DaemonLayer Logo
Microsoft 365

Automated Microsoft 365 onboarding and offboarding

A new-hire ticket becomes a provisioned Microsoft 365 account. A leaver ticket becomes a safely de-provisioned one. Both run unattended when it's safe, and stop when it isn't.

Coverage

Two workflows that close the employee lifecycle

Onboarding and offboarding are the two highest-volume, highest-risk Microsoft 365 tickets an MSP handles. Both are repetitive enough to automate and consequential enough that a mistake reaches the client the same day. DaemonLayer runs both from a single PSA ticket — no forms, no templates, no special formatting from the person who asked.

01
User Onboarding

DaemonLayer pulls the name, start date, title, department and manager from the ticket. It builds the account on the client's own naming convention, checks for duplicates, infers group membership from the existing directory, and assigns a licence. The temporary password is emailed to the requester — never written into the ticket.

02
User Offboarding

A leaver ticket triggers a live protected-account check, then a fixed de-provisioning sequence: disable, revoke sessions, convert the mailbox to shared, remove licences and groups, and strip delegate access across the tenant. The account is soft-deleted and restorable. Nothing is hard-deleted, ever.

User Onboarding

Automated Microsoft 365 user onboarding, end to end

Everything below happens from one ticket, with no technician touching a console.

"We have a new colleague starting Monday, Anneleen Verkerk — please set up an Office account for her." That is a complete onboarding request as far as DaemonLayer is concerned.
01

Read the request

The new hire's name, start date, job title, department and manager are extracted from plain English. Anything genuinely missing triggers one targeted clarification question back to the requester, not a guess.

02

Build the username on the client's convention

DaemonLayer detects how the client names users — firstname.lastname, flastname, whatever they already use — and builds the UPN to match, folding diacritics on the way (Renée Böhm becomes renee.bohm@). Duplicates are caught before anything is created, not after.

03

Infer group membership from the directory

Group access is resolved from the client's existing Microsoft 365 directory through a four-tier cascade, explained below. The model reads the ticket. It does not decide who gets access to what.

04

Strip every privileged group

Role-assignable groups are removed from the resolved set before the account is created. This gate runs in code on every onboarding, whichever tier produced the group list.

05

Licence and PSA contact

The client's default Microsoft 365 licence is assigned if a seat is free, and a matching contact is created in the PSA. If seats are exhausted, the account is still created and the gap is flagged — a licence problem doesn't abort the onboarding.

06

Deliver credentials, then document

The temporary password is emailed directly to the requester, and the new hire must change it at first sign-in. The ticket gets a public confirmation and an internal audit note listing the groups assigned, the evidence used, and anything skipped.

How It Works

How DaemonLayer infers Microsoft 365 group membership

Nobody writes "add her to SG-Finance-RW" in a new-hire ticket. Group access has to be inferred from the directory the client already has. DaemonLayer does that in four deterministic tiers, and stops at the first one that produces a confident answer.

01

Homogeneous directory

If every user at the client already shares the same set of groups, the new hire gets that set. The simplest case, and the most common one at small clients.

02

Title and department peers

Where the directory isn't homogeneous, the new hire is matched against existing users with the same job title or department, and membership is inferred from what that peer group actually has.

03

Recent-hire convergence

If peers disagree, DaemonLayer looks at how recent hires in similar roles were actually provisioned and converges on that pattern — the most current signal of what the client does today.

04

Escalate to a technician

No confident answer means no automated answer. The ticket is suspended and a technician assigns groups manually. DaemonLayer does not guess at access.

The cascade decides what's plausible. It does not decide what's safe — that's the gate below, and it applies to all four tiers.
The Safety Gate

Privileged groups are stripped in code, not policy

Before any account is created, every role-assignable group is removed from the resolved set. This is deterministic code that runs on every onboarding, regardless of which cascade tier produced the group list. It is not a setting you can misconfigure, and approving the request does not bypass it. You are liable for your clients' Microsoft 365 tenants — a safety gate that a tired technician can click through isn't a safety gate.

  • Role-assignable groups are always stripped, even when a technician approves the request
  • Duplicate accounts are caught before creation, not discovered afterwards
  • The temporary password never appears in PSA notes, ticket comments or internal logs — it goes to the requester by email and nowhere else

User Offboarding

Automated Microsoft 365 offboarding, in a fixed, safe order

Offboarding is where MSPs get hurt: sessions left alive, delegate access nobody remembered, a mailbox deleted before anyone read it. DaemonLayer runs the same sequence every time, and never permanently deletes anything.

"Tom Baker's last day is Friday — please remove his access and give Jane access to his mailbox." One ticket, both the de-provisioning and the handover.
01

Disable and revoke

The account is disabled and every active sign-in session is revoked. A disabled account with a live token is still a live account.

