Onboard/Offboard a user in M365 Cloud
This action automates the complex process of setting up new users in Microsoft 365 or removing departing users. It handles everything from creating accounts and assigning licenses to managing mailboxes and updating your PSA records.
Automating user lifecycle management saves significant time, reduces errors, and ensures security protocols are consistently followed. No more manually creating accounts, forgetting to block departing users, or missing steps in your onboarding/offboarding checklist. Everything happens automatically and consistently.
This action is available only as a Triggered action in a workflow. Let us know if you'd like to use it as a Scheduled one.
What It Does
Smart Process Planning: Analyzes your ticket and creates a customized plan for onboarding or offboarding the user
Human Approval: Can ask for approval via Teams before making any changes (highly recommended)
Microsoft 365 Management:
- Creates new user accounts with proper details
- Assigns or removes licenses automatically
- Manages group memberships
- Handles password creation and sharing
Mailbox Operations:
- Converts user mailboxes to shared mailboxes
- Sets up email forwarding for departing users
- Manages mailbox permissions and delegation
Security Management:
- Blocks sign-in access for departing users
- Revokes active sessions
- Initiates device wipes when needed
PSA Integration:
- Creates or deactivates contacts in your PSA
- Updates ticket information
- Tracks all changes made
How It Works
Onboarding Process
When setting up a new user:
- Analyzes the Request: Reviews the ticket to understand what needs to be done
- Plans the Setup: Creates a step-by-step plan based on your configuration
- Gets Approval: Sends approval request to designated approvers (if enabled)
- Creates the Account: Sets up the user in Microsoft 365 with appropriate details
- Assigns Licenses: Adds the necessary Microsoft 365 licenses
- Manages Groups: Adds user to relevant security and distribution groups
- Updates Records: Creates corresponding contact in your PSA system
- Shares Credentials: Provides password using your chosen method
Offboarding Process
When removing a departing user:
- Analyzes the Request: Reviews the offboarding ticket details
- Plans the Removal: Creates a comprehensive offboarding checklist
- Gets Approval: Requests approval from designated approvers
- Secures the Account: Blocks sign-in and revokes active sessions
- Manages Mailbox: Converts to shared mailbox and sets up forwarding
- Handles Devices: Initiates account wipe on mobile devices
- Removes Access: Unassigns licenses and removes from groups
- Updates Records: Deactivates PSA contact and updates ticket
Configuration Options
Process Type
Choose what you want to accomplish:
- Onboard a User: Set up a new employee with M365 access
- Offboard a User: Remove departing employee and secure their data
Approval Settings
Require Approval: Have designated people review and approve requests before execution Choose Approvers: Select who gets approval requests in Teams
License Management
License System: Choose how to handle Microsoft licenses:
- Direct Microsoft: Manage licenses directly through Microsoft
- Pax8: Use your Pax8 account for license management
- Microsoft Partner Center: Use Partner Center for licensing
Password Handling (Onboarding)
Password Sharing: Choose how new passwords are shared:
- Secure Link: Create a one-time password link via Password Pusher
- Direct Message: Include password directly in messages
- No Sharing: Don't share passwords automatically
Onboarding Steps
Control which steps happen during user setup:
- Create M365 Account: Set up the user in Microsoft 365
- Assign Licenses: Add necessary Microsoft licenses
- Group Membership: Add to security and distribution groups
- PSA Contact: Create contact record in your PSA
- Ticket Updates: Update the original ticket with user details
Offboarding Steps
Control which steps happen during user removal:
- Block Access: Prevent user from signing in
- Mailbox Management: Convert to shared and set up forwarding
- Device Security: Wipe company data from mobile devices
- License Removal: Unassign Microsoft licenses
- PSA Updates: Deactivate contact and update records
Custom Instructions
Additional Guidance: Provide specific instructions for unique scenarios or company-specific requirements
What You'll Get
After the action runs, you'll see:
- Event History: Complete log of all steps taken
- Internal Summary: Detailed report for your team about what was accomplished
- Customer Messages: Appropriate communications for the end user (new account details, etc.)
- Ticket Updates: Any changes that should be applied to the original ticket
- Success Status: Whether the onboarding/offboarding was completed successfully
Common Use Cases
New Employee Onboarding
When: HR submits ticket for new hire Setup:
- Enable account creation, license assignment, and group membership
- Require approval from IT manager
- Share password via secure link
- Create PSA contact for billing
Result: New employee has complete M365 setup ready for first day
Employee Departure
When: Employee gives notice or is terminated Setup:
- Enable access blocking, mailbox conversion, and license removal
- Require approval from HR and IT
- Set up email forwarding to manager
- Deactivate PSA contact
Result: Secure offboarding with data preservation and access removal
Contractor Setup
When: Temporary contractor needs limited access Setup:
- Create account with basic license
- Add to contractor-specific groups only
- Don't create PSA contact
- Share password directly with hiring manager
Result: Controlled access for temporary workers
Department Transfer
When: Employee moves between departments Setup:
- Update group memberships
- Adjust license assignments if needed
- Update PSA contact details
- No password changes needed
Result: Smooth transition between departments
Best Practices
Always Use Approval: Enable approval workflows for all user lifecycle changes. This provides essential oversight and prevents accidental changes.
Plan Your Steps Carefully: Configure onboarding and offboarding steps to match your organization's procedures. Start with basic steps and add more as you gain confidence.
Test in Safe Environment: Try the action with test user accounts before using it for real employees.
Write Clear Instructions: Use custom instructions to handle unique scenarios or company-specific requirements that aren't covered by standard steps.
Coordinate with HR: Ensure your HR team understands the process and provides clear, complete information in tickets.
Monitor License Usage: If using Pax8 or Partner Center, ensure your license management integration is properly configured.
Secure Password Sharing: Use secure password sharing methods, especially for sensitive positions or when sending passwords via email.
Document Special Cases: Use custom instructions to handle VIP users, executives, or other special scenarios that need different treatment.
Review Results: Check the Event History after each run to ensure all steps completed successfully and identify any issues.
Plan for Failures: Have procedures in place for when automated processes fail and manual intervention is needed.
Security Considerations
Immediate Access Blocking: For offboarding, enable access blocking as the first step to prevent unauthorized access.
Device Management: Use device wipe features for departing employees who had company data on personal devices.
Email Forwarding: Set up email forwarding carefully to ensure business continuity while maintaining security.
License Cleanup: Remove licenses promptly to avoid unnecessary costs and security risks.
Approval Chains: Use appropriate approval workflows to prevent unauthorized account creation or deletion.
The action provides comprehensive user lifecycle management while maintaining security and compliance with your organization's policies.