User Onboarding Checklist

Pre-Day-1 Setup

    Pull the new-hire ticket from HR (Workday, BambooHR, or your HRIS) and confirm legal name, manager, start date, role title, work location, and any access exceptions. Capture work location and role tier here — both drive conditional steps later (remote shipping, privileged-access provisioning). Don't start provisioning before HR confirms — start-date slips and rescinded offers happen, and a half-provisioned account is harder to clean up than a delayed one.

    Reference the role-to-access matrix (IT Glue / Hudu / SharePoint) for this job title — Entra ID security groups, M365 license SKU (E3 vs E5 vs F3), and SaaS app entitlements. If this is a brand-new role with no matrix entry, get manager + InfoSec sign-off on the proposed access before provisioning. Group-bloat is the #1 source of access-review findings.

    Reserve a laptop matching the role's hardware tier (developer vs standard knowledge worker vs field). If stock is empty, place the vendor PO immediately — Apple and Dell lead times can run 2-4 weeks and miss start dates. Tag the device in asset management as reserved to this hire so it doesn't get re-allocated.

Identity & Account Provisioning

    Use the standard naming convention (firstname.lastname) and place the user in the OU that matches their department — OU placement drives GPO and conditional access policy inheritance. Set the account expiration to 14 days past the start date: if the hire never shows up, the account expires on its own instead of lingering as an orphaned active account.

    Add to dynamic groups where possible (department-driven) and explicit groups only where dynamic membership doesn't apply. Avoid dropping anyone into Domain Users-derived shares; that's how project access turns into company-wide access five years later.

    Assign the license SKU identified in the role mapping. Confirm mailbox provisioning completed (can take 15-60 minutes after license assignment) before sending the welcome email. Set the default OWA timezone and add the user to the appropriate distribution lists.

    Confirm the user is in scope of the org-wide CA policy that blocks IMAP, POP, SMTP-AUTH, and other legacy authentication endpoints. Legacy protocols cannot prompt for MFA, so a compromised password alone is enough to sign in through them even when modern auth requires MFA — this is the single most exploited misconfiguration in M365 tenants.
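One way to check the item above programmatically, as an added example that is not part of the original checklist: the function below takes Conditional Access policies in the field layout of the Microsoft Graph conditionalAccessPolicy object (assumed to have been exported from Graph beforehand; the policies, group IDs and user IDs here are constructed) and reports which enabled legacy-auth block policies actually cover the new hire, including the exclusion-group case that quietly leaves an account exposed.

```python
"""Check whether a user is covered by an enabled Conditional Access policy that
blocks legacy-authentication client types (IMAP/POP/SMTP-AUTH/ActiveSync).
Policy dicts follow Microsoft Graph field names; the sample data is constructed."""

# Graph clientAppTypes values that represent legacy / basic authentication.
LEGACY_APP_TYPES = {"exchangeActiveSync", "other"}


def blocks_legacy_auth(policy):
    """True if the policy is enabled, targets legacy client types, and blocks."""
    if policy.get("state") != "enabled":
        return False
    client_apps = set(policy["conditions"].get("clientAppTypes", []))
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    return bool(client_apps & LEGACY_APP_TYPES) and "block" in controls


def user_in_scope(policy, user_id, user_group_ids):
    """True if the user assignment includes this user and no exclusion applies."""
    users = policy["conditions"].get("users", {})
    groups = set(user_group_ids)
    included = ("All" in users.get("includeUsers", []) or user_id in users.get("includeUsers", [])
                or bool(set(users.get("includeGroups", [])) & groups))
    excluded = (user_id in users.get("excludeUsers", [])
                or bool(set(users.get("excludeGroups", [])) & groups))
    return included and not excluded


def legacy_auth_blocked_for(user_id, user_group_ids, policies):
    """Names of enabled legacy-auth block policies that actually cover the user."""
    return [p["displayName"] for p in policies
            if blocks_legacy_auth(p) and user_in_scope(p, user_id, user_group_ids)]


# Constructed sample: an org-wide block policy that excludes a break-glass group,
# plus a report-only MFA policy that enforces nothing.
POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": ["grp-breakglass"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    # New hire in the Sales group is covered; a break-glass account is not.
    print(legacy_auth_blocked_for("u-newhire", ["grp-sales"], POLICIES))
    print(legacy_auth_blocked_for("u-breakglass", ["grp-breakglass"], POLICIES))
```

An empty result for a regular hire means the account is not covered and the item fails; run it against the real policy export before the user's first login.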

Endpoint Provisioning

    Confirm the hardware hash is registered with the Autopilot service and the device is assigned to the correct deployment profile (kiosk vs standard vs developer). For Macs, use the equivalent Jamf/Kandji DEP enrollment. The goal is a zero-touch experience — the user signs in and the device configures itself.

    Verify the BitLocker recovery key (or FileVault PRK on Mac) is escrowed to Entra ID / Intune. A device with no recovery key in escrow is a device you cannot recover when the user forgets their PIN — and the data-loss risk is on you, not them.

    Verify the EDR agent (CrowdStrike, SentinelOne, or Defender for Endpoint depending on your stack) is installed, registered to the tenant, and reporting healthy in the console before the device leaves IT's hands. A laptop deployed without EDR is invisible to your SOC.

    Use a tracked carrier with signature required. Include the peripherals kit (keyboard, mouse, headset, dock) and a printed Day-1 quick-start card with the IT helpdesk number. Confirm the home address with HR — never ship to an address pulled from email; phishing-induced shipping fraud is real.

Access & Authentication

    Confirm the user is provisioned to Okta via SCIM from Entra ID (or your HRIS, depending on your source of truth) and that role-based app assignments fired correctly. Spot-check that 2-3 critical apps (Salesforce, GitHub, Slack) appear in the user's Okta dashboard.

    Walk through MFA enrollment live (Duo Push or Microsoft Authenticator) — don't email a self-enrollment link without a deadline. Push-fatigue and SMS-fallback are common bypass paths; require a hardware token (YubiKey) for privileged or executive tier per the role matrix.

    Privileged-tier hires get a separate Tier 1 / Tier 0 admin account, never permanent rights on their daily-driver account. Enroll the admin account in CyberArk (or Delinea / BeyondTrust) with JIT elevation and require a Privileged Access Workstation for Tier 0 work. Standing Domain Admin on a daily-driver account is how a pass-the-hash attack on one laptop becomes a compromise of the whole domain.

    Have the user authenticate to ZTNA (Zscaler, Cloudflare Access, Twingate) or the VPN (FortiGate, Meraki, GlobalProtect) from the issued device while you watch. Confirm conditional access policies fire correctly — an unmanaged device should be blocked. First login is when posture-check misconfigurations surface.

Orientation, Training & Audit

    30-minute live walkthrough: helpdesk ticketing portal, password manager (1Password / Keeper / Bitwarden) and how to use the company vault, MFA recovery procedures, the data-classification handling rules, and what NOT to put in personal email or cloud accounts. Reference the most recent real internal incident (anonymized) so the rules feel concrete.

    Enroll the user in the new-hire training campaign (KnowBe4, Hoxhunt, Proofpoint, or your platform). Set a 14-day completion deadline with manager-cc reminder. The phishing simulation cadence starts after baseline training completes — don't send simulated phishing to a user who hasn't been trained.

    Log the device in asset management (IT Glue, Hudu, Snipe-IT) with serial, asset tag, and assigned user. Capture the user's signature on the Acceptable Use Policy and have them sign the equipment-receipt acknowledgment. The signed AUP is the document HR / Legal will ask for at termination — don't skip it.

    30 days in, pull the user's actual group memberships and SaaS entitlements and reconcile against the role matrix. Standing access drift starts in week 2 — a Slack channel here, a shared drive there. Catching it at 30 days is much cheaper than catching it at the annual SOC 2 access review.
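The 30-day reconciliation as an added example (not part of the original template): it diffs an exported membership snapshot against the role matrix and, tying back to the privileged-account rule above, also flags admin groups that have landed on a standard-tier daily-driver account. The matrix, the group and app names, and the admin-group prefixes are constructed assumptions; the real inputs would be Entra ID / Okta exports and your own matrix document.

```python
"""30-day access reconciliation: diff a user's actual groups and SaaS apps against the
role-to-access matrix. Inputs would come from Entra ID / Okta exports; all constructed here."""

# Constructed role-to-access matrix: expected entitlements and access tier per title.
ROLE_MATRIX = {
    "Account Executive": {"tier": "standard",
                          "groups": {"GRP-Sales", "GRP-AllStaff", "LIC-M365-E3"},
                          "apps": {"Salesforce", "Slack", "Zoom"}},
    "Platform Engineer": {"tier": "privileged",
                          "groups": {"GRP-Engineering", "GRP-AllStaff", "LIC-M365-E5"},
                          "apps": {"GitHub", "Slack", "Jira"}},
}
# Constructed naming convention for admin groups that belong on a separate
# admin account, never on a standard-tier daily-driver account.
PRIVILEGED_PREFIXES = ("ADM-", "T0-", "T1-")


def reconcile(role, actual_groups, actual_apps, matrix=ROLE_MATRIX):
    """Return drift buckets: 'extra_*' = held but not in the matrix (drift to remove
    or justify), 'missing_*' = in the matrix but not held (provisioning gap),
    'privileged_on_daily_driver' = admin groups held by a standard-tier account."""
    if role not in matrix:
        raise KeyError(f"no matrix entry for {role!r}: get manager + InfoSec sign-off first")
    expected = matrix[role]
    groups, apps = set(actual_groups), set(actual_apps)
    admin_groups = {g for g in groups if g.startswith(PRIVILEGED_PREFIXES)}
    return {
        "extra_groups": sorted(groups - expected["groups"]),
        "missing_groups": sorted(expected["groups"] - groups),
        "extra_apps": sorted(apps - expected["apps"]),
        "missing_apps": sorted(expected["apps"] - apps),
        "privileged_on_daily_driver": sorted(admin_groups) if expected["tier"] == "standard" else [],
    }


def has_drift(report):
    """True if any reconciliation bucket is non-empty."""
    return any(report.values())


if __name__ == "__main__":
    # Constructed 30-day snapshot: a Slack admin group, a project share and a
    # helpdesk admin group crept in, and Zoom was never assigned.
    snapshot_groups = ["GRP-Sales", "GRP-AllStaff", "LIC-M365-E3",
                       "GRP-Slack-ChannelAdmins", "SHR-ProjectPhoenix", "T1-Helpdesk-Admins"]
    snapshot_apps = ["Salesforce", "Slack", "GitHub"]
    for bucket, items in reconcile("Account Executive", snapshot_groups, snapshot_apps).items():
        if items:
            print(f"{bucket}: {', '.join(items)}")
```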
