Share via

Import organizational data from Workday (preview)

Important

This feature is for public preview customers only. Features in preview might not be complete and could undergo changes before becoming available in the broader release.

You can import organizational data into Microsoft 365 with the Workday connector, using the process described below.

Prerequisites

Before you can set up a connection between Workday and Microsoft 365, you'll need the following information about your Workday environment from your Workday admin:

  • Workday web services URL
  • Token URL
  • Username
  • ClientID
  • Complete steps within Workday described in later section

Steps

1. Set up your Workday connection

Applies to: Microsoft 365 Global Administrator

  1. Start the import from the Select connection type page on the Organizational Data in Microsoft 365 page (Home > Setup > Migration and imports > Organizational Data in Microsoft 365 > Select connection type). Under Workday connector, select Start Workday setup.

    1. You can also start the import by selecting Copilot on the left, then select Agents & connectors.

    2. Under Connectors, select Your connections.

    3. Select Add connection.

    4. At the bottom of the page, under People, and next to Workday, select Add.

    Screenshot of the page to start the Workday connection.

  2. Select Get started (if this is the first time you're importing data), or New import (if you've already imported data).

  3. On the Select connection type page, select Start Workday setup.

  4. Select the apps and services with which you'd like to share data. By default, all public reserved attributes are shared across Microsoft 365 and Viva apps and services. Use this page to select apps with which to share application-specific and custom data. You can change your selections at any time within Settings. Learn more.

  5. Under Download your Workday certificate, select Download certificate. A x509 certificate file will download called "publicKey.pem." Open the file in a text editor and copy its contents. Share this with the Workday admin.

    • This page also includes a .json mapping file for mapping your Workday attributes to their required fields in the Viva apps you selected in Step 4 above. Learn more about how Workday sends data to Microsoft 365 and the default field mapping. If the default field mapping works for your needs, you don't need to use the .json file. But, if you'd like to customize the mapping, select Download default mapping, and make your edits to the file.

    Screenshot of the page to download the certificate.

  6. Read the acknowledgment note and select Next.

  7. Under Set up Workday connection:

    1. Enter a name for your connection.

    2. Contact your Workday admin to complete the steps in Workday described below.

    3. Enter the Workday Web services URL, Token URL, and ClientID provided by the Workday admin.

    4. For username, enter the name of the ISU created by the Workday admin.

    5. Select how frequently you want Workday to send data to Microsoft 365: weekly or monthly.

      Screenshot of the page to set up the connection.

  8. If you want, select Prioritize Organizational Data in Microsoft 365. Learn more about data prioritization.

  9. Confirm you understand that the data you upload here might be processed by Viva and Microsoft 365, as well as non-Microsoft services that you've granted access to through the Workday API, and select Validate credentials.

  10. On the Upload attribute mapping page, if you're using your own custom mapping, select Browse to upload the .json mapping file you customized. Then at the bottom of the page, select Next.

    • Or, if you're using the default mapping, you don't need to upload a .json file. Select Next at the bottom of the page.

  11. Review the details for your reserved attribute mapping. To make changes, go back to the Upload attribute mapping page and upload a new .json file. If everything looks good, at the bottom of the page, select Next.

  12. If you've imported any custom attributes, review them on the next page. These can't be renamed and you can't change their data type. To make changes to the names, go back to the Upload attribute mapping page and upload a new .json file. If everything looks good, at the bottom of the page, select Validate mapping.

  13. Next, if you sent any app-specific or custom data to any destination, choose which apps can access the attributes you mapped, then view the global attributes that are used for all Microsoft 365 apps and services. Learn how.

  14. On the last page, review all the details, apps, and attribute mapping for your connection. If everything looks correct, select Connect. Once validation is complete, the organizational data will be made available to the apps and services you selected.

    Note

    If you set up periodic exports, your data will be validated for Viva and Microsoft 365 services requirements. Validation takes a few hours; however, it can take up to three days for your complete data upload to be available in the profile store. You can check the validation status on the Organizational data page in the Microsoft 365 admin center. When validation is complete, a message will say your data is in use and managed by Viva and Microsoft 365.

2. Steps within Workday

Applies to: Workday admin

  1. Open Workday. Search for "Create Integration System User" and select it. This is a system user not associated with a real person.

    Screenshot of the search field for Create Integration System user.

  2. Under Create Integration System User, fill out each field, then select OK.

    Screenshot of the page to Create Integration System User.

  3. Create a security group. In Workday, search for "Create Security Group" and select it.

  4. Select Integration System Security Group (Unconstrained).

    Screenshot of the page to create a security group.

  5. Add the Integration System User to this group.

  6. Search for "Maintain security group" and select Maintain Permissions for Security Group.

    Screenshot of the page to maintain permissions for the security group.

  7. Next to Operation, select Maintain. Next to Source Security Group, select your created security group.

    Screenshot of the page to select your created security group.

  8. Select the "+" icon to add a new Domain Security Policy Permission.

    1. Leave the Selected checkbox selected.

    2. Next to View/Modify Access, select Get Only.

    3. For Domain Security Policy:

      1. Add Worker Data: Public Worker Reports
      2. Add Worker Data: Organization Information
      3. Add Person Data: Private Work Email Integration
      4. Add Person Data: Skills
      5. Add Worker Data: Current Staffing Information

      Screenshot of the page to add domain security policies.

