Skip to content

Client Onboarding Process

This document outlines the complete onboarding process for CMMC clients, following the 'CMMC Onboarding' project template workflow.

Task 01 - Conduct Kickoff Call

Prepare Kickoff Presentation

  1. Navigate to Beautiful.AI and create a new presentation based on the team template CMMC Kickoff

  2. Customize the presentation:

  3. Edit the title page to include the client's logo (typically sourced from their website)
  4. Review environment diagram slides:
    • There are two variants: Standard and Advanced
    • Remove the slide that is NOT relevant to the planned build

  5. Update the domain name recommendation slide(s):

    • Typical format: companynamegov.us
    • Note: Client has final say on domain name selection

  6. Quality check:

  7. Verify all slides are relevant to this specific client
  8. Confirm timelines and references are accurate

  9. Remove any generic placeholder text

  10. Save the presentation to the client's shared team folder (typically named after the company)

Task 02 - Gather Required Information from Client

Send Information Request Email

  1. In HaloPSA, navigate to the ticket and click the 'Email User' button

  2. Copy the ticket description content into the email body

  3. Edit the email:

  4. Update the 'Confirm New Domain Name' section with the domain discussed during the kickoff call

  5. Add any additional questions or clarifications as needed

  6. Send the email:

  7. TO: Primary project point of contact
  8. CC: Yourself + Ajay

Note: Validation emails typically take 1-2 days for clients to receive.

Task 03 - Submit MS Validation GovIntake Form for GCC High

  1. Navigate to the Microsoft GovIntake portal: https://usgovintake.embark.microsoft.com/

  2. Complete the form using the information gathered from the client in Task 02

  3. Submit the form and wait for validation confirmation

Task 04 - Populate Client Site Fields in HaloPSA

Update Client Site Information

  1. Navigate to Customers in HaloPSA and select the client from the list

  2. Go to the 'Sites & Users' tab

  3. Select the 'Main' site

  4. Click 'Edit' (top left) and scroll down the right information column to 'Additional Details'

  5. Populate the following fields:

  6. CAGE Code
  7. UEI

  8. GSA Contract

  9. Click Save (top left)

Add MS Validation Details

Once you receive GovIntake validation confirmation from the client:

  1. Return to the Client Site (same process as above)

  2. Add the following information from the confirmation email:

  3. MS Validation ID

  4. MS Validation Date

  5. Save changes

Task 05 - Create Slack Channels for Shared Communications

Set Up Client Communication Channel

  1. In Slack, create a new private channel

  2. Naming convention: ext-stratus-clientname

  3. Example: ext-stratus-tesconsultants

  4. Invite users to the channel:

  5. Stratus team members
  6. Client users (as provided in the information gathering email)

Task 06 - Procure MS GCC High (G5) Licenses via Pax8

Prerequisites: MS Validation Code and Date of Validation required

Order Initial Microsoft 365 GCC-H G5 Licenses

  1. Log into the Pax8 Portal

  2. Navigate to the client account and create a new order for:

  3. Microsoft 365 GCC-H G5 licenses (start with 3 licenses)

  4. Include Microsoft Agreement for Online Services AOS-G enrollment

  5. Fill out company information:

  6. Customer contact: Technical or project POC (first name, last name, email)
  7. Partner Admin contact: Ajay (name and email)

  8. Approval date: Date from MS Validation email

  9. Submit the order

Note: License provisioning typically takes ~48 hours

Tenant Setup and Registration

Step 1: Registration Email

Wait for the registration email from Microsoft. Click the highlighted registration link in the email.

Registration Email

Step 2: Enter Partner Details

Enter the following partner information: - Email: Ajay@stratuscyber.com - Name: Ajay's full name - Mobile number: Ajay's mobile

Partner Details Form

Step 3: Create New Tenant

You'll be presented with a screen to fill in the new tenant information. Complete all required fields.

