Browse all topics
All guidesGlossary
Microsoft 365 essentials

Microsoft 365 onboarding new users

A clean joiner workflow for Microsoft 365 — provisioning, access, training, and first-week experience.

A new hire's experience joining a Microsoft 365 tenant says a lot about how the IT organisation operates. Done well, they sign in on day 1 with everything ready; done badly, they spend the first week chasing help-desk tickets for missing access. A structured onboarding workflow makes the difference.

The pre-arrival phase

Before the new hire's first day:

  • HR system trigger — the HR system signals a new hire starting on a specific date.
  • Entra ID user creation — automatic via SCIM provisioning from HR, or manual if HR-Entra integration isn't in place.
  • Group memberships assigned — department, role, location groups via dynamic group membership or explicit assignment.
  • Licence assigned — via group-based licensing (preferred) or direct assignment.
  • Temporary Access Pass (TAP) generated — let the new hire sign in once without a password.
  • Email account provisioned — happens automatically with E3/E5 licence assignment.
  • Manager assigned — populated in Entra ID attributes from HR data.
  • Welcome email — sent to the new hire's personal email with first-day instructions.

For tenants using Microsoft Entra ID Governance Lifecycle Workflows, much of this is automated based on HR-system triggers.

Day 1 experience

The new hire on day 1:

  1. Receives a device (corporate-issued laptop) — usually via Autopilot zero-touch provisioning.
  2. Powers on the device for the first time.
  3. Signs in with their corporate email and the TAP.
  4. Registers authentication methods — Microsoft Authenticator, Windows Hello, optionally FIDO2 key for high-security roles.
  5. Sets a permanent password (or skips and goes fully passwordless).
  6. Outlook, Teams, OneDrive, Office all sign in automatically.
  7. Known Folder Move activates — Desktop, Documents, Pictures start syncing to OneDrive.
  8. Default groups are visible in Teams and Outlook.
  9. Welcome / onboarding messages posted to relevant Teams channels.

For frontline workers on shared devices, the experience is slightly different — shared device sign-in with shorter session duration.

First week

The first-week experience focuses on enablement:

  • Manager 1:1 — most important onboarding intervention; tools follow culture.
  • Tour of Microsoft 365 surfaces — Teams, SharePoint, OneDrive, Outlook, the corporate intranet.
  • Critical apps — show specific role-related apps (CRM, ticketing system, internal tools).
  • Training resources — link to internal Viva Learning, role-specific paths.
  • Champions network — connect them with adoption champions in their team.

For knowledge-worker roles, time-to-productivity is measured in days; the onboarding programme should target that.

Access provisioning

For role-specific access beyond the baseline:

  • Entitlement Management access packages — new hire requests via the access portal; manager approves; access granted.
  • Custom Power Apps for IT requests — for organisations without Entitlement Management.
  • Specific app SSO — provisioned per-app via SCIM if integrated.

The principle: automated provisioning for predictable access, request-based for role-specific access, none required for self-service.

Communications

A practical pattern: a first-day Teams message to the new hire posted to a dedicated channel:

  • Welcome to the company.
  • Links to the corporate intranet, key resources.
  • Champions to contact for specific topics.
  • First-day checklist.

Generated by the Lifecycle Workflow or a Power Automate flow on user creation.

Common pitfalls

  • HR data inconsistency — wrong department, wrong manager, wrong start date in HR system flows to wrong provisioning.
  • Access by manual request only — every new hire creates 5-10 tickets; doesn't scale.
  • Devices arriving late — laptop ordered too late for day 1.
  • Generic onboarding — same experience for every role; senior engineers get the same as customer service reps. Differentiate.
  • No follow-up — the 30-day check-in catches problems users haven't reported.

Automation tools

  • Microsoft Entra ID Lifecycle Workflows — joiner-mover-leaver automation.
  • SCIM provisioning from HR systems to Entra.
  • Power Automate flows for custom integration.
  • Microsoft Graph API for bespoke provisioning logic.
  • Microsoft 365 admin centre for manual provisioning.

For organisations with significant hiring volume, investing in onboarding automation pays back continuously — both in IT effort saved and in better new-hire experience. The new hire experience day 1 sets the tone for years.