Research from BambooHR found that employees who go through a structured onboarding programme are 69% more likely to stay with the company after three years. And yet, the IT side of onboarding — the part that determines whether a new hire can actually do their job on day one — is regularly treated as an afterthought. The result is familiar to anyone who has managed a growing team: new staff spending their first morning waiting for a laptop password, chasing someone to activate their email, or discovering that access to the project management system still hasn't been provisioned by the end of week two.
This guide gives you a complete, practical IT onboarding checklist your team can follow every time someone new joins — regardless of whether you have in-house IT staff or rely on a managed IT provider.
Why Poor IT Onboarding Costs More Than You Think
The direct cost of a new employee's first day going wrong is easy to underestimate. A new hire on a $75,000 salary costs roughly $375 in wages alone for one unproductive day. Multiply that across several new hires a year and the waste is real — and that figure doesn't include the frustration, the poor first impression, or the time existing staff spend fielding IT questions that should have been handled before the person walked in the door.
There are also serious security implications. Ad hoc IT onboarding tends to produce the same set of problems: accounts created with broader access than the role requires, old staff accounts left active for weeks after someone leaves, and new employees logging into personal devices before their corporate one arrives. Each of these creates risk that is genuinely difficult to remediate later.
A repeatable IT onboarding checklist addresses all of this systematically, turning a chaotic first day into a predictable process.
The Complete IT Onboarding Checklist
Break the checklist into three phases: before the employee starts, on their first day, and during their first week. Distributing tasks across these phases prevents the failure mode of dumping everything on day one — which invariably means some things get skipped.
| Phase | Task | Owner |
|---|---|---|
| Before start date | Order, configure, and test laptop or desktop | IT / MSP |
| Before start date | Create Microsoft 365 or Google Workspace account | IT / MSP |
| Before start date | Set up email address and add to relevant distribution groups | IT / MSP |
| Before start date | Assign required software licences (M365, CRM, accounting tools) | IT / MSP |
| Before start date | Configure multi-factor authentication on all accounts | IT / MSP |
| Before start date | Provision access to shared drives, SharePoint, or file server folders | IT / Manager |
| Before start date | Create entry in password manager and share relevant credentials | IT / MSP |
| Day one | Hand over device with documented login credentials | IT / MSP |
| Day one | Walk through IT policies: acceptable use, device rules, password requirements | IT / Manager |
| Day one | Confirm VPN access and remote connectivity (if applicable) | IT / MSP |
| Day one | Demonstrate how to log a support request with IT | IT / MSP |
| First week | Complete mandatory security awareness training module | Employee / IT |
| First week | Confirm all application access is working correctly | Employee / IT |
| First week | Enrol device in endpoint management (Intune or equivalent) | IT / MSP |
Account Access and Security — The Non-Negotiables
Account provisioning is where IT onboarding most often creates security exposure. These items must be done correctly, not just quickly.
Apply role-based access controls
New employees should receive only the access they need for their specific role — nothing more. This is the principle of least privilege, and it matters because over-privileged accounts are a primary attack surface in phishing incidents and insider threat scenarios. If a marketing coordinator joins, they do not need admin rights on the file server or access to payroll systems. Access should be granted based on role, not convenience.
Enforce MFA before the first login
Multi-factor authentication must be mandatory from the moment an account is created — not added later as an optional extra. The method matters too. Microsoft Authenticator or a hardware security key is significantly more secure than SMS codes, which are vulnerable to SIM-swapping. If your Microsoft 365 tenant doesn't enforce MFA by default, this is the highest-priority security fix you can make.
Enrol every new account in your password manager
Every credential created during onboarding should be stored in your business password manager immediately. This keeps credentials secure, ensures they're accessible to authorised colleagues if the employee is unavailable, and eliminates the habit of writing passwords on sticky notes or storing them in personal apps where IT has no visibility.
Document your offboarding process alongside this checklist: When an employee leaves, their accounts must be disabled the same day — ideally within the hour of their departure. Delayed account deactivation is one of the most common and preventable causes of data breaches in Australian SMBs. If you don't have a documented offboarding checklist to mirror this one, build it at the same time.
Device Setup — What a Properly Configured Machine Looks Like
For most Sydney SMBs, device setup falls into one of two approaches: purchasing and configuring a new device, or issuing a previously used device that has been fully wiped and rebuilt. Both are valid, but the configuration standard should be identical either way.
A properly prepared onboarding device should have:
- A clean operating system with all current Windows or macOS updates applied
- Endpoint detection and response (EDR) software installed and reporting to your management platform
- Disk encryption enabled — BitLocker on Windows, FileVault on Mac
- Your standard software stack pre-installed: Microsoft 365, browser, VPN client, password manager
- The device enrolled in Microsoft Intune or equivalent mobile device management (MDM)
- A confirmed wipe certificate or clean build log if the device was previously used
Handing over a device that still needs significant configuration on day one means your IT setup lacks a standardised build process. If this is happening regularly, it's worth asking your IT provider how they handle device imaging and provisioning — a competent MSP should be able to hand over a ready-to-use machine with 24–48 hours' notice.
ITEC HELP manages IT onboarding and offboarding as part of our managed IT service — device provisioning, account setup, security configuration, and licence management, handled before your new hire arrives. No chasing, no gaps.
Explore Our Help Desk Support →Building a Repeatable Process
The difference between businesses that onboard new employees smoothly and those that don't is almost always documentation, not budget. A repeatable IT onboarding process has three structural components:
- A standard intake form — completed by the hiring manager at least five business days before the start date. It captures the employee's name, role, department, start date, required software, and any special access needs. Without this lead time, IT is always reactive and corners get cut.
- A tracked checklist — the list above, adapted to your specific environment. Every item has an assigned owner and a completion status. This becomes the audit trail that shows what was done, when, and by whom — useful both for quality control and for any future security review.
- A 30-day follow-up check-in — a brief review at the end of the employee's first month to confirm all access is working, identify anything missed, and verify the employee has completed mandatory security training. This step catches the gaps that aren't obvious until someone has actually tried to use the systems.
For businesses hiring infrequently — say, two to four new staff per year — a shared document is sufficient. For businesses hiring more regularly, a ticket template in your help desk system that auto-assigns tasks to the right people will save significant administrative overhead over time.
Remote and Hybrid Workers — Additional Steps
Remote onboarding adds complexity that many Sydney businesses haven't fully accounted for. If a new employee is working from home, even temporarily, the standard checklist needs several additions:
- VPN access configured and tested before their first day, not during it
- Home network security guidance — confirming they're not on an open Wi-Fi network and their router is using a non-default password
- Video conferencing verified — Microsoft Teams or equivalent installed and tested with audio and camera confirmed working
- Clear escalation path — who they contact when something isn't working and what the expected response time is
- Physical security reminders — locking screens when stepping away from a device, not leaving equipment unattended in public spaces
Remote workers are statistically more likely to be targeted by phishing attacks during their first 90 days, when they're still learning which internal requests are legitimate and which are suspicious. Brief, practical security guidance included in the IT onboarding pack is a low-cost protection with measurable impact.
The Bottom Line
IT onboarding is not glamorous work, but it directly affects how quickly a new employee becomes productive, how secure your environment stays, and whether your business makes a competent first impression. A well-documented checklist shared between the hiring manager and your IT provider eliminates the most common points of failure — and takes less than two hours to build properly the first time.
If your current process is “email IT when the person starts and hope for the best,” this is one of the highest-value, lowest-cost process improvements available to you right now.