
New Employee Up and Running in 2 Hours Instead of 2 Days

20 January 2026 · 6 min read

Day 1: No Laptop, No Account, No Tools

When a new employee starts and doesn't have a working setup on day one, it's not a minor inconvenience. It's a signal: "We weren't prepared for you." Motivation drops before it ever had a chance to build. Meanwhile, IT scrambles — even though the start date has been known for weeks.

That was exactly the picture I found in late 2024 at a service company with 60 employees. The company was growing fast — five new hires per quarter, trending upward. And every time, the sole IT person spent 1–2 days in front of a laptop.

The manual process in detail: Reinstall Windows. Load Microsoft 365 apps. Create email account. Set permissions — which SharePoint sites? Which Teams channels? Which third-party apps? Configure printers. Set up VPN. Activate security policies. All by hand, from scratch, every single time.

The failure points were systemic: forgotten permissions, missing apps, wrong group assignments. New employees filed tickets in their first week — not because something was broken, but because something was missed during setup. The IT person spent more time on rework than on the actual setup.

And the worst part: the process wasn't documented. Everything lived in one person's head. When that person was on holiday, nothing happened.

The Solution: Zero-Touch Onboarding with Intune and Autopilot

The goal was ambitious: a new device is unboxed, handed to the employee — and configures itself automatically on first login. No manual setup, no IT ticket, no waiting.

Windows Autopilot: The Device Configures Itself

The core of the solution is Windows Autopilot combined with Microsoft Intune. When a new device is purchased, the hardware hash is registered directly through the supplier — the device knows its Intune tenant before it's even delivered.

On first power-on, the new employee signs in with their Microsoft 365 account. From that moment, Autopilot takes over: Windows is configured, compliance policies kick in, apps are installed, security policies are activated. The employee sees a progress bar — after about 30–45 minutes, the device is ready to use.

What gets installed depends on the department. And that's where the group logic comes in.

Entra ID Groups: Department Determines Equipment

Every new employee is assigned to an Entra ID group (formerly Azure AD) — based on department and role. This group assignment automatically controls:

  • Apps — Sales gets the CRM, marketing gets the design tools, accounting gets DATEV. Every group has a defined app set.
  • SharePoint permissions — The new employee immediately has access to the right documents, project spaces, and wikis for their department. No IT ticket needed.
  • Teams channels — Automatic membership in relevant teams and channels. On day one, the employee is already in all the important conversations.
  • Printers — The location-specific printer is assigned automatically. Sounds trivial, but this was a recurring IT ticket before.
  • Security policies — Conditional Access policies, MFA requirements, device compliance — everything kicks in automatically based on group membership.

Power Automate: The HR Trigger

The process doesn't start in IT — it starts in HR. When HR creates a new employee entry in a SharePoint list — name, department, start date, manager — a Power Automate flow triggers the entire chain:

1. Assign Microsoft 365 licence — automatically, based on role.

2. Entra ID group assignment — The employee is added to the right group, which triggers all app and permission provisioning.

3. Welcome email — The new employee receives a personalised email with login credentials, first steps, and links to key resources.

4. Notify manager — The direct manager gets a Teams message with details and a link to the onboarding checklist.

5. Create onboarding checklist — A Planner task is automatically created — with all steps the manager and new employee should complete in the first two weeks. Not just IT setup, but professional onboarding too.
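Because the HR list entry alone decides which Entra ID groups, and with them which apps, SharePoint sites and policies, an account receives, the department value is worth checking against a fixed mapping before the flow acts on it, and the resulting memberships are worth auditing afterwards. The sketch below is an added example, not part of the flow described in this article; the field names, group names and mapping are assumptions constructed for illustration.

```python
from datetime import date

# Assumed department -> Entra ID group mapping (constructed; names are hypothetical).
DEPARTMENT_GROUPS = {
    "sales": {"grp-all-staff", "grp-sales-crm"},
    "marketing": {"grp-all-staff", "grp-marketing-design"},
    "accounting": {"grp-all-staff", "grp-accounting-datev"},
}
REQUIRED_FIELDS = ("name", "department", "start_date", "manager")


def plan_groups(hr_entry):
    """Return the groups an HR list entry entitles; raise on anything unexpected."""
    missing = [f for f in REQUIRED_FIELDS if not str(hr_entry.get(f) or "").strip()]
    if missing:
        raise ValueError(f"incomplete HR entry, missing: {missing}")
    # Raises ValueError on a malformed start date.
    date.fromisoformat(str(hr_entry["start_date"]))
    dept = hr_entry["department"].strip().lower()
    if dept not in DEPARTMENT_GROUPS:
        # Fail closed: a free-text list value must never pick a group by itself.
        raise ValueError(f"unknown department: {hr_entry['department']!r}")
    return frozenset(DEPARTMENT_GROUPS[dept])


def audit_membership(hr_entry, actual_groups):
    """Compare real memberships with the plan: missing access and excess access."""
    expected = plan_groups(hr_entry)
    actual = set(actual_groups)
    return {"missing": sorted(expected - actual), "excess": sorted(actual - expected)}


# Constructed sample data: one HR list row and the memberships found afterwards.
SAMPLE_ENTRY = {"name": "Alex Example", "department": "Sales",
                "start_date": "2026-02-02", "manager": "Kim Example"}
SAMPLE_ACTUAL = {"grp-all-staff", "grp-accounting-datev"}

if __name__ == "__main__":
    print(audit_membership(SAMPLE_ENTRY, SAMPLE_ACTUAL))
    try:
        plan_groups({**SAMPLE_ENTRY, "department": "Global Admins"})
    except ValueError as exc:
        print("rejected:", exc)
```

The "excess" list is the security-relevant half of the audit: it surfaces access that the role never called for, which no new-hire ticket would ever report.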

Compliance and Security from Minute One

An often underestimated benefit: security policies apply from the first login. The device is encrypted (BitLocker), updates are enforced, antivirus is active, Conditional Access checks device health on every access to company data. There's no "open window" where an unconfigured device accesses sensitive data.

For companies with compliance requirements — TISAX, ISO 27001, BSI Grundschutz — this is critical: every device is compliant from the very first moment.

The End-to-End Process

  1. HR entry — HR creates new employee record in SharePoint
  2. Automatic provisioning — Power Automate assigns licence, group, and permissions
  3. Device registration — Hardware hash from supplier, Autopilot profile assigned
  4. First login — Employee signs in, Autopilot configures device automatically
  5. Apps & policies — Intune installs all apps and activates security policies
  6. Notifications — Welcome email, manager notification, onboarding checklist
  7. Day 1 — Employee is fully operational

Results

IT effort per onboarding: 2 days → under 2 hours. The IT person only needs to register and ship the device. Everything else happens automatically.

Error rate: reduced to zero. Forgotten permissions, missing apps, wrong configurations — that doesn't happen anymore. The group logic ensures every employee gets exactly the setup their role requires.

First-week experience fundamentally improved. New employees are fully productive from day one. No waiting for IT tickets, no "That doesn't work yet." Motivation stays high, the impression is professional.

Scalability. The system works for five new hires per quarter just as well as fifty. Effort doesn't scale linearly with headcount growth.

Documented and person-independent. The process is fully automated and documented. When the IT person is on holiday, everything keeps running.

Security from the first moment. Compliance policies apply from first login — no unconfigured device ever has access to company data. For organisations with heightened security requirements, we've also built an ISMS app on the Power Platform covering VDA ISA and BSI Grundschutz.

IT onboarding is just one piece of the employee lifecycle. We use the same M365 infrastructure for the digital applicant tracking process and automated vacation management — all on existing licences.

Technology Stack

  • Microsoft Intune — Mobile device management, app deployment, compliance policies, configuration profiles
  • Windows Autopilot — Zero-touch device configuration on first power-on
  • Microsoft Entra ID — Group-based access management, Conditional Access, automatic licensing
  • Microsoft Power Automate — HR trigger, account provisioning, notifications, onboarding checklist
  • Microsoft Planner — Structured onboarding programme for the first two weeks
  • SharePoint Online — HR data source, documentation, onboarding resources
