User Onboarding

User onboarding provisions the IT accounts, access rights, devices, and security credentials that new staff members require to perform their roles. The procedure spans identity creation in the directory service, assignment to appropriate groups based on job function, provisioning of email and collaboration tools, allocation of application-specific access, device configuration, and enrollment in multi-factor authentication. A complete onboarding produces a staff member who can authenticate to all required systems on their first working day with appropriate access levels and functioning equipment.

The onboarding procedure begins when HR confirms the new hire and provides start date, job title, department, reporting manager, and work location. IT provisioning runs in parallel with other onboarding activities and completes before the staff member’s first day. For standard hires with 5 or more working days notice, all provisioning completes 24 hours before start date. For urgent hires with less than 5 days notice, core access (identity, email, essential applications) completes by start of first day with remaining access following within 48 hours.

Prerequisites

The following information and approvals must be in place before starting the onboarding procedure.

Required information

The access request form (see template below) captures all required information. HR initiates this form during the hiring process. The form requires:

Personal details for identity creation: legal first name, legal surname, preferred display name if different, personal email address for pre-start communication, mobile phone number for MFA enrollment.

Employment details for access determination: job title, department, cost centre, reporting manager, employment type (permanent, fixed-term, intern), contracted hours (full-time or part-time percentage), start date, end date if fixed-term, primary work location (office, field site, or remote).

Access requirements for provisioning scope: role template if one exists for this job title, specific applications required beyond role template, data classification level for role (standard, confidential, highly confidential), whether the role requires privileged access to any systems.

Required approvals

The reporting manager approves the access request form, confirming the access requirements match the job responsibilities. For roles requiring access to confidential or highly confidential data, the data owner for each relevant dataset provides secondary approval. For roles requiring privileged access, the IT security lead provides secondary approval.

System readiness

Before provisioning, verify the following systems are accessible and functioning:

The identity provider (Keycloak, Microsoft Entra ID, or equivalent) accepts new user creation and the appropriate organisational unit exists for the user’s department. The email system has available licences and the appropriate mailbox type (shared, user, or resource) is clear. The collaboration platform has available licences. All applications listed in the access requirements are operational and accepting new user provisioning. Device stock includes an appropriate device for the role and work location, or a purchase order is in progress with delivery before start date.

Procedure

Create identity record

1. Create the user account in the identity provider.

   In Keycloak, navigate to the appropriate realm, select Users, and click Add User. Enter the username following the organisational standard (typically firstname.surname). Set email to the organisational email address that will be created. Enable Email Verified since you control the email domain. Set Required User Actions to include Update Password if using password-based initial authentication.

   Username: amara.okonkwo
   Email: amara.okonkwo@example.org
   Email Verified: ON
   First Name: Amara
   Last Name: Okonkwo
   Required User Actions: Update Password

In Microsoft Entra ID, navigate to Users > New User > Create User. Select the appropriate domain suffix. Set the display name to the preferred name, the user principal name to the standard format, and generate a temporary password.

   New-MgUser -DisplayName "Amara Okonkwo" `
     -UserPrincipalName "amara.okonkwo@example.org" `
     -MailNickname "amara.okonkwo" `
     -Department "Programmes" `
     -JobTitle "Programme Officer" `
     -UsageLocation "GB" `
     -PasswordProfile @{
       Password = (New-Guid).ToString().Substring(0,16) + "!Aa1"
       ForceChangePasswordNextSignIn = $true
     } `
     -AccountEnabled $true

Record the temporary password securely for transmission to the new staff member.

2. Set user attributes for access control and directory information.

   Populate the attributes that drive group membership and appear in the directory:

   Department: Programmes
   Job Title: Programme Officer
   Manager: james.mensah@example.org
   Office: Nairobi
   Employee Type: permanent
   Cost Centre: PRG-001
   Start Date: 2025-02-03

These attributes feed dynamic group membership rules and appear in the organisational directory. The Manager attribute enables approval workflows and delegation of authority.

