On this page

Emergency Staff Deployment

Emergency staff deployment provisions IT access for surge personnel responding to humanitarian crises, natural disasters, or organisational emergencies. Standard onboarding procedures requiring 3-5 business days become untenable when staff must be operational within hours. This task establishes parallel provisioning pathways that maintain security baselines while compressing timelines from days to hours.

The procedures apply when an emergency has been formally declared and surge staff require immediate IT access. Surge staff include emergency roster personnel, redeployed staff from other offices, secondees from partner organisations, and newly contracted emergency responders. The provisioning model differs from standard onboarding in three ways: pre-configured account templates replace individual configuration, pre-staged device kits eliminate procurement delays, and abbreviated training focuses on immediate operational needs rather than comprehensive orientation.

Prerequisites

Before beginning emergency provisioning, confirm the following conditions are met:

Requirement	Detail	Verification
Emergency declaration	Formal emergency or surge activation from authorised personnel	Written confirmation from Country Director, Emergency Coordinator, or equivalent
Surge roster	List of personnel to be deployed with role assignments	Roster received from HR or emergency coordination
Approval authority	Named individual authorised to approve emergency access	Documented in emergency activation message
Identity provider access	Administrative access to create accounts	Test login to admin console before starting
Pre-staged devices	Confirmed availability of emergency device kits	Physical inventory check
Network connectivity	Ability to reach provisioning systems	Verify IdP, MDM, and email systems accessible

HR coordination required

Emergency provisioning does not bypass HR verification. Obtain written confirmation that each individual on the surge roster is authorised for deployment before creating accounts. This confirmation can be email from HR or inclusion on an officially distributed roster.

Gather the following information for each surge staff member before provisioning:

Full legal name (as it will appear in organisational systems)
Personal email address (for initial credential delivery)
Mobile phone number (for MFA enrollment)
Deployment location (field office, headquarters, remote)
Role and required system access
Expected deployment duration
Manager or supervisor for the deployment

Emergency account templates

Account templates pre-configure group memberships, application assignments, and access permissions for common emergency roles. Creating accounts from templates reduces per-user configuration from 15-20 minutes to under 3 minutes.

Maintain templates for these standard emergency roles:

Template: emergency-programme-officer
├── Groups: all-staff, emergency-response, programme-read
├── Applications: email, collaboration, programme-management, data-collection
├── Access level: standard user
└── Default expiry: 90 days

Template: emergency-logistics
├── Groups: all-staff, emergency-response, logistics, procurement-read
├── Applications: email, collaboration, supply-chain, fleet-management
├── Access level: standard user
└── Default expiry: 90 days

Template: emergency-finance
├── Groups: all-staff, emergency-response, finance-emergency
├── Applications: email, collaboration, erp-emergency-module
├── Access level: standard user with elevated finance
└── Default expiry: 90 days

Template: emergency-coordinator
├── Groups: all-staff, emergency-response, emergency-leadership
├── Applications: email, collaboration, all-programme-systems, reporting
├── Access level: elevated with approval workflows
└── Default expiry: 90 days

Template: emergency-it-support
├── Groups: all-staff, emergency-response, it-support-emergency
├── Applications: email, collaboration, helpdesk, mdm-limited, monitoring-read
├── Access level: elevated IT with emergency scope
└── Default expiry: 90 days

Templates include automatic expiry dates. The 90-day default covers most emergency deployments. Extend or shorten based on deployment duration at creation time.

Template configuration in identity providers

For Microsoft Entra ID, create templates as administrative units with pre-assigned group memberships:

# Create emergency role template group
New-MgGroup -DisplayName "Template-Emergency-Programme-Officer" `
  -MailEnabled:$false `
  -SecurityEnabled:$true `
  -MailNickname "template-epo" `
  -Description "Template for emergency programme officer provisioning"

# Assign template group to application access groups
Add-MgGroupMember -GroupId $templateGroupId -DirectoryObjectId $programmeReadGroupId
Add-MgGroupMember -GroupId $templateGroupId -DirectoryObjectId $emergencyResponseGroupId

For Keycloak, define roles that bundle permissions:

{
  "name": "emergency-programme-officer",
  "composite": true,
  "composites": {
    "realm": ["basic-user", "emergency-response"],
    "client": {
      "programme-management": ["read", "write-own"],
      "data-collection": ["collector", "viewer"]
    }
  }
}

