Imaging, Onboarding & Offboarding
The lifecycle work every IT team must get right
Real-world analogy
Onboarding/offboarding is like checking people into and out of a hotel. On day one you hand over the right keys, towels, and wifi. On checkout you reclaim every key — or another guest walks into an unlocked room.
What is it?
The joiner-mover-leaver (JML) lifecycle with imaging, MDM, licensing, permissions, MFA, and documentation. Juniors who master this become immediately useful — these tickets happen every week and directly affect security and user happiness.
Real-world relevance
An executive leaves. Junior A just disables the account. Three months later, the executive's mail is still being forwarded to a personal address because the forwarder and a mailbox delegation were never revoked. Junior B runs a full offboarding checklist (mailbox, forwarding and delegations, DLs, app access, MFA, devices, escrow keys) and documents every step.
Key points
- Golden image — one trusted starting point — A corporate laptop should boot from a standardized, patched, tested image with required apps, policies, and agents pre-baked. Imaging reduces variance → fewer weird tickets → faster onboarding.
- Provisioning flow (joiner) — Account in AD/Entra → group memberships → license assignment → hardware allocation → image deployment (MDM or WDS/MDT) → MFA registration → delivery. Every step is a checkbox; missing one creates a ticket.
- Movers — when someone changes role — Add new group/licenses, REMOVE old ones. The classic failure is ‘permissions only added, never removed’ — a single employee accumulates access to everything over 5 years and becomes a compliance nightmare.
- Leavers — the security gate — Disable account on last day, revoke sessions, rotate shared credentials, remove from DLs/groups, reclaim device, wipe or re-image device, archive mailbox, transfer OneDrive to manager. Document all of it.
- MDM / Intune for fleet management — Modern enrollment pushes apps, configuration policies, and compliance rules to every device; Conditional Access then uses the device's compliance state to allow or block sign-in. Lost laptop? Remote wipe. Failed compliance? Block access. This is the core of modern endpoint admin work.
- BitLocker / FileVault key escrow — Disk encryption is required in most enterprises. Recovery keys MUST be escrowed in AD/Entra/MDM at enrollment and verified before a device is wiped or re-imaged; a key that was never escrowed cannot be recovered later. Losing a recovery key for an executive laptop is a career-visible incident.
- Documentation is the product — Onboarding/offboarding is judged by the paper trail. Every approval, every access change, every device return — timestamped, signed, searchable. Auditors love this. Messy IT gets blamed for everything.
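The mover rule from the key points (add the new role's access, and remove the old role's) as a script, added here as an example; it is not code from the page. It assumes the Microsoft.Graph PowerShell SDK with a session opened by Connect-MgGraph -Scopes 'User.Read.All','Group.ReadWrite.All', and a role-to-groups table that you maintain. $RoleProfiles and the group names in it are made up for the example.

```powershell
# Added example, not the page's own code. Reconcile a mover's group memberships
# against a role profile so stale access is removed, not just new access added.
# $RoleProfiles is a hypothetical lookup table; replace it with your own source of truth.
$RoleProfiles = @{
    'Finance Analyst' = @('All-Staff', 'Dept-Finance', 'App-ERP-Read')
    'Finance Manager' = @('All-Staff', 'Dept-Finance', 'App-ERP-Approve', 'Mgr-Finance')
}

function Sync-MoverAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$NewRole
    )
    $desired = $RoleProfiles[$NewRole]
    if (-not $desired) { throw "No role profile defined for '$NewRole'" }

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName

    # Current memberships, groups only (directory roles and admin units are skipped).
    $current = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object {
            [pscustomobject]@{
                Id        = $_.Id
                Name      = $_.AdditionalProperties['displayName']
                IsDynamic = ($_.AdditionalProperties['groupTypes'] -contains 'DynamicMembership')
                IsSynced  = [bool]$_.AdditionalProperties['onPremisesSyncEnabled']
            }
        })

    # The mover rule: whatever the new profile needs and the user lacks is added,
    # whatever the user holds that the new profile does not list is removed.
    $toAdd    = @($desired | Where-Object { $_ -notin $current.Name })
    $toRemove = @($current | Where-Object { $_.Name -notin $desired })

    foreach ($name in $toAdd) {
        $group = Get-MgGroup -Filter "displayName eq '$name'" -Top 1
        if (-not $group) { Write-Warning "Group '$name' not found; skipping"; continue }
        if ($PSCmdlet.ShouldProcess($user.DisplayName, "Add to group '$name'")) {
            New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        }
    }
    foreach ($group in $toRemove) {
        # Dynamic membership is computed from rules and synced groups are owned by on-prem AD;
        # neither can be edited through Graph, so flag them instead of silently skipping.
        if ($group.IsDynamic -or $group.IsSynced) {
            Write-Warning "'$($group.Name)' is dynamic or AD-synced; remove the user in its own source"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DisplayName, "Remove from group '$($group.Name)'")) {
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
        }
    }

    # Evidence record for the mover ticket: what was added, what was taken away, and when.
    [pscustomobject]@{
        User      = $UserPrincipalName
        NewRole   = $NewRole
        Added     = $toAdd
        Removed   = @($toRemove.Name)
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Dry run first, then apply and keep the output with the ticket:
# Sync-MoverAccess -UserPrincipalName 'jdoe@contoso.example' -NewRole 'Finance Manager' -WhatIf
# Sync-MoverAccess -UserPrincipalName 'jdoe@contoso.example' -NewRole 'Finance Manager' | ConvertTo-Json
```

The Removed list in the returned object is the part that matters for the "permissions only added, never removed" failure: if it is empty on every mover ticket for a year, access is accumulating.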
Code example
// Joiner-Mover-Leaver (JML) checklist sketch
JOINER:
[ ] Create AD/Entra account with standard naming
[ ] Assign standard groups (department, country, role)
[ ] Assign licenses (M365 plan, specific apps)
[ ] Register MFA; set initial password
[ ] Allocate device; enroll in MDM; verify recovery key escrow
[ ] Deliver onboarding doc + first-day checklist

MOVER:
[ ] Add new-role groups and licenses
[ ] REMOVE old-role groups and licenses
[ ] Update manager, cost center, distribution lists
[ ] Access review signed by new manager

LEAVER:
[ ] Disable account on last business hour
[ ] Revoke active sessions / tokens
[ ] Remove from DLs, Teams, shared mailboxes, apps; clear forwarding and delegations
[ ] Archive mailbox; transfer OneDrive to manager
[ ] Reclaim hardware; wipe or re-image
[ ] Close ticket with evidence attached
Line-by-line walkthrough
- 1. JML checklist title
- 2. Joiner header
- 3. Create account
- 4. Assign groups
- 5. Assign licenses
- 6. MFA and password
- 7. Device, MDM, and key escrow
- 8. Onboarding doc
- 9. Blank separator
- 10. Mover header
- 11. Add new access
- 12. Remove old access
- 13. Update identity metadata
- 14. Manager-signed access review
- 15. Blank separator
- 16. Leaver header
- 17. Disable on last hour
- 18. Revoke active sessions
- 19. Remove from lists/apps; clear forwarding and delegations
- 20. Archive mailbox and transfer data
- 21. Reclaim and wipe device
- 22. Close with evidence
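Steps 17 through 22 of the leaver checklist as one script that also produces the evidence file, added here as an example and not code from the page. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, connected with Connect-MgGraph (scopes User.ReadWrite.All, Group.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, BitLockerKey.ReadBasic.All) and Connect-ExchangeOnline. The mailbox archive and OneDrive transfer of step 20 are left to the retention policy and SharePoint admin tasks and are not scripted here. The wipe and BitLocker cmdlet names are my reading of the Graph SDK; confirm them in your tenant before relying on them. The UPN and ticket ID in the usage line are made up.

```powershell
# Added example, not the page's own code; see the lead-in for the assumed modules and scopes.
function Add-Evidence($Log, [string]$Step, $Result) {
    # One timestamped entry per checklist step; the whole log is attached to the ticket.
    $Log.Steps.Add([ordered]@{ Step = $Step; Result = $Result; At = (Get-Date).ToUniversalTime().ToString('o') })
}

function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TicketId
    )
    $log  = [ordered]@{ Ticket = $TicketId; User = $UserPrincipalName; Steps = [System.Collections.Generic.List[object]]::new() }
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName

    # Steps 17-18: block new sign-ins, then invalidate refresh tokens so live sessions die too.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Disable account and revoke sessions')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $null = Revoke-MgUserSignInSession -UserId $user.Id
        Add-Evidence $log 'disable-and-revoke' 'done'
    }

    # Step 19, mail: clear mailbox forwarding, forwarding/redirect inbox rules and Full Access
    # delegates. Runs before license removal, because losing the license eventually deletes the mailbox.
    $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    if ($mbx) {
        $rules = @(Get-InboxRule -Mailbox $UserPrincipalName |
                   Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
        $delegates = @(Get-MailboxPermission -Identity $UserPrincipalName |
                       Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' })
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove forwarding and delegate access')) {
            Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
            $rules | Remove-InboxRule -Confirm:$false
            foreach ($p in $delegates) {
                Remove-MailboxPermission -Identity $UserPrincipalName -User $p.User -AccessRights FullAccess -Confirm:$false
            }
        }
        Add-Evidence $log 'mail' @{
            ForwardingCleared = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress | Where-Object { $_ })
            RulesRemoved      = @($rules.Name)
            DelegatesRemoved  = @($delegates.User | ForEach-Object { "$_" })
        }
        # Step 19, DLs: classic distribution groups are managed in Exchange, not through Graph.
        $dls = @(Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$($mbx.DistinguishedName)'")
        foreach ($dl in $dls) {
            if ($PSCmdlet.ShouldProcess($dl.Name, "Remove $UserPrincipalName")) {
                Remove-DistributionGroupMember -Identity $dl.Identity -Member $UserPrincipalName -Confirm:$false
            }
        }
        Add-Evidence $log 'distribution-lists' @($dls.Name)
    }

    # Step 19, groups and apps: cloud security / Microsoft 365 groups via Graph; app access assigned
    # through groups goes with them. Dynamic and AD-synced groups are skipped on purpose.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
        -not $_.AdditionalProperties['onPremisesSyncEnabled'] -and
        $_.AdditionalProperties['groupTypes'] -notcontains 'DynamicMembership' })
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.AdditionalProperties['displayName'], "Remove $UserPrincipalName")) {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        }
    }
    Add-Evidence $log 'groups' @($groups | ForEach-Object { $_.AdditionalProperties['displayName'] })

    # Step 21: every Intune-managed device. Confirm the BitLocker key is escrowed BEFORE wiping;
    # after the wipe there is no other way to read that disk.
    $devices = @(Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'")
    foreach ($d in $devices) {
        $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($d.AzureAdDeviceId)'")
        if ($keys.Count -eq 0) {
            Write-Warning "$($d.DeviceName): no escrowed BitLocker key; reclaim and recover data before wiping"
            Add-Evidence $log "device:$($d.DeviceName)" 'HOLD: no escrowed recovery key'
            continue
        }
        if ($PSCmdlet.ShouldProcess($d.DeviceName, 'Remote wipe')) {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
            Add-Evidence $log "device:$($d.DeviceName)" 'wipe issued'
        }
    }

    # Licenses go last, after the step-20 archive or convert-to-shared has been done.
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0 -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove licenses')) {
        $null = Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus
        Add-Evidence $log 'licenses-removed' $skus
    }

    # Step 22: the evidence file that closes the ticket.
    $path = Join-Path (Get-Location) "$TicketId-offboarding.json"
    $log | ConvertTo-Json -Depth 5 | Set-Content -Path $path
    return $path
}

# Invoke-LeaverOffboarding -UserPrincipalName 'jdoe@contoso.example' -TicketId 'INC-0000' -WhatIf
```

Because the function supports ShouldProcess, -WhatIf flows down to every Graph and Exchange cmdlet it calls, so the first run prints exactly what would change without touching the tenant. Send As rights (Get-RecipientPermission) and calendar delegation are separate checks not covered here.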
Spot the bug
Employee left 90 days ago. Junior disabled the account on day 1.
Today an auditor finds: the mailbox is still forwarding to a personal Gmail address, the leaver is still in 3 DLs, their laptop was never reclaimed, and no BitLocker recovery key was ever escrowed.
Need a hint?
How many JML steps were actually missed?
Answer
At least five: forwarder not revoked, DL memberships not removed, hardware not reclaimed, device not wiped, and BitLocker recovery keys not escrowed. The escrow miss is older than the leaver ticket: escrow happens when the device is imaged and enrolled, so it should have been verified on day one and again before any wipe; no leaver step can recover a key that was never stored. Build and follow a full leaver checklist, verify escrow at enrollment, and attach evidence to the ticket at each step.
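The auditor's findings above, turned into a sweep IT can run first. This is an added example, not code from the page. It assumes the Microsoft.Graph PowerShell SDK (scopes User.Read.All, GroupMember.Read.All, DeviceManagementManagedDevices.Read.All, BitLockerKey.ReadBasic.All) and a Connect-ExchangeOnline session; the BitLocker key cmdlet name is my reading of the SDK. The seven-day "still checking in" window is an arbitrary choice.

```powershell
# Added example, not the page's own code. Walk every disabled member account and report
# anything a complete leaver ticket should have removed.
function Find-IncompleteOffboarding {
    # accountEnabled is an advanced-query filter in Graph, hence ConsistencyLevel and a count.
    $disabled = Get-MgUser -Filter 'accountEnabled eq false' -All -ConsistencyLevel eventual -CountVariable n `
                -Property Id, UserPrincipalName, UserType | Where-Object UserType -eq 'Member'
    foreach ($u in $disabled) {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Mail: mailbox-level forwarding and inbox rules that forward or redirect.
        $mbx = Get-Mailbox -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
        if ($mbx) {
            if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
                $findings.Add("mailbox forwarding to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
            }
            $fwdRules = @(Get-InboxRule -Mailbox $u.UserPrincipalName |
                          Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
            if ($fwdRules.Count) { $findings.Add("$($fwdRules.Count) forwarding inbox rule(s)") }
        }

        # Groups and DLs: mail-enabled DLs are Entra groups too, so memberOf covers both.
        $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
        if ($groups.Count) { $findings.Add("still in $($groups.Count) group(s)/DL(s)") }

        # Devices: a device that still syncs was never reclaimed or wiped; a device with no
        # escrowed key cannot be recovered once it is.
        $devices = @(Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$($u.UserPrincipalName)'")
        foreach ($d in $devices) {
            if ($d.LastSyncDateTime -gt (Get-Date).AddDays(-7)) { $findings.Add("device $($d.DeviceName) still checking in") }
            $keys = @(Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$($d.AzureAdDeviceId)'")
            if ($keys.Count -eq 0) { $findings.Add("device $($d.DeviceName) has no escrowed BitLocker key") }
        }

        # Licenses: still paying for, and still able to restore, a mailbox nobody should use.
        $skus = @((Get-MgUserLicenseDetail -UserId $u.Id).SkuId)
        if ($skus.Count) { $findings.Add("$($skus.Count) license(s) still assigned") }

        if ($findings.Count) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Findings = $findings -join '; ' }
        }
    }
}

# Find-IncompleteOffboarding | Format-Table -AutoSize -Wrap
```

Accounts disabled in the last few days will show up while their tickets are still in progress, so compare the output against open leaver tickets rather than treating every row as a failure. A row with no matching ticket is the case the auditor found.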
Explain like I'm 5
When someone joins, you give them a desk, a keyboard, a keycard, and a chair. When they leave, you take them all back. If you forget the keycard, any stranger can sit at that desk tomorrow.
Fun fact
In mature enterprises, ‘how long it takes a new hire to have all the right access on day one’ is a tracked metric — and the best orgs get it under 1 day. The worst take weeks and lose productivity that dwarfs the salary saved.
Hands-on challenge
Draft your own JML checklist as a one-page document and save it as a PDF. It becomes real interview evidence when you can walk through it live.
More resources
- Microsoft Intune overview (Microsoft Learn)
- BitLocker recovery keys (Microsoft Learn)
- JML process in enterprise IT (John Savill)