3. Assign the user to groups based on role template.

   The role template defines which groups a job title receives by default. For a Programme Officer in the Programmes department, the template specifies:

   Group	Purpose	Access granted
   all-staff	Base access	Intranet, internal communications
   programmes-department	Department resources	Programme shared drives, department channels
   programmes-officers	Role-specific	Programme management system, M&E platform
   nairobi-office	Location-specific	Local printer, office WiFi, building systems

   Add the user to each group. In Keycloak, navigate to the user, select Groups, and click Join for each group. In Microsoft Entra ID, navigate to each group and add the user as a member, or wait for dynamic group rules to evaluate if using attribute-based membership.

   # Add to static groups
   $userId = (Get-MgUser -UserId "amara.okonkwo@example.org").Id
   Add-MgGroupMember -GroupId $allStaffGroupId -DirectoryObjectId $userId
   Add-MgGroupMember -GroupId $programmesDeptGroupId -DirectoryObjectId $userId
   Add-MgGroupMember -GroupId $nairobiOfficeGroupId -DirectoryObjectId $userId

4. Configure additional attributes for specific access requirements.

   For users requiring access beyond the role template, add the specific group memberships or attribute values that grant that access. Document the justification from the approved access request form.

   If the user requires access to confidential data classifications, verify the secondary approval from the data owner is recorded, then add the user to the appropriate data access group.

Provision email and collaboration

1. Create the mailbox and assign licence.

   For Microsoft 365, the licence assignment triggers mailbox creation automatically. Assign the appropriate licence tier based on role requirements:

   # Assign Microsoft 365 E3 licence
   Set-MgUserLicense -UserId "amara.okonkwo@example.org" `
     -AddLicenses @{SkuId = "05e9a617-0261-4cee-bb44-138d3ef5d965"} `
     -RemoveLicenses @()

For Google Workspace, create the user in the Admin Console or via API, which provisions the mailbox:

   gam create user amara.okonkwo@example.org \
     firstname Amara surname Okonkwo \
     password "$(openssl rand -base64 16)" \
     changepassword on \
     org "/Staff/Programmes"

For self-hosted mail (Mailcow, Mail-in-a-Box), create the mailbox through the administration interface, setting the quota appropriate for the role (standard: 10GB, managers: 25GB, executives: 50GB).

2. Configure mailbox settings.

   Set the display name that appears in the global address list. Configure the regional settings including time zone and date format. Set the default language based on user preference.

   For users who will receive email before their start date (for pre-start communications), configure an auto-reply indicating the start date:

   Thank you for your message. I will be joining [Organisation] on [Start Date]
   and will respond to your email after that date. For urgent matters before
   then, please contact [Manager Name] at [Manager Email].

3. Add to distribution lists and shared mailboxes.

   The role template specifies standard distribution list membership. For a Programme Officer:

   • programmes-all@example.org (department distribution list)
   • nairobi-office@example.org (location distribution list)
   • programme-updates@example.org (functional mailing list)

   If the role requires access to shared mailboxes (such as a programme inbox), grant the appropriate permission level (read-only, send-as, or full access) as specified in the access request.

4. Provision collaboration platform access.

   For Microsoft Teams, the licence assignment makes the user available in Teams. Add the user to the appropriate teams based on role template:

   # Add to Programmes team as member
   Add-MgTeamMember -TeamId $programmesTeamId `
     -Roles @("member") `
     -AdditionalProperties @{
       "@odata.type" = "#microsoft.graph.aadUserConversationMember"
       "user@odata.bind" = "https://graph.microsoft.com/v1.0/users/$userId"
     }

For Slack, invite the user to the workspace and add to the default channels for their department. For Mattermost, create the user account and add to the appropriate teams and channels.

For shared file storage (SharePoint, Google Drive, Nextcloud), the group membership configured earlier provides access to departmental and team folders. Verify the user appears in the appropriate folder permissions.

