onboarding-form-inputs-and-workflow-process.md

Onboarding form inputs and workflow process

All onboarding form fields

This section provides a complete breakdown of all onboarding form fields, including hidden fields that are conditionally displayed based on other selections.

{% hint style="info" %} Expand each of the categories below to see its related reference table. {% endhint %}

Basic settings required for all configurations

Field name	Field label	Field type	Requirement	Conditions
ticket_id	Existing Ticket Number	Dropdown	Optional	Always visible
account_requestor	Account Requestor (Missing Opt Gen)	Text Input	Optional	Always visible
first_name	First Name	Text Input	Required	Always visible
middle_name	Middle Name	Text Input	Optional	Always visible
last_name	Last Name	Text Input	Required	Always visible
custom_display_name	Custom Display Name	Text Input	Optional	advanced_options_user_attributesis checked
email_domain	Primary Email Domain	Dropdown	Required	Always visible
username	Username	Text Input	Auto-Generated	Requires First and Last Name
user_exists	Does User Exist	Output Only	Determines if the user exists in the primary identity instance.
license_group_assignment	License Group Assignment	Multi-Select Dropdown	Optional	user_exists is true OR licencing_choose_subscription is enabled
direct_m365_license_assignment	Direct M365 License Assignment	Dropdown	Optional	user_exists is true OR licencing_choose_subscription is enabled
license_subscription	License Subscription	Dropdown	Optional	user_exists is true OR licencing_choose_subscription is enabled
copy_user_attributes	Copy User Attributes	Checkbox	Optional	Always visible
user_to_copy	User To Copy	Dropdown	Optional	copy_user_attributes is checked
copy_user_groups	Copy User Groups	Checkbox	Optional	copy_user_attributes is checked
onprem_security_groups	On-Prem Sec Groups	Multi-Select Dropdown	Optional	primary_identity_provider is On-Prem AD or Hybrid
onprem_dist_groups	On-Prem Dist Groups	Multi-Select Dropdown	Optional	primary_identity_provider is On-Prem AD or Hybrid
azure_ad_security_groups	Entra Security Groups	Multi-Select Dropdown	Optional	primary_identity_provider is Azure AD or Hybrid
azure_ad_mail_groups	Entra Mail-Enabled Groups	Multi-Select Dropdown	Optional	primary_identity_provider is Azure AD or Hybrid
organizational_unit	Organizational Unit	Dropdown	Optional	primary_identity_provider is On-Prem AD or Hybrid
password	Password	Text Input	Optional	Leave blank to auto-generate OR enter a password (min 8 chars).
show_advanced_options	Show Advanced Options	Checkbox	Optional	Always visible

Advanced: Manual approver fields

Field name	Field label	Field type	Requirement	Conditions
advanced_options_approval	Advanced - Manual Approver	Checkbox	Optional	show_advanced_options is checked
manual_approver_email	Manual Approver E-Mail	Text Input	Optional	advanced_options_approval is checked

Advanced: User attributes

Field name	Field label	Field type	Requirement	Conditions
home_directory	User Attributes - Home Directory	Checkbox	Optional	primary_identity_provider is On-Prem AD, Hybrid (No Sync), On-Prem Only, AND advanced_options_home_directoryis checked
home_directory_server	Home Directory Server	Dropdown	Optional	home_directory is checked
home_directory_path	Home Directory Path	Text Input	Optional	home_directory is checked
home_directory_drive_letter	Dropdown	Home Directory Drive Letter	Optional	home_directory is checked
description	Description (AD Only)	Multi-line Input	Optional	primary_identity_provider is On-Prem AD or Hybrid

Advanced: RMM options

Field name	Field label	Field type	Requirement	Conditions
advanced_options_rmm	Advanced - RMM Options	Checkbox	Optional	enable_advanced_options is checked

Advanced: Mail attributes

Field name	Field label	Field type	Requirement	Conditions
mail_nickname	Mail Nickname	Text Input	Optional	advanced_options_mailis checked
secondary_email_domains	Secondary Email Domains	Multi-Select Dropdown	Optional	advanced_options_mailis checked
shared_mailboxes	Shared Mailboxes	Multi-Select Dropdown	Optional	advanced_options_mailis checked
shared_mailboxes_allow_send_as	Allow Send As the Shared Mailboxes?	Checkbox	Optional	shared_mailboxes is checked
shared_mailboxes_allow_send_on_behalf	Allow Send on Behalf of the Shared Mailboxes?	Checkbox	Optional	shared_mailboxes is checked

Advanced: Password settings

Field name	Field label	Field type	Requirement	Conditions
require_password_change	Require Password Change	Checkbox	Optional	advanced_options_password is checked
cannot_change_password	User cannot change password (On-Prem)	Checkbox	Optional	advanced_options_password is checked
password_never_expires	Password Never Expires (On-Prem)	Checkbox	Optional	advanced_options_password is checked
store_password_in_ticket	Store Password in Ticket	Checkbox	Optional	advanced_options_password is checked
send_sms_to_user	Send Password to User Mobile	Checkbox	Optional	ORG.VARIABLES.send_sms_to_userand
advanced_options_password
sms_with_country_code	SMS Number with Country Code	Number Input Field	Optional	send_sms_to_user and advanced_options_password
vpn	Dial-In VPN access for the user.	Checkbox	Optional	advanced_options_user_attributesis checked and show_advanced_options is checked

