How do I automate onboarding ?

[-]

FireCyber88@reddit

Easy. Tell Claude to make you be a powershell script and tell it exactly line by line what you want it to do. Be precise. You’ll have it done in no time, and then you’ll ask yourself why you didn’t do this years ago.

[-]

Rough_Variety_2601@reddit

We use Cadenio internally to streamline the work from start to finish. Def worth a shot

[-]

sebf@reddit

Write everything down in a wiki. Also have a wiki for the high turnover level employees so that they can write down their own tricks and later users will be able to find ressources by themselves.

[-]

Disastrous_Syrup687@reddit

PowerShellis your be͏st friend herefor steps 1-4 Write a scriptthat takes a CSVor form input with the newhire's info and does theAD account creationgroup assignments proxy addresses, and licenseassignment in one shotTheres a million examples on githubfor this exact workflow search"powershell onboarding script entra" and you'll findsolid templates to start from For the computersetup stuff (7.1-7.4)look into scripting that with Intune or even just a PowerShelllogon script that detects first loginand configures outlookprinters, teams, etc The 3CX piece might need theirAPI but I havent messedwith that personally Thebigger picture thing tho istying all of this together so it kicks off automaticallywhen someone submitsa new hire request We useInvGate ServiceManagement at work andthe workflow builderlets you chain these stepstogether so when HR submitsthe onboarding formit auto-assigns tasks to the right peopleand triggers scripts theai ticket stuff is nice too becauseit categorizes and routesthings without someone manually triaging But evenwithout a tool like that, just having the PowerShellscripts ready to go will save you aTON of timeand definitely makeyou stan͏d out asthe new sysadmin

[-]

Paladroon@reddit

The first few steps really should be:

Figure out a trigger for the automation. Is it an email, automated API call from your HR system, a web form, some automation service line power automate, etc…
Figure out what method of automation works for each system you need to interact with.
PowerShell will likely be your best friend for some of this, the AD stuff for sure

If you have tools like Entra or Okta with their provisioning service you can use those to help setup accounts in other systems once they make it into Entra/Okta.

As you work through those a lot of the “how” will start to reveal itself. But it will take some learning and time.

[-]

Zagrey@reddit (OP)

It seems that off boarding will be easier to setup as everything can be done with power shell. 1. Disable user 2. Hide from address list 3. Move to different OU 4. Concert exchange mailbox 5. Remove license

Any starting point advice here ?

[-]

Paladroon@reddit

That’s all pretty straight forward. The hardest part of that list of steps (IMO) is managing the automated connection into M365 to disable the license and convert the mailbox, and I only say that because you have to consider the means of authenticating to M365 and storing it securely.

I would search (or AI if that’s your jam) how to interact with AD and M365 via PowerShell to read up on the how-tos and start learning it.

Again, you need to consider the trigger. Do you want to just kick off the script manually and tell it the user account to off board? Or do you want an email to trigger it, etc… but I’d build it first, make sure it works, then figure out how best to kick it off automatically after that.

[-]

cheetah1cj@reddit

Actually u/Zagrey, there's no need to touch Exchange depending on your set up. If you are already moving offboarded users to a different OU, just ensure that that OU is not synced to Azure. Then, when a user is moved to that OU, the user is automatically deprovisioned in Exchange, so that handles blocking sign-ins and removing their licenses.

The only downside is that the user will no longer appear in Exchange, so it is a little different to give other users access to their data, but their old OneDrive is still accessible for 91 days as a SharePoint site and Microsoft has an article that explains exactly how to grant access to it, and their mailbox can also be recovered or converted into a shared mailbox easily. This also means that instead of right clicking the user in Exchange to forward emails, you will simply add their email address as lowercase smtp to another user's proxy address list, so you can forward their emails without needing a license.

[-]

EveningChildhood3236@reddit

If the user is no longer ina syncing OU. They disappear from 365 no? So how would you convert to (and keep as) a shared mailbox after the fact?

[-]

Paladroon@reddit

These are fair points! The process used at my org is to connect to EXO and convert so we keep the AD account in AD so we can manage all mailboxes the same way with the same expectations of usernames and sync times, etc… since we have to manage attributes on-prem still it’s easier to keep them all the same.