Provision application access

1. Identify required applications from role template and access request.

   The role template lists standard applications for the job title. The access request form lists additional applications beyond the template. Compile the complete list:

   Application	Access level	Provisioning method
   Programme management system	Standard user	Group membership (programmes-officers)
   M&E platform	Data entry	Group membership (programmes-officers)
   Finance system	View own cost centre	Manual provisioning with approval
   CRM	Contact management	SSO auto-provisioning on first login
   Data collection platform	Project admin	Manual role assignment

2. Provision SSO-integrated applications.

   Applications integrated with the identity provider via SAML or OIDC provision access automatically based on group membership or on first login. Verify the user’s group memberships will grant access, then no manual provisioning is required.

   For applications using SCIM (System for Cross-domain Identity Management), the user creation in the identity provider triggers automatic provisioning. Verify the user appears in the application within 15 minutes.

3. Provision applications with manual user management.

   For applications not integrated with SSO, create the user account directly in the application. Use the same username format as the primary identity where possible. For applications requiring email-based accounts, use the primary organisational email.

   Application: Data Collection Platform
   Username: amara.okonkwo
   Email: amara.okonkwo@example.org
   Role: Project Administrator
   Projects: [Assigned by programme manager after start]

Generate a temporary password and record it for secure transmission with other credentials.

4. Request privileged access where required.

   For roles requiring administrative access to any system, submit the privileged access request following the separate privileged access workflow. Do not provision administrative access through the standard onboarding process. Document that privileged access provisioning is pending and will complete after the user completes required training.

Allocate and configure device

1. Select appropriate device from inventory.

   Match the device specification to the role requirements and work location:

   Role type	Device specification	Rationale
   Office-based standard	Laptop, standard spec	General productivity
   Field-based	Laptop, ruggedised or SSD-only	Durability, offline use
   Data-intensive	Laptop, high spec	Processing capacity
   Mobile data collection	Tablet + keyboard case	Portability, touch interface
   Shared device context	Configured for shared use	Multi-user field locations

   Retrieve the device from inventory, recording the asset tag, serial number, and model against the user record.

2. Enroll device in mobile device management.

   Before configuring the device for the user, ensure it is enrolled in the MDM platform (Microsoft Intune, Jamf, or equivalent). New devices from vendor should arrive pre-enrolled. For devices from stock, verify enrollment status:

   # Check Intune enrollment status
   Get-MgDeviceManagementManagedDevice | Where-Object {
     $_.SerialNumber -eq "SERIAL123456"
   } | Select-Object DeviceName, EnrollmentState, ComplianceState

If not enrolled, initiate enrollment following the MDM enrollment procedure. Device enrollment must complete before user assignment.

3. Assign device to user in MDM.

   Associate the device with the user account. This assignment determines which policies apply and enables user-specific configuration:

   # Assign primary user in Intune
   $device = Get-MgDeviceManagementManagedDevice | Where-Object {
     $_.SerialNumber -eq "SERIAL123456"
   }

   Update-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id `
     -UserPrincipalName "amara.okonkwo@example.org"

4. Configure device for user.

   For devices using Autopilot or zero-touch enrollment, configuration completes automatically when the user first signs in. The device downloads policies, installs required applications, and applies security configurations.

   For devices requiring manual configuration, sign in with the user’s credentials (or a provisioning account that will be removed), allow policy synchronisation to complete, and verify installed applications match the required list. Install any applications not deployed via MDM.

   Configure device-specific settings:

   • Set the device name to include user identifier and asset tag: NBO-AOKONKWO-L4521
   • Verify full-disk encryption is enabled and recovery key is escrowed
   • Confirm endpoint protection is installed and reporting healthy
   • Test VPN or ZTNA client connectivity if required for role

5. Prepare device for handover.

   Sign out of any provisioning accounts. Clear browser data if any test logins were performed. Apply asset label with asset tag number. Package device with power adapter and any accessories (dock, mouse, headset as appropriate for role).

