Setting up Workday/Entra ID integration to handle leave of absence without deleting user

JennyDunham-7796 20 Reputation points
2024-04-30T22:17:27.3766667+00:00

We currently have Workday provisioning users to Entra ID, however there's been an ask to have employee accounts disabled while they're on leave. The integration is set to have the "Create" and "Update" options allowed but not "Delete" within the provisioning page, and we've set SkipOutOfScopeDeletions to 'true' to prevent accidental account deletions. We're unsure if the integration will actually soft delete/hard delete accounts without the "Delete" option selected and haven't had a situation where we're able to test safely since we don't have an Entra sandbox.

Will the integration, with current settings, actually set accounts into a soft delete state and fully delete them after 30 days if the "Delete" option is not selected? We've confirmed that utilizing the LeaveAbsenceType [is not null] as a condition will disable the account if SkipOutOfScopeDeletions is set to 'false', but we don't want accounts to be deleted if someone is on leave for more than 30 days.

If they will be deleted, is there a way to flag an account for just disabling? The only potential solution that I've been able to track down is below, however when I test the expression the output is always "On Leave", which would falsely disable an account.

> Hi @bsalisbury17
> To account for LOA scenarios, you can modify the attribute mapping for the accountDisabled attribute in the following way:
> 1. Add a new line to the attribute mapping for the accountDisabled attribute.
> 2. In the Source column, enter the following expression: Switch([Worker_Status], "On Leave", "True", , "False")
> 3. In the Target column, enter accountDisabled.
> This expression will set the accountDisabled attribute to True for any worker who is on leave, and False for all other workers.
> Once you have made this change, you should test the configuration with a few test users from Workday to ensure that the mappings work as expected. Once you have verified that the mappings work, you can gradually expand the scope to include more users.
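The following is an added illustration for this thread, not code from Microsoft or from any poster. It models the documented argument shape of three Entra provisioning expression functions, Switch(source, defaultValue, key1, value1, ...), IIF(condition, valueIfTrue, valueIfFalse) and IsPresent(source), and evaluates the expression quoted above alongside two alternatives against constructed Workday worker records. The field names Worker_Status and LeaveAbsenceType are taken from the thread; everything else (the worker records, how a malformed argument list is handled) is an assumption of the model.

```python
"""Evaluate candidate accountDisabled attribute mappings against Workday
worker records.

Added illustration for the thread above; not Microsoft code and not code
from the original post. Only the documented argument shape of three Entra
provisioning expression functions is modelled:

    Switch(source, defaultValue, key1, value1, key2, value2, ...)
    IIF(condition, valueIfTrue, valueIfFalse)
    IsPresent(source)

Worker records are constructed sample data.
"""
from typing import Dict, Optional

Worker = Dict[str, Optional[str]]


def switch(source: Optional[str], default: Optional[str],
           *rest: Optional[str]) -> Optional[str]:
    """Switch(): the SECOND argument is the default, then key/value pairs.

    Model assumption: a dangling trailing key with no value maps to None;
    the real engine's handling of a malformed argument list is not
    described in the thread.
    """
    pairs = list(rest) + ([None] if len(rest) % 2 else [])
    for key, value in zip(pairs[::2], pairs[1::2]):
        if source == key:
            return value
    return default


def is_present(source: Optional[str]) -> bool:
    """IsPresent(): true when the source attribute has a non-empty value."""
    return source is not None and source != ""


def iif(condition: bool, if_true: str, if_false: str) -> str:
    """IIF(): pick a value based on a boolean condition."""
    return if_true if condition else if_false


# 1. The expression exactly as quoted in the question:
#    Switch([Worker_Status], "On Leave", "True", , "False")
#    Read with the documented argument order, "On Leave" occupies the
#    DEFAULT slot and "True" becomes a lookup key, so no worker status
#    ever yields "True" or "False".
def mapping_as_quoted(w: Worker) -> Optional[str]:
    return switch(w.get("Worker_Status"), "On Leave", "True", "", "False")


# 2. The same intent with the arguments in the documented order:
#    Switch([Worker_Status], "False", "On Leave", "True")
def mapping_by_status(w: Worker) -> Optional[str]:
    return switch(w.get("Worker_Status"), "False", "On Leave", "True")


# 3. Keyed on the leave attribute the question already uses, but as an
#    attribute mapping rather than a scoping filter, so the worker stays
#    in scope and no out-of-scope handling is triggered:
#    IIF(IsPresent([LeaveAbsenceType]), "True", "False")
def mapping_by_leave_type(w: Worker) -> str:
    return iif(is_present(w.get("LeaveAbsenceType")), "True", "False")


# Constructed sample workers (not real data).
WORKERS: Dict[str, Worker] = {
    "active":   {"Worker_Status": "Active",   "LeaveAbsenceType": None},
    "on_leave": {"Worker_Status": "On Leave", "LeaveAbsenceType": "Parental Leave"},
    "blank":    {"Worker_Status": "On Leave", "LeaveAbsenceType": ""},
}


def evaluate_all() -> Dict[str, Dict[str, Optional[str]]]:
    """Return the accountDisabled value each mapping would produce per worker."""
    return {
        name: {
            "as_quoted": mapping_as_quoted(w),
            "by_status": mapping_by_status(w),
            "by_leave_type": mapping_by_leave_type(w),
        }
        for name, w in WORKERS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:9s} {result}")
```

Under the model, the quoted expression returns "On Leave" for every worker, which matches what the question reports seeing in the expression tester; the reordered Switch and the IsPresent form return the "True"/"False" strings the accountDisabled target expects. The "blank" record shows that the two corrected forms can disagree when Worker_Status and LeaveAbsenceType are populated inconsistently, which is the kind of case worth including in the small test population before the mapping is applied to everyone.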


1 answer

  1. Carlos Solís Salazar 16,701 Reputation points MVP
    2024-05-01T23:29:18.47+00:00

    Hello,

    I had the same situation in the past; the workaround that I found is to create a Hybrid Identity infrastructure and implement user sign-in with Microsoft Entra pass-through authentication (PTA). So in AD DS I restrict logon time for Active Directory users.

    Hope this helps!

    Remember to accept the answer if it is helpful.