Procedure

Phase 1: Account creation

Access the identity provider admin console and navigate to user creation.
For Entra ID: https://entra.microsoft.com → Users → New user → Create new user
For Keycloak: https://auth.example.org/admin → Users → Add user
Create the user account with emergency naming convention.
Use the format firstname.lastname for the username. For duplicate names, append a number: jane.smith2.
Set the following attributes:

   Display name: [Full name]
   User principal name: firstname.lastname@example.org
   Department: Emergency Response
   Job title: [Role from roster]
   Manager: [Deployment supervisor]
   Employee type: Emergency/Temporary
   Account expires: [Deployment end date + 7 days buffer]

Apply the appropriate emergency template.
In Entra ID, add the user to the template group:

   Add-MgGroupMember -GroupId $templateGroupId -DirectoryObjectId $newUserId

In Keycloak, assign the composite role:

   kcadm.sh add-roles -r example-realm --uusername firstname.lastname \
     --rolename emergency-programme-officer

Generate a temporary password and record it securely.
Use a password generator producing 16+ character passwords:

   openssl rand -base64 16

Record the password in your password manager or encrypted notes. You will communicate this to the user separately from their username.

Configure the account to require password change on first login.
In Entra ID, this is the default for new accounts. Verify the setting:

   Get-MgUser -UserId $newUserId | Select-Object Id, DisplayName,
     @{N='ForceChangePassword';E={$_.PasswordProfile.ForceChangePasswordNextSignIn}}

In Keycloak, set the required action:

   kcadm.sh set-required-actions -r example-realm --username firstname.lastname \
     --add UPDATE_PASSWORD

Verify application access by checking group memberships and licence assignments.

   # Check group memberships
   Get-MgUserMemberOf -UserId $newUserId | Select-Object Id, DisplayName

   # Check licence assignment
   Get-MgUserLicenseDetail -UserId $newUserId | Select-Object SkuPartNumber

Expected output includes the template group, emergency-response group, and appropriate licence (e.g., ENTERPRISEPACK for Microsoft 365 E3).

Phase 2: MFA enrollment preparation

Multi-factor authentication remains mandatory for emergency accounts. The enrollment process differs from standard onboarding because the user may not have access to organisational email to receive enrollment instructions.

Enable the Temporary Access Pass (TAP) feature if not already configured.
In Entra ID, navigate to Security → Authentication methods → Temporary Access Pass and enable the policy.
Configure TAP settings for emergency use:

   Minimum lifetime: 1 hour
   Maximum lifetime: 24 hours
   Default lifetime: 8 hours
   One-time use: No (allow multiple uses during validity)

Generate a Temporary Access Pass for the new user.

   $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $newUserId `
     -LifetimeInMinutes 480 `
     -IsUsableOnce:$false

   $tap.TemporaryAccessPass

Record the TAP value. This allows the user to sign in and complete MFA enrollment without needing a pre-existing authentication method.

Prepare MFA enrollment instructions specific to emergency context.
The user will need:
- Temporary Access Pass (from step 2)
- Link to MFA enrollment: https://aka.ms/mfasetup (for Entra ID)
- Mobile phone for authenticator app installation
For users deploying to areas with limited mobile data, configure phone call or SMS as backup MFA methods during enrollment.

Phase 3: Device allocation

Pre-staged emergency device kits eliminate procurement and configuration delays. Each kit contains a laptop, power adapters, and accessories configured with standard security baselines.

Retrieve a device kit from emergency stock.
Verify kit contents against the standard inventory:

   Emergency Device Kit Contents:
   ├── Laptop (pre-enrolled in MDM, encrypted)
   ├── Power adapter (universal or region-appropriate)
   ├── USB-C hub (if laptop has limited ports)
   ├── Ethernet adapter (for unreliable WiFi scenarios)
   ├── Security key (FIDO2, as backup MFA)
   └── Quick start card (login instructions, support contacts)

Record the device serial number and assign it to the user in asset management.

