Onboarding form inputs and workflow process

All onboarding form fields

This section provides a complete breakdown of all onboarding form fields, including hidden fields that are conditionally displayed based on other selections.


Basic settings required for all configurations

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| ticket_id | Existing Ticket Number | Dropdown | Optional | Always visible |
| account_requestor | Account Requestor (Missing Opt Gen) | Text Input | Optional | Always visible |
| first_name | First Name | Text Input | Required | Always visible |
| middle_name | Middle Name | Text Input | Optional | Always visible |
| last_name | Last Name | Text Input | Required | Always visible |
| custom_display_name | Custom Display Name | Text Input | Optional | advanced_options_user_attributes is checked |
| email_domain | Primary Email Domain | Dropdown | Required | Always visible |
| username | Username | Text Input | Auto-Generated | Requires First and Last Name |
| user_exists | Does User Exist | Output Only | | Determines if the user exists in the primary identity instance. |
| license_group_assignment | License Group Assignment | Multi-Select Dropdown | Optional | user_exists is true OR licencing_choose_subscription is enabled |
| direct_m365_license_assignment | Direct M365 License Assignment | Dropdown | Optional | user_exists is true OR licencing_choose_subscription is enabled |
| license_subscription | License Subscription | Dropdown | Optional | user_exists is true OR licencing_choose_subscription is enabled |
| copy_user_attributes | Copy User Attributes | Checkbox | Optional | Always visible |
| user_to_copy | User To Copy | Dropdown | Optional | copy_user_attributes is checked |
| copy_user_groups | Copy User Groups | Checkbox | Optional | copy_user_attributes is checked |
| onprem_security_groups | On-Prem Sec Groups | Multi-Select Dropdown | Optional | primary_identity_provider is On-Prem AD or Hybrid |
| onprem_dist_groups | On-Prem Dist Groups | Multi-Select Dropdown | Optional | primary_identity_provider is On-Prem AD or Hybrid |
| azure_ad_security_groups | Entra Security Groups | Multi-Select Dropdown | Optional | primary_identity_provider is Azure AD or Hybrid |
| azure_ad_mail_groups | Entra Mail-Enabled Groups | Multi-Select Dropdown | Optional | primary_identity_provider is Azure AD or Hybrid |
| organizational_unit | Organizational Unit | Dropdown | Optional | primary_identity_provider is On-Prem AD or Hybrid |
| password | Password | Text Input | Optional | Leave blank to auto-generate OR enter a password (min 8 chars). |
| show_advanced_options | Show Advanced Options | Checkbox | Optional | Always visible |

Advanced: Manual approver fields

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| advanced_options_approval | Advanced - Manual Approver | Checkbox | Optional | show_advanced_options is checked |
| manual_approver_email | Manual Approver E-Mail | Text Input | Optional | advanced_options_approval is checked |

Advanced: User attributes

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| home_directory | User Attributes - Home Directory | Checkbox | Optional | primary_identity_provider is On-Prem AD, Hybrid (No Sync), On-Prem Only, AND advanced_options_home_directory is checked |
| home_directory_server | Home Directory Server | Dropdown | Optional | home_directory is checked |
| home_directory_path | Home Directory Path | Text Input | Optional | home_directory is checked |
| home_directory_drive_letter | Home Directory Drive Letter | Dropdown | Optional | home_directory is checked |
| description | Description (AD Only) | Multi-line Input | Optional | primary_identity_provider is On-Prem AD or Hybrid |

Advanced: RMM options

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| advanced_options_rmm | Advanced - RMM Options | Checkbox | Optional | enable_advanced_options is checked |

Advanced: Mail attributes

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| mail_nickname | Mail Nickname | Text Input | Optional | advanced_options_mail is checked |
| secondary_email_domains | Secondary Email Domains | Multi-Select Dropdown | Optional | advanced_options_mail is checked |
| shared_mailboxes | Shared Mailboxes | Multi-Select Dropdown | Optional | advanced_options_mail is checked |
| shared_mailboxes_allow_send_as | Allow Send As the Shared Mailboxes? | Checkbox | Optional | shared_mailboxes is checked |
| shared_mailboxes_allow_send_on_behalf | Allow Send on Behalf of the Shared Mailboxes? | Checkbox | Optional | shared_mailboxes is checked |

Advanced: Password settings

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| require_password_change | Require Password Change | Checkbox | Optional | advanced_options_password is checked |
| cannot_change_password | User cannot change password (On-Prem) | Checkbox | Optional | advanced_options_password is checked |
| password_never_expires | Password Never Expires (On-Prem) | Checkbox | Optional | advanced_options_password is checked |
| store_password_in_ticket | Store Password in Ticket | Checkbox | Optional | advanced_options_password is checked |
| send_sms_to_user | Send Password to User Mobile | Checkbox | Optional | ORG.VARIABLES.send_sms_to_user and advanced_options_password |
| sms_with_country_code | SMS Number with Country Code | Number Input Field | Optional | send_sms_to_user and advanced_options_password |
| vpn | Dial-In VPN access for the user. | Checkbox | Optional | advanced_options_user_attributes is checked and show_advanced_options is checked |

Advanced: PSA options

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| create_contact_in_psa | Create Company Contact in PSA | Checkbox | Optional | advanced_options_psa is checked |
| psa_child_company | PSA Child Company | Dropdown | Optional | advanced_options_psa is checked |

Device and software assignments

| Field name | Field label | Field type | Requirement | Conditions |
| --- | --- | --- | --- | --- |
| required_devices | Required Devices | Multi-Select Dropdown | Optional | advanced_options_devices is checked |
| device_description | Device Description Information | Multi-line Input | Optional | advanced_options_devices is checked |
| required_applications | Required Applications | Multi-Select Dropdown | Optional | advanced_options_apps is checked |

Decoded advanced Jinja conditions

In some cases, form fields are dynamically determined using complex Jinja logic.

For example: Identity provider configuration field visibility

{% set idp_config = "invalid_idp" %}
{%- if ORG.VARIABLES.primary_identity_provider|d|lower in ["azure_ad","azuread"] or CTX.mail_only_user|d(false) -%}
    {%- set idp_config = "azure_ad" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] and ORG.VARIABLES.onprem_no_adsync|d|lower in ["true","1"] -%}
    {%- set idp_config = "hybrid_no_sync" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] and ORG.VARIABLES.no_azure_ad|d|lower == "true" -%}
    {%- set idp_config = "on_prem_only" -%}
{%- elif ORG.VARIABLES.primary_identity_provider|d|lower in ["on_prem"] -%}
    {%- set idp_config = "on_prem" -%}
{%- endif %}
{{- idp_config in ["hybrid_no_sync", "on_prem_only", "on_prem"] -}}
  • The field will only show if ORG.VARIABLES.primary_identity_provider is On-Prem, Hybrid without Sync, or On-Prem Only.

  • If Azure AD is selected, the field will be hidden.
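
The branch order in the template above decides several edge cases that the two bullets do not spell out. The following Python port is an added example, not code from the Crate; the function names and the sample inputs are assumptions made for illustration, and the plain dicts stand in for ORG.VARIABLES and CTX.

```python
"""Python port of the Jinja visibility condition shown above (added example)."""

ON_PREM_CONFIGS = ("hybrid_no_sync", "on_prem_only", "on_prem")


def _lower(value):
    # Stand-in for Jinja's `|d|lower`: a missing variable becomes "",
    # anything else is stringified and lowercased (True -> "true").
    return "" if value is None else str(value).lower()


def resolve_idp_config(org_vars, ctx=None):
    """Return the idp_config string the template would compute."""
    ctx = ctx or {}
    provider = _lower(org_vars.get("primary_identity_provider"))
    # `CTX.mail_only_user|d(false)` is a plain truthiness test, so any
    # non-empty string (even "false") takes this branch.
    if provider in ("azure_ad", "azuread") or ctx.get("mail_only_user", False):
        return "azure_ad"
    if provider == "on_prem":
        if _lower(org_vars.get("onprem_no_adsync")) in ("true", "1"):
            return "hybrid_no_sync"
        if _lower(org_vars.get("no_azure_ad")) == "true":  # "1" is not accepted here
            return "on_prem_only"
        return "on_prem"
    return "invalid_idp"  # unknown or unset provider: field stays hidden


def field_visible(org_vars, ctx=None):
    return resolve_idp_config(org_vars, ctx) in ON_PREM_CONFIGS


# Constructed inputs: (ORG.VARIABLES, CTX) pairs covering each branch and edge case.
CASES = [
    ({"primary_identity_provider": "AzureAD"}, {}),
    ({"primary_identity_provider": "on_prem"}, {}),
    ({"primary_identity_provider": "on_prem", "onprem_no_adsync": "1"}, {}),
    ({"primary_identity_provider": "on_prem", "no_azure_ad": "1"}, {}),
    ({"primary_identity_provider": "on_prem"}, {"mail_only_user": "false"}),
    ({"primary_identity_provider": "hybrid"}, {}),
    ({}, {}),
]

if __name__ == "__main__":
    for org_vars, ctx in CASES:
        print(org_vars, ctx, "->", resolve_idp_config(org_vars, ctx),
              "visible" if field_visible(org_vars, ctx) else "hidden")
```

An unset or unrecognised provider resolves to invalid_idp, so the field fails closed (hidden), while a mail_only_user value stored as the string "false" still hides it because the template tests truthiness only.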

Workflow process overview

Once a form is submitted, the Microsoft: User Onboarding Crate executes the following steps:

1. Form submission and validation

  • The process starts when a user submits the [Crate] Microsoft: User Onboarding form.

  • The workflow checks if the user already exists in AD or Azure AD.

  • The form captures necessary user details, including personal information, group memberships, licensing, and security settings.

  • PSA integration retrieves the user's location, if available.

  • If the New User Approval System is enabled, an approval request is sent before proceeding.

  • All required fields are validated before proceeding.

2. Ticket creation and management

  • If no ticket exists, a new one is created.

  • If a ticket already exists, it is updated with onboarding progress.

3. User account creation

  • The user account is created based on the selected identity provider:

    • On-Prem AD Only: A new AD account is created.

    • Azure AD Only: A new Entra ID (Azure AD) account is created.

    • Hybrid with Sync: A new AD account is created and synced to Azure AD.

    • Hybrid with No Sync: Separate accounts are created in both directories.

4. Group and license assignments

  • Security groups are assigned in AD or Azure AD.

  • Microsoft 365 licenses are applied via direct assignment or group membership.

  • Shared mailbox permissions are configured if applicable.

5. Credential and notification handling

  • A secure temporary password is generated.

  • The password is securely stored in PSA, ITGlue, Hudu, or sent via email or SMS.

  • The user’s manager may optionally be notified of credential details.

6. Ticket update and completion

  • Final provisioning details are logged in the PSA ticket.

  • The onboarding process is marked complete, and workflow logs are stored.
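
Step 1 states that required fields are validated, and the reference tables tie many fields to a controlling checkbox. The sketch below is an added example, not the Crate's own validation: it re-checks a submitted payload against those table rows, and the dict payload format, the function name and the choice to report gated fields as errors are assumptions.

```python
# Field -> controlling checkbox, transcribed from the "Conditions" column above.
GATED_BY = {
    "user_to_copy": "copy_user_attributes",
    "copy_user_groups": "copy_user_attributes",
    "advanced_options_approval": "show_advanced_options",
    "manual_approver_email": "advanced_options_approval",
    "require_password_change": "advanced_options_password",
    "cannot_change_password": "advanced_options_password",
    "password_never_expires": "advanced_options_password",
    "store_password_in_ticket": "advanced_options_password",
    "create_contact_in_psa": "advanced_options_psa",
    "psa_child_company": "advanced_options_psa",
}
REQUIRED = ("first_name", "last_name", "email_domain")
MIN_PASSWORD_LEN = 8  # "min 8 chars" from the password row

def validate_submission(form):
    """Return a list of problems; an empty list means the payload is consistent."""
    errors = []
    for name in REQUIRED:
        if not str(form.get(name) or "").strip():
            errors.append(f"{name}: required field is empty")
    # A value in a field whose controlling checkbox is off was never visible
    # in the form, so it should not influence provisioning.
    for field, gate in GATED_BY.items():
        if form.get(field) and not form.get(gate):
            errors.append(f"{field}: set but {gate} is not checked")
    password = form.get("password") or ""
    if password and len(password) < MIN_PASSWORD_LEN:
        # Report the rule only; never echo the password into logs or tickets.
        errors.append("password: shorter than 8 characters")
    return errors

# Constructed sample payloads (hypothetical dict format keyed by field name).
SAMPLE_OK = {
    "first_name": "Ana", "last_name": "Ruiz", "email_domain": "example.com",
    "show_advanced_options": True, "advanced_options_approval": True,
    "manual_approver_email": "lead@example.com", "password": "",
}
SAMPLE_INCONSISTENT = {
    "first_name": "Ana", "last_name": " ", "email_domain": "example.com",
    "manual_approver_email": "lead@example.com",
    "store_password_in_ticket": True, "password": "short",
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_INCONSISTENT):
        print(validate_submission(sample) or "consistent")
```

Because manual_approver_email and store_password_in_ticket change who approves the account and where the credential ends up, a payload that sets them without their checkbox is worth logging as well as rejecting.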

Workflow breakdown by identity provider type

On-premises AD only

  • Main workflow: Creates a user in Active Directory.

  • Subworkflows:

    • Assigns security groups.

    • Configures mapped drives and home directories.

    • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.

    • Updates PSA ticket with user details.

Azure Active Directory only

  • Main workflow: Creates a user in Azure AD (Entra ID).

  • Subworkflows:

    • Assigns Microsoft 365 licenses.

    • Adds users to Microsoft 365 groups and shared mailboxes.

    • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.

    • Updates PSA ticket with user details.

Hybrid with AD sync

  • Main workflow: Creates a user in Active Directory and syncs to Azure AD.

  • Subworkflows:

    • Assigns both on-prem AD and Azure AD groups.

    • Applies Microsoft 365 licensing.

    • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.

    • Updates PSA ticket with sync confirmation.

Hybrid with no AD sync

  • Main workflow: Creates separate accounts in Active Directory and Azure AD.

  • Subworkflows:

    • Assigns security groups for each directory independently.

    • Applies Microsoft 365 licensing.

    • The password is sent via email, SMS, or documented in ITGlue, Hudu, or the PSA system.

    • Updates PSA ticket with user details.