We disable the account, reset the PW, etc…. So it’s all secure still.

[-]

Zagrey@reddit (OP)

Thanks. Are you talking to here about the connect to exchange cmdlet ? And yes as of start running it manually would be a start

[-]

Paladroon@reddit

Yeah, connect-exchangeonline for the shared mailbox. I believe the license removal should be done via MSGraph but I’m not as familiar with that these days and still use connect-msolservice when I need it.

[-]

dsons@reddit

Yes it’ll have to be graph for most things, you can have all of this trigger off a hook from your ticket system (if you have one) and grab variables from form fields (easiest way) you can also have the requester fill out a “model after” user to mirror groups after.

Ii recommend using Azure Automations/Runbooks to house the scripts and handle credential access but you’re going to have to be global admin to set up the service account with the right permissions

[-]

03263@reddit

I have automated this stuff and I'll just warn you it turns into a huge thing to maintain all on its own because the interfaces and APIs used in the automation change pretty often. It's a lot of troubleshooting why it isn't working again, not set and forget.

[-]

terminal-admin@reddit

This. I think a lot of people forget that automating a task doesn’t just make it go away, it just changes the focus of your time and definitely frees up time when done correctly.

Personally, I would much rather maintain a bunch of scripts vs manually going through the same tasks every week.

[-]

Frothyleet@reddit

It's not just about time saving, it also removes human error from the equation (or at least it isolates it to whoever is putting data into your HRIS).

[-]

terminal-admin@reddit

Very true. I forgot about that. Just as long as HR or whoever doesn’t spell the employees name wrong and now I have to fix everything 😁 been there.

[-]

itskdog@reddit

The system we use is also our federated login provider. We just have to rename the user in the IdP and it updates the UPN and sets the old one as an alias.

[-]

maxsmoke105@reddit

I automated on boarding at my last job. I had a powershell script that pulled 2 csv files from our Lawson database. The first was all new people. Keyed on office location, department and title. This would create a new account and mailbox. They were added into then added to the correct location based distribution lists, department distribution lists and the correct security groups based on location, department and title.

The second was an export of changed accounts. This branch on the script updated location, department and title in the GAL and added to security groups based on the same format.

I was luck that we had a very structured AD, security groups and distribution lists. That's the key.

[-]

leroywhat@reddit

You can assign licenses based on groups in 365 which will save you a step. ( We have like 30 employees so I haven't bothered to really automate everything).

[-]

M4j0rT0m84@reddit

How would you handle cases like rejoinders? How to handle movers and their permissions?

These things ideally should start with policy and then a technical implementation

[-]

sltyler1@reddit

Check out EasyEntra, they have scripting abilities. Aquera is also not crazy expensive. I’m betting you could use entra enterprise app for 3CX? I haven’t used it recently.

[-]

Agitated-Beat-8627@reddit

At scale each of those manual steps becomes a liability. You can script a lot of this with Entra/PowerShell but longer term some teams move to platforms like Rippling where account creation, app access and device setup are triggered off a single new hire event. Might be worth flagging as a future direction

[-]

SimplifyAndAddCoffee@reddit

it is hybrid environment with Entra Connect

I am so sorry....

you would think something like this would be straightforward, but unfortunately having a hybrid environment is going to complicate it a lot. If you're in a position to architect a solution from the ground up, great, but given that's usually not the case when dealing with hybrid setups with weird legacy requirements... getting provisioning working between disparate platforms can be a nightmare.

Your starting point will probably be powershell on an admin VM with RSAT and a few other admin modules installed.

If your current onboarding process requires creating the mailbox on the on prem exchange first to provision in AD and o365, then you will need to do this on the exchange server itself as a domain admin with the exchange admin console. This was a roadblock for us and ultimately I wasn't able to find a way around it to fully automate the user creation process.

Most of the rest you describe though is trivial enough with powershell and Microsoft Copilot Entra copilot id copilot azure AD copilot integration or whatever they're calling it now... and some group policies for things like default printers.

If the printers you need to configure to scan to email are Ricoh, there is a ricoh printer address book management powershell module out there you can use and integrate into whatever script you end up writing... one of these days I'll get around to posting my own CLI script for it on github or something.

I haven't yet looked into solutions for other models.

