in the new-hire training campaign with a 14-day completion deadline. Schedule the Day-30 phishing simulation baseline at the same time so we have a starting click-rate per user.

Countersigned AUP, data classification policy, and BYOD addendum get archived to the personnel folder. Auditors (SOC 2, HIPAA) sample for these — missing signatures are a control deficiency, not a paperwork nit.

Show the Report Phish button in Outlook, the security@ alias, and the after-hours pager number. Reinforce: report first, contain second; do not forward suspicious mail to colleagues to ask if it's real.

Sit with the user (in person or via ScreenConnect / Teams) for the first login, MFA enrollment, and password set. Most onboarding tickets land in the first two hours of Day 1 — front-load the support, don't wait for the ticket.

Show how to file a ticket in ServiceNow / Freshservice / the PSA portal, the SLA for P1 vs P3, and the after-hours pager rotation. Walk through one real example so they don't email the IT director with a printer issue.

Final review by the IT manager: every checklist item closed, exceptions documented, and screenshots / confirmations attached. This is the artifact pulled during SOC 2 user-provisioning sample testing.