Howdy folks,

As more and more enterprises move to Cloud Human Capital Management (HCM) solutions, we see an increasing demand for Azure Active Directory (Azure AD) integrations that tap identity at the source where it first gets created. You’ve told us how enabling such integrations can create transformational ways of managing your workforce. Today, I’m excited to announce that automated inbound user provisioning from Workday to on-premises Active Directory and Azure AD is now Generally Available!

With pre-built cloud-based integration of Azure AD with the Workday HCM suite, you can now:

  • Securely tap into the rich workforce identity and organization data present in Workday.
  • Implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using Workday as the “system of record.”
  • Eliminate old school approaches of using flat files or custom scripts to sync employee data.

Embracing an HR-centric approach to provisioning

The Workday to Azure AD inbound user provisioning solution is designed to work for both hybrid and cloud-first companies looking to automate the provisioning and deprovisioning of users from Workday HCM to on-premises Active Directory and Azure AD.

When workforce profiles change in Workday (a name change, title change, manager change, or termination), those changes are detected by the cloud-based Azure AD user provisioning service and synchronized to the downstream systems and applications.

Figure: Workday and Azure AD integration.

Since we released the first public preview of this solution, many customers have already successfully adopted and deployed it live in their organizations. The Azure AD provisioning service now manages 10.8 million identities and we are thrilled to see customers realizing the unique automation and compliance benefits that our cloud managed provisioning service offers.

Here is what Mikkel Heiberg, Principal Cloud Architect at Nilfisk, one of our Danish manufacturing customers, had to say about the solution:

“The Azure AD and Workday integration delivers a solid foundation for automating employee identity life cycle management with direct traceability to Workday HR events. It has accelerated our employee onboarding and off-boarding process workflows and eliminated a lot of recurrent tasks for our IT service center.”

Since the public preview, we have added new capabilities to our Workday integration, all based on customer feedback:

  • Lightweight Provisioning Agent wizard to manage on-premises Active Directory domains—The new Provisioning Agent with built-in support for high availability and failover allows you to configure user provisioning to multiple on-premises Active Directory domains.

Figure: Provisioning Agent Configuration wizard.

  • Access to more Workday data—You can now provision data from any attribute supported by the Workday Get_Workers operation of the Workday Human Resources API. This includes cost center data, employee categories, custom user IDs, and more. For details, see Customizing the list of Workday user attributes in the tutorial.

Figure: Workday to Active Directory attribute mapping.

  • Automatic unique ID generation and conflict resolution for new users—User Principal Name (UPN) or Common Name (CN) for your new user already exists? No problem! Using the new SelectUniqueValue function, you can now specify fallback logic at the time of user creation for generating non-conflicting values for attributes like CN, samAccountName, and userPrincipalName that have uniqueness constraints.

Figure: Specify Unique ID Generation rule.

  • Advanced provisioning of new hires—A common request to IT from business units is to ensure that a newly hired employee has all their required user accounts pre-provisioned with the correct level of access, in advance of their first day of work. The Workday provisioning app now enables you to provision user data as soon as it becomes available in Workday, instead of waiting until the user is set to “Active” in Workday.

The Workday-driven inbound user provisioning feature is available today for all customers using Azure AD Premium P1 and above. You can start using this feature by following our updated Tutorial for Configuring Workday for Inbound User Provisioning. To help you plan your deployment, we have also published a comprehensive deployment guide.

Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our Azure AD UserVoice feedback forum.

And as always, we’d like to say a special thank you to our preview customers and our partners at Workday, who provided great feedback to enhance the integration of Workday HCM with Azure AD and make this feature a reality!

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

26 Comments
Occasional Contributor
I'm curious, how other folks are managing contract termination of off-boarded user accounts?
Deleted
Not applicable

The tutorial publication was last updated 06/17/2018. Was there any improvement made in synchronizing the thumbnailPhoto user attribute?

Microsoft

Hi @Alexey Goncharov, I'm part of the PM team working on Cloud HCM integrations. Thanks for sharing your question here. I'd like to further understand your use case to provide the right guidance. It would be great if you could send an email with your use-case details to AADWDProvFeedback@microsoft.com and we can work on it. I'll then update the thread here to close the loop.

Microsoft

Hi @Deleted, looks like the doc set change took some time to propagate. Please check the tutorial link again and you will see updates to our documentation. We have included a new FAQ and Troubleshooting section in the tutorial. Regarding your specific question on the thumbnailPhoto attribute, it is not supported in the current release. We have seen multiple requests for supporting binary attributes and it is in our backlog.

Thank you for sharing your feedback. We welcome all feedback and encourage you to submit your idea or improvement suggestion in the Azure AD feedback forum. For specific feedback related to the Workday integration, select the category SaaS Applications and search using the keyword Workday to find existing feedback related to Workday. You can also upvote existing feature suggestions and demonstrate support for them by leaving your comments.

Senior Member

Any plans to support Employee Central (SuccessFactors) in a similar way?

Microsoft

@Wouter Goderis , yes, we have plans to support SuccessFactors. Stay tuned for updates on that front!

Senior Member

@Chetan Desai Any plans to integrate with Talentsoft? https://www.talentsoft.com/

Occasional Visitor

Is there any intention to release the "Lightweight Provisioning Agent" as a connector so we can create AD accounts from AAD, but driven by something else other than Workday or some other HRIS solution?

Occasional Contributor
Some third-party SaaS apps use email/UPN as the unique account identifier and don't allow the same identifier to be used again, even if an employee with a similar UPN/email no longer exists in AD/AAD, because those apps keep history much longer than we do in AD/AAD. I'm curious how other companies are handling that?
Microsoft

Hi @Michael Öberg, thank you for the suggestion! I have added it to our UserVoice feedback forum to track it. Feel free to socialize it and request TalentSoft customers to upvote the idea.

Microsoft

Hi @jbush82 , currently the provisioning agent is designed to work with the Azure AD provisioning service and it uses the SCIM protocol. We plan to use the same provisioning agent for inbound integration with other HRIS systems.  

Microsoft

Hi @Alexey Goncharov - regarding your question about acceptable unique account identifiers in target apps, Azure AD provides two mechanisms to deal with this requirement: 

1) SelectUniqueValue function - You can use this function to prevent duplicates and specify fallback logic for acceptable unique account identifiers.

2) Matching precedence rules - At the time of mapping, you can specify matching attributes and set the order for matching precedence. Matching rules are evaluated in order and as soon as a match is found no further rules are evaluated. 

Occasional Contributor
Thanks @Chetan Desai. From my understanding, as long as AD/AAD doesn't keep a history of off-boarded employee accounts, we either need to rely on data stored somewhere else (in our case Workday) to make sure that a previously used email/UPN is not assigned to a newly on-boarded employee, or keep disabled AD/AAD accounts to ensure unique email/UPN values for third-party apps which use them as a login and/or for notification and workflow purposes, isn't it?
Microsoft

@Alexey Goncharov Yes, you are right. If your off-boarding process simply disables the account in AD/Azure AD, then you can use the SelectUniqueValue function to ensure unique email/UPN value. If your off-boarding process removes or hard-deletes a user in AD/Azure AD, then you will have to rely on an external store or database to store UPN/email values that cannot be re-used. 
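As an added example (not code from the post or from the Azure AD service), this Python model shows how the SelectUniqueValue fallback described in the post plays out against the disabled-versus-deleted distinction raised in this thread: candidates are tried in rule order, and an identifier whose owner was hard-deleted from AD only blocks reuse if an external store (here, Workday history) feeds it back in. The worker record, directory contents, retired-UPN store and the contoso.com domain are constructed sample data.

```python
"""Model of the SelectUniqueValue fallback for a Workday-driven UPN mapping.
Added example, not Microsoft's or the provisioning service's code. Rule order
mirrors the documented first.last / f.last / fi.last pattern; the worker record,
directory contents, retired-UPN store and the contoso.com domain are constructed."""
import unicodedata

# Constructed: UPNs already present in AD/Azure AD, disabled accounts included.
SAMPLE_DIRECTORY = {
    "jose.alvarez@contoso.com",  # disabled account of an off-boarded employee
    "maria.lopez@contoso.com",
}
# Constructed: UPNs only Workday still remembers (their users were hard-deleted from AD).
SAMPLE_RETIRED = {"j.alvarez@contoso.com"}


def normalize(text: str) -> str:
    """Approximates NormalizeDiacritics + StripSpaces, then lowercases."""
    ascii_only = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return ascii_only.replace(" ", "").lower()


def upn_rules(worker: dict, domain: str) -> list:
    """Candidate UPNs in the order SelectUniqueValue would try them."""
    first = normalize(worker["PreferredFirstName"])
    last = normalize(worker["PreferredLastName"])
    return [
        f"{first}.{last}@{domain}",      # Join(".", first, last)
        f"{first[:1]}.{last}@{domain}",  # Mid(first, 1, 1) + last
        f"{first[:2]}.{last}@{domain}",  # Mid(first, 1, 2) + last
    ]


def select_unique_value(candidates: list, taken: set):
    """First candidate absent from `taken`, or None when every rule collides.
    The service only checks objects still present in the target directory, so a
    hard-deleted user's UPN is not in `taken` unless an external store adds it."""
    for upn in candidates:
        if upn.lower() not in taken:
            return upn
    return None


def assign_upn(worker: dict, domain: str = "contoso.com",
               directory: set = SAMPLE_DIRECTORY, retired: set = SAMPLE_RETIRED):
    """Pick a UPN colliding with neither live/disabled accounts nor HR history."""
    taken = {u.lower() for u in directory} | {u.lower() for u in retired}
    return select_unique_value(upn_rules(worker, domain), taken)
```

Dropping the retired store from the union reproduces the hard-delete case: the former employee's second-rule UPN is handed to the new hire because nothing in the directory still claims it.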

Occasional Contributor
Thanks @Chetan Desai, this is what I expected. So, from my understanding, it probably makes sense to generate the UPN/email for employees in Workday in our use case, as it keeps all records even for off-boarded accounts, and then provision new accounts to AD/AAD.
Occasional Contributor

Within the current provisioning agent, is it able to cope with various scenarios depending on the type of user being onboarded? For example, if a user is a frontline worker (maybe defined by a certain job role), to provision the user into Azure directly as a cloud-only user, and if an enterprise worker, to provision the account in local AD which then syncs up to 365?

Or would it be a case of all users in scope for a particular domain being sent to either Azure as cloud-only, or all users sent to local AD (which would then sync to the cloud via ADC)?

Occasional Contributor
@Steve Elliott, perhaps if your AAD tenant is in hybrid mode, then you don't have such options, as all accounts are supposed to be provisioned to internal AD and then synced to AAD.
Occasional Visitor

According to the FAQ section of the Tutorial, assigning users to groups is not yet supported.  Is automatic group assignment on the roadmap?  If it is on the roadmap, any clear timeline to when this feature may be available?

Occasional Visitor

Hello @Chetan Desai,
In regards to the provisioning of AD user objects, does this support creating users in different domains within the forest and, furthermore, creating them in specific OUs based on, say, a specific value such as 'Location'?
Microsoft

Apologies for the delay in getting back. 

@David_Hill Automatic group assignment is on the roadmap, but we don't have a timeline on it yet. I have also added it to our UserVoice feedback forum to track the feedback around it. 

@Cart3r90 Yes, the solution supports creating users in different domains and also within a specific OU based on the Workday Location attribute. For multiple domains, refer to the tutorial section on integrating multiple Active Directory domains, and for OU routing use the parentDistinguishedName attribute along with the Switch expression.

Microsoft

Hi team, I have a number of customers who use SAP for their HR and it'd be great to know if SAP integration comparable to this is planned.

thanks

Regular Visitor

Great this is finally out of Preview (we don't touch anything preview, MS is buggy enough :) )

We are looking to switch from our csv/ftp/powershell script to using this Azure AD connection, exploring with our HR team.

We would also love to have photo sync between the systems (bi-directional, with constraints on size because of app limitations), would be a great productivity savings.

Adding of groups at user creation time is critical and would make creating users very difficult if this wasn't possible. We are currently creating users with templates in ManageEngine ADManager, they have some integrations also with WD but not sure how well those work vs using AAD.

Visitor

Chetan... do we have a timeframe on when similar capability will be available for SuccessFactors? Is it in the planning or development stage?

Microsoft

@freds123 Thank you for your feedback. Both photo sync and group membership provisioning are part of our backlog. As we spec the support for these two features, I would like to validate details such as photo format support, size restrictions, group templates, etc. with you. Feel free to send me a direct message and we can go over it. 

@TM-01 SAP SuccessFactors integration is in advanced stages of planning, where we are reviewing the integration spec and scope of the first release with customers. Can you send me a direct message so I can loop you into this review process?

Occasional Visitor

Where is Dynamics 365 for Talent on the roadmap for an AD user provisioning solution?

Frequent Visitor

@DarrylJ I have a similar request, so I posted a suggestion to their suggestion forum.  Here is the link so you can upvote if desired: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37825696-inbound-provisi...