Advanced: PSA options

Field name	Field label	Field type	Requirement	Conditions
create_contact_in_psa	Create Company Contact in PSA	Checkbox	Optional	advanced_options_psa is checked
psa_child_company	PSA Child Company	Dropdown	Optional	advanced_options_psa is checked

Device and software assignments

Field name	Field label	Field type	Requirement	Conditions
required_devices	Required Devices	Multi-Select Dropdown	Optional	advanced_options_devicesis checked
device_description	Device Description Information	Multi-line Input	Optional	advanced_options_devicesis checked
required_applications	Required Applications	Multi-Select Dropdown	Optional	advanced_options_apps is checked

Decoded advanced Jinja conditions

In some cases, form fields are dynamically determined using complex Jinja logic.

For example: Identity provider configuration field visibility

{% code overflow="wrap" %}

{% raw %}
{% set idp_config = "invalid_idp" %}
{%- if ORG.VARIABLES.primary_identity_provider|d|lower in ["azure_ad","azuread"] or CTX.mail_only_user|d(false) -%}
    {%- set idp_config = "azure_ad" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] and ORG.VARIABLES.onprem_no_adsync|d|lower in ["true","1"] -%}
    {%- set idp_config = "hybrid_no_sync" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] and ORG.VARIABLES.no_azure_ad|d|lower == "true" -%}
    {%- set idp_config = "on_prem_only" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] -%}
    {%- set idp_config = "on_prem" -%}
{%- endif %}
{% endraw %}
{{- idp_config in ["hybrid_no_sync", "on_prem_only", "on_prem"] -}}

{% endcode %}

• The field will only show if ORG.VARIABLES.primary_identity_provider is On-Prem, Hybrid without Sync, or On-Prem Only.
• If Azure AD is selected, the field will be hidden.

Workflow process overview

Once a form is submitted, the Microsoft: User Onboarding Crate executes the following steps:

1. Form submission and validation

• The process starts when a user submits the [Crate] Microsoft: User Onboarding form.
• The workflow checks if the user already exists in AD or Azure AD.
• The form captures necessary user details, including personal information, group memberships, licensing, and security settings.
• PSA integration retrieves the user's location, if available.
• If the New User Approval System is enabled, an approval request is sent before proceeding.
• All required fields are validated before proceeding.

2. Ticket creation and management

• If no ticket exists, a new one is created.
• If a ticket already exists, it is updated with onboarding progress.

3. User account creation

• The user account is created based on the selected identity provider:
  • On-Prem AD Only: A new AD account is created.
  • Azure AD Only: A new Entra ID (Azure AD) account is created.
  • Hybrid with Sync: A new AD account is created and synced to Azure AD.
  • Hybrid with No Sync: Separate accounts are created in both directories.

4. Group and license assignments

• Security groups are assigned in AD or Azure AD.
• Microsoft 365 licenses are applied via direct assignment or group membership.
• Shared mailbox permissions are configured if applicable.

5. Credential and notification handling

• A secure temporary password is generated.
• The password is securely stored in PSA, ITGlue, Hudu, or sent via email or SMS.
• The user’s manager may optionally be notified of credential details.

6. Ticket update and completion

• Final provisioning details are logged in the PSA ticket.
• The onboarding process is marked complete, and workflow logs are stored.

{% hint style="warning" %} Ensure that your password handling policies align with company security policies. {% endhint %}

Workflow breakdown by identity provider type

On-premise AD only

• Main workflow: Creates a user in Active Directory.
• Subworkflows:
  • Assigns security groups.
  • Configures mapped drives and home directories.
  • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.
  • Updates PSA ticket with user details.

Azure Active Directory only

• Main workflow: Creates a user in Azure AD (Entra ID).
• Subworkflows:
  • Assigns Microsoft 365 licenses.
  • Adds users to Microsoft 365 groups and shared mailboxes.
  • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.
  • Updates PSA ticket with user details.

Hybrid with AD sync

• Main workflow: Creates a user in Active Directory and syncs to Azure AD.
• Subworkflows:
  • Assigns both on-prem AD and Azure AD groups.
  • Applies Microsoft 365 licensing.
  • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.
  • Updates PSA ticket with sync confirmation.

Hybrid with no AD sync

• Main Workflow: Creates separate accounts in Active Directory and Azure AD.
• Subworkflows:
  • Assigns security groups for each directory independently.
  • Applies Microsoft 365 licensing.
  • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.
  • Updates PSA ticket with user details.

{% hint style="warning" %} Ensure that the correct organizational variables are set for each configuration to avoid provisioning issues. {% endhint %}