Say good-bye to custom scripts and simplify your workforce identity lifecycle with Workday and Azure
Published Jan 23 2019 09:00 AM 40.3K Views

Howdy folks,


As more and more enterprises move to Cloud Human Capital Management (HCM) solutions, we see an increasing demand for Azure Active Directory (Azure AD) integrations that tap identity at the source where it first gets created. You’ve told us how enabling such integrations can create transformational ways of managing your workforce. Today, I’m excited to announce that automated inbound user provisioning from Workday to on-premises Active Directory and Azure AD is now Generally Available!


With pre-built cloud-based integration of Azure AD with the Workday HCM suite, you can now:


  • Securely tap into the rich workforce identity and organization data present in Workday.
  • Implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using Workday as the “system of record.”
  • Eliminate old school approaches of using flat files or custom scripts to sync employee data.


Embracing an HR-centric approach to provisioning


The Workday to Azure AD inbound user provisioning solution is designed to work for both hybrid and cloud-first companies looking to automate the provisioning and deprovisioning of users from Workday HCM to on-premises Active Directory and Azure AD.


When workforce profiles change in Workday—a name change, title change, manager change, or termination—those changes are detected by the cloud-based Azure AD user provisioning service and synchronized to the downstream systems and applications.


[Image: Workday and Azure AD integration]

Since we released the first public preview of this solution, many customers have already successfully adopted and deployed it live in their organizations. The Azure AD provisioning service now manages 10.8 million identities and we are thrilled to see customers realizing the unique automation and compliance benefits that our cloud managed provisioning service offers.


Here is what Mikkel Heiberg, Principal Cloud Architect, at Nilfisk, one of our Danish manufacturing customers, had to say about the solution:


“The Azure AD and Workday integration delivers a solid foundation for automating employee identity life cycle management with direct traceability to Workday HR events. It has accelerated our employee onboarding and off boarding process workflows and eliminated a lot of recurrent tasks for our IT service center.” 


Since the public preview, we added new capabilities to our Workday integration, all based on customer feedback:


  • Lightweight Provisioning Agent wizard to manage on-premises Active Directory domains—The new Provisioning Agent with built-in support for high availability and failover allows you to configure user provisioning to multiple on-premises Active Directory domains.

[Image: Provisioning Agent Configuration wizard]

  • Access to more Workday data—You can now provision data from any attribute supported by the Workday Get_Workers operation of the Workday Human Resources API. This includes cost center data, employee categories, custom user IDs, and more. For details, see Customizing the list of Workday user attributes in the tutorial.

[Image: Workday to Active Directory attribute mapping]

  • Automatic unique ID generation and conflict resolution for new users—User Principal Name (UPN) or Common Name (CN) for your new user already exists? No problem! Using the new SelectUniqueValue function, you can now specify fallback logic at the time of user creation for generating non-conflicting values for attributes like CN, samAccountName, and userPrincipalName that have uniqueness constraints.


[Image: Specify Unique ID Generation rule]

  • Advanced provisioning of new hires—A common request to IT from business units is to ensure that a newly-hired employee has all their required user accounts pre-provisioned with the correct level of access, in advance of their first day of work. The Workday provisioning app now enables you to provision user data as soon as it becomes available in Workday, instead of waiting until the user is set to “Active” in Workday.
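To make the SelectUniqueValue fallback concrete, here is an added example that models how such a fallback resolves UPN conflicts at creation time. It is illustration code written for this page, not Microsoft's provisioning service code; the domain contoso.example, the worker records and the existing AD accounts are all constructed, and the numbered-suffix candidates are this example's own choice rather than a documented default. The documented expression shape it models is quoted in the leading comment.

```python
# Added example (not code from the post or from Microsoft): a model of how a
# SelectUniqueValue-style fallback resolves UPN conflicts when Workday workers
# are provisioned into AD. The domain, the worker records and the existing
# AD accounts are constructed for illustration.
#
# Documented shape of the Azure AD expression being modelled (domain assumed):
#   SelectUniqueValue(
#     Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.example"),
#     Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 1), [PreferredLastName]))), "contoso.example"),
#     ...)
import unicodedata
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

DOMAIN = "contoso.example"  # assumed placeholder domain


def normalize_diacritics(text: str) -> str:
    """Model of NormalizeDiacritics: 'Müller' -> 'Muller'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def clean(text: str) -> str:
    """StripSpaces + NormalizeDiacritics, lowercased so comparisons are case-insensitive."""
    return normalize_diacritics(text).replace(" ", "").lower()


def upn_candidates(first: str, last: str, domain: str = DOMAIN) -> Iterator[str]:
    """Ordered fallback candidates: first.last@, f.last@, then first.lastN@.
    The numbered suffix is this example's own choice, not a documented default."""
    f, l = clean(first), clean(last)
    yield f"{f}.{l}@{domain}"
    yield f"{f[:1]}.{l}@{domain}"
    for n in range(2, 100):
        yield f"{f}.{l}{n}@{domain}"


def select_unique_value(candidates: Iterable[str], taken: Iterable[str]) -> Optional[str]:
    """Model of SelectUniqueValue: the first candidate not already used in the target.
    Returns None when every candidate collides; the service would fail that user."""
    taken_lower = {v.lower() for v in taken}
    for cand in candidates:
        if cand.lower() not in taken_lower:
            return cand
    return None


def provision(workers: List[Tuple[str, str, str]], existing_upns: Iterable[str]) -> Dict[str, str]:
    """Assign a UPN to each (worker_id, first, last) in order. Each assigned UPN
    joins the taken set, so two new hires with the same name in one run do not
    collide with each other either."""
    taken = set(existing_upns)
    assigned: Dict[str, str] = {}
    for worker_id, first, last in workers:
        upn = select_unique_value(upn_candidates(first, last), taken)
        if upn is None:
            raise ValueError(f"no unique UPN available for worker {worker_id}")
        taken.add(upn)
        assigned[worker_id] = upn
    return assigned


# Constructed AD state: an active account plus a disabled leaver account that is
# kept on purpose so its UPN is never handed to a new hire. If leavers were
# hard-deleted instead, that second value would be missing from this set.
EXISTING_UPNS = ["john.smith@contoso.example", "j.smith@contoso.example"]

# Constructed Workday new hires: two share a name with the existing user.
NEW_HIRES = [("W100", "John", "Smith"), ("W101", "José", "Müller"), ("W102", "John", "Smith")]


def run_example() -> Dict[str, str]:
    return provision(NEW_HIRES, EXISTING_UPNS)


if __name__ == "__main__":
    for wid, upn in run_example().items():
        print(wid, upn)
```

The uniqueness check only sees values that still exist in the target directory, which is why the candidate list has to be long enough to cover every realistic collision and why retaining disabled accounts (rather than deleting them) keeps former employees' UPNs out of circulation.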

The Workday-driven inbound user provisioning feature is available today for all customers using Azure AD Premium P1 and above. You can start using this feature by following our updated Tutorial for Configuring Workday for Inbound User Provisioning. To help you plan your deployment, we have also published a comprehensive deployment guide.


Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our Azure AD UserVoice feedback forum.

And as always, we’d like to say a special thank you to our preview customers and our partners at Workday, who provided great feedback to enhance the integration of Workday HCM with Azure AD and make this feature a reality!


Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

35 Comments
Iron Contributor
I'm curious how other folks are managing contract termination of off-boarded user accounts?
Deleted
Not applicable

The tutorial publication was last updated 06/17/2018. Was there any improvement made in synchronizing the thumbnailPhoto user attribute?

Microsoft

Hi @Alexey Goncharov, I'm part of the PM team working on Cloud HCM integrations. Thanks for sharing your question here. I'd like to further understand your use-case to provide the right guidance. It will be great if you can send an email with your use-case details to AADWDProvFeedback@microsoft.com and we can work on it. I'll then update the thread here to close the loop.

Microsoft

Hi @Deleted, Looks like the doc set change took some time to propagate. Please check the tutorial link again and you can see updates to our documentation. We have included a new FAQ and Troubleshooting section in the tutorial. Regarding your specific question on thumbNailPhoto attribute, it is not supported in the current release. We have seen multiple requests for supporting binary attributes and it is in our backlog. 

Thank you for sharing your feedback. We welcome all feedback and encourage you to submit your idea or improvement suggestion in the feedback forum of Azure AD. For specific feedback related to the Workday integration, select the category SaaS Applications and search using the keywords Workday to find existing feedback related to the Workday. You can also up vote existing feature suggestions and demonstrate support for it by leaving your comments. 

Copper Contributor

Any plans to support Employee Central (SuccessFactors) in a similar way?

Microsoft

@Wouter Goderis , yes, we have plans to support SuccessFactors. Stay tuned for updates on that front!

Copper Contributor

@Chetan Desai Any plans to integrate with Talentsoft? https://www.talentsoft.com/

Copper Contributor

Is there any intention to release the "Lightweight Provisioning Agent" as a connector so we can create AD accounts from AAD, but driven by something else other than Workday or some other HRIS solution?

Iron Contributor
Some third-party SaaS apps use email/UPN as the unique account identifier and don't allow reusing the same account identifier even if an employee with a similar UPN/email doesn't exist in AD/AAD, as those apps keep history much longer than we do in AD/AAD. I'm curious how other companies are handling that?
Microsoft

Hi @Michael Öberg, thank you for the suggestion! I have added it to our UserVoice feedback forum to track it. Feel free to socialize it and request TalentSoft customers to up vote the idea.    

Microsoft

Hi @jbush82 , currently the provisioning agent is designed to work with the Azure AD provisioning service and it uses the SCIM protocol. We plan to use the same provisioning agent for inbound integration with other HRIS systems.  

Microsoft

Hi @Alexey Goncharov - regarding your question about acceptable unique account identifiers in target apps, Azure AD provides two mechanisms to deal with this requirement: 

1) SelectUniqueValue function - You can use this function to prevent duplicates and specify fallback logic for acceptable unique account identifiers.

2) Matching precedence rules - At the time of mapping, you can specify matching attributes and set the order for matching precedence. Matching rules are evaluated in order and as soon as a match is found no further rules are evaluated. 

Iron Contributor
Thanks @Chetan Desai. From my understanding, as long as AD/AAD doesn't keep a history for off-boarded employee accounts, we either need to rely on data stored somewhere else (in our case, Workday) to make sure that a previously used email/UPN is not assigned to a newly on-boarded employee, or keep disabled AD/AAD accounts to ensure unique email/UPN values for third-party apps which use them either as a login and/or for notification and workflow purposes, isn't it?
Microsoft

@Alexey Goncharov Yes, you are right. If your off-boarding process simply disables the account in AD/Azure AD, then you can use the SelectUniqueValue function to ensure unique email/UPN value. If your off-boarding process removes or hard-deletes a user in AD/Azure AD, then you will have to rely on an external store or database to store UPN/email values that cannot be re-used. 

Iron Contributor
Thanks @Chetan Desai, this is what I expected. So, from my understanding, it probably makes sense to generate the UPN/email for employees in Workday in our use case, as it keeps all records even for off-boarded accounts, and then provision new accounts to AD/AAD.
Brass Contributor

Within the current provisioning agent, is it able to cope with various scenarios depending on the type of user being onboarded? For example, if a user is a frontline worker (maybe defined by a certain job role), provision the user into Azure directly as a cloud-only user, and if an enterprise worker, provision the account in local AD which then syncs up to 365?


Or would it be a case of all users in scope for a particular domain are sent to either Azure as all cloud only or all users send to local AD (which would then sync to the cloud via ADC)?

Iron Contributor
@Steve Elliott, perhaps if your AAD tenant is in hybrid mode, then you don't have such options, as all accounts are supposed to be provisioned to internal AD and then synced to AAD.
Copper Contributor

According to the FAQ section of the Tutorial, assigning users to groups is not yet supported.  Is automatic group assignment on the roadmap?  If it is on the roadmap, any clear timeline to when this feature may be available?

Copper Contributor

Hello @Chetan Desai,
In regards to the provisioning of AD user objects, does this support creating users in different domains within the forest and, furthermore, creating them in specific OUs based on, say, a specific value such as 'Location'?



Microsoft

Apologies for the delay in getting back. 

@David_Hill Automatic group assignment is on the roadmap, but we don't have a timeline on it yet. I have also added it to our UserVoice feedback forum to track the feedback around it. 

@Cart3r90 Yes, the solution supports creating users in different domains and also within a specific OU based on the Workday Location attribute. For multiple domains refer to the tutorial section on integrating multiple Active Directory domains, and for OU routing use the parentDistinguishedName attribute along with the Switch expression.

Microsoft

Hi team, I have a number of customers who use SAP for their HR and it'd be great to know if SAP integration comparable to this is planned.


thanks

Brass Contributor

Great this is finally out of Preview (we don't touch anything preview, MS is buggy enough :) )

We are looking to switch from our csv/ftp/powershell script to using this azureAD connection, exploring with our HR team.

We would also love to have photo sync between the systems (bi-directional, with constraints on size because of app limitations), would be a great productivity savings.

Adding of groups at user creation time is critical and would make creating users very difficult if this wasn't possible. We are currently creating users with templates in ManageEngine ADManager, they have some integrations also with WD but not sure how well those work vs using AAD.

Copper Contributor

Chetan, do we have a timeframe on when similar capability will be available for SuccessFactors? Is it in the planning or development stage?

Microsoft

@freds123 Thank you for your feedback. Both photo sync and group membership provisioning are part of our backlog. As we spec the support for these two features, I would like to validate details such as photo format support, size restrictions, group templates, etc. with you. Feel free to send me a direct message and we can go over it. 

@TM-01 SAP SuccessFactors integration is in advanced stages of planning, where we are reviewing the integration spec and scope of the first release with customers. Can you send me a direct message and I can loop you into this review process?

Copper Contributor

Where is Dynamics 365 for Talent on the roadmap for an AD user provisioning solution?

Copper Contributor

@DarrylJ I have a similar request, so I posted a suggestion to their suggestion forum.  Here is the link so you can upvote if desired: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37825696-inbound-provisi...

Copper Contributor

Hello, I am in the middle of a Workday implementation and would like to know how the new joiner and the hiring team receive the login and password after the AD account is created. Would appreciate a reply. Thanks!

Microsoft

@pollyli Thanks for reaching out. The integration does not support the feature of credential delivery after AD account creation. Please upvote the request for this feature here. An option you may consider: Run a PowerShell script to query for new users created, reset the password and send email to hiring team.


Copper Contributor

Where is the Advanced provisioning of new hires option? We have an issue where the integration does not 'see' a new hire until we reach their actual start date in Workday.

Microsoft

@JeffSalveter-Taylor by default, the Workday provisioning app retrieves new hire information when the "New Hire" business process is complete in Workday. Please check with your Workday admin to see if the new hire business process in your Workday tenant is configured to complete on the start day of the new hire. If the issue still persists, feel free to send me a direct message and we can take a look.

Copper Contributor

We are in the middle of implementing Azure AD provisioning with Workday. Since we are in Canada, the department in AD has to be bilingual (English/French), and the title in AD has to be in French if the user's preferred language is French. However, we have an issue getting the French translation into AD, and we were told that Workday calculated fields are not supported by Azure AD provisioning. Is there a workaround to make the French translation work? Thanks!

Microsoft

@wtian This is an interesting requirement. The Workday connector directly consumes the response from Get_Workers API call and I couldn't find a way in it to specify retrieval of locale-specific values. In the Workday community, there is a suggestion to create the ISU with a preferred language of French. Did you get a chance to try this option? If that's not feasible, then you could use a Switch expression mapping as a workaround. Configure expression mapping for department and title using a Switch function. The Switch function should take as input English values and return the French translation of the string. Feel free to send me a direct message and I can help review the expression. 
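The Switch expression comes up twice in this thread: earlier for routing new users into an OU via parentDistinguishedName based on the Workday Location attribute, and here as a workaround for returning a locale-specific title. The following added example models both uses in one place. It is illustration code written for this page, not code from the post or from Microsoft; the forest name, the OU layout, the translation table and the worker records are all constructed, and the documented shape of the expression it models is quoted in the leading comment.

```python
# Added example (not code from the post or from Microsoft): a model of the
# Switch expression used to route new AD users into an OU by Workday Location
# (parentDistinguishedName) and to return a locale-specific title. The forest,
# OU layout, translation table and worker records are constructed.
#
# Documented shape of the expression being modelled:
#   Switch([Municipality], "OU=Default,DC=contoso,DC=example",
#          "Seattle", "OU=Seattle,OU=Users,DC=contoso,DC=example", ...)
from typing import Any, Dict, Set


def switch(source: Any, default: Any, *pairs: Any) -> Any:
    """Model of Switch(source, default, key1, value1, key2, value2, ...):
    exact-match lookup that falls back to default when no key matches."""
    if len(pairs) % 2:
        raise ValueError("Switch expects an even number of key/value arguments")
    table = dict(zip(pairs[::2], pairs[1::2]))
    return table.get(source, default)


def iif(condition: bool, when_true: Any, when_false: Any) -> Any:
    """Model of IIF(condition, valueIfTrue, valueIfFalse)."""
    return when_true if condition else when_false


FOREST = "DC=contoso,DC=example"                 # assumed forest
DEFAULT_OU = f"OU=Unrouted,OU=Users,{FOREST}"    # catch-all so unmapped locations land somewhere reviewable


def parent_dn(location: str) -> str:
    """Route by Workday Location; anything unmapped goes to DEFAULT_OU."""
    return switch(
        location, DEFAULT_OU,
        "Seattle", f"OU=Seattle,OU=Users,{FOREST}",
        "Copenhagen", f"OU=Copenhagen,OU=Users,{FOREST}",
    )


def localized_title(english_title: str, preferred_language: str) -> str:
    """French title for French-preferring workers, English otherwise. A title
    with no translation falls back to the English value rather than blank."""
    french = switch(english_title, english_title,
                    "Software Engineer", "Ingénieur logiciel",
                    "Accountant", "Comptable")
    return iif(preferred_language.startswith("fr"), french, english_title)


def map_worker(worker: Dict[str, str], known_ous: Set[str]) -> Dict[str, str]:
    """Compute the AD attributes the mapping would emit for one worker.
    AD cannot create an object under a container that does not exist, so the
    routed OU is checked against the (constructed) set of existing OUs first."""
    parent = parent_dn(worker["Location"])
    if parent not in known_ous:
        raise LookupError(f"target OU does not exist: {parent}")
    cn = f"{worker['FirstName']} {worker['LastName']}"
    return {
        "parentDistinguishedName": parent,
        "distinguishedName": f"CN={cn},{parent}",
        "title": localized_title(worker["Title"], worker["PreferredLanguage"]),
    }


# Constructed OU inventory: the Copenhagen OU has not been created yet.
KNOWN_OUS = {f"OU=Seattle,OU=Users,{FOREST}", DEFAULT_OU}

# Constructed Workday records.
WORKERS = [
    {"FirstName": "Ada", "LastName": "Lovelace", "Location": "Seattle",
     "Title": "Software Engineer", "PreferredLanguage": "en_US"},
    {"FirstName": "Marie", "LastName": "Tremblay", "Location": "Montreal",
     "Title": "Accountant", "PreferredLanguage": "fr_CA"},
    {"FirstName": "Nils", "LastName": "Jensen", "Location": "Copenhagen",
     "Title": "Cloud Architect", "PreferredLanguage": "da_DK"},
]


def run_example() -> Dict[str, Dict[str, str]]:
    """Map every worker, recording the failure for the one whose OU is missing."""
    results: Dict[str, Dict[str, str]] = {}
    for w in WORKERS:
        try:
            results[w["LastName"]] = map_worker(w, KNOWN_OUS)
        except LookupError as exc:
            results[w["LastName"]] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for name, attrs in run_example().items():
        print(name, attrs)
```

Two points the model makes visible: a Switch always needs a sensible default (here an "Unrouted" OU and the untranslated English title), and the target OU must exist before the first worker is routed to it, otherwise that worker's creation fails. As the next reply notes, a Switch with hundreds of department names is a maintenance burden; it suits a small, stable set of keys such as locations.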

Copper Contributor

@Chetan Desai For departments, we have more than 700 and they could change from time to time. To use the Switch function, we would have to hardcode all the department names in both English and French and maintain the list on a regular basis, which is not an ideal solution. And yes, we are navigating the option of using the French language on the ISU, and we are able to get the French translation from Workday to AD. Basically, we have 2 provisionings: one for English and one for French. However, the provisionings overwrite each other. We want to use an AD attribute in the expression to avoid the overwriting, but without success. For example, in the English provisioning, we want to update the AD department attribute only if the user language is English; otherwise, keep the AD department as it is, something like IIF([UserLanuage]="en_US",[SupervisorOrganization],[AD department]). The problem is that Azure AD reports that [AD department] is not a recognized attribute. Is there a way to use an AD attribute in an expression?


Thanks, Wen

Microsoft

@wtian Good to know that with the French language on the ISU, you are now able to get the French values for department. In the expression mapping, using target AD attributes is not supported. To handle your specific requirement, I think it may be possible to use scoping filters. Can you send me a direct message with your contact email? Let's set up a meeting to go over this scenario next week.


Thanks,

Chetan 

Copper Contributor

Hi! It's been a while, I know, but attempting to see with you @Chetan Desai and/or @wtian if you finally found a better way to handle multi-language around the user provisioning "Workday to AD"? Last week we changed the ISU language to French, and yes, I confirm it's working (AD now receives values in French), but I would like to see if in the meantime (since the 2021 posts above) you found something else to get AD to receive both English and French...? Last attempt :)


Thanks!

Version history
Last update:
‎Jul 24 2020 01:46 AM