   Create a device setup sheet including:

   • WiFi network name and instructions for connecting
   • VPN client instructions if applicable
   • First login instructions
   • Password and MFA setup instructions
   • IT support contact information

Enroll in multi-factor authentication

1. Determine MFA method based on work context.

   The default MFA method depends on the user’s work location and device access:

   Context	Primary MFA method	Backup method
   Office-based, smartphone user	Authenticator app (TOTP)	Hardware token
   Field-based, smartphone user	Authenticator app (TOTP)	SMS (if network available)
   Field-based, no personal smartphone	Hardware token (FIDO2)	Backup codes
   Shared device context	Hardware token (FIDO2)	Backup codes

2. Prepare MFA enrollment materials.

   For authenticator app enrollment, no hardware is needed; the user enrolls using their personal smartphone during first login.

   For hardware token enrollment, retrieve a token from inventory. Record the serial number against the user record. For FIDO2 tokens (YubiKey or similar), no pre-configuration is needed; the user registers the token during enrollment.

   For backup codes, these generate during the enrollment process.

3. Configure conditional access for first login.

   The user’s first login must be possible before MFA is fully enrolled. Configure a time-limited exception or use a registration flow that allows initial authentication with password only:

   Conditional Access Policy: MFA Enrollment Grace Period
   Users: New users (employment start date within 7 days)
   Applications: MFA Registration Portal
   Grant: Allow without MFA
   Session: Sign-in frequency 1 hour

This policy allows new users to access the MFA registration portal without existing MFA, with a short session to complete enrollment promptly.

4. Document enrollment instructions for user.

   Include MFA enrollment instructions in the welcome materials:

   Multi-Factor Authentication Setup

   You must enable MFA within 24 hours of your first login.

   1. Sign in to https://account.example.org
   2. Navigate to Security > Multi-Factor Authentication
   3. Click "Add method" and select "Authenticator app"
   4. Open your authenticator app (Microsoft Authenticator, Authy,
      or any TOTP app) and scan the QR code
   5. Enter the 6-digit code displayed in your app to confirm
   6. Click "Add method" again and select "Backup codes"
   7. Download and store your backup codes securely

   Contact IT support if you need a hardware token instead of
   an authenticator app.

Complete security requirements

1. Verify security awareness training is scheduled.

   New staff must complete security awareness training within 14 days of start date. Verify the training platform (KnowBe4, or equivalent) has the user enrolled and the training assignment is active.

   For users starting before the next scheduled training cohort, enrol them in the self-paced online module with completion deadline of 14 days from start.

2. Configure data handling acknowledgment requirement.

   Users accessing confidential or highly confidential data must acknowledge data handling requirements before access activates. Configure the acknowledgment workflow:

   • On first login to systems containing protected data, present the data handling agreement
   • Require explicit acknowledgment before proceeding
   • Log the acknowledgment with timestamp for compliance records

3. Apply acceptable use policy acknowledgment.

   The acceptable use policy acknowledgment is required for all users. This acknowledgment typically presents during first login to the primary collaboration platform or intranet.

Communicate with new staff member

1. Send pre-start welcome communication.

   Send welcome email to the personal email address 3-5 days before start date. Include:

   • Confirmation of IT setup completion
   • Instructions for collecting device (if office-based) or delivery tracking (if remote)
   • First login instructions
   • Temporary password (if not using passwordless)
   • IT support contact for first-day issues

   Subject: Welcome to [Organisation] - Your IT Setup is Ready

   Dear Amara,

   Welcome to [Organisation]. Your IT access is ready for your start
   on Monday 3 February.

   Your username is: amara.okonkwo@example.org
   Your temporary password is: [sent separately for security]

   On your first day:
   1. Collect your laptop from IT (Room 204) or [delivery instructions]
   2. Sign in using your username and temporary password
   3. Follow the prompts to set your permanent password
   4. Complete MFA enrollment when prompted

   If you have any questions before you start, contact IT support at
   it-support@example.org or +44 20 7123 4567.

