My environment / use case:

  • WorkDay as identity source
  • We have on-prem AD and Azure AD, AADC in place.
  • We do not have on-prem exchange, we assign licenses in Azure AD to provision O365 mailboxes.
  • We want to write back userid, email id and phone to Workday.

I am reading the MS documents linked below, and one thing that is not very clear is how to manage the mail attribute. I want the mail ID present in both on-prem AD and Azure AD. Do we generate mail IDs while creating the AD account via the Azure AD provisioning agent, and that syncs up to Azure AD? Or is there any other way?

My basic question is how do we manage the mail attribute / email id value in this architecture?

Links I am following:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/workday-inbound-tutorial
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/workday-writeback-tutorial

2 Answers


  1. Basically, in the writeback flow from on-premises Active Directory to Workday: once the account creation is complete in Active Directory, it is synced with Azure AD through Azure AD Connect, and information such as email, username and phone number can be written back to Workday.

    Many organizations want to let users sign in to Azure Active Directory (Azure AD) using the same credentials as their on-premises directory environment. With this approach, known as hybrid authentication, users only need to remember one set of credentials and have only one mail ID to log in.

    But due to business or compliance reasons, some organizations don’t want to use the on-premises UPN to sign in to Azure AD.
    To help with the move to hybrid authentication, you can configure Azure AD to let users sign in with their email as an alternate login ID.

    When using an Alternate ID, the on-premises attribute userPrincipalName is synchronized with the Azure AD attribute onPremisesUserPrincipalName. The Alternate ID attribute, for example mail, is synchronized with the Azure AD attribute userPrincipalName.

    Reference: Sign-in to Azure AD with email as an alternate login ID

  2. Do we generate mail ids while creating AD account via the Azure AD provisioning agent and that syncs up to Azure AD? My basic question is how do we manage the mail attribute / email id value in this architecture?

    Depending on your requirement, here is how you can get started and expand the solution.

    • For existing users in on-prem AD and Azure AD, start by configuring the Workday Writeback provisioning app. This will sync existing email addresses of users present in both Workday and Azure AD. Use "employeeId – WorkerID" as the matching attribute pair for synchronization.
    • Once you are ready to perform Workday-driven inbound provisioning, set up the Workday to AD User provisioning app. This will start synchronizing new hires, updates and terminations into your on-prem AD. For new hires, configure the mail attribute to be auto-generated in this provisioning app using the SelectUniqueValue function. This will set the mail attribute in AD, which will sync to Azure AD with AAD Connect Sync. The Workday Writeback app will then update the user’s profile in Workday with this mail value.
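As an added illustration (not part of either answer or of Microsoft's tutorials), this is the shape of a mail attribute mapping in the Workday to AD User provisioning app using the SelectUniqueValue function the second answer mentions, written in the Azure AD provisioning expression language. The domain contoso.com and the use of the Workday PreferredFirstName/PreferredLastName attributes are assumptions; adjust them to your own schema.

```text
SelectUniqueValue(
    Join("@", ToLower(NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName])))), "contoso.com"),
    Join("@", ToLower(NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 1), [PreferredLastName])))), "contoso.com"),
    Join("@", ToLower(NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 2), [PreferredLastName])))), "contoso.com")
)
```

The candidates are evaluated in order and the first value not already present in the target AD is written to mail, so a second "Jane Doe" gets j.doe@contoso.com instead of a duplicate address that would later be ambiguous as a sign-in identifier. Because the writeback app reads mail from Azure AD, the value only reaches Workday after Azure AD Connect has synchronized the new AD account.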