   # Example asset assignment in Snipe-IT
   curl -X POST "https://assets.example.org/api/v1/hardware/123/checkout" \
     -H "Authorization: Bearer $API_KEY" \
     -H "Content-Type: application/json" \
     -d '{
       "checkout_to_type": "user",
       "assigned_user": "456",
       "expected_checkin": "2024-05-15",
       "note": "Emergency deployment - Response XYZ"
     }'

Verify MDM enrollment status.
The device should already be enrolled in MDM from pre-staging. Confirm enrollment:
For Microsoft Intune:

   Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq 'ABC123'" |
     Select-Object DeviceName, EnrolledDateTime, ComplianceState

Expected output shows compliant status. If the device shows as non-compliant or unenrolled, use the fallback procedure in Troubleshooting.

Assign the device to the user in MDM.

   # Get device ID
   $device = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq 'ABC123'"

   # Update primary user
   Update-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id `
     -UserPrincipalName "firstname.lastname@example.org"

Power on the device and verify it receives current policies.
Connect the device to network and wait for policy sync (typically 5-15 minutes on first connection after assignment). Verify by checking the device compliance dashboard in MDM.

Phase 4: Credential delivery

Credential delivery to surge staff requires secure channels when face-to-face handoff is not possible. Split credentials across multiple channels to reduce interception risk.

Determine the delivery method based on deployment location.

Scenario	Username delivery	Password delivery	TAP delivery
Same location	In person	In person	In person
Remote, known number	Email to personal address	SMS to verified mobile	Voice call
Remote, unverified	Encrypted message via Signal	Voice call to number provided by HR	Separate voice call
Partner secondee	Via partner IT contact	Via partner IT contact	Via partner IT contact

Send the username via the first channel.
For email delivery:

   Subject: Your emergency deployment account

   Your account for emergency deployment has been created:

   Username: firstname.lastname@example.org

   You will receive your temporary password separately.

   Device: A laptop has been assigned to you and will be provided
   at [location/via courier].

   Questions: Contact IT support at +44 20 xxxx xxxx or
   emergency-it@example.org

Deliver the temporary password via the second channel.
For SMS delivery:

   Emergency IT: Your temp password is [password].
   You must change this on first login.

For voice call delivery, read the password using the phonetic alphabet and have the user read it back.

Deliver the Temporary Access Pass via the third channel.

   Your one-time code for MFA setup is: [TAP]
   Valid for 8 hours from now.
   Use this when prompted during first sign-in.

Confirm receipt of all credentials.
Request the user reply “received” via any channel to confirm they have username, password, and TAP. Document confirmation in the deployment record.

Phase 5: Remote provisioning for field deployment

When surge staff deploy directly to field locations without passing through headquarters, complete provisioning remotely.

Arrange device shipment to the deployment location.
Ship the emergency device kit via courier with tracking. Include a printed quick-start card with:
- Username (but not password)
- WiFi configuration for the field office (if known)
- MFA enrollment URL
- IT support contact numbers (including WhatsApp if available)
- Instructions to contact IT before first login
Schedule a provisioning call with the user.
Coordinate a 30-minute call when the device arrives. Ensure you have:
- Access to the identity provider admin console
- The user’s temporary password ready to communicate verbally
- A Temporary Access Pass generated (valid from call start time)
- Remote support tool access (if available)
Guide the user through first login during the call.
Walk through:
- Power on and network connection
- Sign in with username and temporary password
- Password change to user-selected password (verify they record it securely)
- MFA enrollment using the Temporary Access Pass
- Verification of email and collaboration tool access
Remain on call until the user successfully accesses email and confirms MFA is working.
Complete MDM sync verification.
After the user signs in, verify from the admin console that:
- Device shows as compliant
- User assignment updated
- Required applications are installing

   Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq 'firstname.lastname@example.org'" |
     Select-Object DeviceName, ComplianceState, LastSyncDateTime

Document the remote provisioning completion.
Record in the deployment tracker:
- Date and time of successful first login
- MFA method enrolled
- Any issues encountered and resolutions
- User confirmation of access to required systems

Phase 6: Essential training delivery

Emergency staff receive abbreviated training focused on immediate operational needs. Full training follows when the emergency stabilises.

Provide the emergency quick-reference guide.
The guide covers:
- Password reset self-service URL
- MFA troubleshooting (lost phone, new device)
- Key applications and their URLs
- Data handling requirements (what can be stored where)
- Security essentials (phishing recognition, incident reporting)
- IT support contact information
Deliver as PDF and send to user’s new email address.
Complete mandatory security acknowledgement.
Emergency staff must acknowledge:
- Acceptable use policy
- Data protection responsibilities
- Incident reporting requirements
Use a simplified electronic acknowledgement rather than the full onboarding training. Record acknowledgement in HR or training system.
Schedule full onboarding training for post-emergency.
Add the user to the standard onboarding training queue with a delayed start date matching expected emergency conclusion. Training requirements remain pending but do not block emergency access.

