Improve/fix Workday to Azure AD provisioning to enable updating the userType based on a dynamic expression

Fernando Almeida 106 Reputation points
2022-09-14T23:34:02.82+00:00

For some reason I can't figure out, it seems that the userType property for an AAD user can only be set on creation and is never updated. A conditional mapping expression was set that was verified to work properly and write the expected value to another extension property for confirmation.

The reason for this is that I need to map "partner" users to a separate internal domain but want to make them guests. Over time these could ultimately be hired as employees, and thus their userType should be changed to Member.

Use case: change a user's userType when the worker type changes, to restrict visibility of the tenant directory to the minimum required.

  1. from CW/FTE => set userType to be "Member"
  2. from FTE/CW => set userType to be "Guest"
Microsoft Entra ID

2 answers

  1. Chetan Desai 971 Reputation points Microsoft Employee
    2022-09-16T15:26:34.46+00:00

    @Fernando Almeida
    In my lab setup, I verified that userType update works as expected. Please check the expression to make sure it is evaluated properly.

    If the issue persists, you can open a support ticket from the Azure portal. Specify service: "Azure AD User Provisioning and Synchronization" -> "Problem Type: Provisioning from Cloud HR to AD or Azure AD".


  2. Fernando Almeida 106 Reputation points
    2022-09-16T23:19:38.43+00:00

    I'm on a deadline for setting up a migration, and you've been very helpful and quick to provide valuable feedback, so I'll share some additional details before opening the support ticket, if it's really needed.

    The expression I'm using to try and update the userType is the following:

    IIF(IsPresent([EmployeeID]), "Member", "Guest")

    The XPATH for the API expression for EmployeeID that I'm using is:

    wd:Worker/wd:Worker_Reference/wd:ID[@wd:type='Employee_ID']/text()

    Test scenarios:

    Test 1: Succeeds (e.g. transition from Contingent Worker to Employee)

    • Target an AAD user that has an EmployeeID coming from the matched Workday worker and manually set his userType = 'Guest'
    • Run the "provision on demand" action for the matching target WorkerId
    • User type is updated as expected to 'Member' after working through some weird client caching issues. Additionally the details pane for the "provision on demand" feature does not show any metadata in the data flow tab highlighting that userType was changed.
      (screenshot: 242035-usertype-changed-but-not-logged.png)

    Test 2: Fails (e.g. transition from Employee to Contingent Worker) => MY ISSUE IS HERE. Is this by design?

    • Target an AAD user that does not have an EmployeeID coming from the matched Workday worker, i.e. he's a Contingent Worker (CW), and set his userType = 'Member'
    • Run the "provision on demand" action for the matching target WorkerId
    • User type is NOT updated as expected to 'Guest' and remains as 'Member' unless manually changed
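To separate "the expression evaluates wrongly" from "the provisioning service does not write the update", the mapping logic can be replayed offline. The following is an added example, not part of the thread and not Microsoft's expression evaluator: it applies the XPath from the post to two constructed Workday worker records (an employee and a contingent worker), evaluates `IIF(IsPresent([EmployeeID]), "Member", "Guest")` over the result, and reports whether the target userType differs from the current one. It assumes the standard Workday namespace `urn:com.workday/bsvc` and that IsPresent() treats an empty or whitespace-only value as absent.

```python
import xml.etree.ElementTree as ET

# Workday Web Services namespace; the "wd:" prefix in the post's XPath resolves to this URI.
WD_NS = "urn:com.workday/bsvc"

# Constructed sample worker records (not real Workday output).
EMPLOYEE_XML = f"""<wd:Worker xmlns:wd="{WD_NS}">
  <wd:Worker_Reference>
    <wd:ID wd:type="WID">0123456789abcdef</wd:ID>
    <wd:ID wd:type="Employee_ID">100234</wd:ID>
  </wd:Worker_Reference>
</wd:Worker>"""

CONTINGENT_XML = f"""<wd:Worker xmlns:wd="{WD_NS}">
  <wd:Worker_Reference>
    <wd:ID wd:type="WID">fedcba9876543210</wd:ID>
    <wd:ID wd:type="Contingent_Worker_ID">CW0042</wd:ID>
  </wd:Worker_Reference>
</wd:Worker>"""


def employee_id(worker_xml: str):
    """ElementTree spelling of wd:Worker/wd:Worker_Reference/wd:ID[@wd:type='Employee_ID']/text().

    The root element is wd:Worker itself, so the path starts at Worker_Reference; the
    namespaced attribute is written in Clark notation ({uri}type).
    """
    root = ET.fromstring(worker_xml)
    node = root.find(f"wd:Worker_Reference/wd:ID[@{{{WD_NS}}}type='Employee_ID']", {"wd": WD_NS})
    if node is None or node.text is None:
        return None
    return node.text.strip() or None  # assumption: whitespace-only counts as absent


def is_present(value) -> bool:
    """Local stand-in for the provisioning IsPresent() function: non-empty value."""
    return value is not None and value != ""


def user_type_for(worker_xml: str) -> str:
    """Evaluate IIF(IsPresent([EmployeeID]), "Member", "Guest") for one worker record."""
    return "Member" if is_present(employee_id(worker_xml)) else "Guest"


def expected_update(current_user_type: str, worker_xml: str):
    """Return (desired userType, whether provisioning should change the AAD user)."""
    desired = user_type_for(worker_xml)
    return desired, desired != current_user_type


if __name__ == "__main__":
    # Test 1 from the post: CW -> Employee, AAD user currently Guest.
    print("Test 1:", expected_update("Guest", EMPLOYEE_XML))
    # Test 2 from the post: Employee -> CW, AAD user currently Member.
    print("Test 2:", expected_update("Member", CONTINGENT_XML))
```

If this replay yields ("Guest", True) for Test 2 while the tenant still shows Member, the expression is not the problem and the evidence to attach to the support ticket is the provisioning log entry for that on-demand run.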