Workday Writeback - Re-evaluating users

Question

Workday Writeback - Re-evaluating users

Daniel Spratt 46

I've followed this MS guide regarding the "Timing of writeback for pre-hires"

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/workday-writeback-tutorial#timing-the-writeback-for-pre-hires

Once a new user is created in Active Directory and then synced to Entra ID, they are evaluated by Workday Writeback. Using the expression from the above article, if the EmployeeHireDate is in the future the Userprincipalname wont be written to Workday UserID.

IgnoreFlowIfNullOrEmpty(IIF(DateDiff("d", Now(), CDate([employeeHireDate])) >= 0, "", [userPrincipalName]))

This works great when Provisioning "on-demand". But I have found that the user is evaluated once when they are first created but not on future provisioning runs, so when the EmployeeHireDate comes and passes the provisioning run ignores the user. The guide mentions:

For the delayed Writeback to work as expected, an operation in on-premises AD or Azure AD must trigger a change to the user just a day before the arrival or on the hire date, so that this user's profile is updated and is considered for Writeback. It must be a change, that updates an attribute value on the user profile, where the new attribute value is different from the old attribute value.

I have used Azure Lifecycle Workflows to perform this action and a value is written extensionattribute2 in Active Directory. This syncs to Entra ID but even so the Workday Writeback provisioning run does not process the user again.

My question is, how do I get Workday Writeback to re-evaluate all users on a daily basis, or what can I update on the user profile to ensure it is considered for Writeback on their employeehiredate?

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-23T20:41:15.2866667+00:00

@Daniel Spratt

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-23T20:41:15.2866667+00:00

@Daniel Spratt

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Marilee Turscak-MSFT 37,206 Microsoft Employee Moderator

Hi @Daniel Spratt ,

Is sounds possible that a null attribute could be getting added. The provisioning service has a limitation that it cannot provision null attributes. - https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/known-issues?pivots=app-provisioning#null-attribute-cant-be-provisioned

You need to make sure that you are setting attribute to a value, even if it's an invalid value. You can check for null values using the expression in the documentation: IIF(IsNullOrEmpty([BusinessTitle]),"N/A",[BusinessTitle])

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/hr-user-creation-issues

Note also that the update operation is skipped if the "Workday user account" is not present, so if the account didn't exist and you had to create it, the account won't be evaluated. For the provisioning service to again evaluate and attempt an update as part of incremental sync, there must be an update on the Azure AD user profile.

If you restart the provisioning from the portal, it will re-evaluate all users, check for differences and apply the expression logic for each user.

If this does not apply to your situation, feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and I can get a support case opened to look into why the users are not getting evaluated.

If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

Admin Account Sven Böhler 10 Reputation points

2024-02-14T07:20:00.57+00:00

Hi Are there any news or a function Update? We have the same issue. The UserID in Workday has to be changed at Day 0 from example "john.jensen" to the AAD UPN "******@eraneos.com". This doesn't happen and we don't know why. What or which Field in the AAD has to be changed that the User Profile gets marked as Updated User Profile that the WriteBack knows that the User has to be picket up? Thanks for Help
Daniel Spratt 46 Reputation points

2024-02-14T09:19:36.68+00:00
Hi Sven I spent some time with Microsoft Support troubleshooting. There are caveats to Workday Writeback that the guides do not explain. For an AD user to be re-evaluated a changed needs to be made to one of the attributes that Workday Writeback writesback, for example telephone number, email address. This list of Workday Writeback attributes is very limited as you may have seen in the documentation. It also means having some kind of automation or manual process to update a telephone number on day 0. You can't just update any old attribute and expect Workday Writeback to re-evaluate the user.

I found it all less than ideal. The best workaround I found was to use a Logic App to restart the Workday Writeback Provisioning every day. The Loigc App uses a HTTP Post with the MSGraph command in the guide below. This ensures that all users are re-evaluated and where applicable (startdate = today) their UPN will be written back to UserID in Workday and enable SSO. There is some documentation here: https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-1.0&tabs=http on how to do this. Secondly the RegEx in the MS Guide for WorkdayWriteback isn't quite correct. When using the MS RegEx I found in practice it's startdate+1 when the RegEx to writeback the UPN to UserID applies. Instead I use this:

IgnoreFlowIfNullOrEmpty(IIF(CDate([employeeHireDate])<=Now(), [userPrincipalName], ""))

This works exactly on EmployeeHireDate Hope that helps! The Workday Writeback app is poor and the documentation needs some serious review. But sadly it's a necessary evil if you're using Workday to AD Provisioning.
Finazzo, Michael 0 Reputation points

2024-07-03T11:57:39.78+00:00

Marilee,

I'm also having the same issue and could use some guidance. I do use a place holder value for department that is update on the users hire date which should have the user re-evaluated but it doesn't seem to work. I'm using the delayed expression for both UPN and Email.

Thanks
Daniel Spratt 46 Reputation points

2024-07-16T09:39:15.2133333+00:00

Hi Michael

In my experience, if Department is not one of the attributes being written back to Workday then this will not trigger Workday Writeback to re-evaluate the user, and so they will be skipped.

See my previous reply:
"For an AD user to be re-evaluated a changed needs to be made to one of the attributes that Workday Writeback writesback, for example telephone number, email address. This list of Workday Writeback attributes is very limited as you may have seen in the documentation"

Share via

Workday Writeback - Re-evaluating users

1 answer

Your answer