Onboarding a new team member in Google Workspace should take about 30 minutes if you're doing it properly. Most businesses do it in 5, skip two thirds of the steps, and end up with an account that's either over-provisioned (access to everything from day one), under-provisioned (missing access they need to do their job), or insecurely configured (no MFA, weak password, logged into a personal device with no management policy applied).
This article is a step-by-step walkthrough of what a proper Workspace onboarding looks like. You can adapt it as a checklist your business follows every time someone joins. The goal is that every new starter has exactly the right access, correctly secured, from their first day.
Before day one: what to prepare
Good onboarding starts before the new starter logs in for the first time. The three things to sort in advance:
- What access do they need? List the Shared Drives, Google Groups, and third-party apps they'll need access to for their role. This is the access list. Stick to it: don't grant access to anything you're not sure about. You can add more later if it turns out they need it.
- What device will they use? Company device or personal? This determines whether you need to handle device enrolment in the Admin Console's mobile management settings.
- Who's responsible for the setup? Name the person who will run through this checklist. If it's whoever has time, it won't get done properly.
The new starter setup checklist
1 Create the user account in Admin Console
Go to admin.google.com → Directory → Users → Add new user. Fill in first name, last name, and the email address you've chosen for them. Use a consistent naming convention — firstname.lastname@yourdomain.com is the most common and easiest to manage at scale.
Set a strong temporary password and tick "Require password change at next sign-in" — this means the new starter sets their own password from day one, rather than you holding it in a message somewhere.
2 Add them to the right Google Groups
Google Groups are how most businesses manage shared email addresses (like team@yourdomain.com or accounts@yourdomain.com). Make sure the new starter is added to every group relevant to their role. Go to Directory → Groups, find each relevant group, and add the new user as a member.
Don't add new starters to every group "just to be safe." Over-membership in groups means they receive emails and notifications they shouldn't, and builds up unnecessary access over time. Role-specific groups only.
3 Grant Shared Drive access
Go to each Shared Drive the new starter needs access to. Under Manage members, add them with the appropriate role — Viewer, Commenter, Contributor, or Manager. For most employees, Contributor (can edit, organise, and add) is appropriate. Manager access (can change membership and settings) should be limited to senior roles and the admin.
The principle here: start with the minimum access needed and add more if required. Starting with full access and trying to restrict it later never works in practice.
4 Set up and require MFA before first login
If MFA is enforced at the organisation level (which it should be — see the MFA enforcement guide), the new starter will be prompted to set up two-step verification when they first log in. Make sure they know to expect this and have a guide available — a confused new starter trying to set up an authenticator app on their first day creates unnecessary friction.
Send them a short note in advance: "When you first log in, you'll be asked to set up two-step verification. Here's a quick guide — it takes about 2 minutes and you'll need your phone." That's enough to prevent confusion.
5 Apply a mobile management policy if they're using a phone
If the new starter will access Gmail, Calendar, or Drive from a mobile device, that device should be enrolled in basic mobile management. Go to Devices → Mobile & endpoints in the Admin Console. With Basic Mobile Management enabled, you can enforce screen lock and have the ability to do a remote wipe if the device is lost.
This doesn't require installing anything on their phone beyond the standard Google apps. They'll receive a prompt to enrol when they first add their work account.
6 Confirm their account in the Admin Console user list
Once the new starter has logged in and completed MFA setup, go back to Directory → Users and check their account shows as active. Under their account, you can see whether MFA is enrolled, their last login time, and which devices are registered. This takes 30 seconds and confirms the setup was completed correctly.
What usually gets skipped — and why it matters
In every Workspace I audit, I find the same three things missing from new starter setups:
- MFA not confirmed: Enforced at the org level but never checked whether the specific new user actually completed it.
- Shared Drive access too broad: Added to a top-level drive with Manager permissions when Contributor to specific sub-folders was all that was needed.
- Mobile device not enrolled: They accessed Gmail from their phone on day two and nobody applied a management policy.
None of these are catastrophic in isolation. Together, they mean a new employee joins with more access than they need, improperly secured, on an unmanaged device. If that employee is the one whose credentials end up in a phishing attack three months later, the consequences are proportional to the access they had and the security controls in place.
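The step 6 confirmation and the three commonly skipped items can be checked as one comparison between what the new user actually has and the agreed access list. The sketch below is an added example, not part of the original article. It assumes the data has already been exported into dictionaries shaped like Admin SDK Directory API and Drive API v3 responses; the function name, the access-list layout, and the sample accounts are hypothetical.

```python
# Added example: field names follow the Admin SDK Directory API user resource
# (isEnrolledIn2Sv, lastLoginTime) and Drive API v3 permission roles.
NEVER = "1970-01-01T00:00:00.000Z"  # Directory API value for "never signed in"
# Drive API role -> Shared Drive role name in the UI, lowest to highest
ROLES = {"reader": "Viewer", "commenter": "Commenter", "writer": "Contributor",
         "fileOrganizer": "Content manager", "organizer": "Manager"}
RANK = list(ROLES)

def audit_new_starter(user, groups, drive_roles, devices, access_list):
    """Compare what a new user actually has with the agreed access list.
    Returns a list of findings; an empty list means the setup matches."""
    findings = []
    if user.get("lastLoginTime", NEVER) == NEVER:
        findings.append("has not signed in yet")
    if not user.get("isEnrolledIn2Sv", False):
        findings.append("MFA not enrolled")
    wanted = set(access_list["groups"])
    for g in sorted(set(groups) - wanted):
        findings.append(f"group not on access list: {g}")
    for g in sorted(wanted - set(groups)):
        findings.append(f"missing group: {g}")
    for drive, role in sorted(drive_roles.items()):
        allowed = access_list["drives"].get(drive)
        if allowed is None:
            findings.append(f"drive not on access list: {drive}")
        elif RANK.index(role) > RANK.index(allowed):
            findings.append(f"{drive}: {ROLES[role]} granted, {ROLES[allowed]} agreed")
    for drive in sorted(set(access_list["drives"]) - set(drive_roles)):
        findings.append(f"missing drive: {drive}")
    # Assumption: "APPROVED" is the status of an enrolled, managed device.
    if access_list["mobile"] and not any(d.get("status") == "APPROVED" for d in devices):
        findings.append("no managed mobile device")
    return findings

# Constructed sample data (not real accounts).
ACCESS_LIST = {"groups": ["team@example.com"], "drives": {"Finance": "writer"}, "mobile": True}
USER = {"primaryEmail": "sam.taylor@example.com", "isEnrolledIn2Sv": False,
        "lastLoginTime": "2024-05-02T08:14:00.000Z"}
GROUPS = ["team@example.com", "accounts@example.com"]
DRIVE_ROLES = {"Finance": "organizer", "Marketing": "writer"}

if __name__ == "__main__":
    for f in audit_new_starter(USER, GROUPS, DRIVE_ROLES, [], ACCESS_LIST):
        print(f"{USER['primaryEmail']}: {f}")
```

Running the same comparison a week after the start date catches access that was added informally after day one.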
A proper new starter process takes 30 minutes. Running the same checklist every time means it gets done right regardless of who's onboarding them or how busy the business is.