Tenant Information Form

Step 4: Connect Subscription to Tenant

  1. Return to the original email (wait ~1 hour after initial registration)

  2. Click the option to sign in using the brand-new account created in the previous step

Subscription Connection

  1. This action connects the subscription to the account/tenant

  2. Wait for the confirmation email indicating successful setup

Setup Confirmation Email

Configure Admin Access

  1. Navigate to https://portal.office365.us/adminportal

  2. Add other Stratus administrators and assign Global Administrator role

  3. Verify licenses:

  4. Go to Billing > Licenses in the admin portal
  5. Confirm licenses are present
  6. Assign at least one license to the engineer performing the build

Order Windows 365 Cloud PCs

  1. Return to Pax8

  2. Order the appropriate quantity of Windows 365 Cloud PCs

Note: Provisioning takes 1-3 days (typically faster than M365 G5 licensing)

Task 07 - Provision Client Domain Name and Add to M365 Environment

Cloudflare Account Setup

  1. Request Ajay to create a new Cloudflare account for the client

  2. Ensure you're added as owner/manager

Register Domain Name

  1. Navigate to Stratus Cyber Cloudflare

  2. Purchase/register the client's desired domain name

  3. On the Cloudflare account homepage for the client, change the domain plan to 'Partners Business'

Cloudflare Plan Selection

Cloudflare Partners Business Plan

Add Custom Domain to Entra ID

  1. Navigate to the client's Entra ID portal: entra.microsoft.us

  2. Go to Identity > ... Show more > Settings > Domain names > Custom domain names

  3. Click Add custom domain

  4. Verify the domain:

  5. Add the required DNS record (typically TXT record) in Cloudflare

  6. Complete the verification process

  7. Once verified, select the custom domain and set it as the Primary Domain

Important: Wait 24 hours for domain propagation throughout M365 GCC-H components

Update User Accounts

  1. Navigate to https://portal.office365.us/adminportal

  2. Go to Users > Active Users

  3. For each existing user:

  4. Select the user and edit their username/email

Edit User Email - Step 1

Edit User Email - Step 2

  1. Enter the new email format: first.last@customdomain.us

  2. Once the new address appears in the list below the input box, click the three dots (...) and select 'Change to primary'

  3. Repeat for all users in the environment

Note: Future users will automatically use the new domain as it's now set as primary in Entra

Configure DNS Records in Cloudflare

Add the following DNS records in Cloudflare. DO NOT enable DNS Proxy for these records.

Type Priority Host name Value TTL
MX 0 @ stratuscybergovcloud.mail.protection.office365.us 1 Hour
TXT N/A @ v=spf1 include:spf.protection.office365.us -all 1 Hour
CNAME N/A autodiscover autodiscover.office365.us 1 Hour
CNAME N/A selector1._domainkey selector1-stratuscybergov-us._domainkey.stratuscybergovcloud.onmicrosoft.us 1 Hour
CNAME N/A selector2._domainkey selector2-stratuscybergov-us._domainkey.stratuscybergovcloud.onmicrosoft.us 1 Hour
TXT N/A _dmarc v=DMARC1; p=reject; pct=100; rua=mailto:reports@dmarc.cyber.dhs.gov, mailto:dmarc@clientdomain.us; ruf=mailto:dmarc@clientdomain.us 1 Hour

Important Notes: - MX Record: Uses the default tenant name (typically the onmicrosoft.us domain), not necessarily the chosen domain name - DMARC Record: Replace clientdomain.us with the client's actual domain. Email addresses referenced will be created later during the build.

Configure DKIM

  1. Navigate to security.microsoft.us and sign in with the Global Admin account

  2. Go to Email & Collaboration > Policies & Rules > Threat Policies > Email Authentication Settings

  3. Select the DKIM tab

  4. For the custom domain:

  5. Select the domain being used
  6. Click Generate Keys
  7. Copy the generated CNAME records

  8. Add them as DNS records in Cloudflare

  9. For the onmicrosoft.us domain:

  10. Select the onmicrosoft.us domain
  11. Click Generate Keys

  12. No need to add DNS records for this domain

  13. Enable DKIM:

  14. Refresh the domain list
  15. Verify status shows 'Valid' next to both domains
  16. Toggle the slider from 'Disabled' to 'Enabled' for both domain entries

Task 08 - Establish MS Partner Relationships

Optional: Speak to Ajay if required for your specific client engagement.

Task 10 - Onboard Client into Huntress

Create Organization

  1. Log into the Huntress portal

  2. Click the hamburger menu (top right) and navigate to Organizations

  3. Click Add new organization

  4. Configure the organization:

  5. Name: Client Name Gov (e.g., "Stratus Cyber Gov")
  6. Key: clientname-gov (e.g., "stratuscyber-gov")

Enable Sensitive Data Mode

  1. Click the Help button to open live chat

  2. Request Huntress support to enable 'Sensitive Data Mode' for the new client

  3. They may ask you to confirm via email with a generic "I agree to this" statement

Completion

Once all tasks are completed, update the project status in HaloPSA and notify the team in the client's Slack channel.