TLDR: Winging your MSP onboarding is how you end up missing firewall rules and scrambling for ISP credentials three weeks into an engagement. This phase-by-phase checklist covers everything from contract review and network discovery to RMM deployment and go-live — copy it, customize it, and use it on every client.
Why MSPs Need a Standardized Onboarding Checklist
Every MSP has a horror story. You sign a new client, skip a few steps during onboarding, and three weeks later you’re scrambling because nobody documented the firewall rules or collected the ISP credentials.
Disorganized onboarding is the fastest way to erode trust with a new client. They just signed a contract with you because they believe you’re more competent than their last provider. Prove it from day one.
A standardized checklist eliminates guesswork. It ensures your team handles every client the same way, regardless of who runs point. And it gives your client confidence that they made the right call.
Here’s the checklist. Copy it. Customize it. Use it on every engagement.
Phase 1: Pre-Onboarding
This happens between contract signing and the first on-site or remote session.
- Review the signed MSA and SLA — confirm response times, covered hours, and exclusions
- Assign an onboarding lead and a backup contact internally
- Send the client a welcome packet with timeline, expectations, and a point of contact
- Schedule the kickoff call within 3-5 business days of signing
- Create the client record in your PSA (ConnectWise, Autotask, HaloPSA, etc.)
- Set up the client folder in your documentation platform (IT Glue, Hudu, etc.)
Skip this phase and you’re already behind before the technical work starts.
Phase 2: Network Discovery and Infrastructure Audit
This is where you build your understanding of what you’re managing.
- Document the network topology — switches, routers, access points, VLANs
- Inventory all endpoints — workstations, laptops, servers, printers, mobile devices
- Record IP ranges and DHCP scopes
- Identify the ISP — account number, circuit ID, support contact, bandwidth tier
- Document existing domain setup — registrar, DNS hosting, MX records
- Map line-of-business applications — what software runs the business and where it is hosted
- Check warranty status on all critical hardware
If you’re doing this manually, it takes hours. Tools like Liongard, Network Detective, or even a well-structured secure file upload portal can speed this up dramatically.
Phase 3: Credential Collection
This is often the most painful phase. Clients never have their passwords organized.
- Domain admin credentials (on-prem Active Directory)
- Microsoft 365 or Google Workspace global admin
- Firewall/router admin credentials
- ISP portal login
- Hosting and domain registrar logins
- Vendor portal credentials (copier company, phone system, LoB software)
- Backup solution credentials
- Security camera or physical access system logins
- Cloud service accounts (AWS, Azure, etc.)
Do not accept credentials via email. Use an encrypted vault or a client portal with secure document collection. This protects you and the client.
Phase 4: Security Assessment
You need to know the state of security before you take responsibility for it.
- Antivirus/EDR status — what’s installed, is it current, is it managed
- Firewall rules review — are there open ports that shouldn’t be
- Backup audit — what’s backed up, where, how often, when was the last test restore
- MFA status — which accounts have it, which don’t
- Email security — SPF, DKIM, DMARC records in place
- Password policy review — complexity, rotation, shared accounts
- Patch status — Windows updates, firmware, third-party apps
- Dark web scan — check for compromised credentials tied to the client’s domain
Document everything you find. This becomes your baseline and your leverage for recommending improvements.
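To make the email security line of that baseline concrete, here is an added example (not part of the original checklist or of any vendor tool) that grades SPF, DKIM and DMARC TXT records you have already collected and flags the settings that leave spoofed mail unblocked. The domain, the selector `s1`, the record values and the function names are all constructed for illustration.

```python
# Added example; every domain, selector and TXT value below is constructed.
def parse_tags(record):  # 'k=v; k=v' (DKIM, DMARC) -> dict with lowercase keys
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(apex_txt):
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as a permanent error"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated; audit the redirect target instead
        return ["SPF: no 'all' mechanism, so unlisted senders get a neutral result"]
    if all_terms[0][0] not in "-~":  # a bare 'all' means '+all'
        return [f"SPF: '{all_terms[0]}' does not fail unlisted senders"]
    return []

def audit_dkim(selector_txt):
    keys = [t for t in map(parse_tags, selector_txt) if "p" in t]
    if not keys:
        return ["DKIM: no key record at the selector"]
    if not keys[0]["p"]:
        return ["DKIM: empty p= tag, meaning the key has been revoked"]
    return []

def audit_dmarc(dmarc_txt):
    recs = [t for t in map(parse_tags, dmarc_txt) if t.get("v") == "DMARC1"]
    if not recs:
        return ["DMARC: no record at _dmarc"]
    policy = recs[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return [f"DMARC: policy is '{policy or 'missing'}', so receivers take no action"]
    return []

def baseline(records, domain, selector):  # records: DNS name -> list of TXT strings
    return (audit_spf(records.get(domain, []))
            + audit_dkim(records.get(f"{selector}._domainkey.{domain}", []))
            + audit_dmarc(records.get(f"_dmarc.{domain}", [])))

SAMPLE = {  # constructed records for a fictional client
    "client.example": ["v=spf1 ip4:192.0.2.10 ?all"],
    "s1._domainkey.client.example": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    "_dmarc.client.example": ["v=DMARC1; p=none; rua=mailto:dmarc@client.example"],
}

print("\n".join(baseline(SAMPLE, "client.example", "s1")))
```

DKIM selectors cannot be enumerated from DNS, so take them from the headers of a message the client actually sent before running the check.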
Phase 5: RMM and PSA Deployment
Now you install your tooling.
- Deploy RMM agents to all endpoints (workstations, servers, network devices where supported)
- Configure monitoring policies — CPU, disk, memory, service status
- Set up automated patching schedules
- Deploy managed antivirus/EDR through the RMM
- Configure backup agents if switching providers
- Create asset records in the PSA linked to the client
- Set up alerting thresholds and escalation paths
- Test remote access to at least 3 devices to confirm connectivity
Phase 6: Documentation Handoff
- Complete the documentation package in IT Glue, Hudu, or your platform of choice
- Share relevant documentation with the client — network diagram, escalation contacts, support process
- Confirm the client knows how to submit a ticket
- Provide a “What We Manage” summary so scope is crystal clear
This phase is where you set expectations for the ongoing relationship. The MSP case study guide covers how other providers handle this transition.
Phase 7: Go-Live Review
Schedule this 7-10 days after deployment.
- Review all open issues from the onboarding process
- Confirm all monitoring is active and alerting correctly
- Walk through the first monthly report with the client
- Collect feedback on the onboarding experience
- Transition from onboarding lead to ongoing account manager (if applicable)
Stop Rebuilding This From Scratch
If you’re copying this checklist into a Google Doc for every client, you’re already wasting time. A repeatable onboarding process should live in a system, not a spreadsheet.
The best MSPs treat onboarding like a product. Same steps, same quality, every time. That’s what separates a $50/endpoint shop from a $150/endpoint partner.
For a broader look at how service businesses handle checklists beyond IT, check out the client onboarding checklist for service businesses.
OnboardMap gives you a branded client portal where you can templatize this entire workflow — collect credentials securely, track progress, and look like the professional operation you are. Get early access here.