Good luck and don't screw the pooch. Make sure your boss is OK with you automating this stuff and signs off on any process changes you make along the way to CYA.

[-]

daryld_the_cat@reddit

powershell

[-]

Odd_War_2239@reddit

We went through this recently. The biggest change for us was not the tools but cleaning up the process first.

We wrote down every step from offer accepted to first week. Who owns what between HR, IT, and the manager. Once that was clear, we connected a few systems together.

Now when someone is marked as hired, it triggers most of the flow. Accounts get created, access is assigned based on role, tasks are created for IT and the manager, and the new hire gets the basic emails and info.

We use an HR system for onboarding and workflows, an identity tool for account setup, and our ticketing system for anything manual like laptops. Role based templates helped a lot so we are not rebuilding each time.

It still needs some manual checks, especially for hardware or odd cases, but it is much smoother now. Start with defining the steps clearly and then automate around that.

[-]

Odd_War_2239@reddit

We went through this recently. The biggest change for us was not the tools but cleaning up the process first.

We wrote down every step from offer accepted to first week. Who owns what between HR, IT, and the manager. Once that was clear, we connected a few systems together.

Now when someone is marked as hired, it triggers most of the flow. Accounts get created, access is assigned based on role, tasks are created for IT and the manager, and the new hire gets the basic emails and info.

We use an HR system for onboarding and workflows, an identity tool for account setup, and our ticketing system for anything manual like laptops. Role based templates helped a lot so we are not rebuilding each time.

It still needs some manual checks, especially for hardware or odd cases, but it is much smoother now. Start with defining the steps clearly and then automate around that.

[-]

Odd_War_2239@reddit

We went through this recently. The biggest change for us was not the tools but cleaning up the process first.

We wrote down every step from offer accepted to first week. Who owns what between HR, IT, and the manager. Once that was clear, we connected a few systems together.

Now when someone is marked as hired, it triggers most of the flow. Accounts get created, access is assigned based on role, tasks are created for IT and the manager, and the new hire gets the basic emails and info.

We use an HR system for onboarding and workflows, an identity tool for account setup, and our ticketing system for anything manual like laptops. Role based templates helped a lot so we are not rebuilding each time.

It still needs some manual checks, especially for hardware or odd cases, but it is much smoother now. Start with defining the steps clearly and then automate around that.

[-]

M365Expert@reddit

Entra ID Governance: Microsoft Entra ID Governance - Microsoft Entra ID Governance | Microsoft Learn

I am deploying this for a customer now, using some MS Graph PowerShell scripting along with an app created in the MS API portal. If you don't want to go that route (it fairly extensive) then you can automate many task though PowerShell scripts. This is a good place to start: https://m365admintools.com/articles/top-10-tasks-admin-should-automate

[-]

Frothyleet@reddit

In my experience, the hardest process of IAM automation is business processes - e.g., getting the HR team to use a form for user requests.

The technical side is usually easy for most of your infra, although you will often have outliers (like crappy LOB apps) that require some manual work.

[-]

420GB@reddit

Everything you've listed is fairly easy but then you still will not have automated onboarding. For that you need to tap into HRs system and automatically perform the onboarding process when a new hire is about to start. Eliminating HR personnel from the onboarding process is the most critical part because that's where all the delays and errors come from.

[-]

RikiWardOG@reddit

90% of this you could probably find scripts online from blog posts to do it with some minor tweaks. If you don't know powershell and Graph API, that's where you need to start.

[-]

anonymousITCoward@reddit

I do most of that with powershell scripts... not super hard but it can be a heck of a rabbit hole if you really want to get into it... not sure about your VOIP system though, I don't automate that, that's going into bash for us and i don't have the time/energy to figure out how to do what we want it to do... so the voip team can deal with it.

[-]

FriedAds@reddit

Take a look at Entra ID Governance. Lifecycle Workflows et al.

Oh an Entra ID API-driven inbound provisioning.

[-]

tedious58@reddit

Get a constant kickoff for the accounts to be created. Everything up to the computer stuff can be automated with powershell. Then the computer stuff can be automated with GP or some kind of device management like SCCM or intune.

[-]

WorkLurkerThrowaway@reddit

How does onboarding start? Do you get an email or ticket from HR? Do they have an HRIS system they use?