Verification

After completing provisioning, verify each component:

Component	Verification method	Expected result
Account exists	Query identity provider	User appears with correct attributes
Group membership	Check user groups	Template groups and emergency-response group present
Licence assignment	Check licence status	Appropriate licence assigned
MFA enrolled	Check authentication methods	At least one MFA method registered
Device enrolled	Query MDM	Device shows compliant, assigned to user
Email access	User confirmation	User can send and receive email
Application access	User confirmation	User can access required applications
Expiry configured	Check account properties	Account expires on deployment end date

Run the verification checklist for each provisioned user:

# Comprehensive verification script
$user = Get-MgUser -UserId "firstname.lastname@example.org" -Property *
$groups = Get-MgUserMemberOf -UserId $user.Id
$licences = Get-MgUserLicenseDetail -UserId $user.Id
$authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"

Write-Host "User: $($user.DisplayName)"
Write-Host "Account enabled: $($user.AccountEnabled)"
Write-Host "Account expires: $($user.AccountExpires)"
Write-Host "Groups: $($groups.Count)"
Write-Host "Licences: $($licences.SkuPartNumber -join ', ')"
Write-Host "Auth methods: $($authMethods.Count)"
Write-Host "Devices: $($devices.Count)"
Write-Host "Device compliance: $($devices.ComplianceState)"

All verification checks must pass before marking provisioning complete. Document any exceptions with justification and remediation timeline.

Timeline comparison

Emergency provisioning compresses standard timelines through parallel execution and pre-configuration:

STANDARD ONBOARDING (3-5 business days)
|
Day 1     Day 2     Day 3     Day 4     Day 5
|---------|---------|---------|---------|---------|
[HR verification      ]
          [Account creation]
                    [Licence assignment]
                    [Device procurement  ]
                              [Device config]
                                        [Training]
                                        [Go-live]

EMERGENCY PROVISIONING (2-4 hours)
|
Hour 0    Hour 1    Hour 2    Hour 3    Hour 4
|---------|---------|---------|---------|---------|
[HR confirm] (pre-verified via surge roster)
[Account from template]
[Pre-staged device allocation]
[Credential delivery]
          [First login + MFA enrollment]
                    [Essential training]
                    [Go-live]

Target times for emergency provisioning:

Activity	Target duration	Maximum duration
Account creation	10 minutes	20 minutes
Device allocation	15 minutes	30 minutes
Credential delivery	15 minutes	45 minutes
First login and MFA	30 minutes	60 minutes
Essential training	20 minutes	45 minutes
Total per user	90 minutes	3 hours

For multiple simultaneous deployments, parallelize account creation across IT staff. One administrator can provision 8-10 accounts per hour using templates.

Transition to standard access

Emergency provisioning creates accounts with temporary configurations that must transition to standard access when the emergency stabilises.

Schedule transition reviews at 30, 60, and 90 days after deployment:

30-day review:

Confirm deployment continuing
Extend account expiry if needed
Address any access gaps identified during operations
Schedule full onboarding training

60-day review:

Complete full onboarding training
Review access against actual role (adjust if role evolved)
Transition from emergency groups to standard groups if appropriate

90-day review:

Determine ongoing employment status
Convert to permanent account or initiate offboarding
Remove emergency-specific access
Complete full asset assignment documentation

To transition an account from emergency to standard configuration:

# Remove from emergency template group
Remove-MgGroupMember -GroupId $emergencyTemplateGroupId -DirectoryObjectId $userId

# Add to standard role group
Add-MgGroupMember -GroupId $standardRoleGroupId -DirectoryObjectId $userId

# Update employee type
Update-MgUser -UserId $userId -EmployeeType "Employee"

# Extend or remove expiry
Update-MgUser -UserId $userId -AccountExpires $null  # Remove expiry for permanent
# OR
Update-MgUser -UserId $userId -AccountExpires (Get-Date).AddDays(365)  # Extend

De-provisioning at emergency end

When deployments conclude, de-provision emergency access promptly to prevent orphaned accounts.