02

Convert the mailbox to shared

Mailbox size is read via Exchange Online, then the mailbox is converted to a shared mailbox so the team keeps access to its contents.

03

Licence decision at 50 GB

Under 50 GB, the licence is removed and the seat goes back to the client. At 50 GB or above it is retained, because Microsoft requires a licence on large shared mailboxes. The rule is applied automatically — no technician has to remember it.

04

Remove licences and group memberships

Remaining Microsoft 365 licences and all non-dynamic group memberships are removed.

05

Soft-delete, restorable for 30 days

The account moves to Deleted Users and can be restored for 30 days. If the leaver comes back, or somebody offboarded the wrong Tom, it's recoverable.

06

Strip delegate access across the tenant

The step everyone forgets. Every other mailbox in the tenant is scanned for access the leaver held — Full Access, Send As, Send on Behalf, Calendar — and it is all removed.

07

Handover, aliases, PSA contact

The requested email handover runs — forward, grant access, or both — always internal, because external forwarding is never automated. Aliases are released or held per client configuration, the PSA contact is deactivated, and the ticket receives an internal checklist of every action taken or skipped, with reasons.

Built-In Guardrails

Admins are never automated away

A live check runs against Microsoft 365 the moment the ticket lands. Any account holding a privileged directory role — Global Admin, User Admin, Helpdesk Admin or similar — goes straight to the service desk. It never reaches an approval card, so nobody can click it through. The same check runs again immediately before changes are applied, which means a role granted after the ticket was opened still gets caught. Cached data cannot bypass it.

A per-client daily velocity limit contains the damage a single bad ticket can do. A five-person layoff processed at once trips the limit and routes the overflow to the service desk — and because the limit is per client, no other client's automation is touched.

Protected-account check runs at ticket time and again before any change is applied
Per-client
Velocity limit contains a bad ticket to one client's automation
30 days
Restore window on every soft-deleted account

Authorization

Who is allowed to request an offboarding?

Onboarding and offboarding both sit at the highest risk tier, so the sender has to clear a confidence score of 90 before anything runs unattended. DaemonLayer checks, in order: is the sender the target user's manager in Microsoft 365? Is the sender a known approver scoring above the threshold? If neither holds, the workflow suspends and a technician gets an approval card itemising exactly what will happen. Approver scores are built from Microsoft 365 and PSA signals, and they rise each time a technician approves the same person — so the requests that need a human get fewer over time.

Time Saved

Billable time back, every hire and every leaver

Onboarding and offboarding are fixed-rate billable work that a technician currently does by hand, in a console, at eleven o'clock at night before a Monday start date. DaemonLayer runs both unattended when it's safe, escalates when it isn't, and posts an audit note either way.

~20 min
Technician time saved per Microsoft 365 onboarding
~25 min
Technician time saved per Microsoft 365 offboarding

FAQ

Onboarding and offboarding automation, answered

Can Microsoft 365 user onboarding really be automated from a ticket?

Yes. DaemonLayer reads a plain-English new-hire ticket in your PSA, extracts the name, start date, job title, department and manager, then creates the Microsoft 365 (Entra ID) account, assigns groups and a licence, and creates the matching PSA contact. No form, no template, no special formatting from the requester.

How does DaemonLayer decide which groups a new user gets?

Through a four-tier deterministic cascade: a homogeneous directory match, then title and department peer matching, then recent-hire convergence, then escalation to a technician. The language model only extracts what the ticket says. It never decides access. If no tier produces a confident answer, the ticket goes to a technician.

What stops an automated onboarding from granting admin rights?

A hard gate in code. Every role-assignable (privileged) group is stripped from the resolved set before the account is created, no matter which cascade tier produced it. It is not a setting, and a technician approving the request does not bypass it.

Does automated offboarding delete the user's account?

No. Nothing is ever permanently deleted. The account is disabled, sessions are revoked, the mailbox is converted to a shared mailbox, and the account is soft-deleted — restorable from Deleted Users for 30 days.

What happens if the leaver is a Global Admin?

The offboarding never runs. A live check against Microsoft 365 at ticket time routes any account holding a privileged directory role — Global Admin, User Admin, Helpdesk Admin and similar — straight to the service desk. It never reaches an approval card. The same check runs again immediately before any change is applied.

Which PSA systems does this work with?

Onboarding and offboarding are triggered from tickets in your connected PSA and write results back to it. DaemonLayer integrates with ConnectWise Manage, Autotask, HaloPSA and Jira, including PSA contact creation on onboarding and contact deactivation on offboarding.

Related

Automate your first ticket in under 30 minutes

Connect your PSA, and DaemonLayer starts triaging, resolving, and routing, no scripting, no setup calls. Cancel anytime.

Prefer a walkthrough? Book a demo →