[-]

rumham_86@reddit

You could automate all this easily with PowerShell. Automation account in azure would be preferred if you have connected onorem with vNet.

Change to group based licensing to easy up the onboard/offboard. Just add to group that is assigned licenses in M365.

Proxy address will autofill with email value. You just need emailroutingdomain value. Easy to do depends on your email format. First name.lastname@contoso.com? FirstInitialLastname, Lastname only, etc.

Setup an azure ad app registration and create a self signed cert and upload it there.

Add application permissions in API. Connect upload cert to azure then connect to exchange online PowerShell, sharepoint online PowerShell , graph etc. with cert and this is easy to maintain.

Even make yourself a script if you have no system to automate trigger. Just write a Read-Host and enter a variable for the user (samaccountname, upn etc)

[-]

Zagrey@reddit (OP)

Thanks for the input. That tell me I need a lot to learn and I have to start step by step until all of this makes better sense.

[-]

OneSeaworthiness7768@reddit

You’re a fresh sysadmin, but started your own MSP without knowing how to handle something like this? Hooo boy.

[-]

Zagrey@reddit (OP)

I plan to start it using engineers with 15 years experience. I can talk and sell, never did I say in that post I’ll run a solo company ;)

[-]

GuestHistorical6880@reddit

We use a power automate flow for this with a simple power app front end for the service desk to input the user's info. This relies on access to most things being tied to entra groups and api access to the apps not tied to entra groups, but works pretty damn well.

When users enter information into the app, it gets added to a Dataverse DB. One flow triggers when new rows are added to the db and does initial account creation, group memberships, etc. another flow runs nightly to activate users on their start date and send them a TAP to their personal email that will allow passkey setup in ms authenticator so they can be ready to go when they are handed their laptop.

Just a start, but i think its a pretty easy system if you dont have the workday connector for entra set up yet.

[-]

jstar77@reddit

Start with the source of truth. Where does the employee data come from, is there an HR system that can be queried? Here is our basic strategy from a high level:

Our ERP is the source of truth for employee identity.
Employee data including roles (job titles) and start/end date reside in the ERP
All of the roles from the ERP have an AD group named the same
We query the ERP for changes and use ERP data to update identity and make changes to accounts
Create a user if the user does not exist
Update an AD account if users data changes
Disable a user if they meet the criteria for being disabled.

From a slightly lower level:

The process that interacts with the ERP runs every 15 mins it only updates existing accounts or creates a new account.
Data from the ERP updates many AD attributes but for the sake of simplicity for this discussion we populate and update all of the standard AD attributes along with some custom attributes that include Job Title(s), department, start date, & end date.
From there all other process rely on AD queries
If end date >= today run disable process
We have a group synchronization process that synchronizes all AD role groups based on a user query i.e. Place all users with the role "WidgetTesters" in "grpWidgetTesters" and remove any members who do not have the role "WidgetTesters" -- (this is sort of like M365 dynamic groups but dynamic groups have far more limitations)
Role groups determine all other access we do not permission any resources with individual accounts. By doing it that way when a user is assigned a role in the ERP by HR then they have access to the resources they need. When HR removes the role access to the resource is taken away.
We also have a process that queries the ERP to create the AD role groups when HR adds a new position or role. This is a semi manual process, the group gets created automatically but we usually need to go back to HR and discuss what resources the role should can access.

This is still a pretty high level explanation the devil to automation is in the details. Having a source of truth that can present structured data is a must. Also... avoid nested groups Entra has limited support for nested groups.

[-]

fps_trucka@reddit

You can tie a security group to a specific o365 license on entrance. So if you put them in that group you no longer need to technically go into the portal to license them.

[-]

Zagrey@reddit (OP)

Sounds useful thanks

[-]

ITsupportfellow@reddit

I'd recommend creating something like standard user groups like "UG_STD" then you can bind the license, and some other policies through intune to automatically setup the printers and access.

For the laptop setup you could look into setting up a device preparation policy so it automatically runs updates together with autopilot whenever you enroll devices. You might be able to automatically sync sharepoint beforehand (Although i'm not sure if it;s possible).

You could also look into an exclaimer for external emails so users are warned for potential phishing attempts or setup SSPR (if you haven't yet).

