Duplicate WID links causing Writeback Issues

Question

Duplicate WID links causing Writeback Issues

Jessie Cochran 25

Duplicate WID links causing Writeback Issues - Document attached with all data from issue.

Alfred Dean - 73928

Username – ******@la-z-boy.com

Email showing- ******@la-z-boy.com

Workday Writeback error- this means it can’t copy the AD information to WD

Failed to match an entry in the source and target systems User '73928'

Error code

DuplicateTargetEntries

Error message

Azure Active Directory entry 83e8aaf5-741e-4930-a8e9-fe8959b0276e matches the Workday entry d40c3c38f207100114f0682e845b0001 based on the WorkerID value { Add:"73928" (Target) }. However, the Azure Active Directory entry 4bc7bea4-508d-42e2-8fb9-a94d365ee85f has already been matched with the Workday entry d40c3c38f207100114f0682e845b0001. Consider deleting the Azure Active Directory entry 83e8aaf5-741e-4930-a8e9-fe8959b0276e, or at least not granting it access to Workday.

NOTES:

These are both active Employees I can’t just delete them from Active Directory. This is basically saying that Alfred and Evesvan share the same WorkerID in WD

PS C:\WINDOWS\system32> Get-AzureADUser -objectID '83e8aaf5-741e-4930-a8e9-fe8959b0276e'

ObjectId DisplayName UserPrincipalName UserType

-------- ----------- ----------------- --------

83e8aaf5-741e-4930-a8e9-fe8959b0276e Alfred Dean ******@la-z-boy.com Member

PS C:\WINDOWS\system32> Get-AzureADUser -objectID '4bc7bea4-508d-42e2-8fb9-a94d365ee85f '

ObjectId DisplayName UserPrincipalName UserType

-------- ----------- ----------------- --------

4bc7bea4-508d-42e2-8fb9-a94d365ee85f Elesvan Sanchez ******@la-z-boy.com Member

Dezz Jackson - # 73712

Username should be – ******@la-z-boy.com

Username showing: ******@la-z-boy.com

When I try to write back to Workday I receive this error

Failed to match an entry in the source and target systems User '73712'

Error code

DuplicateTargetEntries

Error message

Azure Active Directory entry 9f32b259-c5b4-4264-ab63-327a6ba51764 matches the Workday entry 8e525720a1081000be5b22198d4e0000 based on the WorkerID value { Add:"73712" (Target) }. However, the Azure Active Directory entry 6ef17e75-16eb-4b25-bb1a-f54a281b4262 has already been matched with the Workday entry 8e525720a1081000be5b22198d4e0000. Consider deleting the Azure Active Directory entry 9f32b259-c5b4-4264-ab63-327a6ba51764, or at least not granting it access to Workday

NOTES:

PS C:\WINDOWS\system32> Get-AzureADUser -objectID '9f32b259-c5b4-4264-ab63-327a6ba51764'

ObjectId DisplayName UserPrincipalName UserType

-------- ----------- ----------------- --------

9f32b259-c5b4-4264-ab63-327a6ba51764 Dezz Jackson ******@la-z-boy.com Member

PS C:\WINDOWS\system32> Get-AzureADUser -objectID '6ef17e75-16eb-4b25-bb1a-f54a281b4262'

ObjectId DisplayName UserPrincipalName UserType

-------- ----------- ----------------- --------

6ef17e75-16eb-4b25-bb1a-f54a281b4262 Ariana Robledo ******@la-z-boy.com Member

These are both active Employees I can’t just delete them from Active Directory. This is basically saying that Dezz and Ariana share the same WorkerID in WD

It looks like somewhere. It is getting connected to this person, but it doesn’t appear to be on the AD side ☹

Jessie Cochran 25 Reputation points

2023-05-11T11:25:35.6133333+00:00

We tried to get Workday Support to help with this and they said it's an Azure issue.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-05-16T03:51:11.9333333+00:00

@Jessie Cochran

I am looking into this issue and will get back to you post my research
Jessie Cochran 25 Reputation points

2023-05-16T13:40:17.1166667+00:00

Any help would be greatly appreciated.
Jessie Cochran 25 Reputation points

2023-05-16T13:53:44.6366667+00:00

This still makes me feel like Azure is still finding something in Workday

https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs

The operation couldn't be completed because more than one user in the target application was found with the configured matching attributes. Remove the duplicate user from the target application, or reconfigure your attribute mappings.

