Employee Onboarding Checklist
IT operational workflow for provisioning a new hire — identity, endpoint, application access, and security training — from HR handoff through Day-1 sign-off. Run by the IT / sysadmin team in coordination with HR and the hiring manager.
Pre-Day-1 Provisioning Intake
- Confirm role and start date with HR
Pull the HR handoff packet — name, title, manager, department, legal start date, and access-tier classification. Tier 0/1 admin roles trigger the privileged-access path; standard roles do not. Common gotcha: HR sends only the title and IT guesses the tier — don't guess, ask.
- Capture work location and shipping address
Remote hires need the laptop shipped 3+ business days before start; on-site hires get the workstation staged at their desk. Hybrid follows the remote path. Confirm the shipping address against HR's record — sending to the wrong state is the most common Day-1 blocker.
- Reserve username per naming standard
Apply the documented UPN convention (firstname.lastname or first initial + lastname) and check Entra ID for collisions. Reserve the SMTP alias at the same time so the mailbox provisions cleanly.
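The intake steps above, as an added example (not the page's own tooling): validate the HR packet so the tier is never guessed, derive the UPN under the firstname.lastname / initial+lastname convention with collision handling, and reserve the SMTP alias alongside it. The tenant domain, the directory snapshot and the packet are constructed stand-ins for the Entra ID lookup.

```python
"""Pre-Day-1 intake: validate the HR handoff and reserve a UPN.
Added example, not the page's own tooling. The directory snapshot and HR
packet are constructed; a real run would query Entra ID for collisions."""
import re
import unicodedata

DOMAIN = "example.com"  # assumed tenant domain
# Constructed snapshot of UPNs / SMTP aliases already taken in the tenant.
EXISTING = {"jane.doe@example.com", "jdoe@example.com"}
REQUIRED = ("first", "last", "title", "manager", "department",
            "start_date", "tier", "location")  # tier is mandatory: don't guess, ask

def _local(s: str) -> str:
    """Fold accents and keep letters only so the local part is UPN-safe."""
    folded = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())

def candidate_upns(first: str, last: str) -> list:
    """Documented convention in order: firstname.lastname, then first initial +
    lastname, then a numeric suffix so the reservation stays deterministic."""
    fn, ln = _local(first), _local(last)
    if not fn or not ln:
        raise ValueError("name yields an empty local part; confirm spelling with HR")
    cands = [f"{fn}.{ln}", f"{fn[0]}{ln}"] + [f"{fn}.{ln}{n}" for n in range(2, 100)]
    return [f"{c}@{DOMAIN}" for c in cands]

def reserve_upn(first: str, last: str, existing=EXISTING) -> str:
    """First candidate with no collision; the SMTP alias is reserved as the same value."""
    for upn in candidate_upns(first, last):
        if upn not in existing:
            return upn
    raise RuntimeError("no free UPN under the convention; escalate to the naming owner")

def intake(packet: dict, existing=EXISTING) -> dict:
    """Provisioning facts IT needs before any account is touched."""
    missing = [k for k in REQUIRED if not packet.get(k)]
    if missing:
        raise ValueError(f"HR packet incomplete, ask HR for: {missing}")
    upn = reserve_upn(packet["first"], packet["last"], existing)
    return {
        "upn": upn,
        "smtp_alias": upn,  # reserved together so the mailbox provisions cleanly
        "ship_laptop": packet["location"] in ("remote", "hybrid"),  # hybrid follows remote
        "privileged_path": str(packet["tier"]) in ("0", "1"),  # Tier 0/1 takes the PAM path
    }
```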
Identity and Account Setup
- Create Entra ID account in target OU
Provision via the HR-driven SCIM flow if available; otherwise create manually in the correct OU so GPOs and Conditional Access policies apply. Set the account to disabled until the start date — enabling early is a common audit finding.
- Assign role-based security groups
Use the role-to-group mapping in IT Glue / Hudu — never copy permissions from another user (the source-of-truth drift is how Domain Users ends up with file-share access nobody can revoke). Avoid nested-group sprawl; assign the role group, not the underlying app groups.
- Enroll MFA with FIDO2 or Authenticator
Default to a YubiKey or Microsoft Authenticator push; SMS fallback is disabled per Conditional Access. Confirm legacy basic-auth is blocked at the tenant level — MFA on top of allowed basic-auth is bypassable.
- Enroll in PAM with JIT elevation
Privileged-tier accounts use a separate Tier 0 identity in CyberArk or BeyondTrust with just-in-time elevation — never standing Domain Admin. Issue a Privileged Access Workstation or enforce PAW policies; cached domain-admin credentials on a help-desk laptop are the pass-the-hash gift.
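The identity steps above as one plan, added here as an example rather than the page's own tooling: the account stays disabled until the start date, groups come from the role-to-group table (an unmapped role is an error, not a reason to clone a peer), a mapping that grants standing admin is rejected, and a Tier 0/1 hire gets a separate admin identity for PAM. The mapping, the `adm-` prefix and the Graph-shaped user fields are assumptions.

```python
"""Identity setup plan for one hire (added example; not the page's own tooling).
Builds the Entra ID user fields and the group set from the role-to-group
mapping, never from a peer account. Nothing here calls Graph; the mapping,
naming prefix and dates are constructed or assumed."""
from datetime import date

# Stand-in for the IT Glue / Hudu role-to-group table. Only the role group is
# assigned; the app groups hang off it through nesting.
ROLE_GROUPS = {
    "Help Desk Analyst": ["GRP-Role-HelpDesk"],
    "Finance Analyst": ["GRP-Role-Finance"],
    "Domain Engineer": ["GRP-Role-DomainEngineer"],
}
STANDING_ADMIN = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
PRIVILEGED_TIERS = {"0", "1"}
ADMIN_PREFIX = "adm-"  # assumed naming for the separate Tier 0 identity

def plan_identity(upn: str, display_name: str, role: str, tier: str,
                  start_date: str, today: str, role_groups=ROLE_GROUPS) -> dict:
    if role not in role_groups:
        # No mapping means the role is undocumented: fix the table, never clone a peer.
        raise LookupError(f"no role-to-group mapping for {role!r}; add it before provisioning")
    groups = list(role_groups[role])
    standing = STANDING_ADMIN & set(groups)
    if standing:
        raise ValueError(f"mapping grants standing admin {sorted(standing)}; use PAM JIT instead")
    local, domain = upn.split("@")
    user = {  # shaped like the Graph user resource; not submitted anywhere here
        "displayName": display_name,
        "userPrincipalName": upn,
        "mailNickname": local,
        # Stays disabled until the legal start date; enabling early is an audit finding.
        "accountEnabled": date.fromisoformat(today) >= date.fromisoformat(start_date),
    }
    plan = {"user": user, "groups": groups, "privileged": str(tier) in PRIVILEGED_TIERS}
    if plan["privileged"]:
        # Separate Tier 0 identity, enrolled in PAM with JIT elevation; no standing DA.
        plan["tier0_identity"] = f"{ADMIN_PREFIX}{local}@{domain}"
        plan["paw_required"] = True
    return plan
```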
Endpoint and Hardware Deployment
- Image laptop via Autopilot or JAMF zero-touch
Windows hardware ships through Autopilot with the user pre-assigned; Macs run through Apple Business Manager and Automated Device Enrollment into JAMF or Kandji. Verify the device serial is registered before the OS first boots — manual enrollment after-the-fact loses the supervised flag.
- Archive BitLocker or FileVault recovery key
Confirm the recovery key is escrowed to Entra ID (BitLocker) or to the MDM (FileVault PRK). The first time you need this is at 2 AM during a lockout — having it not be there is a career-shortening event.
- Enroll device in Intune or JAMF MDM
Confirm the device shows compliant in the MDM console — disk encryption, EDR (CrowdStrike or Defender for Endpoint) reporting, OS version current. Conditional Access blocks non-compliant devices from M365, so a missed enrollment surfaces as a Day-1 login failure.
- Ship laptop to remote home address
Use the carrier with signature confirmation; include the printed Day-1 quick-start (login URL, MFA enrollment QR, helpdesk number). Track delivery against the start date — late laptop = lost Day 1.
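A Day-1 readiness gate for the endpoint steps above, added as an example (not the page's or any MDM vendor's code): it evaluates a device record against the checks Conditional Access will apply (pre-registered enrollment, encryption plus escrowed key, EDR reporting, OS baseline) and the 3-business-day shipping lead time for remote and hybrid hires. Field names, the baseline builds and the sample record are assumed or constructed.

```python
"""Day-1 device readiness gate (added example; not the page's own tooling).
Evaluates a device record the way the Intune / JAMF compliance policy and
Conditional Access will, plus the shipping lead time for remote hires.
Field names, baselines and the sample record are assumed or constructed."""
from datetime import date, datetime, timedelta

MIN_OS = {"Windows": (10, 0, 22631), "macOS": (14, 4, 0)}  # assumed minimum builds
EDR_MAX_AGE = timedelta(hours=24)  # sensor must have reported within a day
SHIP_LEAD_BUSINESS_DAYS = 3        # checklist: ship 3+ business days before start

def parse_version(v: str) -> tuple:
    """Pad to three components so '14.4' compares equal to '14.4.0'."""
    return (tuple(int(p) for p in v.split(".")) + (0, 0, 0))[:3]

def business_days_between(ship: date, start: date) -> int:
    """Mon-Fri days in [ship, start)."""
    days, d = 0, ship
    while d < start:
        days += d.weekday() < 5
        d += timedelta(days=1)
    return days

def readiness_findings(device: dict, start_date: str, now: str) -> list:
    """Each finding is something that surfaces as a Day-1 login failure or worse."""
    start, now_dt = date.fromisoformat(start_date), datetime.fromisoformat(now)
    f = []
    if not device["enrolled_before_first_boot"]:
        f.append("enrolled after first boot: supervised flag lost, re-provision via Autopilot/ADE")
    if not device["disk_encrypted"]:
        f.append("disk not encrypted")
    elif not device["recovery_key_escrowed"]:
        f.append("recovery key not escrowed to Entra ID / MDM")
    if now_dt - datetime.fromisoformat(device["edr_last_seen"]) > EDR_MAX_AGE:
        f.append("EDR sensor not reporting")
    if parse_version(device["os_version"]) < MIN_OS[device["platform"]]:
        f.append("OS below baseline")
    if device["location"] in ("remote", "hybrid"):  # hybrid follows the remote path
        if not device.get("shipped_on"):
            f.append("laptop not shipped")
        elif business_days_between(date.fromisoformat(device["shipped_on"]), start) < SHIP_LEAD_BUSINESS_DAYS:
            f.append("shipped with under 3 business days lead time")
    return f

# Constructed device record for a remote Windows hire.
DEVICE = {"platform": "Windows", "os_version": "10.0.22631", "enrolled_before_first_boot": True,
          "disk_encrypted": True, "recovery_key_escrowed": False,
          "edr_last_seen": "2024-03-04T08:00:00", "location": "remote", "shipped_on": "2024-03-01"}

if __name__ == "__main__":
    for finding in readiness_findings(DEVICE, "2024-03-06", "2024-03-04T09:00:00"):
        print("BLOCKER:", finding)
```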
Application and Access Provisioning
- Provision SSO app assignments via SCIM
Push assignments through Okta or Entra ID against the role's app catalog — M365, Salesforce, Slack, GitHub, etc. Manual app-by-app provisioning is how an offboarding three years from now leaves an orphan account in Box that nobody remembers.
- Configure VPN or ZTNA access profile
Prefer per-app ZTNA (Zscaler, Cloudflare, Tailscale) over full-tunnel VPN; if legacy IPsec/SSL VPN is required, scope the user to the minimum subnet group. Always-on VPN with split-tunnel disabled for sensitive resources is the baseline.
- Grant shared-drive permissions per RBAC matrix
Add to SharePoint sites and shared drives via the role's security group — never via direct individual ACL. Direct ACLs are invisible to the quarterly access review and are the source of every "how does Bob still have access?" finding.
- Enroll new hire in password manager vault
Provision the user's vault in 1Password / Keeper / Bitwarden Business and assign only the role-scoped collections. Send the activation invite to their corporate mailbox, never personal email.
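The shared-drive item above says direct ACLs are invisible to the quarterly access review; this added example (not the page's own tooling) makes them visible by scanning a permission export for grants that bypass the RBAC matrix: individual user ACLs, broad built-in groups such as Domain Users (the drift the role-group item warns about), and app groups assigned directly instead of through a role group. The CSV shape, the `GRP-Role-` naming standard and the rows are assumed or constructed.

```python
"""Quarterly access-review helper (added example; not the page's own tooling).
Reads a permission export from SharePoint sites / shared drives and flags grants
that bypass the RBAC matrix. The export shape and the GRP-Role- naming standard
are assumed; the rows are constructed."""
import csv
import io
from collections import Counter

ROLE_GROUP_PREFIX = "GRP-Role-"  # assumed naming standard for role groups
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}

# Constructed export: one grant per row, as most admin tools dump it.
EXPORT = """site,principal,principalType,permission
Finance,GRP-Role-Finance,Group,Contribute
Finance,bob.smith@example.com,User,Contribute
Engineering,GRP-Role-DomainEngineer,Group,Read
Engineering,APP-GitHub-Admins,Group,Full Control
HR,Domain Users,Group,Read
HR,GRP-Role-HR,Group,Contribute
"""

def classify(principal: str, principal_type: str):
    """Return a finding label, or None when the grant follows the RBAC matrix."""
    if principal_type == "User":
        return "direct individual ACL"        # invisible to a group-based review
    if principal in BROAD_GROUPS:
        return "broad group grant"            # the Domain Users drift nobody can revoke
    if not principal.startswith(ROLE_GROUP_PREFIX):
        return "app group assigned directly"  # should hang off the role group
    return None

def review_grants(export_csv: str) -> list:
    """(site, principal, permission, finding) for every non-compliant grant."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        label = classify(row["principal"], row["principalType"])
        if label:
            findings.append((row["site"], row["principal"], row["permission"], label))
    return findings

def summarize(findings) -> dict:
    """Counts per finding type, which is what the access review reports on."""
    return dict(Counter(f[3] for f in findings))

if __name__ == "__main__":
    for site, principal, perm, label in review_grants(EXPORT):
        print(f"{site}: {principal} ({perm}) -> {label}")
    print(summarize(review_grants(EXPORT)))
```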
Security Training and Acceptable Use
- Assign KnowBe4 cybersecurity awareness module
Enroll in the new-hire training campaign with a 14-day completion deadline. Schedule the Day-30 phishing simulation baseline at the same time so we have a starting click-rate per user.
- Capture signed acceptable use policy
Countersigned AUP, data classification policy, and BYOD addendum get archived to the personnel folder. Auditors (SOC 2, HIPAA) sample for these — missing signatures are a control deficiency, not a paperwork nit.
- Walk through phishing-report and incident playbook
Show the Report Phish button in Outlook, the security@ alias, and the after-hours pager number. Reinforce: report first, contain second; do not forward suspicious mail to colleagues to ask if it's real.
Day-1 Orientation and IT Sign-Off
- Verify login and MFA on Day 1
Sit with the user (in person or via ScreenConnect / Teams) for the first login, MFA enrollment, and password set. Most onboarding tickets land in the first two hours of Day 1 — front-load the support, don't wait for the ticket.
- Introduce helpdesk and on-call escalation paths
Show how to file a ticket in ServiceNow / Freshservice / the PSA portal, the SLA for P1 vs P3, and the after-hours pager rotation. Walk through one real example so they don't email the IT director with a printer issue.
- Complete IT provisioning sign-off
Final review by the IT manager: every checklist item closed, exceptions documented, and screenshots / confirmations attached. This is the artifact pulled during SOC 2 user-provisioning sample testing.