IT Onboarding for New Employees: A Practical Checklist for Small Businesses

A poor IT onboarding experience costs you in two ways: it makes new employees less productive during a critical first week, and it creates security problems that can persist for years.

The productivity side is visible — a new hire waiting for email access, unable to access shared drives, or missing permissions for the tools they need. Every hour spent waiting is wasted.

The security side is less visible but often more consequential. When onboarding is informal, employees get more access than they need ("here's the admin password, you'll figure out what you need"). Shared credentials get handed over verbally. Access isn't documented, so offboarding is guesswork. The principle of least privilege — giving people access to what they need for their role and nothing more — gets ignored in the rush to get someone productive.

Good IT onboarding starts before the employee shows up. What needs to happen in advance: create the Microsoft 365 account and assign the appropriate license; configure the account settings (display name, job title, department, manager); add the user to the correct security groups and distribution lists; prepare the device (if company-owned) with Intune enrollment or manual setup; and create credentials for any business-specific applications the employee will need.

If you use Windows Autopilot or Intune, the device can be shipped directly to the employee and self-configure on first boot — downloading software, configuring settings, and joining the organization automatically. This eliminates manual device setup entirely.

Communicate to the employee what to expect: what their email address will be, whether they're bringing their own device or receiving one, what to do on day one.

The core day-one IT setup: walk through Microsoft 365 account setup (password, MFA enrollment, Authenticator app), email client configuration on their device, access to shared drives or SharePoint sites they'll use, Teams setup and relevant channels/groups, and any critical business application logins.

MFA setup should happen on day one, before the employee accesses any business systems. It takes 5 minutes and is significantly harder to mandate retroactively.

Document what access was granted. A simple spreadsheet or a column in your HR system recording the systems, groups, and roles assigned to each employee is sufficient for a small business. This documentation becomes your offboarding checklist when they leave.

The common small business approach to application access is to give everyone admin access to everything because it's easier. This is a security and compliance risk.

A better approach: define role-based access templates for common positions (office manager, sales rep, accountant, operations) that specify what groups, applications, and permission levels each role should have. New employees are provisioned from the template for their role.

This doesn't need to be elaborate. A one-page document listing each role and what access it includes is enough. The goal is consistency — the same role gets the same access, regardless of who processes the onboarding.

For Microsoft 365 specifically: most employees should not be global admins, Exchange admins, or SharePoint admins. Reserve administrative roles for the people who genuinely need them, and review those assignments quarterly.

Day one is the right time to cover basic security expectations: what to do if they receive a suspicious email, how to use the password manager, what the company policy is for personal device use and data handling, and how to report a potential security incident.

This doesn't need to be a formal training session. A 20-minute conversation covering phishing awareness, password management, and reporting procedures is more effective than a compliance module they click through.

Establish from the start that security questions are welcome — employees who are uncertain about whether something is legitimate should ask, not ignore it. A culture where security concerns are raised quickly is more valuable than any individual technical control.

Intragreat can help small businesses build IT onboarding and offboarding processes as part of our managed IT services — including user provisioning, Intune device enrollment, and access documentation. If you're not sure what your current process looks like end-to-end, our free security review is a good place to start.