If they can't find in WD how would we reconfigure out mappings? The WID is the anchor between the systems, it has to be :-(

1 answer

Your answer

Jessie Cochran 25 Reputation points

2023-05-11T11:25:35.6133333+00:00

We tried to get Workday Support to help with this and they said it's an Azure issue.
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-05-16T03:51:11.9333333+00:00

@Jessie Cochran

I am looking into this issue and will get back to you post my research
Jessie Cochran 25 Reputation points

2023-05-16T13:40:17.1166667+00:00

Any help would be greatly appreciated.
Jessie Cochran 25 Reputation points

2023-05-16T13:53:44.6366667+00:00

This still makes me feel like Azure is still finding something in Workday

https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs

The operation couldn't be completed because more than one user in the target application was found with the configured matching attributes. Remove the duplicate user from the target application, or reconfigure your attribute mappings.

If they can't find in WD how would we reconfigure out mappings? The WID is the anchor between the systems, it has to be :-(

Answer 1

Louis Dodge 0

I had this same issue today. It was caused by the incorrect employeeID being assigned to a user. This caused 2 different Workday users to have the same email address and when the Workday Writeback sync ran, Workday associated the Azure user with the wrong Workday account.

We corrected and compared all attributes in AD, Azure, and Workday, but on user1 we were still getting WorkdayInvalidAnchor - Validation error occurred. User Name already taken, please choose another one

and on user2 we were getting:

Failed to match an entry in the source and target systems

DuplicateTargetEntries

Azure Active Directory entry [redacted] matches the Workday entry [redacted] based on the WorkerID value { Add:"[redacted]" (Target) }. However, the Azure Active Directory entry [redacted] has already been matched with the Workday entry [redacted]. Consider deleting the Azure Active Directory entry [redacted], or at least not granting it access to Workday.

This was resolved by changing the Integration IDs > External ID in Workday for the user with the WorkdayInvalidAnchor error to a new unique value. This has to be done by a Workday admin on the Workday site and does not appear to be updatable on the Azure config.

I was able to provision on demand user1 and then user2 without error.

Jessie Cochran 25 Reputation points

2023-06-06T11:44:14.69+00:00

Thank you very much for this! I have sent this to the team I am working with to see if we can get it fixed.
Jessie Cochran 25 Reputation points

2023-06-21T19:08:14.6+00:00

Are you able to provide any further help on this. We are being told we can't change this?
Louis Dodge 0 Reputation points

2023-06-22T16:33:46.9533333+00:00

That is frustrating, not sure why they are telling you that. Workday also tried to tell us it was unfixable on their end and we figured it out ourselves, thankfully we have a user with admin access to Workday. See if you can find a Workday admin who can get to this screen here and change the External ID for the users in question. Just add some extra random chars on the end, then when the provisioning runs it will create a new link. We've fixed about a dozen users with this problem in the past month.

Essentially, Workday creates it's own link to an Azure user and the only way to break the link is to change the user's External ID on the Workday side (easy, low impact), or possibly to change the user's msds-consistencyGUID or ObjectID GUID (more difficult and has the potential to break the user's connection to Azure and local AD, I didn't try it.) Even if the EmployeeID is changed in Azure and provisioned again, the first External ID link it created remains. Despite the user provisioning being configured in the Workday Azure enterprise app to match a Workday user based upon EmployeeID, after the initial match, on the back end Workday seems to be doing matching based upon Azure GUID and Workday ExternalID, and once the match is made it is unbreakable without changing one of these attributes on either the Workday side or the Azure side.

(Right click image and open in new tab if it is too small)
Thao, Charlie 0 Reputation points

2025-02-24T19:30:16.1766667+00:00

Our SSO configuration doesn't use External IDs. It's based on the Reference ID I believe. We are just a tad reluctant to change it until further testing. But it begs the question why we are not using external IDs. Use of the Reference ID seems "automatic" when HCM assigns the employee ID. Do you guys have to manually maintain the External ID in Workday upon hire and termination?

Share via

Duplicate WID links causing Writeback Issues

1 answer

Your answer