Onboarding new employees
Posted by Ancient_Map_8234@reddit | sysadmin | 78 comments
Hi all,
I was wondering how everyone onboards their new employees. Our current process is to hand over login details to employees on the day they start working and receive their laptop and mobile device. MFA must be configured from a trusted location.
HR wants to automate this process and make it easier for new employees. They want us to send the login details to the employee's personal e-mail address.
I was wondering if this is normal for anyone else, and if so, how do you deal with MFA setup?
slackerdc@reddit
LOL your HR actually tells you when new employees are starting.
xMikeyDon2@reddit
This guy and I are living the same nightmare it seems
Tramtunnel@reddit
fr, HR never tells us anything until the last minute lol. We started using gryffi a couple of months ago and it fixed the whole mess. It basically walks the new person through the setup so they don't keep bugging us for help.
BlackV@reddit
I feel this, deep in my soul
We have automation for this, but HR doesn't "wait" for it; they manually create the request, and then the automation tries to create the user twice.
btw, they start tomorrow, where is the laptop?
purplemonkeymad@reddit
You get that conversation before they start?
Literally:
Email at 16.30: "new person starting named ...."
Next morning, phone call at 10.00: "What are their sign-in details? I was expecting to give them the password by now."
No, we don't have anything else to do other than wait on your new user emails.
MAlloc-1024@reddit
Consider yourself lucky. I literally had one engineer (not IT) start, and then on their second or third day they showed up at the IT area, introduced themselves as a new user and asked if we had equipment for them. Had to explain to them that no one ever requested any equipment and IT has a policy that we require 5 working days' notice for hardware turnaround and 24 hours for a new user account. The user account request is only valid if it comes from HR, and the hardware request is only valid if it comes from the department manager, so there were multiple people that dropped the ball since we had zero record of him in the system.
whirlwind87@reddit
Getting more than 1 days notice about 1/2 the time was considered good at my previous. Don't even get me started on the high number of people who left and it took weeks to get a ticket.
RealnessInMadness@reddit
Better count my blessings then, as the only woe I face from HR, once in a while, is an employee being entered a week before they start.
On average they do it with a 1-2 month notice.
DrthPenguin@reddit
How many times can I up vote something?
Parking-Asparagus625@reddit
I use LinkedIn to find job postings to be able to ensure enough equipment is in stock, they sure won't fucking tell me.
MagillaGorillasHat@reddit
We'd been begging the director of our highest turnover department, for a year and a half, to give us more than 3 weeks notice for bulk onboarding so we'd have equipment, but they never would.
I eventually found out that managers for that department had been having daily check-ins the entire time where they reviewed daily, weekly, monthly, 60 day, and 90 day staffing needs and projections so they'd know exactly how many people needed to be hired.
I honestly wondered if it were like some hidden camera show or something. There was a gamut of emotions that day.
anonymousITCoward@reddit
You're lucky... recently I've been told a day or two afterwards...
PersimmonNearby857@reddit
Glad I'm not the only one.
ObjectiveApartment84@reddit
It doesn't just happen to me?
shingrus@reddit
If you really need to share a password or login details, use a one-time sharing tool like 1time.io. And if you absolutely have to send the password by email automatically, you can do that with a CLI.
EX_Enthusiast@reddit
Try newployee
HR_Enjoyer@reddit
Try newployee to avoid complexity
HR_Enjoyer@reddit
Try newployee for better onboarding
EX_Enthusiast@reddit
Sending login details to personal email is risky and increasingly discouraged, which is why many teams move to onboarding automation tools like newployee that provision accounts securely before day one without exposing credentials. Newployee can trigger access, device setup, and MFA enrollment in a controlled flow, so new hires complete MFA on first login while HR avoids insecure manual steps.
EX_Enthusiast@reddit
Sending corporate login details to a personal email is generally discouraged because it widens the attack surface and weakens identity assurance, especially before MFA is in place. A safer approach is to provision accounts ahead of time, ship devices pre-configured, and guide new hires through first-day identity verification and MFA setup on a managed device or secure portal. If HR wants automation, tools like Newployee, an HR onboarding automation platform, can streamline account creation, workflows, and first-day setup without exposing credentials outside controlled channels.
EX_Enthusiast@reddit
Sending login details to a personal email isn't ideal from a security standpoint, and most companies avoid it unless they're using a secure onboarding workflow. A better approach is to provision accounts in advance, ship devices pre-configured, and guide the employee through MFA on their first login. Tools like Newployee can help automate this by sending secure, step-based onboarding tasks and instructions without exposing credentials to personal inboxes, making the process smoother for HR while keeping IT policies intact.
Otherwise-Papaya-105@reddit
We had the same mess for a long time, especially with HR wanting "automation" but not really thinking through MFA or security. What finally helped us was shifting the orientation parts out of email entirely, so new hires aren't relying on personal inboxes and random PDFs.
We moved to bite-sized onboarding delivered over chat/text through Arist, so HR gets their automation and we still control the actual account provisioning + MFA steps on our side. New hires get the walkthroughs on their phone, we handle the technical flows normally, and nobody's sending credentials to Gmail anymore.
Not perfect by any means but it did help lmao
EX_Enthusiast@reddit
Sending login credentials to personal emails is risky and generally not recommended, but tools like Newployee can automate onboarding securely. It allows employees to set their own passwords and complete MFA setup through a protected workflow, all without exposing sensitive credentials, while giving HR a seamless, automated process.
Fizpop91@reddit
We are about 50/50 with half 100% remote and the other half 50% remote. Even with this ALL onboardings happen in the office on their first day (transport and hotel covered by company) and we hand over their device and credentials then
KavyaJune@reddit
TAP (Temporary Access Pass) is an effective option for this situation. It allows new employees to sign in without needing MFA initially and complete their MFA registration safely after logging in.
https://blog.admindroid.com/enable-passwordless-authentication-with-temporary-access-pass/
czj420@reddit
I have AADHJ and a Conditional Access rule to require MFA or an AADHJ device. Then people who don't have email on their cell phone don't need to deal with MFA.
MPLS_scoot@reddit
What about token theft?
czj420@reddit
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection
QuantumBagel47@reddit
I feel you!! We shipped pre-configured laptops via tecspal so day 1 is basically open - sign in - set MFA. We stopped emailing passwords and onboarding got a lot calmer.
Frothyleet@reddit
You definitely shouldn't shoot off creds to a personal email of unknown security and access, but you can do some more to automate things. E.g., Entra ID will let you provide new users with a one time code to let them configure MFA on first login.
maceion@reddit
Do NOT under any circumstances send login details to their personal emails. You have no idea who else knows their login details to access their email. Simple point: my wife knows my login details for my computer and bank in case of injury to myself and her need to administer the house and draw down funds to operate if I am ill. Thus if you send by email, other folk may have or get the details. I would ask them to be ready to log in, then phone them on a landline and give them the details by phone while they log in. Ask them to write down the details and put that safely somewhere secure.
Frothyleet@reddit
Shared credentials? Terrible practice, did you forget what subreddit you are in?
In MY house, my partner would need to go through our PAM to get the break-glass credentials to my accounts, in order to ensure auditability and accountability.
nerfblasters@reddit
When you say landline, do you require that it's a copper POTS connection or is VOIP ok?
Just kidding, who the hell has a landline?
Away_Chair1588@reddit
I assume they mean from on prem.
kevvie13@reddit
Submit this request to your Chief Security Officer to approve. Lol. If he doesn't exist, run it through your IT Manager. If he doesn't exist, just laugh in HR's face and pack your bags lmao.
Eliogabalus1@reddit
We send the user's username and email address, and password in separate encrypted emails that are set to be delivered at midnight on their start date to their personal email.
We do it this way because labor laws vary by state, and this keeps us from violating any laws.
man__i__love__frogs@reddit
All our employees get Yubikeys, we pre-enroll them with a temp pin using Yubienroll.
We may create accounts far in advance and leave them disabled until 48 hours before their start date. This gives provisioning time for SSO apps and things like that.
We also use Keeper password manager, and have automator configured to create the vault in our onboarding script, so any non-SSO passwords can be transferred to their vaults before they start.
GherkinP@reddit
Obviously don't dox yourself, but do you have anything further on the Keeper automation? We've got some apps that don't support SSO and this sounds awesome.
man__i__love__frogs@reddit
I was misremembering the setup... Well, we already have Keeper SCIM provisioning set up in Entra which creates the users in Keeper, but the vaults are not active until first login.
Keeper Commander is a CLI tool that can be installed anywhere; our user creation script just does a POST/PATCH request to make them active: https://docs.keeper.io/en/enterprise-guide/user-and-team-provisioning/automated-provisioning-with-scim
We also run an Azure Container App of Keeper Automator that auto-approves logins if they are SSO and from whitelisted IPs. You can host the Automator on a Windows server or Linux and a few other options; it has to be listening on an open port for Keeper's public IPs.
https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator
SoonerMedic72@reddit
This sounds awesome. Thanks for the research subject!
SoonerMedic72@reddit
One of the few good things about working somewhere that is very anti-WFH: we create accounts, drop their Windows password in a password vault shared with the trainer, schedule an email to their work email, and the trainer helps them change all their (non-SSO) login info during orientation when the emails hit their boxes. Everyone has to be there in person and passwords are in their email for less than 15 minutes.
SparkyMonkeyPerthish@reddit
We provided an email to the line manager (or designated person) with all the account details except the password, which was sent via SMS to the company number 24 hours before the new person started. Privileged accounts required a phone call to get the account unlocked and the password reset, as it was set to a 24-character random string.
canadian_sysadmin@reddit
We automate creating the account, which sends the credentials to the userâs manager.
We give people 14 days to enable MFA currently. Not ideal but weâve had too much friction with MFA on day one. We are reviewing this though and looking at TAPs and some other options.
Chewychews420@reddit
We do the same, MFA is enforced here and everything is signed into as part of their induction process
Bane8080@reddit
Our process goes something like this.
The person in charge of hiring tells us on the Thursday or Friday directly before the Monday that the person is starting.
I explain to them that it will take a couple weeks to get the laptop ordered.
They tell me "But they're starting on Monday"
And I say "Well, you should have let us know you were interviewing so we could have equipment ready."
gtport82@reddit
This is interesting; every place I've been at the process was a disaster. I would set multiple meetings with the head of HR to set up said process and iron it out. I tell them we need at least 2 weeks' lead time for all new hires, especially with equipment. For the first 1-2 hires they do what they're used to: tell us the day before, or not tell us at all. When the new hire starts and shit hits the fan, I show them the emails/Slacks of them confirming and agreeing to the new process and they quickly get their act together.
That being said I never worked at a company with like 500 or more full time employees though so that could be the reason why standard operating procedures were adapted fairly quickly.
EX_Enthusiast@reddit
It's generally not recommended to send corporate login details to a personal email due to security risks. Most companies use automated onboarding tools or identity management systems (like Azure AD or Okta) to handle account creation and MFA setup securely on the first day. A safer approach is to have new employees verify their identity through a secure portal or temporary code rather than sharing credentials externally.
Stormyvil@reddit
We send out the new hire information over to their hiring manager.
It's then the hiring managers responsibility to onboard the user. They get a guide with all the needed info for setting up a new password, MFA etc.
Now that I think about it, it's not great. Although it means a lot less work for our IT it's by far not the most secure way of doing it.
I suspect most managers likely just forward that email right to the new hires private address. :/
chickentenders54@reddit
They typically just walk up to me a few months after they've been here and tell me that they're new here, or I get chewed out that they STILL don't have access to this, that, or the other, when no one ever informed me that they fired someone, let alone hired their replacement.
DurangoGango@reddit
We do a ServiceNow flow. HR submits a New Hire request, the AD DS integration creates the account on-prem (which is then synced to Entra via Entra Connect) and other integrations prepare their Exchange hybrid mailbox and home folder on a network share with appropriate permissions. Based on New Hire variables, requests are automatically submitted for equipment and other accounts where applicable. Credentials are emailed to the New Hire's manager, with password change and MFA setup enforced on first logon. The whole thing is intended to require as little manual work as possible; right now humans are only directly involved in physically handling the equipment and in provisioning accounts for the one legacy environment that doesn't have a reliable API (but we're developing one).
TheJesusGuy@reddit
No.. You can reason as to why but at the end of the day if they say jump then you jump.
Ok_Conclusion5966@reddit
Once its automated you only have to monitor and manage it, quite simple
They want integration from their recruiting system to their HR and payroll system which is integrated to the IT Identity and Access Management system.
They control who is onboarded and offboarded, you'll get a notification each time it's done.
Timberwolf_88@reddit
At my old job, where I set up the process with HR, we did this: SCIM user provisioning in Entra through the HR tool. The user was automatically created when they were hired in the HR system.
The account was disabled until the employee's status changed to employed (i.e. their official first day).
Since licensing can't be automated via SCIM, a tech would apply the correct license(s) as per the employee's attributes fetched from the HR tool, as well as any free-text info in the HR tool onboarding tasks generated and sent to IT via email. At the same time the tech would generate a random first password and ensure that it was printed and put in a sealed envelope together with the user's physical access tag and its PIN, SIM card for phone if eligible, etc.
This was placed in a locked cabinet only hiring managers have access to, next to the locker where new laptops were placed (wiped, but labeled for each new employee).
All accounts require MFA setup on initial login.
gumbrilla@reddit
Good practice, including NIST guidance, is to not send credentials to a system that is not tied to a device. Therefore email is out. Something encrypted and device-tied is more suitable. WhatsApp is what I use.
MFA is enforced during Autopilot join, but if remote setup, it's not from a trusted location.
We have a process for fully remote joiners that mandates that hardware is collected on production of government id, and we security review system use at day 0, day 7, and day 30.
serialband@reddit
Most HR have no clue what IT needs for things to work. Security is not their concern. However, if they hire outside consulting or MSPs, that extra cost will generally make them more attentive and prepared with IT needs.
vadiaro@reddit
We've created a communication site in SharePoint as a self-setup center. It has an onboarding page with a step-by-step guide on how to claim your account, the temp password and how to change it, MFA setup and the rest of the jazz, with screenshots of course. We share the link to the onboarding page with the new hires with a few days' expiration timer, and the URL will work only for them. It has been working for us. I don't have to hold their hand during the onboarding anymore.
TheSamJones1@reddit
NEW USER CREDENTIALS TO A PERSONAL EMAIL ADDRESS IS A NIGHTMARE WAITING TO HAPPEN DO NOT DO THIS UNDER ANY CIRCUMSTANCE
Fragrant-Hamster-325@reddit
Call me crazy, but we send passwords via email. New hires have zero access prior to day 1 other than being able to create a new password and set up MFA. After they start they are assigned training; after training, access to other systems is granted. If a new hire doesn't get credentials by their start date they'll call HR. We've been doing it this way for years with zero incidents.
RevolutionaryWorry87@reddit
Emailing user login credentials is absolutely insane.
Ideally, they come into office, onboarded and self service password reset.
stephendt@reddit
It's not if you use a service like pwpush and the username is sent via SMS
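The one-time sharing tools mentioned in this thread (1time.io above, pwpush here) all rest on the same mechanism: the server holds only ciphertext it cannot read, the random token in the link is the only key, and the first retrieval destroys the record, so a forwarded or mis-typed link is worthless after it has been opened once and after it expires. The following is an added, stdlib-only Python sketch of that mechanism, not code from either product or from anyone in the thread; the class and method names, the 8-hour lifetime and the sample password are this example's own choices. The username would travel out of band (for example by SMS, as the comment above describes).

```python
"""One-time, expiring credential hand-off (added example, stdlib only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_BYTES = 32  # 256-bit random token carried in the link


@dataclass
class _Entry:
    ciphertext: bytes
    tag: bytes
    expires_at: float


def _lookup_id(token: bytes) -> str:
    """Storage key: a hash of the token, so a DB dump reveals no usable links."""
    return hashlib.sha256(b"lookup|" + token).hexdigest()


def _keys(token: bytes, length: int) -> Tuple[bytes, bytes]:
    """Derive a keystream of `length` bytes and a MAC key from the link token."""
    keystream = hashlib.shake_256(b"keystream|" + token).digest(length)
    mac_key = hashlib.sha256(b"mac|" + token).digest()
    return keystream, mac_key


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


class OneTimeSecretStore:
    """In-memory store; a real service would back this with Redis or a DB."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._entries: Dict[str, _Entry] = {}

    def create(self, secret: str, ttl_seconds: int) -> str:
        """Store `secret`; return the token to embed in the link (the only key copy)."""
        token = secrets.token_bytes(TOKEN_BYTES)
        data = secret.encode("utf-8")
        keystream, mac_key = _keys(token, len(data))
        ciphertext = _xor(data, keystream)
        tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
        self._entries[_lookup_id(token)] = _Entry(ciphertext, tag, self._now() + ttl_seconds)
        return token.hex()

    def retrieve(self, token_hex: str) -> Optional[str]:
        """Return the secret on the first valid use; None on reuse, expiry or bad token."""
        try:
            token = bytes.fromhex(token_hex)
        except ValueError:
            return None
        if len(token) != TOKEN_BYTES:
            return None
        # pop() before any other check: the record is consumed even when a
        # later check fails, so one link cannot be probed repeatedly.
        entry = self._entries.pop(_lookup_id(token), None)
        if entry is None or self._now() > entry.expires_at:
            return None
        keystream, mac_key = _keys(token, len(entry.ciphertext))
        expected = hmac.new(mac_key, entry.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry.tag):
            return None
        return _xor(entry.ciphertext, keystream).decode("utf-8")

    def purge_expired(self) -> int:
        """Housekeeping for links nobody opened; returns how many were removed."""
        now = self._now()
        dead = [k for k, e in self._entries.items() if now > e.expires_at]
        for k in dead:
            del self._entries[k]
        return len(dead)


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link_token = store.create("Temp-Passw0rd-ChangeMe", ttl_seconds=8 * 3600)
    print("token for the link:", link_token)
    print("first open :", store.retrieve(link_token))
    print("second open:", store.retrieve(link_token))  # None: already consumed
```

The XOR keystream stands in for a proper AEAD (AES-GCM or ChaCha20-Poly1305 via the `cryptography` package) so the block runs without third-party dependencies; the structural points carry over unchanged: the lookup key, the encryption key and the MAC key are all derived from the token the link holder has, and nothing recoverable stays server-side after the first open.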
Own_Sorbet_4662@reddit
Not just emailing the credentials but emailing them out of your infrastructure is worse. I'm sure HR is trying to improve the process but that breaks so many security rules you cannot let that happen.
We on board each new hire in person or at least on the phone if they are remote. I don't love it but it's required for security and to service our users.
taintedcake@reddit
We on-board over the phone but they have to be in-office.
Our desk sets a temp password when the new employee calls in on their first day and is ready to login.
The desk sets a temp password with force change required on next login and verbally tells it to them, and then they set their own password before ever seeing the desktop.
Then they get walked through MFA setup, and if they opt out it requires manager approval + their account gets added to a group that blocks logging into anything if they aren't on our internal network. They can't even get email on their phone in that case, and the VPN on their laptop would be nonfunctional from outside the network as it prompts for the user's MFA for any remote connections.
AdComfortable1659@reddit
I'm trying to implement Apache Syncope or midPoint, maybe you can check it too.
earthmisfit@reddit
Apache Syncope....MidPoint...whaaaat?
Ill_Confusion_9135@reddit
We get told with an hour left in the day that a new employee starts in the morning. I always thought that was normal process??
mr_limpet112@reddit
Why tf would you send credentials to an email? A personal email at that?
BrilliantJob2759@reddit
We typically hit them over the head, drag 'em on board, and set sail. If they want to eat, they work. Oh, wait...
We have automated scripts that HR use to create a new user which requests their manager, department, etc. and automatically deploys the user. Creates the user in the correct department OU, assigns the appropriate licenses for the given script, generates the email address, creates appropriate logon script for their dept., enrolls their email into the 3rd party 2FA, assigns them to the base departmental security/distribution groups/Teams, etc.. The system emails their direct manager a single-use password to hand off to the employee (we have a few different things that check that that's not being abused) and the manager walks them through the rest of the steps like enrolling in 2FA, changing their password, orienting them around the network, etc.
At my last place, it was "hey, so-and-so started this morning so we need them set up in all of the manual systems and get a computer for them, even though we won't buy any spares so have to wait a couple of weeks for a new one to come in. And we need it all done an hour ago."
KellyMaus@reddit
Sounds like you have a solid automated process! For MFA, we make sure to provide clear step-by-step guides and have a designated support person available for any hiccups. Also, using a dedicated app for 2FA can streamline things a lot for new hires.
Pump_9@reddit
You get an IAM system that has connectors into the HR system, and when someone is hired it kicks off birthright access. For example, all AD groups that everyone should have for basic functions like logging into the VPN and accessing the company intranet. MFA is self-service registration... there is no need for helpdesk intervention. Typically you purchase a product that comes with MSP support.
Speeddymon@reddit
Do not send login details to personal email addresses. JFC!
Email is not a secure mechanism for delivery. If someone typos a Gmail, and it happens to be a valid email address, GG.
dab_penguin@reddit
Sending details like that to a personal account can lead to compromise. If that account has already been owned, the corp account is next. Kill that request from HR, and don't give them a login until day 1.
OneSeaworthiness7768@reddit
This is handled by our help desk. Access requests are triggered from the HR system when HR puts in their start date. HD creates their accounts and puts the username and temp password in the ticket. The ticket is closed and the user's supervisor gets the credentials emailed to them from the ticket notification.
neveralone59@reddit
They should receive a password when they start that they need to reset. Last time I worked with windows server we had a script that meant HR could self service new starters, it worked very well.
Adam_Kearn@reddit
We have a script that looks at the same database HR uses, via APIs, and then it will create or disable the account.
All accounts get created with their birthdate as the initial password. First login allows them to set this to something more secure.
The script runs daily every night.
There is a second script that is run a few hours later to licence the user in 365, as we are AD synced, but if you are fully Entra/365 then this is not needed.
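Several comments describe the same HR-feed-driven pattern: a nightly script reads the HR system and creates or disables accounts (the one just above), SCIM keeps accounts disabled until the first day (Timberwolf_88), accounts are pre-created and enabled 48 hours before start (man__i__love__frogs), and a manual request racing the automation leads to a user being created twice (BlackV). The block below is an added, stdlib-only Python example of the planning step such a script needs; it is not any commenter's script and the record types, the 2-day lead time, the action names and the sample roster are this example's own assumptions. It keys every decision on the HR employee id rather than on a name or UPN, which is what makes a second run (or a racing manual request that also sets the employee id) a no-op instead of a duplicate.

```python
"""HR roster to directory reconciliation (added example, stdlib only)."""
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PREPROVISION_LEAD = timedelta(days=2)  # create the (disabled) account this far ahead of day one


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    upn: str
    start_date: date
    end_date: Optional[date] = None  # None while employed


@dataclass
class DirAccount:
    upn: str
    employee_id: str  # e.g. the employeeId attribute in AD / Entra
    enabled: bool


@dataclass(frozen=True)
class Action:
    kind: str  # "create_disabled" | "enable" | "disable"
    upn: str
    employee_id: str


def initial_password(length: int = 20) -> str:
    """Random first password with all four character classes; the connector
    that consumes a create action sets 'must change password at next logon'."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def reconcile(hr: List[HrRecord], directory: List[DirAccount], today: date) -> List[Action]:
    """Plan the actions that bring `directory` in line with `hr` as of `today`.

    Idempotent: after the actions are applied, calling it again returns [].
    """
    by_emp = {a.employee_id: a for a in directory}
    actions: List[Action] = []
    for rec in hr:
        should_exist = today >= rec.start_date - PREPROVISION_LEAD
        active = rec.start_date <= today and (rec.end_date is None or today < rec.end_date)
        acct = by_emp.get(rec.employee_id)
        if acct is None:
            if should_exist:  # new joiner: create disabled, enable only once day one arrives
                actions.append(Action("create_disabled", rec.upn, rec.employee_id))
                if active:  # feed arrived late and the start date is already here
                    actions.append(Action("enable", rec.upn, rec.employee_id))
            continue
        if acct.enabled != active:
            actions.append(Action("enable" if active else "disable", acct.upn, acct.employee_id))
    # Accounts the HR feed no longer knows are leavers: disable, never delete from a script.
    hr_ids = {r.employee_id for r in hr}
    for acct in directory:
        if acct.employee_id not in hr_ids and acct.enabled:
            actions.append(Action("disable", acct.upn, acct.employee_id))
    return actions


def simulate(actions: List[Action], directory: List[DirAccount]) -> List[DirAccount]:
    """Apply planned actions to an in-memory copy; stands in for the AD / Graph calls."""
    accounts = {a.employee_id: DirAccount(a.upn, a.employee_id, a.enabled) for a in directory}
    for act in actions:
        if act.kind == "create_disabled":
            accounts[act.employee_id] = DirAccount(act.upn, act.employee_id, False)
        elif act.kind == "enable":
            accounts[act.employee_id].enabled = True
        elif act.kind == "disable":
            accounts[act.employee_id].enabled = False
    return list(accounts.values())


if __name__ == "__main__":
    # Constructed sample roster and directory state, run "today" = 2025-03-03.
    today = date(2025, 3, 3)
    hr = [HrRecord("E100", "alice@example.com", date(2025, 3, 4)),
          HrRecord("E101", "bob@example.com", date(2025, 2, 1)),
          HrRecord("E102", "carol@example.com", date(2025, 1, 6), date(2025, 3, 1))]
    directory = [DirAccount("bob@example.com", "E101", True),
                 DirAccount("carol@example.com", "E102", True),
                 DirAccount("dave@example.com", "E099", True)]  # no HR record: leaver
    for act in reconcile(hr, directory, today):
        print(act.kind, act.upn)
    print("second run:", reconcile(hr, simulate(reconcile(hr, directory, today), directory), today))
```

The separation of a planning function from the calls that change the directory is deliberate: the plan can be logged and reviewed (or run in dry-run mode on a nightly schedule) before anything is created or disabled, and a leaver is only ever disabled, never deleted, so mistakes in the feed remain reversible.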
LokeCanada@reddit
Emailing passwords is going to create more work for you.
Credentials can be sent with encryption and stuff to make it more secure. Then who does the person contact when they need handholding for the initial setup? Whoever just sent them the information. We get this constantly with consultants. No, you can't run multiple VPNs. No idea what application the dev team wants you to use. No, I don't have a copy of that for you to run locally on your Mac.
MFA needs to be done with security behind it. Best if you are looking the person right in the face when it is done. Otherwise you lose most of the security behind it.
Warm_Share_4347@reddit
You can connect the HRIS to your ticketing system first so you don't have to rely on HR for getting the info. You can then trigger workflows which will create the account and send the password by email, personal or professional... have a look at Siit ITSM, it has native integrations and templates.
BloodFeastMan@reddit
If you want to go that route, consider a pastebin instead of sending credentials to personal email.
sryan2k1@reddit
We generate a TAP that is only valid for 8 hours on their first day. Their manager walks them through using that to do SSPR and set up MFA.
Blindly emailing passwords is a security nightmare and should be avoided.