   We look forward to working with you.

   IT Team

2. Send temporary password securely.

   Send the temporary password through a separate channel from the username to reduce interception risk. Options:

   • SMS to mobile number on file
   • Separate email with password only (no username)
   • Encrypted email if user has existing encryption capability
   • Phone call for high-risk contexts

3. Brief first-day support.

   Notify the IT service desk of the new starter, start date, and any special requirements. Include:

   • User name and contact details
   • Device allocated (for recognition at pickup)
   • Any known issues or special configurations
   • Escalation contact if complex issues arise

Verification

After completing the onboarding procedure, verify all components are functioning before the user’s first day.

Identity verification

Confirm the user account exists and has correct attributes:

# Microsoft Entra ID verification
Get-MgUser -UserId "amara.okonkwo@example.org" | Select-Object `
  DisplayName, UserPrincipalName, Department, JobTitle, `
  AccountEnabled, CreatedDateTime

# Expected output:
# DisplayName      : Amara Okonkwo
# UserPrincipalName: amara.okonkwo@example.org
# Department       : Programmes
# JobTitle         : Programme Officer
# AccountEnabled   : True
# CreatedDateTime  : 2025-01-29T10:30:00Z

Verify group memberships match the role template:

Get-MgUserMemberOf -UserId "amara.okonkwo@example.org" | Select-Object `
  @{N='GroupName';E={(Get-MgGroup -GroupId $_.Id).DisplayName}}

# Expected: all-staff, programmes-department, programmes-officers, nairobi-office

Email verification

Send a test email to the new address and verify delivery:

echo "Mailbox test - please ignore" | mail -s "Test" amara.okonkwo@example.org

Check the mailbox via admin portal or EWS/Graph API to confirm the message arrived.

Application access verification

For each application in the access list, verify the user can authenticate:

For SSO applications, simulate the SSO flow (or verify group membership grants access). For non-SSO applications, confirm the user account exists with correct role assignment.

Document verification results:

Device verification

Power on the device and verify:

• Operating system boots without errors
• Device name is set correctly
• Encryption status shows enabled:

  # Windows BitLocker verification
  manage-bde -status C:
  # Expected: Protection Status: Protection On

• MDM enrollment shows compliant:

  Get-MgDeviceManagementManagedDevice | Where-Object {
    $_.UserPrincipalName -eq "amara.okonkwo@example.org"
  } | Select-Object DeviceName, ComplianceState

  # Expected: ComplianceState: Compliant

• Required applications are installed
• Network connectivity works (WiFi and VPN/ZTNA if applicable)

Troubleshooting

First-day checklist

The service desk uses this checklist to confirm successful onboarding when the user contacts IT on their first day:

First-Day Verification Call

User: ____________________  Date: ____________

[ ] User can sign in to primary device
[ ] User has set permanent password
[ ] User has enrolled in MFA
[ ] User can access email and send test message
[ ] User can access collaboration platform (Teams/Slack/etc.)
[ ] User can access intranet
[ ] User can access role-specific applications (list below)
    [ ] Application 1: ________________
    [ ] Application 2: ________________
    [ ] Application 3: ________________
[ ] User knows how to contact IT support
[ ] User is aware of security awareness training requirement

Issues identified: ________________________________________

Resolution: ______________________________________________

Completed by: ________________  Time: ____________

Access request form template

This template initiates the onboarding process. HR completes the form and routes to IT after manager approval.

Access Request Form: New Staff Member

Section 1: Personal Details

Section 2: Employment Details

Section 3: Access Requirements

Section 4: Justification for Non-Standard Access

If requesting access beyond the role template, provide business justification:

Section 5: Approvals

Section 6: IT Processing

See also

• Identity and Access Management for identity lifecycle concepts
• User Offboarding for departure procedures
• Role Change Processing for internal transfers
• Contractor and Temporary Access for non-permanent staff
• Access Control Standard for access policy framework
• MDM Rollout for device management setup