New employee onboarding is where IT support either looks organized or looks like a room full of raccoons with admin rights. A good IT onboarding checklist gets the new hire working on day one, keeps access sane, and gives HR and managers fewer reasons to chase you in Slack.

The short version: confirm the start date and role, create the account from an approved request, prepare the device, assign the right groups and apps, enroll MFA, test the login, document what you issued, and schedule a quick day-one check-in. Do not wait until the employee is sitting at their desk to discover nobody ordered a laptop.

This checklist is for help desk techs, IT coordinators, junior sysadmins, and small-company IT teams that need a repeatable onboarding flow. Adjust it for your company, but keep the shape: request, identity, device, access, verification, handoff, documentation.

The new employee IT onboarding checklist

Use this as the baseline runbook.

| Step | What to do | Why it matters |
|---|---|---|
| 1 | Confirm the request, manager, role, location, and start date | Prevents rushed setup and wrong access |
| 2 | Create the identity account from a template or standard profile | Keeps usernames, groups, and policies consistent |
| 3 | Prepare the laptop, desktop, phone, badge, or peripherals | Avoids day-one hardware panic |
| 4 | Assign email, collaboration, VPN, and line-of-business apps | Gives the user what they actually need |
| 5 | Enroll MFA and security controls | Reduces risky exceptions and login loops |
| 6 | Test sign-in before handoff | Catches broken licenses, policies, and passwords early |
| 7 | Give the user a simple first-day guide | Reduces repeat tickets and confusion |
| 8 | Document issued assets, access, and next steps | Helps audits, offboarding, and the next tech |

1. Confirm the onboarding request first

Do not build accounts from a hallway conversation or a vague “new person starts Monday” message. You need an approved HR ticket, hiring manager request, or whatever your company treats as the source of truth.

Before touching anything, confirm:

  • Full legal name and preferred display name
  • Start date, time zone, and first working day
  • Manager and department
  • Job title or role profile
  • Employment type: employee, contractor, intern, vendor, temporary
  • Location: onsite, remote, hybrid, field, branch office
  • Required hardware and shipping address if remote
  • Required apps, shared mailboxes, distribution lists, file shares, and security groups
  • Whether the person is replacing someone or joining as a brand-new role
  • Any special compliance needs, like privileged access or restricted data

The common failure is assuming “same as everyone else in the department” is good enough. Sometimes it is. Sometimes the last person in that department collected random permissions for three years and nobody noticed. Use templates, but verify the actual role.

2. Create the account the boring, consistent way

Boring is good here. Usernames, email aliases, display names, organizational units, and groups should follow a standard. Cute exceptions turn into support tickets later.

A sane account setup includes:

  • Directory account in Active Directory, Entra ID, Google Workspace, Okta, or your identity provider
  • Email mailbox and primary alias
  • Correct department, manager, title, and location attributes
  • Baseline security groups for the role
  • License assignment for Microsoft 365, Google Workspace, or other core tools
  • Password setup or temporary access flow
  • MFA registration requirement
  • Device enrollment requirement if you use MDM

If you are working in a Microsoft-heavy environment, our Active Directory tutorial for beginners is a good refresher on accounts, groups, and organizational structure. If the user needs group-based access, be extra careful: groups are where “just get them working” quietly becomes privilege creep.

3. Prepare the device before day one

The laptop is not onboarded because it has Windows installed. It is onboarded when the user can sign in, connect to the network, open required apps, and get updates without filing three tickets before lunch.

Device prep checklist:

  • Assign the asset in your inventory system.
  • Install or confirm the operating system version.
  • Apply updates and firmware if required.
  • Enroll the device in MDM or endpoint management.
  • Confirm endpoint protection is installed and reporting.
  • Install required apps, VPN, browser, office suite, chat, remote support tool, and role-specific software.
  • Add printers only if the user actually needs them.
  • Confirm local admin policy matches company standards.
  • Label the device and record serial number, charger, dock, monitor, headset, or accessories.
  • For remote users, ship early enough that “FedEx says maybe” is not the onboarding plan.

For hands-on hardware and first-role fundamentals, link this process with your entry-level IT jobs guide. Onboarding is one of those help desk tasks that looks basic until you do it at scale and realize every missing detail becomes tomorrow’s ticket.

4. Assign access by role, not by vibes

The best onboarding access model is role-based. A tier-one support tech, accounting assistant, sales rep, and developer should not all receive the same pile of permissions because someone copied the wrong user.

Start with required access:

  • Email and calendar
  • Chat and video meetings
  • VPN or zero-trust access if remote systems require it
  • Ticketing system or CRM if part of the job
  • File shares, SharePoint, Google Drive, or Teams channels
  • Password manager vaults
  • Department apps
  • Printer or badge access
  • Security awareness training portal
  • Payroll, HR, time tracking, and benefits systems

Then ask what is truly needed on day one versus later. Giving every new hire every possible app feels friendly until you have to explain it during an audit. A cleaner pattern is: baseline role access now, manager-approved additions later.

If the new hire is replacing someone, do not blindly clone the old employee’s access. Review the old access list with the manager. Copying stale permissions is one of the fastest ways to make offboarding and onboarding both worse.
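The review described above can be turned into a draft for the manager. This is an added example, not part of the original article: the group names, the sample data, and the substring heuristic for spotting privileged groups are all constructed assumptions.

```python
# Added example: build the access plan from the role baseline, and treat the
# previous holder's groups as a review list instead of something to clone.

# Constructed sample data (not from any real directory).
ROLE_BASELINE = ["Sales-Baseline", "M365-E3", "CRM-Users", "VPN-Users"]
PREVIOUS_HOLDER_GROUPS = ["sales-baseline", "CRM-Users", "VPN-Users",
                          "Finance-Reports-RO", "CRM-Admins", "Project-Falcon-2023"]
MANAGER_APPROVED = ["Sales-SharedMailbox"]

# Assumption: a naming heuristic marks groups that deserve extra scrutiny.
PRIVILEGED_MARKERS = ("admin", "approver")


def normalize(groups):
    """Map a case-folded key to the display name so 'sales-baseline'
    and 'Sales-Baseline' are treated as the same group."""
    return {g.strip().casefold(): g.strip() for g in groups if g.strip()}


def plan_access(role_baseline, reference_groups, manager_approved=()):
    baseline = normalize(role_baseline)
    reference = normalize(reference_groups)
    approved = normalize(manager_approved)

    # Only baseline role access and manager-approved additions are assigned.
    assign = {**baseline, **approved}
    # Everything else the previous holder had is a question for the manager.
    review = {k: v for k, v in reference.items() if k not in assign}

    return {
        "assign_now": sorted(assign.values()),
        "review_with_manager": sorted(review.values()),
        "privileged_in_review": sorted(
            v for k, v in review.items()
            if any(marker in k for marker in PRIVILEGED_MARKERS)),
        # Cloning would also have missed these baseline groups.
        "baseline_missing_on_reference": sorted(
            v for k, v in baseline.items() if k not in reference),
    }


if __name__ == "__main__":
    plan = plan_access(ROLE_BASELINE, PREVIOUS_HOLDER_GROUPS, MANAGER_APPROVED)
    for section, groups in plan.items():
        print(f"{section}: {', '.join(groups) or '-'}")
```

The last section shows the less obvious failure: a clone can under-provision as well as over-provision, because the previous holder may never have had everything the role baseline now requires.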

5. Handle MFA and first login cleanly

MFA should be part of onboarding, not a surprise error message after the user has already joined their first meeting.

A decent MFA flow:

  1. Tell the user what MFA app or method your company uses.
  2. Have them enroll during a guided first-login process.
  3. Confirm they can sign in from the expected device.
  4. Remove or avoid temporary bypasses unless policy requires them.
  5. Document that the method was registered, without recording secrets or recovery codes in the ticket.

If MFA breaks during onboarding, treat it like a security workflow, not an annoyance. Our MFA reset checklist for help desk techs covers the safer process for new phone issues, missing prompts, lost devices, and suspicious sign-ins.

Also test conditional access rules if your company uses them. The account may work from the office but fail from a remote network because the device is not compliant yet. Find that before the user is stranded.

6. Test the setup like a user, not an admin

Admins are terrible testers because admin accounts can accidentally bypass the very problems users hit. Test as close to the new hire’s experience as possible.

Before handoff, verify:

  • User can sign in with the intended account.
  • Email opens and can send internally.
  • Calendar works.
  • Chat and meeting apps launch.
  • VPN or remote access connects if needed.
  • Required apps open without license errors.
  • File shares or cloud folders are visible.
  • Printer access works if assigned.
  • Endpoint security and MDM show healthy status.
  • Password change or first-login flow is understandable.

You do not need to test every button in every app. You do need to catch the predictable blockers: missing license, wrong group, stale password, bad MFA enrollment, device not compliant, or app not installed.

7. Give the user a simple day-one guide

A new hire does not need a 40-page IT policy PDF at 9:03 AM. They need the five things that let them start working.

Give them a short welcome note with:

  • How to sign in
  • How to enroll MFA
  • How to contact IT
  • How to connect to Wi-Fi or VPN
  • Where to find required apps
  • How to request more access
  • What to do if something is missing
  • Any security basics they must follow immediately

Keep the tone normal. “Here are the first steps” beats “Per policy section 4.7.2, end users must…” every time.

This is also where a good knowledge base helps. If your team is rebuilding onboarding from scratch every week, read the IT knowledge base guide and create one clean onboarding article.

8. Write ticket notes the next tech can trust

The onboarding ticket should not just say “done.” That helps nobody.

Use a short structured note:

Created account for Jordan Lee, start date 2026-06-15, Sales department, manager Priya N. Assigned baseline Sales group, Microsoft 365 license, CRM access, VPN group, and Teams channels listed in HR onboarding request. Prepared laptop asset LT-2048, enrolled in MDM, endpoint protection healthy, shipped with charger and headset via tracking number ####. User to complete MFA enrollment during day-one call. Pending: manager approval for shared mailbox access.

Good onboarding notes make offboarding easier later. They also protect IT when someone asks why the new hire did or did not receive access to a system.

For more examples of useful support documentation, see help desk ticket notes examples.

Common onboarding mistakes

Copying another user’s access without review

This is fast and dangerous. If you must use another user as a reference, treat it as a draft. Have the manager approve the final list.

Waiting until the start date to order equipment

Remote onboarding dies here. If the laptop is late, IT owns the first impression even if procurement caused the delay.

Forgetting non-obvious systems

Door access, printer codes, password manager vaults, shared mailboxes, payroll portals, training systems, and phone extensions are easy to miss because they are not always in the main identity provider.

Leaving temporary access in place

Temporary passwords, MFA bypasses, local admin, emergency VPN exceptions, and borrowed licenses should have an expiration date or follow-up ticket.
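One way to check that rule across open onboarding tickets, as an added example that is not part of the original article. The record fields, the user name, and the ticket placeholder are constructed assumptions; in practice the records would come from your ticketing or identity system.

```python
from datetime import date

# Constructed sample records; the field names are assumptions for this example.
TEMP_GRANTS = [
    {"user": "jordan.lee", "kind": "temporary password",
     "expires": "2026-06-16", "followup_ticket": None},
    {"user": "jordan.lee", "kind": "MFA bypass",
     "expires": None, "followup_ticket": None},
    {"user": "jordan.lee", "kind": "local admin",
     "expires": None, "followup_ticket": "TICKET-PLACEHOLDER"},
    {"user": "jordan.lee", "kind": "borrowed license",
     "expires": "2026-06-30", "followup_ticket": None},
]

# Lower number sorts first in the report.
SEVERITY = {"untracked": 0, "overdue": 1, "tracked": 2}


def classify(grant, today):
    """Apply the rule: every temporary grant needs an expiration date
    or a follow-up ticket, and an expiration date must not have passed."""
    expires = date.fromisoformat(grant["expires"]) if grant.get("expires") else None
    if expires is None and not grant.get("followup_ticket"):
        return "untracked"   # nothing will ever remove this grant
    if expires is not None and expires < today:
        return "overdue"     # should already have been removed
    return "tracked"


def audit_temp_access(grants, today):
    """Return (status, user, kind) rows, worst findings first."""
    rows = [(classify(g, today), g["user"], g["kind"]) for g in grants]
    return sorted(rows, key=lambda r: (SEVERITY[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for status, user, kind in audit_temp_access(TEMP_GRANTS, date(2026, 6, 20)):
        print(f"{status:10} {user:12} {kind}")
```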

Not scheduling a day-one check

A ten-minute check-in catches more than a week of passive “let us know if you need anything.” Ask directly: can you sign in, email, attend meetings, access files, and use your main app?

FAQ

What should be included in an IT onboarding checklist?

At minimum: approved request, account creation, device preparation, app and group access, MFA enrollment, security controls, login testing, asset tracking, user instructions, and ticket documentation.

Should IT clone access from another employee?

Use another employee as a reference only, not as the final source of truth. Cloning access can copy old mistakes, excessive permissions, or one-off exceptions nobody remembers approving.

Who owns employee onboarding: HR, IT, or the manager?

All three. HR owns the employment record and start date, the manager owns role requirements, and IT owns accounts, devices, security controls, and technical access. The best onboarding process makes those handoffs explicit.

How early should IT start onboarding a new hire?

As soon as the approved request arrives. For remote employees, start early enough to order, image, ship, and test equipment before day one. Same-day onboarding should be the exception, not the process.

Bottom line

New employee IT onboarding is not glamorous, but it is one of the clearest signals of whether an IT team has its act together. Make it repeatable, test the boring stuff, document the handoff, and resist the urge to solve every access problem by copying someone else’s permissions.

If you want to turn onboarding into a career win, measure it: setup time, day-one tickets, missing-access requests, device shipping misses, and repeated manual steps. That is the kind of operational improvement that shows up well in performance reviews, resumes, and interviews.