We use CIPP for tenant management and it has this function where you can offboard an user in 4 clicks, I doubt you'll migrate your tenant(s) over, but it's built on powershell so you might be able to replicate it.

[-]

nakkipappa@reddit

Automate things in stages, getting a few steps automated already helps.

Multiple ways to do this, but alot depend on the HR system. If you get the info in some csv, you can pull the info with powershell and create the user with that info. This is what you should start with, and add the user to a license group so e-mail, teams and stuff turns on and the user receives e-mails.
For the next part you should do rolebased parts in the script for permissions (discuss with client what say customer support needs to access). Start with the roles that have the highest turnover, or one of the highest ones
Device, if you install them by hand, go with some pxe software (like SCCM or MDT & WDS) or autopilot if possible.
Printers,wifi, and settings via config profiles or GPO (depends what kind of setup you have there)
Finetune whatever is left, and when V1 is done, try to use powershell to automatically fetch the data via API if it supports it.

[-]

seanpmassey@reddit

So I’ve done this kind of automation at previous jobs.

There are two things I would recommend starting with. The first thing I would recommend is to standardize your group naming for things like printers, sharepoint sites, email distribution, and any application access. And map these groups to any specific job functions/roles (ie - accounting role gets access to the accounting sharepoint sites, added to an accounting team distribution list, and gets the accounting printer delivered via group policy). By tying access to AD groups, you’re making it easy to provision and deprovision access to resources, and you can easily clean things up when an employee leaves by removing their group memberships.

Second, map out and document your process. You can’t automate something that isn’t documented. This will also allow someone else to maintain it if you have to hand it off for any reason.

PowerShell will be your friend. You can automate almost everything in Windows, Active Directory, and AzureAD/Office365. If 3CX has a REST API, you can also use PowerShell to perform your phone system actions through that.

You also mentioned automating offboarding. I’ve done that too. Documenting that process and expectations is the most important thing as there may be data retention requirements when you clean up users. But outside of exporting/backing up a user’s inbox or OneDrive files, it’s basically the onboarding process except you’re doing things in reverse. I would also recommend disabling the user before you delete them to ensure that you have backed up any data that you need.

[-]

Velo_Dinosir@reddit

Whenever I am trying to automate something the first step I take, is try to complete the action manually using as many commands as possible/ script blocks as possible.

For you this would look like 1. Create AD User with Powershell 2. Add security groups with Powershell and add proxy address 3. Trigger an AADSync 4. Assign license in M365 with Powershell or Graph API 5. Ect ect

You get the drift. Every single action probably has some way to do it in powershell or with an API. If you figure out how to do these you can then string them together in a single script to do these things.

You can get even smarter and tie this to a form in Microsoft Forms to have the hiring manager put this info into something that can be ingested by a powerapp or something to trigger it automatically.

Automatically starts with figuring out how to do these basics

[-]

caffeine-junkie@reddit

Another important part of automating this that I didn't see mentioned, is you don't need to do it all at once. You can automate parts of it as you go along. This helps it not be so daunting of a task.

Pretty much start with a small easy to do part and automate that. Then as you go add parts to it to automate other things. Before you know it, you'll be pretty much done.

[-]

Competitive_Run_3920@reddit

For #5 adding users to printer address books - change from locally stored address books on the machines to connecting the printers to your LDAP directory so the address books is searching AD. This way your address book never has to be updated as long as AD is current.

[-]

iHopeRedditKnows@reddit

You'll get a lot better support from this sub if you provide what you already have in terms of automation or scripting then you will asking for someone else to tell you how.

They'll teach you to fish, but they won't fish for you.

[-]

Zagrey@reddit (OP)

I think I’m asking what fishing is. In terms of automation here all we god is GPO for the mdm a few outdated apps and a few settings about updates that the MDM controls

[-]

dr4kun@reddit

PowerShell is your bread and butter in a Microsoft environment.

[-]

limlwl@reddit

Just keep doing what you doing. People will forget you after awhile. This includes achievements after 12 months.

[-]

Klutzy_Scheme_9871@reddit

And they will ask for your scripts and to mentor a junior so they can fire you.

[-]

Zagrey@reddit (OP)

Lol, you’re disgustingly correct, though I’m trying to sharpen my skills here and prepare for that exact moment.

[-]