«There was so much manual work, and we had almost accepted that onboarding would just have to be labor-intensive. But it put security and users at risk, and then something had to be done about it.»
For IT this meant:
A steady stream of cases that could have been self-service.
Vulnerable integrations between «My Employees», local AD and other systems.
No good method for regularly reviewing who had what access, especially for employees who work across units and institutions.
For the company, the consequences were easy to see.
New employees often showed up on their first day without the access they needed. Managers spent hours manually approving, forwarding passwords, and hunting for information. It was clear that security and privacy were not where they needed to be.
«We worked hard to keep something alive that should have been replaced a long time ago»— Tine Johannessen Merkesvik, Senior Advisor and IAM Lead at Bufdir
Fortytwo’s mission: Repair the front door without delaying the mission
Bufdir wasn’t looking for a prettier login page. They needed a completely new way to handle onboarding and access, one that could survive the realities of a nationwide organization with constant turnover and dozens of locations.
The requirements were clear enough:
The solution had to be scalable every day, everywhere.
Sensitive information had to be better protected.
Auditors needed something more unified to deal with than scattered spreadsheets.
Whatever was built had to follow the rules and restrictions that came with it.
public work, especially around private entities and labor law.
Bufdir could not afford downtime in the migration process from the old to the new system. Institutions had to stay open, people had to do their jobs, and the service desk had to not be buried under a wave of confusion the moment the switch was turned off and the new system implemented.
Fortytwo came in with deep knowledge of identity and EntraID, and designed a system that worked in Bufdir’s real world – not just on paper.
They built the workflow, connected the systems, and helped Bufdir’s people manage through both the technical and organizational changes.
CheckID as an onboarding and recovery flow
New employees are onboarded using CheckID on their first day of work. Via the ID gate and a simple, guided setup, they create access on their own device before logging into a PC at work. And if something goes wrong later, they return to the same flow to reset their password instead of calling the service desk.
The management portal as a registration system for access
“My Employees” was replaced by the “Manager Portal.” Managers no longer send emails or rely on case systems for access; they request and approve rights within the portal. The same portal feeds downstream systems and acts as a reference point for determining who sees what.
One organizational structure, one truth
Instead of each central system having its own version of the organizational chart, Fortytwo and Bufdir agreed on a governing rule: new systems should receive organizational data from the «Leader Portal», which in turn retrieves its information from SAP. This makes interdisciplinary help and temporary roles manageable and transparent.
Safety without drama
Private mobile numbers are handled as they should be: locked down as limited security attributes, visible only to those who truly need access, and used solely for authentication. And for employees who can’t—or shouldn’t—use their personal phones, there are options that keep security intact without creating barriers.
The Cons: Version 1, Wi-Fi, and Real Life
This is not a story of “everything worked perfectly from day one.” The first version of CheckID did the job, but the installation wizard felt more cumbersome than it needed to be, and employees got lost when the process jumped to Microsoft. Then came the surprise no one had anticipated: Wi-Fi. Passwords created through CheckID didn’t match what local AD expected the first time someone tried to log in to the location.
When the Fortytwo team discovered the pattern, they fixed the order of operations, updated the guidance, and ensured that CheckID V2 came with smoother flow and a clearer division between onboarding new employees and resetting passwords.
The project also uncovered something more subtle on Bufdir’s side: communication gaps between internal IT teams and the service desk. These needed to be addressed as systematically as the identity flow itself.
The onboarding experience that was once chaotic and manual now runs in a predictable and secure manner.
New employees show up with working access. Managers no longer send passwords via email or case systems. The service desk gets fewer “I can’t log in” messages and has more time to solve real problems.
And access audits happen in the «Leader Portal», based on real organizational data instead of from a patchwork of sources.
In real numbers, this means:
Around 8500 people across Norway are undergoing a guided, secure onboarding process.
Access audits no longer consist of random samples from half a dozen sources – they are more structured and more reliable.
All users were moved over without losing access or receiving permissions they shouldn’t have.
Why this is more important at Bufdir than most places
Bufdir and Bufetat work with children and families in crisis – cases involving violence, neglect, risk and emergency response. In that world, identity and access are not administrative details; they are part of protecting the people who rely on these services.
Knowing exactly who accessed what, when, and for what reason is not bureaucracy – it is protection.
By standardizing access, tightening authentication, and making onboarding smoother, Bufdir frees frontline staff to focus on kids, not credentials.
Three things made the difference:
In-depth expertise in Microsoft identity
Fortytwo’s senior engineers worked quickly, built cleanly, and knew Entra and CheckID inside and out.
Architecture with
discipline
«One portal, one organizational structure, one source of truth» went from an idea to a rule everyone follows.
Capability transfer, not dependency
Throughout the project, Fortytwo trained and supported Bufdir’s IAM team so they could operate, improve, and troubleshoot the solution themselves.
What happens next?
The new identity backbone gives Bufdir room to continue moving. Over the next couple of years, the focus is clear:
Move your organization towards passwordless authentication by 2026
Bring even more systems into the management portal.
Continue to build skills within the IAM team and at the service desk.
Ensure that future IT purchases follow the same governance and identity standards.
Simply put:
If a system needs identity or access, it must fit the model.
No more special cases or customization.
There is no way back to the previous solution.
Does your onboarding feel like Bufdir’s «before»?
Fortytwo helps organizations build identity platforms that work in practice: secure, scalable, and ready for the people who use them every day.