Say good-bye to custom scripts and simplify your workforce identity lifecycle with Workday and Azure

Howdy folks,

As more and more enterprises move to Cloud Human Capital Management (HCM) solutions, we see an increasing demand for Azure (Azure AD) integrations that tap identity at the source where it first gets created. You've told us how enabling such integrations can create transformational ways of managing your workforce. Today, I'm excited to announce that automated inbound user provisioning from Workday to on-premises Active Directory and Azure AD is now Generally Available!

With pre-built cloud-based integration of Azure AD with the Workday HCM suite, you can now:

  • Securely tap into the rich workforce identity and organization data present in Workday.
  • Implement end-to-end identity lifecycle management covering the entire spectrum of Joiner-Mover-Leaver scenarios using Workday as the “system of record.”
  • Eliminate old school approaches of using flat files or custom to sync employee data.

Embracing HR-centric approach to provisioning

The Workday to Azure AD inbound user provisioning solution is designed to work for both hybrid and cloud-first companies looking to automate the provisioning and deprovisioning of users from Workday HCM to on-premises and Azure AD.

When workforce profiles change in Workday— a name change, title change, manager change, or termination—those changes are detected by the cloud-based Azure AD user provisioning service and synchronized to the downstream systems and applications.

Workday and Azure AD integration 1.png

Since we released the first public preview of this solution, many customers have already successfully adopted and deployed it live in their organizations. The Azure AD provisioning service now manages 10.8 million identities and we are thrilled to see customers realizing the unique and compliance benefits that our cloud managed provisioning service offers.

Here is what Mikkel Heiberg, Principal Cloud Architect, at Nilfisk, one of our Danish manufacturing customers, had to say about the solution:

“The Azure AD and Workday integration delivers a solid foundation for automating employee identity life cycle management with direct traceability to Workday HR events. It has accelerated our employee onboarding and off boarding process workflows and eliminated a lot of recurrent tasks for our IT service center.” 

Since the public preview, we added new capabilities to our Workday integration, all based on customer feedback:

  • Lightweight Provisioning Agent wizard to manage on-premises domains—The new Provisioning Agent with built-in support for and allows you to configure user provisioning to multiple on-premises Active Directory domains.

Workday and Azure AD integration 2.pngProvisioning Agent Configuration wizard.

  • Access to more Workday data—You can now provision data from any attribute supported by the Workday Get_Workers operation of the Workday Human Resources API. This includes cost center data, employee categories, custom user IDs, and more. For details, see Customizing the list of Workday user attributes in the tutorial.

Workday and Azure AD integration 3.pngWorkday to Active Directory attribute mapping.

  • Automatic unique ID generation and conflict resolution for new users—User Principal Name (UPN) or Common Name (CN) for your new user already exists? No problem! Using the new SelectUniqueValue function, you can now specify fallback logic at the time of user creation for generating non-conflicting values for attributes like CN, samAccountName, and userPrincipalName that have uniqueness constraints.

Workday and Azure AD integration 4 v2.pngSpecify Unique ID Generation rule.

  • Advanced provisioning of new hires—A common request to IT from business units is to ensure that a newly-hired employee has all their required user accounts pre-provisioned with the correct level of access, in advanced of their first day of work. The Workday provisioning app now enables you to provision user data as soon as it becomes available in Workday, instead of waiting until the user is set to “Active” in Workday.

The Workday-driven inbound user provisioning feature is available today for all customers using Azure AD Premium P1 and above. You can start using this feature by following our updated Tutorial for Configuring Workday for Inbound User Provisioning. To help you plan your deployment, we have also published a comprehensive deployment guide.

Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our Azure AD UserVoice feedback forum.

And as always, we'd like to say a special thank you to our preview customers and our partners at Workday, who provided great feedback to enhance the integration of Workday HCM with Azure AD and make this feature a reality!

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.