Expanded features and customizing the Onboarding Crate
Approval requirement for new users
By default, the Microsoft: User Onboarding Crate provisions users immediately upon form submission. However, some organizations may require an approval process before onboarding users.
How the approval workflow works
The user submits the onboarding form.
The workflow pauses execution and notifies the designated approver—IT admin, HR, or supervisor.
The approver receives a notification via email, PSA ticket, or within Rewst.
If approved, the workflow proceeds with user creation.
If denied, the workflow terminates without creating the user.
How to enable the approval workflow
Configure the following organizational variable in Rewst > Configuration > Organizational Variables:
Variable name
Purpose
Default value
require_approval_for_new_users
Enables the approval step before user creation.
0 Disabled
new_user_approval_email
Defines the email address for sending approval requests.
None
If approvals are enabled, ensure that designated approvers regularly check for pending requests.
Ticketing and documentation handling
The Crate automatically creates and updates tickets in supported PSA platforms.
Automated PSA ticket creation and management
Functionality
Description
Create Ticket if None Exists
A ticket is automatically created if one is not found.
Update Existing Ticket
If a ticket exists, it is updated with onboarding progress.
Track Onboarding Status
The ticket logs user details, licensing, and provisioning status.
Define Ticket Prioritization
Rewst assigns default priorities, work roles, and tech IDs.
Ticketing organizational variables
Variable name
Purpose
default_psa
Selects the PSA where tickets will be created.
default_ticket_location
Defines the board for Rewst-created tickets.
default_ticket_status
The ticket status when Rewst is actively processing.
ticket_status_waiting_input
The status when waiting for manual input-e.g., license purchase.
ticket_status_workflow_complete
The status when the onboarding workflow is completed.
default_priority
Assigns the default priority for onboarding tickets.
send_from_address
The reply-to address for emails sent from Rewst.
Ensure that PSA permissions allow Rewst to create and modify tickets.
Delayed user creation
The onboarding process can be scheduled for a future date instead of immediate provisioning.
How it works
The Start Date field is set in the onboarding form.
The workflow pauses execution until the specified date.
On the activation date, the workflow automatically resumes and creates the user.
Enable delayed user creation
This setting is useful when onboarding users before their official start date.
Variable name
Purpose
Default value
allow_scheduled_user_creation
Enables scheduled user activation.
0 (Disabled)
Multi-Factor Authentication enrollment
The Crate does not enforce MFA directly but supports Microsoft Entra ID (Azure AD) conditional access policies.
Recommended MFA configuration
Enable Azure AD Security Defaults to enforce MFA at the tenant level.
Use Conditional Access Policies to require MFA for new users.
Set up self-service MFA registration to allow users to enroll their devices.
Ensure that MFA policies align with company security requirements before enforcing them.
Security and password management
The Crate includes flexible password handling options based on security policies.
Password handling options
Setting
Description
Default value
Require Password Change on First Login
Forces the user to reset their password at first login.
✅ Enabled
Restrict User from Changing Password
Prevents users from modifying their own passwords.
❌ Disabled
Set Password to Never Expire
Ensures the user’s password does not require renewal.
❌ Disabled
Auto-Store Password in Documentation
Saves the password securely in external documentation platforms.
✅ Enabled
Send Password via SMS or Email
Sends credentials to the manager via email or SMS.
✅ Enabled
Password storage locations
Rewst can store temporary passwords in the following locations:
PSA internal ticket notes
ITGlue
Hudu
Passportal
PWPush, if configured
To configure where passwords are stored, update the following variables:
Variable name
Purpose
Default value
store_password_in_ticket
Saves the password in the PSA ticket internal notes.
1 Enabled
onboarding_password_save_location
Defines alternative storage (PSA, ITGlue, Hudu).
None
pwpush_url
The URL for PWPush if being used.
None
Licensing and group assignments
The Crate supports multiple licensing and group assignment methods.
License assignment options
Method
Description
Direct Assignment
The user is assigned an M365 license individually.
License Group Membership
The user is added to an M365 license group.
Auto-Purchase Licenses
If no licenses are available, Rewst can purchase new seats.
To enable license auto-purchasing, configure the following setting:
Variable name
Purpose
Default value
auto_purchase_license_if_none_available
Enables license auto-purchase when needed.
