1. Always send a temporary password with an automatic requirement to change the password at the first login.
2. You can transfer the password through a trusted person.
This can be the immediate supervisor of the employee, or a separate "security sponsor" - select several people so that there are 1-2 security sponsors in each location who could personally meet with the employee to transfer the password.
3. It is technically possible - to register an employee's phone number, his external mail. But this is only for the main password (login to the domain / mail). To increase security, you can divide the password into two parts, send half to the mail / phone, half through the manager / HR.
4. If this is a password from secondary systems, then you can send a temporary password to corporate mail.

First of all - passwords from accounts.

Either personally or through the head, and there are already his problems.
Through the hands of the driver, again, he confirms the application.
Yes, I forgot to clarify that the password is temporary and changes at the first login.

By SMS a short link to the leading page to create a password

One part of the password in SMS, the second part by email, the third honor on a piece of paper by registered mail.

1. Video call.
The leader along with the employee. There
, the employee reports his phone number and his email on a reliable service
His supervisor confirms
The employee creates an account with his email and phone number
The employee enters the email into your authorization service receives an SMS with a code enters your system and creates a password
when his phone or mail has changed
Again, with the participation of his boss
Everything is as in p1
In the case I forgot the password - the employee goes to your authorization service and receives a link to his mail with a password recovery form, in which he also needs to enter a code from SMS

Theoretically, the system administrator may have access to the personal data of employees (phone, passport)

No

The user is given a link, he registers on it.
Enters his contacts, public key, etc.
Why does the manager (administrator, security officer) check the profile and give him rights, assign roles, that's all.
After obtaining the necessary roles, the user sees in his personal account the addresses of services, balls, servers, databases, and everything that he has access to.
_{I've never seen this in practice, but it's cool, isn't it?}

As a rule, only the employee should know the password, and no one else.
Therefore, it is necessary to provide the user with the opportunity to create passwords for himself.
And you don't have to send anything.
If it is transmitted, then only a temporary password for the first login, and even then it is not necessary.

all new to create a certain standard password that is known to everyone and can be issued immediately upon employment. change it on first login. as an option, the "standard" password is made only for the account and mail with the requirement to change it at the first login, then the passwords are sent to the mail.

You can consider the option - the password is issued / changed by the head of the department.