New Hire IT Onboarding Checklist for Growing Businesses

New hire starts Monday. Laptop's on the desk. Has anyone created the accounts, set access levels, enrolled the device in MDM, and documented what that person can actually see?

If you're running IT for a 50-to-150-person company without a dedicated IT director, there's a good chance some of those steps are getting done ad hoc — or skipped. The M365 account gets created. Email works. Done.

That's not done. It's just the beginning of the list.

According to IBM's 2025 Cost of a Data Breach report, compromised credentials take an average of 292 days to detect. That exposure window often starts the moment a new account gets created without proper access controls, MFA enforcement, or documentation of what the account can reach.

Here's what a proper IT onboarding checklist actually covers.


Before Day One

The worst IT onboarding starts on day one. By that point you're already behind.

The week before someone starts:

Create the M365 account and assign licenses. In Microsoft Entra ID, add the user to role-based security groups — not a blanket "all employees" group. Least-privilege assignment means this person gets access to what their job actually requires. That distinction matters. Research from Varonis found that 87 percent of organizations have sensitive files accessible to every employee by default. That problem starts at provisioning.

Order and prepare the device. A new hire getting a factory-fresh laptop on their first morning is a bad sign. The device needs to be ordered in advance, enrolled in your mobile device management platform (Microsoft Intune is standard for M365 shops), configured with endpoint protection, and encrypted before anyone logs in. On Windows that means BitLocker. On Mac, FileVault.

Set up email, distribution lists, and app licenses. Get the calendar sharing right. Provision the apps the role actually uses. The first week of someone's employment is a poor time to be chasing down access issues.


Day One: What Should Already Be Done

When the new hire sits down, these should be confirmed:

  • M365 email and Teams active, login tested
  • MDM enrollment confirmed (device visible in your management console)
  • BitLocker or FileVault encryption verified
  • VPN configured if your environment uses one
  • Password manager account created and provisioned
  • Security awareness training invitation sent

That last one disappears more often than any other item. Phishing is still the most common attack vector for businesses of every size. A new employee who hasn't gone through a phishing simulation is a live target starting day one.
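The day-one device items above can be confirmed with a script instead of by eye. This is an added example, not part of the original article: run it elevated on the new hire's Windows laptop (Mac/FileVault is out of scope here). It assumes the device is Microsoft Entra joined and enrolled in Intune; the check names are illustrative.

```powershell
# Added example (not from the original article): confirm the day-one checklist
# items that can be verified locally on a Windows device. Assumes an Entra-joined,
# Intune-enrolled laptop; run from an elevated PowerShell session.
$results = [ordered]@{}

# 1. Disk encryption: the OS drive must be fully encrypted AND protection must be on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker'] = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')

# 2. Endpoint protection: Defender service and real-time protection both running.
$mp = Get-MpComputerStatus
$results['Defender'] = ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)

# 3. Identity and MDM state as reported by dsregcmd (Entra join + an MDM enrollment URL).
$dsreg = dsregcmd /status
$results['EntraJoined'] = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$results['MdmEnrolled'] = [bool]($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*https://')

# 4. Intune enrollment record in the registry (Intune's ProviderID is "MS DM Server").
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
$results['IntuneEnrollment'] = [bool]$enrollments

# Print a pass/fail table; exit non-zero if anything failed so the script can
# gate the "device confirmed in management console" item on the checklist.
$results.GetEnumerator() | ForEach-Object {
    '{0,-18} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on BitLocker or MdmEnrolled is a stop sign: the device should not be handed over until the item is fixed and the script passes.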


MFA Enrollment

Multi-factor authentication on every account. No exceptions, no grace periods.

For Microsoft 365 environments, Entra ID now supports passkey registration campaigns — meaning you can push phishing-resistant FIDO2 credentials to new users at setup time. Passkeys are meaningfully stronger than app-based MFA because they eliminate the push-fatigue and SIM-swap attacks that beat standard Authenticator codes. If passkeys aren't practical for your environment yet, Authenticator app MFA is still far ahead of nothing.

Worth knowing: Microsoft is enforcing MFA for all Azure portal access starting October 2026. Building the habit now is better than scrambling in Q3.
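"MFA on every account" is only true once you have checked what the user actually registered. The following is an added example, not code from the article: after the new hire's first sign-in it reads their registered authentication methods through the Microsoft Graph PowerShell SDK and reports whether a passkey, an Authenticator app, or nothing strong is present. The UPN is a constructed placeholder.

```powershell
# Added example (not from the original article): verify a new hire's registered
# MFA methods via Microsoft Graph. Requires the Microsoft.Graph PowerShell SDK and
# an account allowed to read authentication methods. UPN below is a placeholder.
param([string]$Upn = 'new.hire@example.com')
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All' -NoWelcome

# Each method object carries its concrete type in '@odata.type'.
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
$types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

# Phishing-resistant (FIDO2 passkey) beats Authenticator app beats phone/email fallbacks.
$passkey       = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
$authenticator = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$weak          = $types | Where-Object { $_ -match 'phoneAuthenticationMethod|emailAuthenticationMethod' }

if ($passkey) {
    "$Upn : passkey (FIDO2) registered - phishing resistant"
} elseif ($authenticator) {
    "$Upn : Authenticator app only - acceptable; schedule passkey enrollment"
} else {
    # Password only (or a temporary access pass): treat the checklist item as not done.
    "$Upn : NO strong MFA method registered - follow up before granting further access"
    exit 1
}
if ($weak) { "Note: weaker fallback methods also registered: $($weak -join ', ')" }
```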


Access Controls: The Part That Actually Creates Risk

This is where provisioning mistakes compound.

The path of least resistance is to copy the previous person in the role, or drop the new hire into a broad access group because it's faster. That approach gets the account working but doesn't account for what the person actually needs.

The Varonis 2021 Data Risk Report found the average organization has roughly 1,800 user accounts with passwords that never expire and around 15,000 inactive ghost accounts left over from past employees. That's not just an enterprise-scale problem. It's what happens when companies don't document what access they granted at hire, so there's nothing specific to remove when someone leaves.

At provisioning:

  • Document exactly what access is being granted. Which SharePoint sites, which drives, which systems
  • Review whether the role actually needs that access, or just whether it's convenient
  • Keep that record somewhere retrievable. Not a sticky note

That documentation is also what you hand to IT when the person eventually leaves. We covered what a clean offboarding process looks like in IT Offboarding Checklist: What to Do When an Employee Leaves.
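The "Before Day One" provisioning steps and the access documentation above are really one operation: grant only the role's groups, and write down what was granted while you still know. This added example (not the article's own code) does both with the Microsoft Graph PowerShell SDK: it creates the M365 account from a reviewed role template, adds exactly those security groups, assigns the license, and writes a JSON access record for offboarding. The role templates, group names, UPN, file share and license choice are constructed placeholders.

```powershell
# Added example (not from the original article): least-privilege provisioning plus an
# access record. Requires the Microsoft.Graph PowerShell SDK. Role templates, group
# names, UPN and the record share are constructed placeholders.
param(
    [string]$DisplayName = 'Jordan Doe',
    [string]$Upn         = 'jordan.doe@example.com',
    [string]$Role        = 'SalesRep',
    [string]$RecordDir   = '\\fileserver\it\access-records'   # hypothetical share
)
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

# Role template: the reviewed set of groups for each job role. Deliberately no
# "all employees" catch-all; a role with no template cannot be provisioned.
$RoleTemplates = @{
    SalesRep = @('sg-sales-reps', 'sg-crm-users', 'sg-vpn-users')
    Finance  = @('sg-finance', 'sg-erp-users', 'sg-vpn-users')
}
if (-not $RoleTemplates.ContainsKey($Role)) { throw "No reviewed template for role '$Role'" }

# Create the account with a one-time password that must be changed at first sign-in.
$tempPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
$user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $Upn `
    -MailNickname ($Upn.Split('@')[0]) -AccountEnabled -UsageLocation 'US' `
    -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = $tempPassword }

# Assign Microsoft 365 Business Premium (Microsoft's SKU part number for it is SPB).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPB'
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Add the user to exactly the template's groups and capture each grant.
$granted = foreach ($name in $RoleTemplates[$Role]) {
    $group = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $group) { Write-Warning "Group $name not found; skipping"; continue }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    [pscustomobject]@{ Group = $name; GroupId = $group.Id }
}

# Access record: what was granted, under which template, by whom and when.
$record = [ordered]@{
    UserPrincipalName = $Upn
    UserId            = $user.Id
    RoleTemplate      = $Role
    GrantedGroups     = $granted
    License           = $sku.SkuPartNumber
    ProvisionedBy     = (Get-MgContext).Account
    ProvisionedAt     = (Get-Date).ToString('o')
}
$record | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $RecordDir "$($Upn).json")
```

The JSON file is the "record retained for offboarding reference" item: removing the user from the listed GroupIds is then a mechanical step rather than a hunt.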


If You Run a Hybrid AD/Entra Environment

For companies running a mix of on-premises Active Directory and Microsoft Entra ID — common for businesses in the 50-to-200-person range that haven't fully moved to cloud-only — there's a change to know about before June 1, 2026.

Entra ID will block hard-matching a synced on-premises AD account to any cloud account that holds Entra administrative roles. This closes an attack path where someone with on-prem AD write access could hijack a privileged cloud account through directory sync manipulation.

If your environment is hybrid, your IT team needs to audit sync configurations before that date. The change can break account-provisioning workflows if you're not ready for it, and it's easy to miss because it affects setup steps that haven't changed in years.
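A concrete starting point for that audit, added here as an example rather than taken from the article: using the Microsoft Graph PowerShell SDK, list every account that holds an activated Entra directory role and whose object is synced from on-premises AD, since that is the combination the hard-match change concerns. It is read-only and assumes only the listed Graph scopes.

```powershell
# Added example (not from the original article): find directory-role holders that
# are synced from on-premises AD. Read-only; requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All' -NoWelcome

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$findings = foreach ($role in Get-MgDirectoryRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        # Only user principals can be synced accounts; skip groups and service principals.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId
        if ($u.OnPremisesSyncEnabled) {
            [pscustomobject]@{
                Role        = $role.DisplayName
                User        = $u.UserPrincipalName
                ImmutableId = $u.OnPremisesImmutableId   # the anchor hard-matching keys on
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Role, User | Format-Table -AutoSize
    "$(@($findings).Count) synced account(s) hold directory roles; review each before the change lands."
} else {
    'No synced accounts hold directory roles.'
}
```

Each row is an account whose provisioning and sync behaviour should be reviewed before the June 2026 date; an empty result means the change will not touch your privileged accounts.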


The Full Checklist

Before day one:

  • M365 account created, licenses assigned
  • Role-based security groups confirmed (not broad-access defaults)
  • Device ordered, enrolled in MDM
  • BitLocker or FileVault encryption enabled
  • App licenses provisioned
  • Email and distribution lists configured

Day one:

  • MFA enrollment (passkeys or Authenticator app)
  • VPN access tested
  • Password manager account active
  • Security awareness training invitation sent
  • Device confirmed in management console

Access documentation:

  • Specific permissions recorded (which systems, folders, and data)
  • Least-privilege review completed
  • Record retained for offboarding reference

What Separates Companies That Do This Well

The businesses that handle IT onboarding consistently have one thing in common: someone actually owns the process. Not "whoever's available that week." A defined workflow, applied the same way for the third hire of the year as for the first.

For a 35-person company, that consistency matters more than it does at a 3,500-person company. There's no IT director to catch gaps informally. There's no dedicated provisioning team doing access reviews. One skipped MFA enrollment, one over-provisioned SharePoint folder, one undocumented admin account — these don't stay theoretical for long.

The managed IT services cost that most businesses consider an overhead expense is, in part, the cost of having a process like this run the same way every time — for the 4th new hire and the 40th.


Frequently Asked Questions

How long should IT setup take for a new employee?

A documented process should take 2-3 hours of active work, mostly happening before day one. If setup is still happening on the first morning, there's no real process — someone is improvising. Device enrollment, account creation, and MFA setup should all be ready when the person walks in.

What's the biggest IT security mistake during new employee onboarding?

Over-provisioning access. Adding someone to a broad "all employees" group because it's faster than doing a role-based review creates exposure that's difficult to undo. When 87 percent of organizations have sensitive files accessible to every employee, that access problem almost always traces back to provisioning shortcuts taken at hire.

Does a 30-person company actually need MDM?

Yes, if employees are using company devices or accessing business data on personal ones. Microsoft Intune is included in many M365 Business Premium licenses. Without it, there's no reliable way to enforce device encryption, remotely wipe a lost device, or confirm that endpoint protection is actually running.

What's the difference between IT onboarding and HR onboarding?

HR onboarding covers payroll, benefits, policies, and paperwork. IT onboarding covers device setup, account creation, system access, and security configuration. They run in parallel but are separate checklists. Folding them into a single "new hire day" creates bottlenecks and increases the chance that IT steps get deprioritized.

Why does IT onboarding documentation matter at 40 employees?

Especially at 40 employees. A company that size doesn't have a dedicated IT team to catch provisioning gaps informally. Documentation is the substitute for institutional memory. When someone leaves six months later, that record is what separates a clean offboarding from a week-long hunt to figure out what accounts need to be deactivated.

If running through this checklist for every new hire feels like a lot to manage consistently, that's exactly the point. Talk to us about how a managed IT partner keeps this process running the same way for your 4th hire and your 40th.