Share via

Workday-Entra Provisioning - Pre-hire/hiring date not checked by the incremental sync

Fabrice Bastian 60 Reputation points
2026-02-17T08:43:44.38+00:00

Hello,

We are using Workday with the Entra Provisioning connector to synchronize account from Workday to on-premise Active Directory.
The sync is in place and working as expected (mainly), except for this usecase:

We are trying to configure pre-hiring stuff: user is created in AD in disabled status and is then enable 1 day before his hiredate.
For this we have this expression in the accountDisabled attribute:

Switch([PastLastDayOfWork], Switch([Active], "False", "1", IIF(DateDiff("d", Now(), Join("", FormatDateTime([StatusHireDate], ,"yyyy-MM-ddzzz", "yyyy-MM-dd"), ""))<="1", "False", "True"), "0", "True"), "Workers past Last Day of Work", "True")

Account are correctly created in disabled state prior their hiredate.

Unfortunately, the account doesn't switch to active 1 day before reaching hiredate.

-> If we run on-demand provisioning, the account is correctly switch to active.

Is this a limitation of the incremental sync (as nothing changed on the worker profile, and so no workday transaction logs could be found)?

Did someone here already encounter this issue?

Best regards

Fabrice Bastian

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator
    2026-02-18T19:43:56.3+00:00

    Yes, your understanding is correct.

    In Workday → Microsoft Entra provisioning, attribute mappings are evaluated only when a worker is picked up in the incremental (delta) sync. After the initial full sync, the connector cannot be configured to run scheduled full syncs, and there is no mechanism to periodically re‑evaluate mappings based on time‑based logic (such as Now() or hire‑date comparisons).

    Because no Workday transaction occurs between pre‑hire creation and the hire date, the worker does not appear in the delta feed, so the accountDisabled expression is not re‑evaluated. On‑demand provisioning works because it explicitly forces evaluation for that user, but it cannot be scheduled or used at scale.

    To keep your intended behavior:

    • Create AD account disabled when the worker becomes active in Workday
    • Enable AD account 1 day before hire date

    you will need to use one of the following supported approaches:

    Option 1 – Workday‑driven trigger (recommended) Introduce a Workday attribute or business process that changes 1 day before the hire date (for example, a calculated flag or effective‑dated field). This generates a Workday transaction, causing the worker to appear in incremental sync and allowing the accountDisabled mapping to be re‑evaluated.

    Option 2 – Downstream scheduled process Keep Entra provisioning focused on account creation, and handle enablement separately using a scheduled process (PowerShell, Azure Automation, or AD task) that:

    • Identifies disabled AD accounts
    • Compares against the hire date
    • Enables the account 1 day before hire

    This limitation is by design and applies to all time‑based provisioning scenarios.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/workday-integration-reference

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.