📋 Pre-Start (Mostly Gusto)

Everything that should be completed before the employee's first day. Gusto handles most of this via a self-service onboarding link sent automatically when you add the hire.

Item | Owner | Tool | Notes
--- | --- | --- | ---
Offer letter | Kevin | Gusto | Built-in offer letter builder with e-signature. Send from Gusto when creating the new hire record.
Background check | Kevin | Gusto + Checkr | Initiated directly from Gusto via the Checkr integration; no separate Checkr account needed.
I-9 (Section 1) | Employee | Gusto | Employee completes digitally via onboarding link.
I-9 (Section 2, document inspection) | Kevin | Manual | Must physically inspect passport or ID plus work authorization documents. Remote hires require an authorized representative.
W-4 (federal withholding) | Employee | Gusto | Employee self-service via onboarding link.
State tax withholding | Employee | Gusto | Auto-selected based on work location. All 50 states supported.
Direct deposit setup | Employee | Gusto | Employee enters bank info via onboarding link.
Emergency contact | Employee | Gusto | Collected in the Gusto employee profile during onboarding.
Benefits enrollment | Employee | Gusto | Health, dental, vision, 401k. Employee selects via Gusto. Enrollment window: first 30 days.
NDA / confidentiality agreement | Kevin | TBD | Can be added as a custom document in the Gusto onboarding flow or sent via DocuSign.
Employee handbook acknowledgment | Employee | TBD | Add as a custom document in Gusto. Employee signs digitally.
State new hire report | Gusto | Gusto | Gusto files automatically. No action required.

Gusto self-service flow: When you add a new hire in Gusto and set a start date, Gusto automatically sends them an onboarding link. They complete the W-4, direct deposit, emergency contact, and benefits enrollment themselves. By day 1, the payroll and HR side is done.

🔑 Day 1 — Identity & Access (Entra ID)

Account creation and authentication setup. Everything flows from the Entra ID account โ€” create it first.

1. Create Entra ID account

Azure portal → Microsoft Entra ID → Users → New user. Set display name, UPN (firstname.lastname@evergrn.co), and usage location (Entra will not assign a license without it), then assign the Microsoft 365 license. The license is what provisions the mailbox, Teams, and SharePoint access.

2. Assign security group

Add to the appropriate group (engineering, customer_support, professional_support, ops). Group membership drives permissions across all integrated apps, so get the group right on day 1 rather than granting app access by hand.

3. MFA enrollment

Required for all accounts. The employee registers Microsoft Authenticator on their first sign-in, and a Conditional Access policy requires MFA on every sign-in with no exceptions. Check that the policy is switched on, not in report-only mode, before the first hire signs in.

4. Deliver credentials

Share the temporary password out of band (in person or by phone), never by email and never through the mailbox the password unlocks. The account is set to force a password change at first sign-in, so the temporary password stops working as soon as it is used. A one-time Temporary Access Pass is a cleaner alternative: the employee uses it to register Authenticator and never handles a password at all.

Future automation (Gusto → Entra ID): Gusto webhooks can trigger an Azure Logic App that auto-creates the Entra account when a new hire is added. Not yet implemented; currently a ~5 minute manual step. Build this when hiring frequency justifies it.
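The four Day 1 steps above as one script, added here as an example and not part of the original runbook or its Logic App plan. It assumes the Microsoft Graph PowerShell SDK is installed and the operator has rights to create users, assign licenses, manage group membership, and create authentication methods; the SKU part number and the 60-minute pass lifetime are assumptions, and the group names are the ones from this page.

```powershell
# Added example: scripted version of the manual Day 1 steps.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
param(
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [Parameter(Mandatory)] [ValidateSet('engineering','customer_support','professional_support','ops')]
    [string] $RoleGroup
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Organization.Read.All','UserAuthenticationMethod.ReadWrite.All'

$upn          = ('{0}.{1}@evergrn.co' -f $FirstName, $LastName).ToLowerInvariant()
$mailNickname = ('{0}.{1}' -f $FirstName, $LastName).ToLowerInvariant()

# Refuse to touch an existing account; re-running this script must not modify anyone else.
if (Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue) {
    throw "User $upn already exists; aborting."
}

# Random throwaway password. Nobody sees it: the Temporary Access Pass below
# is what the employee uses for their first sign-in.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

# Step 1: create the user. UsageLocation is required before a license can be assigned.
$user = New-MgUser -AccountEnabled -DisplayName "$FirstName $LastName" `
    -UserPrincipalName $upn -MailNickname $mailNickname -UsageLocation 'US' `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# Assign the Microsoft 365 license. SKU part number is an assumption: adjust to the tenant.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'O365_BUSINESS_PREMIUM'
if (-not $sku) { throw 'License SKU not found in tenant' }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Step 2: role group membership is what drives app access.
$group = Get-MgGroup -Filter "displayName eq '$RoleGroup'"
if (-not $group) { throw "Group $RoleGroup not found" }
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Steps 3 and 4: instead of sharing a password, issue a single-use Temporary
# Access Pass. The employee signs in with it, registers Microsoft Authenticator,
# and Conditional Access enforces MFA from then on. Requires the Temporary
# Access Pass authentication method to be enabled in the tenant.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -IsUsableOnce:$true -LifetimeInMinutes 60

Write-Host "Created $upn and added to group $RoleGroup."
Write-Host "Hand this one-time Temporary Access Pass to the employee in person (valid 60 min):"
Write-Host $tap.TemporaryAccessPass
```

The pass is printed to the operator's console only; read it to the employee in person rather than pasting it into email or Teams, which is the same rule the page applies to temporary passwords.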

๐Ÿ› ๏ธ Accounts & Tools

Once the Entra account exists, these follow. Tools with SCIM provisioning auto-create accounts when the employee is added to the right Entra security group. Anything marked Manual below needs a hand-run invite, and is also a hand-run removal at offboarding.

Tool | How provisioned | Who needs it
--- | --- | ---
Microsoft 365 (email, Teams) | Auto (Entra license) | Everyone
Slack | TBD | Everyone
GitHub | Manual invite | Engineering
Azure portal | Entra role assignment | Engineering, Kevin
Evergrn staff portal | DB role assignment | Support, ops (see Role Access section)
Gusto (view-only) | Manual invite | Kevin, ops only
Notion / docs | TBD | Everyone
Expense tool | TBD | Everyone

💻 Device Setup (Intune + Autopilot)

Devices are pre-stocked in the office. No per-hire equipment orders. Employee picks up a device on day 1, signs in with their Entra account, and it self-configures.

1. Employee picks up device from office stock

Devices are pre-registered with Intune Autopilot. No imaging or IT setup needed before hand-off.

2. Employee signs in with @evergrn.co account

Autopilot takes over: Intune enrollment, required apps, BitLocker encryption, and MDM policies apply automatically. Takes ~20 minutes on first boot.

3. Log serial number to asset tracker

Record device serial number, model, employee name, and date assigned in the asset spreadsheet.

Windows Autopilot: The standard device is a Windows laptop pre-registered with Windows Autopilot. Purchase directly from Dell or Lenovo with Autopilot pre-enrollment; the serial numbers are registered to the tenant before the device ships. The employee signs in on first boot and Intune takes over automatically.

💵 Payroll & HR (Gusto)

All managed in Gusto once the new hire record is created.

Item | Tool | Notes
--- | --- | ---
Added to payroll run | Gusto | Automatic once the hire record exists and the start date passes.
Pay schedule confirmed | Gusto | Semi-monthly or biweekly; set at company level.
PTO policy acknowledged | Gusto | PTO policies configured in Gusto; employee acknowledges during onboarding.
Workers comp | Gusto | Gusto can administer workers comp coverage.
First payroll approval | Manual (Kevin) | Always manually approved. Do not automate payroll runs.

๐Ÿ” Role Access

Roles in the Evergrn staff portal map directly to Entra ID security groups. Assigning the group grants the correct app access.

engineering
  GitHub, Azure portal (contributor), full DB read, staff portal (technical_support role), deployment access
  Entra: engineering | DB: read | Staff: technical_support

customer_support
  Staff portal customer_support role only. No DB access, no Azure.
  Entra: customer_support | Staff: customer_support

professional_support
  Staff portal professional_support role. No DB access, no Azure.
  Entra: professional_support | Staff: professional_support

ops
  Gusto view-only, reporting tools, internal_audit staff role. No code access.
  Entra: ops | Staff: internal_audit

admin (Kevin)
  Everything. Azure owner, Gusto admin, DB admin, staff portal admin.
  Entra: Global Admin | DB: evergrn_admin

Staff portal elevation: Any staff role can request temporary admin elevation. It requires Kevin's approval via email and issues a 15-minute impersonation token. All elevation actions are logged to AuditEvent.

📜 License Tracking

For employees in licensed trades (HVAC, plumbing, electrical). Uses the same infrastructure as provider license verification.

Item | How | Notes
--- | --- | ---
License number recorded | Manual | Record in employee file when hired. Maine only for now.
License validated against registry | Automated (daily scraper) | Maine license scraper runs at 6 AM EST daily. Validates active/expired/revoked status.
Expiry warnings | Automated | 14-day and 3-day courtesy warnings sent automatically (same as providers).
Out-of-state licenses | Manual | No scraper for other states yet. Track renewal dates manually.

📅 Ongoing

Item | When | Owner / Notes
--- | --- | ---
30-day check-in | Day 30 | Kevin: how is onboarding going, any blockers
60-day check-in | Day 60 | Kevin: role fit, tool access gaps
90-day review | Day 90 | Formal performance conversation, probationary period close
Annual performance review | Yearly | TBD (tool not selected)
License renewal tracking | Ongoing | Automated via daily scraper for Maine licensed trades

🚪 Offboarding

Run this checklist on or before the employee's last day.

1. Set termination date in Gusto

Triggers final paycheck calculation, benefits end dates, and COBRA notification automatically.

2. Disable Entra ID account

Azure portal → Entra ID → User → Block sign-in, then Revoke sessions on the same user. Block sign-in stops new sign-ins to email, Teams, SharePoint, and all SCIM-provisioned apps, but tokens already issued keep working until they expire. Revoking sessions invalidates the refresh tokens, so already-signed-in Outlook, Teams, and mobile apps drop off within the access-token lifetime (typically about an hour) instead of renewing silently. Reset the password as well, and remove the user from their Entra security groups so any SCIM-connected app deprovisions. Do this on their last day at end of business.

3. Remote wipe device (if applicable)

Intune → Devices → (device) → Wipe. Only if the device is not being returned immediately. If returned in person, wipe after physical return. Check the serial number in Intune against the asset tracker before issuing the wipe so the wrong machine is not erased.

4. Retrieve device

Collect laptop and any peripherals. Reset via Autopilot and return to office stock.

5. Remove from GitHub org

Manual step: GitHub membership is granted by manual invite (see Accounts & Tools) and Entra SCIM does not always cover GitHub org membership, so removal is manual too. Remove the member from the org and confirm their login no longer appears in the org member list.

6. Update asset tracker

Mark device as returned and back in stock.
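Steps 2, 3 and 5 above as one script, added here as an example; it is not the runbook's own tooling. It assumes the Microsoft Graph PowerShell SDK and the GitHub CLI (gh) are installed and already authenticated, and that the GitHub org is named evergrn (an assumption, as is the default device-wipe behaviour of keeping nothing).

```powershell
# Added example: scripted offboarding for the Entra, Intune and GitHub steps.
# Assumes Microsoft Graph PowerShell SDK + gh CLI, both authenticated.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. jane.doe@evergrn.co
    [string] $GitHubOrg = 'evergrn',        # assumption: org slug
    [string] $GitHubUser,                   # employee's GitHub login, if they had one
    [switch] $WipeDevices                   # only when the laptop is not coming back in person
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All','DeviceManagementManagedDevices.PrivilegedOperations.All'

$user = Get-MgUser -UserId $Upn -ErrorAction Stop

# Step 2a: block sign-in. Stops new authentications, not tokens already issued.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2b: revoke refresh tokens so existing Outlook/Teams/mobile sessions die
# when their current access token expires instead of renewing silently.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 2c: rotate the password so a cached or written-down copy is useless.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true
}

# Step 2d: leave every security group. Group membership is what grants app
# access here, and removal triggers SCIM deprovisioning where it is wired up.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id
        Write-Host "Removed from group $($_.AdditionalProperties['displayName'])"
    }

# Step 3: list the user's Intune devices (serials go in the asset tracker) and
# wipe only when explicitly asked, i.e. when the device is not being returned.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'"
foreach ($d in $devices) {
    Write-Host "Intune device: $($d.DeviceName) serial $($d.SerialNumber)"
    if ($WipeDevices) {
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/wipe" `
            -Body @{ keepEnrollmentData = $false; keepUserData = $false }
        Write-Host "Wipe issued for $($d.SerialNumber)"
    }
}

# Step 5: GitHub org membership is manual in both directions. Remove, then verify:
# GET /orgs/{org}/members/{user} succeeds only while they are still a member.
if ($GitHubUser) {
    gh api -X DELETE "/orgs/$GitHubOrg/members/$GitHubUser" | Out-Null
    gh api "/orgs/$GitHubOrg/members/$GitHubUser" 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "$GitHubUser is still a member of $GitHubOrg; remove manually."
    } else {
        Write-Host "$GitHubUser is no longer a member of $GitHubOrg."
    }
}
```

Run it without -WipeDevices for an in-person return and wipe after the laptop is physically back, which is the order the checklist above prescribes; the device listing is printed either way so the serial can be reconciled with the asset tracker in step 6.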

โš™๏ธ Tools & Owners

Tool | Purpose | Admin | Status
--- | --- | --- | ---
Gusto | Payroll, HR, benefits, onboarding | Kevin | Active
Microsoft Entra ID | Identity, SSO, access management | Kevin | Active
Microsoft Intune | Device management, MDM | Kevin | Pending setup
Checkr | Background checks | Kevin (via Gusto) | Pending
Autopilot | Zero-touch Windows laptop provisioning | Kevin | Pending setup

🔒 Device Policy

Enforced via Intune on all company devices. No exceptions.

Required

  • Full disk encryption (BitLocker โ€” enforced by Intune)
  • 15-minute screen lock
  • MDM enrollment on first sign-in
  • OS and security patches within 7 days of release

Prohibited

  • Storing company data on personal devices
  • Sharing credentials with anyone
  • Disabling MDM or encryption
  • Installing unapproved software with system access
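The "Required" list above, expressed as an Intune compliance policy created through Microsoft Graph. This is an added example, not the policy from the page's own Intune tenant (which is still pending setup); the policy name, the device group name, and the minimum OS build are assumptions. The 7-day patch requirement is deliberately not in this block: compliance policies cannot express patch age, so that rule belongs in the Windows Update ring's deadline settings.

```powershell
# Added example: Intune compliance policy for the Device Policy "Required" list.
# Assumes Microsoft Graph PowerShell SDK; names marked as assumptions are not from the runbook.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Group.Read.All'

$policy = @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Evergrn - Windows baseline'   # assumption
    description                           = 'BitLocker, 15-minute lock, minimum OS build.'
    bitLockerEnabled                      = $true          # full disk encryption
    secureBootEnabled                     = $true
    passwordRequired                      = $true
    passwordMinutesOfInactivityBeforeLock = 15             # 15-minute screen lock
    osMinimumVersion                      = '10.0.22631.0' # assumption: raise as builds age out
    # Graph requires at least one scheduled action; block non-compliant devices immediately.
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy
Write-Host "Created compliance policy $($created.id)"

# Assign it to the group holding every company device (group name is an assumption).
$group = Get-MgGroup -Filter "displayName eq 'all-company-devices'"
if (-not $group) { throw 'Device group not found' }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body @{
        assignments = @(@{
            target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id }
        })
    }
Write-Host "Assigned to $($group.DisplayName)"
```

A compliance policy only marks devices compliant or not; the "no exceptions" part of the page is delivered by a Conditional Access policy that requires a compliant device, so a laptop with BitLocker or MDM disabled loses access to Microsoft 365 rather than just showing up red in a report.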

📦 Office Stock Policy

No per-hire equipment orders. Devices are pre-stocked and pre-registered with Autopilot.

Standard Kit (Windows)

  • Laptop: Dell Latitude 5550, Intel Core Ultra 5 125U, 16GB DDR5, 512GB SSD (~$1,059)
  • Dock: Dell Thunderbolt Dock WD22TB4 (~$299). One cable charges the laptop, drives 2 external monitors via DisplayPort, and connects all USB peripherals
  • Display setup: Laptop screen + 2× external via dock = 3 monitors total
  • Wireless mouse + keyboard
  • Per workstation total: ~$1,358 (before monitors)
  • Order laptop with Autopilot pre-enrollment direct from Dell

Buffer Policy

  • Minimum 2–3 units on shelf at all times
  • Reorder when stock drops to 1
  • Buy in batches of 3

Day 1 device flow: Employee arrives → picks up laptop from shelf → signs in with @evergrn.co account → Autopilot configures everything automatically (~20 min) → ready to work. No IT involvement required.