From Manual Onboarding to Automated Provisioning in 2 Weeks
A step-by-step case study on replacing spreadsheet-driven employee onboarding with automated identity provisioning, device enrollment, and app access workflows.
Key Takeaways
- The client reduced new-hire IT setup time from 4 hours to 12 minutes per employee.
- Offboarding automation closed a 72-hour average access revocation gap to under 5 minutes.
- The system integrates HR software, identity provider, MDM, and application provisioning into a single trigger.
- Total implementation time was 10 business days with zero disruption to existing operations.
A 45-person healthcare staffing firm came to us with a familiar problem. Their onboarding process was managed through a shared spreadsheet. When HR hired someone, they would add a row to the spreadsheet, email IT, and hope that by the new hire's start date, everything would be ready. It rarely was.
The IT team would manually create an email account, add the user to the correct security groups, enroll their device in the MDM, provision licenses for the six applications the role required, generate temporary passwords, and send a welcome email with login instructions. This took 3 to 4 hours per hire and was error-prone. Roughly 30% of new hires reported missing access to at least one system on their first day.
Offboarding was worse. When someone left, HR would email IT, but the actual access revocation happened when the IT manager got around to it, which was an average of 72 hours later. During that window, the departed employee's accounts remained active, a significant compliance and security risk for a healthcare-adjacent business.
We designed and implemented an automated provisioning system in 10 business days. The architecture is straightforward: HR enters the new hire in their HRIS with the employee's name, role, department, start date, and assigned office location. This triggers an automated workflow that provisions everything the employee needs based on role-based templates.
The workflow creates the identity provider account with the correct group memberships, generates the email account, assigns application licenses based on the role template, sends an enrollment link to the employee's personal email for MDM device setup, creates accounts in role-specific applications via API integrations, and sends a formatted welcome email with all access details and first-day instructions.
For offboarding, when HR marks an employee as terminated in the HRIS, a separate workflow runs immediately. It disables the identity provider account, which cascades to revoke all SSO-connected application access; wipes the corporate profile from the enrolled device; revokes application-specific licenses; transfers ownership of files and data to the designated manager; and generates a compliance report confirming all access has been revoked.
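The check behind a compliance report like the one described above can be sketched as a reconciliation of HRIS termination records against identity provider account state. This is an added example, not the firm's or the client's code; the field names, the sample records, and the 5-minute threshold (taken from the "under 5 minutes" figure) are assumptions.

```python
from datetime import datetime, timedelta

SLA = timedelta(minutes=5)  # assumed threshold, from the "under 5 minutes" figure

# Constructed sample data; field names are hypothetical, not a vendor schema.
TERMINATIONS = [
    {"employee_id": "E100", "terminated_at": "2024-03-01T17:00:00+00:00"},
    {"employee_id": "E101", "terminated_at": "2024-03-01T17:00:00+00:00"},
    {"employee_id": "E102", "terminated_at": "2024-03-01T17:00:00+00:00"},
    {"employee_id": "E103", "terminated_at": "2024-03-01T17:00:00+00:00"},
]
IDP_ACCOUNTS = [
    {"employee_id": "E100", "enabled": False, "disabled_at": "2024-03-01T17:03:00+00:00"},
    {"employee_id": "E101", "enabled": False, "disabled_at": "2024-03-04T17:00:00+00:00"},
    {"employee_id": "E102", "enabled": True, "disabled_at": None},
]
NOW = datetime.fromisoformat("2024-03-05T17:00:00+00:00")


def revocation_report(terminations, idp_accounts, now, sla=SLA):
    """Return one finding per terminated employee with a status and gap."""
    by_id = {a["employee_id"]: a for a in idp_accounts}
    findings = []
    for term in terminations:
        terminated_at = datetime.fromisoformat(term["terminated_at"])
        acct = by_id.get(term["employee_id"])
        if acct is None:
            # No matching identity: cannot be confirmed, needs manual review.
            status, gap = "no_account", None
        elif acct["enabled"]:
            # Still enabled (never disabled, or re-enabled): gap is still growing.
            status, gap = "still_active", now - terminated_at
        elif not acct.get("disabled_at"):
            # Disabled but no timestamp: the gap cannot be measured.
            status, gap = "unverified", None
        else:
            disabled_at = datetime.fromisoformat(acct["disabled_at"])
            # Accounts disabled ahead of the HRIS timestamp count as zero gap.
            gap = max(disabled_at - terminated_at, timedelta(0))
            status = "revoked" if gap <= sla else "late"
        findings.append({"employee_id": term["employee_id"], "status": status, "gap": gap})
    return findings


def all_revoked(findings):
    """True only if every terminated employee was disabled within the SLA."""
    return bool(findings) and all(f["status"] == "revoked" for f in findings)
```

A report should state that all access has been revoked only when `all_revoked` is true; any `late`, `still_active`, `unverified`, or `no_account` finding belongs in the report as an exception to follow up.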
The results were immediate. Onboarding time dropped from 4 hours to 12 minutes of automated execution. First-day readiness went from 70% to 100%. Offboarding access revocation went from 72 hours to under 5 minutes. And the IT team recovered approximately 15 hours per month that they redirected to infrastructure improvement projects.
The investment was modest relative to the ongoing savings, and the compliance improvements alone justified the project for a business in the healthcare ecosystem. This is the type of automation we deploy as part of our managed services engagements.