How to Automate User Onboarding in Microsoft Entra ID

March 31, 2026 · 6 min read

Picture this. It's Monday morning. You've got three new hires starting today, and you're staring at a spreadsheet trying to remember which security groups the marketing team needs, what licenses to assign, and whether anyone ever documented the process for setting up a shared mailbox.

Sound familiar? You're not alone.

Most IT teams at growing companies handle onboarding the same way they always have: manually. One user at a time, clicking through the Entra ID portal, copy-pasting settings from an existing user who might (or might not) still have the right permissions. It works until it doesn't. And by the time it breaks, you've already got people sitting at their desks with no access to the tools they need.

Why manual onboarding stops working

When your company has 20 people, manual onboarding is fine. A bit tedious, sure, but manageable. At 100 people? You're spending hours every week creating accounts and troubleshooting access issues. At 200+, it's a full-time job that nobody actually signed up for.

Here's what usually goes wrong:

Inconsistent permissions. When you're setting up accounts by hand, things drift. The developer who joined in March gets slightly different access than the one who joined in September, because someone updated the wiki (or didn't) and the person doing the setup made their best guess.

Forgotten steps. Without an automated checklist, stuff falls through the cracks. The new hire can log in but can't access SharePoint. Or they get their email but not their Teams channels. You don't find out until they ping you, usually right before a meeting they're already late for.

No audit trail. If an auditor asks "who approved this user's access to your production environment?" and your answer is "probably Lars, he usually does the onboarding," that's going to be a problem.

What automated onboarding actually looks like

Let's get specific. Automated onboarding in Entra ID means that when HR marks someone as "starting" in your HR system (or you trigger it manually), a chain of things happens without anyone clicking buttons in a portal:

  1. A user account gets created with the correct attributes (department, job title, manager, location).
  2. The user gets added to the right security groups based on their role.
  3. Licenses are assigned automatically (Microsoft 365, any third-party apps you manage through Entra).
  4. They get a welcome email with login instructions.
  5. Everything gets logged so you can prove what happened and when.

That's it. No spreadsheet. No guessing. No "I think I set it up the same way as last time."

The native approach: what Microsoft gives you

Microsoft has built some decent automation tools into Entra ID. Dynamic groups are probably the most useful starting point. You can create rules like "everyone in the Sales department automatically gets added to the Sales security group." When HR updates the department attribute, the group membership follows.

You can also use Lifecycle Workflows, which let you build multi-step processes triggered by events like a new hire's start date. These can assign licenses, send emails, add group memberships, and generate temporary access passes.

For companies that use an HR system like SAP SuccessFactors or Workday, Entra ID has built-in connectors that can sync employee data and trigger provisioning automatically.

Sounds great in theory. In practice, there are some real limitations.

Where the native tools fall short

Dynamic groups only work with attributes that are already in Entra ID. If your HR system doesn't sync job codes or department names correctly, your groups won't work right either. Garbage in, garbage out.

Lifecycle Workflows are still relatively new, and they cover the basics but can feel rigid if your onboarding process has any complexity. Need to assign different resources based on which office the new hire is in AND what team they're joining? That gets complicated fast.

And the biggest pain point: there's no single dashboard where you can see "here's everyone who started this week, here's what they got, and here's what's still pending." You're stitching together information from multiple places.

A better way to think about it

The most effective onboarding automation doesn't just replicate your manual process with scripts. It forces you to actually define what each role needs. What groups, what licenses, what resources.

Think of it as building a recipe. You define the ingredients (groups, licenses, apps) for each role once. Then every time someone with that role joins, the recipe runs automatically. If the recipe needs to change, you update it in one place.
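
The recipe idea above, sketched as an added example (not code from Adcyma or Microsoft): each role's groups and licenses are defined once, a user's current access is diffed against that definition, and every run yields an audit entry with a named approver. The role names, group names, license labels and the `plan` and `audit_record` helpers are all hypothetical; a real run would hand the resulting plan to Microsoft Graph.

```python
import json
from datetime import datetime, timezone

# Constructed role recipes. Group and license names are placeholders,
# not real tenant objects or SKU identifiers.
RECIPES = {
    "sales-rep": {"groups": {"SG-Sales", "SG-CRM-Users"}, "licenses": {"M365-E3"}},
    "developer": {"groups": {"SG-Engineering", "SG-Repo-Read"}, "licenses": {"M365-E3"}},
}


def plan(role, current):
    """Diff a user's current access against the recipe for their role."""
    if role not in RECIPES:
        # Fail closed: an unknown role gets nothing rather than a best guess.
        raise KeyError(f"no recipe defined for role {role!r}")
    changes = {}
    for kind, wanted in RECIPES[role].items():
        have = set(current.get(kind, ()))
        changes[kind] = {
            "add": sorted(wanted - have),      # missing access to provision
            "remove": sorted(have - wanted),   # drift: held but not in the recipe
        }
    return changes


def audit_record(user, role, approver, changes, now=None):
    """Build one audit entry: who got what, when, and who approved it."""
    if not approver:
        raise ValueError("every provisioning run needs a named approver")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"time": stamp, "user": user, "role": role,
             "approver": approver, "changes": changes}
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    # Constructed case: a new hire cloned from an existing user who had
    # picked up an extra admin group along the way.
    cloned = {"groups": ["SG-Sales", "SG-Prod-Admins"], "licenses": []}
    changes = plan("sales-rep", cloned)
    print(audit_record("new.hire@example.com", "sales-rep",
                       "it-lead@example.com", changes))
```

The `remove` list is the permission drift described earlier: access inherited by copying an existing user that the role itself never called for.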

This is where purpose-built tools really shine. Instead of duct-taping together dynamic groups, PowerShell scripts, and Lifecycle Workflows, you get a single system that:

  • Connects to your HR data (or lets you define roles manually).
  • Maps roles to the exact access they need.
  • Provisions everything when someone starts.
  • Shows you exactly what happened, with full audit logs.

The real payoff

Here's the part that surprises most IT teams. Automating onboarding doesn't just save time on the setup itself. It eliminates an entire category of support tickets.

No more "I can't access the project folder." No more "my Teams channels are missing." No more spending 30 minutes on a new hire's first day fixing things that should have been right from the start.

And when audit season rolls around? You pull a report instead of digging through email threads trying to reconstruct who approved what.

For companies in the Nordics dealing with NIS2 requirements or preparing for ISO 27001 certification, that audit trail isn't just nice to have. It's basically mandatory.

Getting started without boiling the ocean

You don't need to automate everything on day one. Start with the roles you hire for most often. If you're bringing on three salespeople a quarter, automate the sales onboarding first. Get it right, prove the value, then expand to other departments.

Document what each role needs. Map it out. Then look at what can be automated with the tools you already have, and where you need something more capable.

If this sounds like your situation, Adcyma is free for up to 25 users. For larger teams, you can start a free 14-day trial. No credit card, no consultants.
