Employee Onboarding Checklist
Pre-Day-1 Provisioning Intake
Pull the HR handoff packet — name, title, manager, department, legal start date, and access-tier classification. Tier 0/1 admin roles trigger the privileged-access path; standard roles do not. Common gotcha: HR sends only the title and IT guesses the tier — don't guess, ask.
Remote hires need the laptop shipped 3+ business days before start; on-site hires get the workstation staged at their desk. Hybrid follows the remote path. Confirm the shipping address against HR's record — sending to the wrong state is the most common Day-1 blocker.
Apply the documented UPN convention (firstname.lastname or first initial + lastname) and check Entra ID for collisions. Reserve the SMTP alias at the same time so the mailbox provisions cleanly.
Identity and Account Setup
Provision via the HR-driven SCIM flow if available; otherwise create manually in the correct OU so GPOs and Conditional Access policies apply. Set the account to disabled until the start date — enabling early is a common audit finding.
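Added example (PowerShell, not part of the original checklist) that implements the UPN convention and Entra ID collision check from the intake step together with the disabled-until-start-date creation above. It assumes the Microsoft Graph PowerShell SDK, a placeholder tenant domain, and a helper function Test-AliasFree written for this example.

```powershell
# Added example, not part of the checklist. Assumes the Microsoft.Graph PowerShell SDK;
# the tenant domain is a placeholder and Test-AliasFree is a helper written here.
#Requires -Modules Microsoft.Graph.Users
param(
    [Parameter(Mandatory)] [string] $GivenName,
    [Parameter(Mandatory)] [string] $Surname,
    [string] $Domain = 'contoso.example'   # placeholder tenant domain
)
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Candidate aliases in the order the convention prefers them:
# firstname.lastname first, then first initial + lastname.
$candidates = @(
    ('{0}.{1}' -f $GivenName, $Surname).ToLower(),
    ('{0}{1}'  -f $GivenName.Substring(0, 1), $Surname).ToLower()
)

function Test-AliasFree {
    param([string] $Alias)
    $upn = "$Alias@$Domain"
    # A collision is any existing user already holding the UPN, the primary
    # mail address, or the mailNickname (the SMTP alias being reserved).
    $filter = "userPrincipalName eq '$upn' or mail eq '$upn' or mailNickname eq '$Alias'"
    return -not (Get-MgUser -Filter $filter -Property Id -Top 1)
}

$alias = $candidates | Where-Object { Test-AliasFree $_ } | Select-Object -First 1
if (-not $alias) {
    throw "Both convention aliases collide for $GivenName $Surname; escalate rather than guess."
}
$upn = "$alias@$Domain"

# Random throwaway initial password; the user sets their own at the Day-1 sit-down.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

# AccountEnabled:$false keeps the object dormant until the start date; the
# start-date job flips it with Update-MgUser -UserId <id> -AccountEnabled:$true.
$user = New-MgUser -AccountEnabled:$false `
    -DisplayName "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
    -UserPrincipalName $upn -MailNickname $alias `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# Read back the state actually written: an account enabled early is an audit finding.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, MailNickname, AccountEnabled |
    Select-Object UserPrincipalName, MailNickname, AccountEnabled
```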
Use the role-to-group mapping in IT Glue / Hudu — never copy permissions from another user (the source-of-truth drift is how Domain Users ends up with file-share access nobody can revoke). Avoid nested-group sprawl; assign the role group, not the underlying app groups.
Default to a YubiKey or Microsoft Authenticator push; SMS fallback is disabled per Conditional Access. Confirm legacy basic-auth is blocked at the tenant level — legacy protocols cannot prompt for a second factor, so MFA layered on top of allowed basic-auth is bypassable.
Privileged-tier accounts use a separate Tier 0 identity in CyberArk or BeyondTrust with just-in-time elevation — never standing Domain Admin. Issue a Privileged Access Workstation or enforce PAW policies; cached domain-admin credentials on a help-desk laptop are a pass-the-hash gift.
Endpoint and Hardware Deployment
Windows hardware ships through Autopilot with the user pre-assigned; Macs run through Apple Business Manager and Automated Device Enrollment into JAMF or Kandji. Verify the device serial is registered before the OS first boots — manual enrollment after the fact loses the supervised flag.
Confirm the recovery key is escrowed to Entra ID (BitLocker) or to the MDM (FileVault PRK). The first time you need this is at 2 AM during a lockout — having it not be there is a career-shortening event.
Confirm the device shows compliant in the MDM console — disk encryption, EDR (CrowdStrike or Defender for Endpoint) reporting, OS version current. Conditional Access blocks non-compliant devices from M365, so a missed enrollment surfaces as a Day-1 login failure.
Ship via a carrier with signature confirmation; include the printed Day-1 quick-start (login URL, MFA enrollment QR, helpdesk number). Track delivery against the start date — late laptop = lost Day 1.
Application and Access Provisioning
Push assignments through Okta or Entra ID against the role's app catalog — M365, Salesforce, Slack, GitHub, etc. Manual app-by-app provisioning is how an offboarding three years from now leaves an orphan account in Box that nobody remembers.
Prefer per-app ZTNA (Zscaler, Cloudflare, Tailscale) over full-tunnel VPN; if legacy IPsec/SSL VPN is required, scope the user to the minimum subnet group. Always-on VPN with split-tunnel disabled for sensitive resources is the baseline.
Add to SharePoint sites and shared drives via the role's security group — never via direct individual ACL. Direct ACLs are invisible to the quarterly access review and are the source of every "how does Bob still have access?" finding.
Provision the user's vault in 1Password / Keeper / Bitwarden Business and assign only the role-scoped collections. Send the activation invite to their corporate mailbox, never personal email.
Security Training and Acceptable Use
Enroll in the new-hire training campaign with a 14-day completion deadline. Schedule the Day-30 phishing simulation baseline at the same time so we have a starting click-rate per user.
Countersigned AUP, data classification policy, and BYOD addendum get archived to the personnel folder. Auditors (SOC 2, HIPAA) sample for these — missing signatures are a control deficiency, not a paperwork nit.
Show the Report Phish button in Outlook, the security@ alias, and the after-hours pager number. Reinforce: report first, contain second; do not forward suspicious mail to colleagues to ask if it's real.
Day-1 Orientation and IT Sign-Off
Sit with the user (in person or via ScreenConnect / Teams) for the first login, MFA enrollment, and password set. Most onboarding tickets land in the first two hours of Day 1 — front-load the support, don't wait for the ticket.
Show how to file a ticket in ServiceNow / Freshservice / the PSA portal, the SLA for P1 vs P3, and the after-hours pager rotation. Walk through one real example so they don't email the IT director with a printer issue.
Final review by the IT manager: every checklist item closed, exceptions documented, and screenshots / confirmations attached. This is the artifact pulled during SOC 2 user-provisioning sample testing.