✅ Enabled
Manual license purchase process
When is the manual license purchase process triggered?
This process is triggered under the following conditions:
The organization is not mapped to a distributor such as Pax8, Sherweb, Ingram Micro, etc., preventing automatic license purchasing.
The user has selected manual purchase in the onboarding form or the workflow logic determines that auto-purchase is unavailable.
There are no available licenses, and auto-purchasing is disabled in Rewst organizational settings.
Process flow
Expand each of the steps below to see the related part of the process flow.
1. Adding a note to the PSA ticket
When a manual license purchase is required, the workflow adds an internal note to the PSA ticket.
This note informs the technician that a license is needed and provides action URLs to confirm purchase or reject purchase.
The message added to the ticket is as follows:
The organization Name requires a license and either you have selected to purchase the license manually or the organization is not mapped with the distributor.Please purchase the requested license and once complete, click the URL below. Note the window will close automatically:Confirm License Purchase: LinkIf you don't want to purchase the license right now, click the URL below. You will need to manually apply a license to the user after the workflow is complete:**
Reject License Purchase:** **Link**The workflow pauses execution until one of these actions is taken.
2. Technician decision : Confirm or reject license purchase
The technician has two options:
Option 1: Confirm license purchase
The technician clicks the Confirm License Purchase URL.
This triggers a webhook response that allows the workflow to continue.
The following actions occur:
A ticket note is added stating that the license has been purchased manually.
The workflow resumes and attempts to assign the purchased license to the user.
The workflow continues to the next step in the onboarding process.
Option 2: Reject license purchase
The technician clicks the Reject License Purchase URL.
This triggers a webhook response indicating that the purchase was not completed.
The following actions occur:
A ticket note is added stating that the license was not purchased.
The workflow continues without assigning a license. The technician must assign the license manually at a later stage.
3. Handling timeouts: No action taken
If neither Confirm nor Reject is selected within 24 hours, the workflow automatically adds a timeout note to the PSA ticket.
The message added to the ticket is:
No option was chosen to purchase the license, and the request has now timed out.The workflow proceeds without assigning a license, requiring manual intervention later.
Workflow breakdown
Step
Action taken
Outcome
Add PSA Note
Adds a note to the PSA ticket requesting manual license purchase confirmation.
Technician receives instructions to confirm or reject the purchase.
Technician Confirms License Purchase
Clicks "Confirm License Purchase" link.
The workflow assigns the license and proceeds with onboarding.
Technician Rejects License Purchase
Clicks "Reject License Purchase" link.
The workflow proceeds without assigning a license, requiring manual assignment later.
Technician Takes No Action
No response within 24 hours.
The workflow adds a timeout note and proceeds without assigning a license.
Organizational variables affecting this workflow
ORG.VARIABLES
Purpose
ms_licensing_distributor
Defines the distributor for license purchases (if auto-purchasing is enabled).
auto_purchase_license_if_none_available
Enables auto-purchase of licenses when none are available.
default_psa
Defines which PSA system to log ticket updates in.
default_ticket_status
Defines the PSA ticket status when waiting for technician input.
ticket_status_waiting_input
The status set in PSA when awaiting technician action.
Final notes
The manual license process ensures that a technician has full control over licensing decisions when auto-purchasing is unavailable.
Clear ticketing updates and automation logs ensure visibility into whether a license was purchased, rejected, or timed out.
If manual licensing becomes a frequent issue, consider updating organizational variables to enable auto-purchasing where possible.
User name format and offboarding defaults
Username format options
The Crate allows you to standardize username formats for new accounts.
Format option
Example
First Initial + Last Name
jdoe
First Name + Last Name
johndoe
First Name + Last Initial
johnd
Set the username format using the following variable:
Variable Name
Purpose
Default Value
username_format
Defines the standard username structure.
firstinitiallastname
Offboarding defaults
The same workflow principles apply to user offboarding, ensuring proper deactivation and account cleanup.
Setting
Purpose
Default value
offboarding_deactivate_user
Disables the user account during offboarding.
✅ Enabled
offboarding_remove_groups
Removes the user from security groups.
✅ Enabled
Offboarding settings should be reviewed periodically to ensure compliance with company policies.
Last updated
Was this helpful?