Run weekly reports during active emergencies to identify:

Accounts past their expiry date
Accounts for staff who have departed (cross-reference with HR)
Devices not synced in 14+ days

For concluded deployments:

Obtain confirmed list of staff whose deployment has ended.
Source this from HR or the emergency coordinator. Do not rely solely on account expiry dates.
Disable accounts immediately upon deployment end confirmation.

   Update-MgUser -UserId $userId -AccountEnabled:$false

Retain disabled accounts for 30 days before deletion.
This allows recovery if the departure was reported in error or the staff member is redeployed.
Recover devices when staff return or redeploy.
Track device status in asset management. For staff not returning to a location where devices can be collected:
- Remote wipe if device contains sensitive data
- Arrange courier return for device recovery
- Write off if recovery cost exceeds device value
Transfer to standard offboarding after 30-day retention.
Follow User Offboarding for account deletion, email handling, and data retention.

Pre-staging emergency device kits

Maintain a stock of pre-configured emergency device kits to eliminate procurement delays during surge activations. The quantity depends on organisation size and emergency response frequency.

Recommended stock levels:

Organisation profile	Minimum stock	Recommended stock
Single country, small	5 devices	10 devices
Single country, medium	10 devices	20 devices
Multi-country, regional	15 devices per region	25 devices per region
Global operations	50 devices at HQ + 10 per region	100 devices at HQ + 20 per region

Pre-configuration requirements:

Each device in emergency stock must be:

Enrolled in MDM with baseline policies applied
Encrypted (BitLocker, FileVault, or equivalent)
Updated to current OS patch level (refresh monthly)
Configured with standard applications
Stored securely with tamper-evident seals

Monthly maintenance for emergency stock:

Power on each device and connect to network
Allow MDM policy sync and software updates
Verify compliance status in MDM console
Replace batteries in accessories if applicable
Verify kit contents against checklist
Reseal and return to secure storage

Document maintenance in the asset management system to ensure audit trail.

Troubleshooting

Symptom	Cause	Resolution
User cannot sign in with temporary password	Password expired or typed incorrectly	Reset password in admin console; regenerate and re-deliver
MFA enrollment fails	Temporary Access Pass expired or already used	Generate new TAP; verify one-time setting if repeatedly failing
Device shows non-compliant in MDM	Policy not synced or compliance violation	Force sync from MDM console; check specific compliance failures
User cannot access expected application	Group membership missing or licence not assigned	Verify template applied correctly; manually add missing groups
Device not appearing in MDM	Device not enrolled or enrollment failed	Re-enroll device; verify MDM agent installed
Email not provisioning	Licence assignment delay or mailbox not created	Wait 15-30 minutes; force licence reassignment if persistent
User locked out after MFA setup	Authenticator misconfigured or time drift on device	Use break-glass process to bypass MFA; re-enroll MFA method
Pre-staged device encrypted without known key	Previous user or misconfigured pre-staging	Recover key from MDM if escrowed; otherwise reimage device
Cannot reach user to deliver credentials	Contact information outdated or user in transit	Contact HR for alternate contact; hold credentials for user to collect
Field office has no internet for first login	Connectivity not available at deployment location	Configure device for offline domain join if available; delay provisioning until connectivity
Template missing required application access	Template outdated or application added after template creation	Update template; manually add application to user
Account shows disabled after creation	Conflicting automation or duplicate detection	Check for automation rules; verify account not flagged as duplicate

Device enrollment recovery

If a pre-staged device fails MDM enrollment or shows as unenrolled:

# Check enrollment status
Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq 'ABC123'"

# If not found, device needs re-enrollment
# For Windows Autopilot-registered devices, reset and re-deploy:
# 1. Factory reset the device
# 2. Connect to network during OOBE
# 3. Device should auto-enroll via Autopilot

# For manually enrolled devices:
# 1. Open Settings > Accounts > Access work or school
# 2. Remove existing enrollment if present
# 3. Connect to work or school account
# 4. Complete enrollment wizard

Break-glass access for provisioning systems

If the identity provider admin console is unavailable during an emergency:

Use break-glass administrator account (see Emergency Access)
If break-glass account also unavailable, contact identity provider support with emergency escalation
Document incident and restore normal admin access as soon as possible

For extended outages, consider:

Requesting temporary admin access from partner organisation
Using backup identity provider if configured
Deploying local accounts as last resort (requires later migration)