
Automating User Onboarding

Using scripts to streamline new user account creation and provisioning.

Why Automate?

Automating user onboarding eliminates manual errors and ensures every new hire gets a consistent experience from day one. A well-built onboarding script handles everything from account creation to licence assignment in a single run.

What to Automate

  • Active Directory account creation with correct OU placement
  • Security group and distribution list membership
  • Exchange Online mailbox provisioning
  • Microsoft 365 licence assignment
  • Home drive and shared folder permissions
  • Welcome email or Teams notification to the new hire and their manager

Best Practices

Store onboarding scripts in a version-controlled repository and run them via a service account with the minimum required permissions. Add error handling, logging, and a dry-run mode so you can validate changes before they take effect in production.

  • Use a CSV file as input — one row per new hire with all required fields
  • Implement a -WhatIf / dry-run flag to preview changes
  • Log every action to a timestamped file for auditing
  • Send a summary email to IT when the script completes
  • Store scripts in Git and require code review before changes

Tip

Add a validation step at the start of the script that checks the CSV for missing fields, duplicate usernames, and invalid characters before creating any accounts. Fail fast and loud.
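The validation step described above, written out as an added example (not the KB's own script). It assumes the CSV columns used by the onboarding script on this page (FirstName, LastName, Username, Department), the ActiveDirectory module, and the made-up function name Test-OnboardingCsv:

```powershell
# Added example (not the KB's own script). Assumes the CSV layout used by the
# onboarding script on this page: FirstName, LastName, Username, Department, TempPassword.
function Test-OnboardingCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$RequiredColumns = @('FirstName', 'LastName', 'Username', 'Department')
    )
    $rows   = @(Import-Csv -Path $Path)
    $errors = [System.Collections.Generic.List[string]]::new()
    # 1. Header check first: if a required column is missing, no row can be trusted.
    $header  = if ($rows.Count) { $rows[0].PSObject.Properties.Name } else { @() }
    $missing = $RequiredColumns | Where-Object { $header -notcontains $_ }
    if ($missing) { throw "CSV is missing required column(s): $($missing -join ', ')" }

    # 2. Row checks: blank required fields and sAMAccountName rules
    #    (none of " / \ [ ] : ; | = , + * ? < > and at most 20 characters).
    $badChars = '["/\\\[\]:;|=,+*?<>]'
    $line = 1
    foreach ($row in $rows) {
        $line++
        foreach ($col in $RequiredColumns) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $errors.Add("Line ${line}: '$col' is blank") }
        }
        if ($row.Username -match $badChars -or $row.Username.Length -gt 20) {
            $errors.Add("Line ${line}: invalid username '$($row.Username)'")
        }
    }

    # 3. Duplicates inside the file (Group-Object is case-insensitive, as AD is).
    $rows | Group-Object -Property Username | Where-Object Count -gt 1 |
        ForEach-Object { $errors.Add("Duplicate username in CSV: $($_.Name)") }
    # 4. Usernames already taken in AD. The AD module resolves a plain variable
    #    inside a scriptblock filter, but not a property expression like $row.Username.
    foreach ($row in $rows) {
        $name = $row.Username
        if (Get-ADUser -Filter { sAMAccountName -eq $name }) {
            $errors.Add("Username '$name' already exists in AD")
        }
    }

    # Fail fast and loud: one throw before any New-ADUser call can run.
    if ($errors.Count -gt 0) {
        $errors | ForEach-Object { Write-Error $_ }
        throw "CSV validation failed with $($errors.Count) error(s); no accounts created."
    }
    return $rows
}

$users = Test-OnboardingCsv -Path 'C:\Onboarding\NewStarters.csv'
```

Because the function returns the validated rows, the account-creation loop can consume $users directly and never sees a file that failed a check.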

Creating AD Accounts

Create AD users from a CSV file
Import-Module ActiveDirectory
$users = Import-Csv "C:\Onboarding\NewStarters.csv"

foreach ($user in $users) {
    # Temporary password comes from the CSV here; see the Warning below on handling it
    $password = ConvertTo-SecureString $user.TempPassword -AsPlainText -Force

    # Add -WhatIf to New-ADUser and Add-ADGroupMember for a dry run
    New-ADUser `
        -Name "$($user.FirstName) $($user.LastName)" `
        -GivenName $user.FirstName `
        -Surname $user.LastName `
        -SamAccountName $user.Username `
        -UserPrincipalName "$($user.Username)@contoso.com" `
        -Path "OU=NewStarters,DC=contoso,DC=com" `
        -AccountPassword $password `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Add to department group (the CSV Department value must match an existing group name)
    Add-ADGroupMember -Identity $user.Department -Members $user.Username

    Write-Host "Created: $($user.Username)" -ForegroundColor Green
}

Assigning Licences

Assign Microsoft 365 licences via Graph
# Directory.ReadWrite.All also covers reading subscribed SKUs
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

$users = Import-Csv "C:\Onboarding\NewStarters.csv"

# Look up the SKU id for the licence to assign (ENTERPRISEPACK = Office 365 E3)
$skuId = (
    Get-MgSubscribedSku |
    Where-Object { $_.SkuPartNumber -eq "ENTERPRISEPACK" }
).SkuId

foreach ($user in $users) {
    # Licence assignment fails if the user has no UsageLocation set
    Set-MgUserLicense `
        -UserId "$($user.Username)@contoso.com" `
        -AddLicenses @(@{ SkuId = $skuId }) `
        -RemoveLicenses @()

    Write-Host "Licensed: $($user.Username)" -ForegroundColor Cyan
}

Warning

Never hardcode passwords in your scripts or CSV files stored in shared locations. Use a secure password generator and consider having the script set a random temporary password that is sent directly to the new hire's manager via an encrypted channel.
