The first 60 minutes of a new employee’s first day at your company set the tone for everything that follows — and IT is responsible for almost all of it. A laptop that is not ready, a missing M365 license, an MFA enrollment that requires a 30-minute helpdesk ticket, or a Slack/Teams account that has not been created yet, all generate the same impression: “this place isn’t ready for me.” This guide is the practical 2026 checklist for IT-side employee onboarding — security-first, repeatable, automated where it should be, and personal where it has to be.

The Pre-Day-1 Checklist (T-7 Days to T-1 Day)
| Day | Owner | Action |
|---|---|---|
| T-7 | HR | Send IT the new-hire intake form: legal name, role, manager, start date, location, hardware preference, accessibility needs |
| T-7 | IT | Order hardware if not in stock; image laptop from gold image; generate temporary access pass |
| T-5 | IT | Create Entra ID / AD account; assign group memberships per role-based access matrix |
| T-5 | IT | Provision M365 / Google Workspace license; enable mailbox; assign phone extension |
| T-3 | IT | Provision SaaS apps per role; confirm SSO works |
| T-2 | IT | Enroll laptop in MDM/Intune; deploy required apps; verify EDR is reporting |
| T-1 | IT | Test login end-to-end with test user; verify MFA prompts; print welcome instructions |
| T-1 | HR + Manager | Confirm logistics: laptop pickup or shipment, badge, parking, first-day schedule |
Day 1 — The 60-Minute Onboarding Window
- Welcome and laptop pickup. 10 minutes.
- First login + MFA enrollment. 15 minutes via temporary access pass.
- Email and calendar walkthrough. 10 minutes.
- Collaboration tools. 10 minutes (Teams or Slack, OneDrive or Drive, project tracker).
- Security awareness brief. 10 minutes (phish-report button, helpdesk contact).
- First helpdesk ticket. 5 minutes — open and close one ticket so they know the flow.

Role-Based Access — The Access Matrix
| Role | M365 License | Identity Groups | SaaS Apps | Shared Drives |
|---|---|---|---|---|
| Sales Rep | Business Premium | All-Hands, Sales | CRM, Sales Nav, Calendar tool | Sales / Public |
| Engineer | E3 | All-Hands, Engineering | GitHub, Jira, Slack, dev tools | Engineering / Public |
| Finance | Business Premium | All-Hands, Finance (privileged) | ERP, banking portal (MFA required) | Finance / Public |
| Marketing | Business Premium | All-Hands, Marketing | Marketing automation, design tools, analytics | Marketing / Public |
| HR | Business Premium | All-Hands, HR (privileged) | HRIS, payroll, ATS | HR / Public |
Every “exception” added at onboarding becomes permanent technical debt. Push back on one-off access requests; if a role pattern is wrong, fix the role pattern.
Security Defaults Every New Hire Needs
- MFA enrollment with a strong factor. Authenticator + number matching at minimum; FIDO2 key for any admin or finance role.
- Compliant device. Laptop enrolled in Intune / MDM, EDR installed and reporting, disk encryption verified.
- Conditional access policies applied. Block legacy auth, require compliant device for sensitive apps.
- Least-privilege access. No shared admin credentials, no “everyone can edit everything” file shares.
- Awareness training assigned and tracked. First training module due in week 1.
- Phish-report button installed. Tested with a benign internal message.
- Saved-password and SSO discipline. Browser password manager configured or company password manager provisioned.
Common Onboarding Failure Modes

- HR did not notify IT until day-of; no time to provision properly
- Manager did not specify the role; IT defaulted to “all access” instead of role-based
- License inventory not maintained; new license purchase delayed activation
- MFA not enrolled on day 1; user works without it and never goes back
- EDR not deployed; helpdesk discovers it during first incident
- Welcome email never sent; user does not know who to ask for help
- SaaS apps provisioned but SSO never tested; user cannot log in
- Onboarding instructions live in someone’s email and not in a runbook
Automation — Where It Pays Back
| Step | Manual | Automated |
|---|---|---|
| Identity provisioning | 30–60 min per hire | 2–5 min via HRIS-to-Entra/Okta sync |
| SaaS app provisioning | 10–20 min per app | 1–2 min via SSO/SCIM auto-provisioning |
| Hardware imaging | 1–2 hours per laptop | Autopilot / Apple Business Manager: zero-touch |
| App deployment | 30 min via helpdesk | 0 min via Intune deployment profiles |
| Onboarding ticket creation | 5–10 min per hire | Auto-created from HRIS event |
Frequently Asked Questions
Should new hires use a temporary password?
Use a Microsoft Entra Temporary Access Pass (TAP) instead. It allows MFA enrollment without a permanent password ever existing. Same principle applies in Okta and Google Workspace.
What if the new hire is remote?
Ship the laptop with Autopilot pre-configured so the user gets a guided enrollment on first boot. Schedule a 30-minute video call for the day-1 walkthrough. Mail or courier any FIDO2 keys separately.
Who owns onboarding when there is no dedicated HR team?
The hiring manager. They confirm role, start date, hardware needs, access requests. IT executes from a manager-driven intake template.
Bottom Line
Good IT onboarding is the cheapest employee-experience investment available. Build the access matrix, automate the high-volume steps, write the day-1 runbook, and treat first-day failures as production incidents worth post-mortem.
Need help building or automating your onboarding flow? ACS designs IT onboarding programs for U.S.-based SMBs and mid-market firms. Contact us.



