Pre-Onboarding IT Requirements
The pre-onboarding checklist is distributed to the customer administrator 5–7 business days before the onboarding session. Each item must be confirmed complete before the call begins. The most common session failure mode is unresolved conditional access policies — the extended lead time is deliberate.
| Checklist Item | Platform | Action Required | Who |
|---|---|---|---|
| Azure AD conditional access policy | Microsoft 365 | Add PanOps to approved third-party apps; allow multi-tenant OAuth app | Global Admin |
| Google Workspace app approval | Google Workspace | Allow PanOps OAuth app domain-wide consent in Admin Console | Super Admin |
| Zoom app approval | Zoom | Approve PanOps in Zoom Marketplace app management | Zoom Admin |
| Cloud recording policy | Teams / Zoom / Google Meet | Confirm org-wide cloud recording enabled; auto-save to OneDrive / Zoom Cloud / Google Drive | IT Admin |
| Admin role availability | All | Confirm Global Admin / Super Admin / Zoom Admin will be present and available during the session | Admin |
| Employee roster | All | Customer to deliver employee roster by name, location, role, and department, with all connected identifiers (i.e., email address and platform-specific usernames). Preferred format: CSV file. | Admin |
Onboarding Session Flow — Technical Sequence
Total session time: 60 minutes. Participants: a PanOps team member and the customer administrator. All connector authorizations are completed through the PanOps Onboarding Portal — a web-based interface that manages OAuth redirect flows, validates authorization success, and displays real-time connector status.
| Step | Duration | Technical Action |
|---|---|---|
| 1. Portal setup | 2 min | Create customer account; set CEO name and output language preference (ISO 639-1 language code stored per customer in Aurora) |
| 2. M365 / Gmail OAuth | 10 min | Admin initiates OAuth redirect; grants org-wide consent; token stored in AWS Secrets Manager scoped to customer + platform; connector status turns green |
| 3. Slack + Teams messaging | 10 min | Slack OAuth app authorization (separate from M365); Teams messaging scopes added to existing M365 app registration via Graph API |
| 4. Video connectors | 8 min | Teams video covered by M365 auth; Google Meet covered by Google auth; Zoom Meetings — separate OAuth app registration, cloud recording webhook receiver activated |
| 5. SMS / voice connector | 8 min | Customer-selected platform (RingCentral, Dialpad, Zoom Phone, or OpenPhone); webhook URL registered with platform; API credentials stored in Secrets Manager; webhook signature verification confirmed |
| 6. Employee enrollment links | 5 min | Directory queried via M365 Graph API or Google Directory API; unique UUID enrollment URLs generated per employee; stored in Aurora; admin confirms list and distribution method |
| 7. CEO access | 5 min | CEO login created with CEO role; role-based access assigned (Signal + Archive + Admin); Signal walkthrough with live connector data ingestion confirmed |
| 8. Confirm and close | 5 min + buffer | All connectors confirmed green; first sync expected within 6 hours; 30-min post-call sync check scheduled |
OAuth App Registration Requirements
PanOps registers once per platform as an authorized third-party application. These registrations must be completed and approved before any customer onboarding can proceed. Review timelines vary significantly by platform.
| Platform | Registration Type | Review Timeline | Required Scopes |
|---|---|---|---|
| Microsoft Azure AD | Multi-tenant OAuth app | 1–3 week review cycle | Mail.Read, ChannelMessage.Read.All, OnlineMeetings.Read.All, Directory.Read.All |
| Google Cloud | OAuth app + domain-wide delegation | Days; requires verification | gmail.readonly, drive.readonly, directory.readonly, meet.recordings |
| Slack | Slack app with OAuth scopes | Same-day typically | channels:history, channels:read, groups:history, groups:read, users:read |
| Zoom Marketplace | OAuth app with webhook | 1–3 days | recording:read, user:read; webhook: recording.completed |
| SMS / voice platforms | Developer portal account | Varies by platform | Webhook receiver + API read credentials |
Employee Enrollment — Data Model
Employee enrollment is the process by which individual employees are mapped across platforms and provide explicit consent for their communications data to be ingested by PanOps. It runs asynchronously after the onboarding session.
Identity Resolution
Email address is the primary identity key across all platforms. Display name is used as a secondary fallback only. At enrollment, each employee reviews a pre-populated identity mapping (their email and display name as resolved from the directory) and confirms or corrects it. This resolved identity is stored in Aurora and used to attribute all ingested communications to the correct employee record.
Consent Data Logged Per Employee
employee_consent table (Aurora, RLS-scoped to customer tenant)
| Column | Type | Notes |
|---|---|---|
| employee_id | UUID | primary key |
| customer_id | UUID | foreign key, RLS tenant |
| email | VARCHAR | primary identity key |
| display_name | VARCHAR | |
| enrollment_timestamp | TIMESTAMPTZ | |
| consent_version | VARCHAR | consent text version |
| channels_consented | JSONB | array of channel identifiers |
| ip_address | VARCHAR | enrollment device |
| user_agent | VARCHAR | enrollment browser |
| revoked | BOOLEAN | default false |
| revoked_at | TIMESTAMPTZ | nullable |
Enrollment Link Generation
Directory query (M365 Graph API / Google Directory API)
→ Per-employee UUID token generated
→ Enrollment URL: https://app.panops.io/enroll/{uuid}
→ Stored in Aurora with employee_id, customer_id, expiry (7 days)
→ Distributed by customer admin via their preferred method
Post-Onboarding Monitoring
| Timing | Check | Action on Failure |
|---|---|---|
| 30 min post-call | Confirm first sync is running (connector polling logs active) | Investigate connector auth; re-trigger polling if needed |
| 3–4 hrs post-call | Confirm first sync completed for all green connectors | Flag any stale connectors; check Secrets Manager token validity |
| 24 hrs post-call | Check in with administrator; confirm no IT blockers surfaced | Provide async support for any outstanding issues |
| 48 hrs post-call | Confirm >80% employee enrollment; review connector health dashboard | Re-send enrollment links for pending employees; escalate persistent connector failures |
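
An added example (not PanOps code) of the enrollment-link lifecycle from Enrollment Link Generation and the employee_consent row it produces, using the page's URL pattern, 7-day expiry and column names. The dict `store` stands in for Aurora, and the function names, digest-only token storage and single-use redemption are assumptions of this example, not details stated on the page.

```python
import hashlib
import uuid
from datetime import datetime, timedelta

BASE_URL = "https://app.panops.io/enroll/"   # URL pattern from the page
LINK_TTL = timedelta(days=7)                 # expiry from the page

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(store: dict, employee: dict, customer_id: str, now: datetime) -> str:
    """Mint one enrollment URL; the store (stand-in for Aurora) keeps only a digest."""
    token = str(uuid.uuid4())                # random UUID, 122 bits from os.urandom
    store[_digest(token)] = {**employee, "customer_id": customer_id,
                             "expires_at": now + LINK_TTL, "used_at": None}
    return BASE_URL + token

def redeem(store: dict, token: str, channels: list, ip: str, user_agent: str,
           consent_version: str, now: datetime) -> dict:
    """Check a presented token and build the employee_consent row, or raise."""
    try:
        token = str(uuid.UUID(token))        # rejects junk, canonicalises case/format
    except (ValueError, TypeError, AttributeError):
        raise PermissionError("invalid link") from None
    link = store.get(_digest(token))
    if link is None:
        raise PermissionError("invalid link")
    if link["used_at"] is not None:
        raise PermissionError("link already used")
    if now >= link["expires_at"]:
        raise PermissionError("link expired")
    link["used_at"] = now                    # single use: a replayed URL is refused
    return {
        "employee_id": link["employee_id"],
        "customer_id": link["customer_id"],  # tenant comes from the link, never the request
        "email": link["email"],
        "display_name": link["display_name"],
        "enrollment_timestamp": now,
        "consent_version": consent_version,
        "channels_consented": list(channels),
        "ip_address": ip,
        "user_agent": user_agent,
        "revoked": False,
        "revoked_at": None,
    }
```

Re-sending a link to a pending employee at the 48-hour check means calling `issue_link` again, which mints a fresh token with its own 7-day window rather than extending the old one.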
Common Onboarding Issues & Resolutions
| Issue | Root Cause | Resolution |
|---|---|---|
| Conditional access blocking OAuth | Azure AD default policy blocks third-party OAuth apps | IT admin adds PanOps app to approved list in Azure AD conditional access policy — must be done in advance |
| Zoom cloud recording not enabled | Org-wide cloud recording disabled by default | Zoom Admin enables org-wide cloud recording in Zoom Admin Portal before session |
| Global Admin not available on call | Admin role not confirmed before session | Admin role confirmation is on the pre-onboarding checklist — must be resolved before scheduling |
| OpenPhone API key location | OpenPhone API key not surfaced in standard admin UI | Customer locates API key in OpenPhone Settings → Integrations → API; PanOps provides step-by-step guide |