Directory Image
This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.

Explain Workday integration with Azure AD

Author: Rajesh Cynix
by Rajesh Cynix
Posted: Feb 23, 2021

To provision user accounts, the Azure user provisioning service. This combines with the Workday Human Resources API. The workflows for Workday integration user provisioning provided by the Azure AD user provisioning. This allows the following human resources and identity lifecycle management scenarios.

  • Hiring new workers

When a new employee introduces to Workday, the user account gets in. Then optionally Microsoft 365 and other Azure AD-supported SaaS apps. This is immediately generated, with IT-managed contact details written back to Workday.

  • Employee attribute and profile upgrade –

Anytime an employee record is changed in Workday, Azure. Then optionally Microsoft 365 and other Azure AD-supported SaaS applications. This can automatically update their user accounts.

  • Employee termination

When an employee ends Workday, Azure, and Microsoft 365. Then other Azure AD-supported SaaS programs delete their user account.

  • Employee rehires –

Anytime an employee of Workday software is rehired, it is possible to immediately hire. This can reactivate or re-provision their old account.

Who is the best choice for this consumer provisioning solution?

This consumer provisioning approach from Workday integration is perfectly appropriate.

  • Organizations who want a pre-built, cloud-based Workday consumer provisioning solution.
  • Those enterprises involving direct user provisioning to Azure from Workday.
  • Org’s that involve the provision of users using data collected. This is from the Workday HCM module.
  • Organizations that enable users to enter, switch, and one or more. OUs to be coordinated based solely on change information in the Workday HCM module.

Architecture of Solutions

The end-to-end user provisioning solution architecture. This is useful for popular hybrid environments that is defined in this section. There are two connected flows that exist within.

Authoritative HR data flow-

This is from Workday to on-premises. Worker activities first occur in the Workday HR tenant cloud. Then the case data flows via Azure AD and the Provisioning Agent. Depending on the case, this can result in AD creating/updating/enabling operations.

Writeback flow-

This is from on-premises to Workday. Once the account creation is complete, it is with Azure AD through Azure AD Link. Then it is possible to write back to Workday details such as email, username, and phone number.

The flow of end-to-end usage data

The HR unit manages staff transactions in Workday HCM.

The Azure AD Provisioning Service runs planned Workday HR identity synchronization. Then detects the updates that need to process for on-premises synchronization.

The Azure AD Provisioning Service invokes the on-site Azure AD Connect Provisioning Agent. This containing the creation/updating/enable/disable operations of the AD account.

A service account is used by the Azure AD Connect Provisioning Agent to add/update AD account data.

To pull notifications in AD, the Azure AD Link/AD Sync engine runs delta sync.

Updates to are synced to Azure.

If the Workday Writeback software attributes like password, username back to Workday.

Your deployment preparation

The setup of Workday to user provisioning. This involves significant preparation covering various aspects, such as follows.

  • Setup of the provisioning agent for Azure AD Link
  • Number of apps for the deployment of this software and AD consumer provisioning
  • Choosing the proper matching filter identifier, attribute mapping, transformation, and scoping
  • For specific guidance and proposed best practices. Please refer to the cloud HR implementation schedule.

Configure Workday Integration Device Customer

A standard condition with all Workday provisioning connectors is that a Workday integration. User's credentials are needed to connect to the Workday Human Resources API.

Creating a customer to an automation system

To build a customer for the Workday integration system.

  • Use an administrator password to log in to your Workday Tenant. In the Workday Program, in the search window, select Create User. Then press Create User for Integration Method.
  • Complete the Build Device Integration User role. This is by providing a new Workday integration system User with a user name and password.
  • Leave the Need New Password option unchecked at Next Sign Up, so this user can log in.
  • Leave the Session Timeout Minutes with a default value of 0. This is which will avoid premature timing of user sessions.
  • Pick the Do Not Accept UI Sessions option as it offers an authentication layer. Thus, it prohibits a user from logging into Workday with an integration device.

Creation of a Workday Integration Community

In this step, you create an unconstrained or restricted Workday integration system Protection. Then delegate this group to the user of the Workday integration system created in the previous step.

  • To build a community for security.
  • In the search window, type Create Protection Group and then press Create Security.
  • Complete a job to build a Protection Community.
  • There are two forms of Workday Security Groups:

1. Unconstrained:

All security community members can access all security group-secured data instances.

2. Constrained:

All members of a security community have contextual access to a subset. This is of data instances (rows) that can be accessed by the security group.

  • To pick the right security group form for the integration. Please consult with your Workday Integration Partner.
  • Pick Workday integration system Security Group or Workday integration system Security Group. Type drop-down until you know the group type.
  • You can see a page where you can appoint members to the security group after the formation of the security. To this protection category, introduce the new user of the integration framework generated. If you use a restricted protection category, you may also need to pick the necessary scope.

Configuring access from domain protection policies

In this stage, you will provide the protection community with a "domain security" policy.

To configure permissions for domain protection policies:

  • In the search box, enter Protection Community Membership and Access and click.
  • Search Membership of Defense Community.
  • Next to the group name, press the ellipsis (...) and from the menu, choose Protection Group> Retain Security Group Domain Permissions.
  • Pick Retain Permissions for Domain
  • Under Integration Permissions, add the following domains. This is to the Domain Protection Policies Makes Access Authorization list.
  • External Provisioning for Account
  • Job Data:

Worker Public Records

  • Personal Data:

Contact Information for Jobs required if you plan to writeback. This contact data from Azure AD to Workday.

  • Workday accounts (required if you plan to write username/UPN back to Workday from Azure AD.

Check for the protection category that was formed in the previous phase and pick it.

Under Integration Permissions, add the following domains to the Domain Protection Policy Access.

  • Data of the Worker: Staff
  • Job Information: All Positions
  • Job Data:

Latest Knowledge about Staffing

  • Worker data:

Company title on the profile of the worker

It uses professional employees. Optional - add this menu to recover worker qualification data for provisioning them.

  • Job Data:

Competencies and experience.

The Permissions panel appears as seen below after following the above steps.

On the next page, press OK or Finished to complete the setup.


The Workday integration approach involves the installation of a provisioning agent. This is on an on-premises Windows server, and this agent generates logs in the Windows Case log. Thus, can include personal data depends on the mapping of the Workday to AD attributes. You will ensure that no data is stored in event logs after 48 hours. This is to comply with user privacy needs by setting up a planned Windows event log. You can proceed in this direction with guidance through Workday online training.

About the Author

I am a Digital Marketing Analyst working in cynix it

Rate this Article
Leave a Comment
Author Thumbnail
I Agree:
Author: Rajesh Cynix

Rajesh Cynix

Member since: Feb 11, 2021
Published articles: 4

Related Articles