Hello there,
We have been using Workday to synchronise User accounts through Azure to our On-Prem Active Directory. For about 4-6 weeks we have been facing the issue now that Multi-valued attributes are no longer written correctly to the on-prem AD which was working before. This specifically effects the Assigned Provisioning Group from Workday using xpath:
wd:Worker/wd:Worker_Data/wd:Account_Provisioning_Data/wd:Provisioning_Group_Assignment_Data[wd:Status='Assigned']/wd:Provisioning_Group/text()
We are currently seeing the following behaviour:
- An Employee in Workday has Provisioning groups A, B and C assigned = A, B and C are synchronised to Active Directory into a Multi-valued attribute
- The same Employee in Workday is updated and now has Provisioning groups A, B, C and D assigned
- The provisioning in Azure now evaluates the diff between whats in AD and Whats in Azure and evaluates that D is a new value and was appended to the attribute
- The provisioning now overwrites the entire attribute in AD with the value of group "D"
- Once the provisioning runs again it evaluates the diff to be A, B and C as appended values and replaces the value D with A, B, C in AD.
- These steps repeat continuously writing A,BC then D then A,B,C again and so on
Checking the provisioning agent that pushes the Workday data from Azure to the on-prem AD, you can see the following verbose outputs: (SCIM operation is Replace and not Add)
Sync 1:
{'schemas':['urn:ietf:params:scim:api:messages:2.0:BulkRequest'],'Operations':[{'method':'PATCH','bulkId':'f2be78c1-177a-4f90-b5c8-61b7f3cdb576','path':'/DynamicElements/1f56ed3b-cafd-40b0-ab44-5b3a7bcc2bc6','data':[{'op':'Replace','path':'destinationIndicator','value':[{'value':'All_COO_Org_Managers_CELOCORE_AUTO'},{'value':'All_GTM_Org_CELOCORE_AUTO'}]}]}],'failOnErrors':null}
Sync 2:
{'schemas':['urn:ietf:params:scim:api:messages:2.0:BulkRequest'],'Operations':[{'method':'PATCH','bulkId':'858895c7-7e06-4b8a-866d-d3649482e7d5','path':'/DynamicElements/1f56ed3b-cafd-40b0-ab44-5b3a7bcc2bc6','data':[{'op':'Replace','path':'destinationIndicator','value':[{'value':'All_Celonis_CELOCORE_AUTO'}]}]}],'failOnErrors':null}
Sync 3:
{'schemas':['urn:ietf:params:scim:api:messages:2.0:BulkRequest'],'Operations':[{'method':'PATCH','bulkId':'f2be78c1-177a-4f90-b5c8-61b7f3cdb576','path':'/DynamicElements/1f56ed3b-cafd-40b0-ab44-5b3a7bcc2bc6','data':[{'op':'Replace','path':'destinationIndicator','value':[{'value':'All_COO_Org_Managers_CELOCORE_AUTO'},{'value':'All_GTM_Org_CELOCORE_AUTO'}]}]}],'failOnErrors':null}
Has anyone else faced this issue and has a solution at hand on how this could be resolved?
Any help is much appreciated as our Microsoft support has already declared this as 3rd party and asked us to reach out to Workday as this is not within the support of them.
Many thanks and best regards
Timo
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 78%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELV%3C/text%3E%3C/svg%3E)