  9. Search for "Activate Pending Security Policy Changes" and select it.

  10. Add a descriptive comment about the change and select OK.

  11. Select Confirm, then select OK. You now have a new system user with the proper permissions they need to get worker data.

3. Register an API Client

  1. Search for "Register API Client" and select it.

    Screenshot of the page to search for an API client.

  2. Fill out the following fields:

    1. Give the client an appropriate name, such as "VivaConnectorClient."
    2. For the client grant type, select Jwt Bearer Grant.
    3. For x509 certificate:
      1. Select Create x509 Public Key.
      2. Give the certificate an appropriate name, such as "VivaX509Certificate."
      3. Paste the contents of the publicKey.pem file shared by the Global admin from the earlier step.
      4. Select OK.
      5. Ensure this certificate is selected for the field x509 Certificate.
    4. For Integration System User, enter the user you created earlier.
    5. Leave the access token type as "Bearer."
    6. Under Scope (Functional Areas), search for and select "Staffing," "Contact Information," "Worker Profile," and "Skills."
    7. Leave Include Workday Owned Scope cleared.
    8. Select the default values for the remaining fields.

  3. Select OK.

    Screenshot of the API client.

  4. A few new fields should populate below Restricted to IP Ranges. Save the following information and share it with the Global admin to enter in the Microsoft 365 admin center:

    1. "ClientID"

    2. Your Workday Token URL, such as https://wd3-impl-services1.workday.com/ccx/oauth2/contoso4/token.

    3. Your Workday web services URL, such as https://wd3-impl-services1.workday.com/ccx/service/contoso4.

      Note

      This isn't the same as the Workday REST API Endpoint. If you're not familiar with your Workday web services URL, you can create it by copying your Token Endpoint, replacing "oauth2" with "service," and removing "/token" from the end.

Make changes to the connection or data

  1. Go to the Select connection type page on the Organizational Data in Microsoft 365 page (Home > Setup > Migration and imports > Organizational Data in Microsoft 365 > Select connection type). Under Workday connector, select Start Workday setup.

  2. Select Edit connection.

  3. To change which apps can access your data, select Edit data access selections on the first page, and make your changes, using the same process as described above.

  4. Continue the process and advance through the screens, making any changes you need to on the appropriate page, such as your credentials, attribute access, and mapping. Skip any pages that don't require updates.

  5. When you're done, review your new connection details on the Review and confirm page. If everything looks good, select Confirm.

How Workday sends data to Microsoft 365

When you connect Workday to Microsoft 365, Workday sends over a set of predefined source columns. These columns are mapped to fields in Microsoft 365. You can't change these predefined fields.

Field mapping

The table below shows how Workday fields correspond to Microsoft 365 fields. Learn more about Microsoft 365 fields including data type and formatting requirements.

Attribute Workday field
Microsoft_PersonEmail /wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Contact_Data/wd:Email_Address_Data/wd:Email_Address
Microsoft_ManagerEmail /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Manager_as_of_last_detected_manager_change_Reference/wd:ID[@wd:type="Employee_ID" or @wd:type=\"Contingent_Worker_ID"][1]
Microsoft_Organization (Department) /wd:Worker/wd:Worker_Data/wd:Organization_Data/wd:Worker_Organization_Data[1]/wd:Organization_Data/wd:Organization_Name
Microsoft_Layer No mapping from Workday
Microsoft_LevelDesignation /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Job_Profile_Summary_Data/wd:Management_Level_Reference/wd:ID[@wd:type="Management_Level_ID"]
Microsoft_JobDiscipline /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Job_Profile_Summary_Data/wd:Job_Family_Reference/wd:ID[@wd:type="Job_Family_ID"]
Microsoft_CompanyOfficeLocation /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Location_Reference/wd:ID[@wd:type="Location_ID"]
Microsoft_CompanyOfficeCountryOrRegion /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Address_Data/wd:Country_Reference/wd:ID[@wd:type="ISO_3166-1_Alpha-3_Code"]
Microsoft_CompanyPostOfficeBox No mapping from Workday
Microsoft_CompanyOfficeStreet /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Address_Data/wd:Address_Line_Data
Microsoft_CompanyOfficeCity /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Address_Data/wd:Municipality
Microsoft_CompanyOfficeState /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Address_Data/wd:Country_Region_Descriptor
Microsoft_CompanyOfficePostalCode /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Address_Data/wd:Postal_Code
Microsoft_Company /wd:Worker/wd:Worker_Data/wd:Organization_Data/wd:Worker_Organization_Data[1]/wd:Organization_Data/wd:Organization_Name
Microsoft_CompanyCode No mapping from Workday
Microsoft_FirstName /wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Name_Data/wd:Legal_Name_Data/wd:Name_Detail_Data/wd:First_Name
Microsoft_LastName /wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Name_Data/wd:Legal_Name_Data/wd:Name_Detail_Data/wd:Last_Name
Microsoft_DisplayName /wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Name_Data/wd:Preferred_Name_Data/wd:Name_Detail_Data/@wd:Formatted_Name
Microsoft_JobTitle /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Business_Title
Microsoft_SecondaryJobTitle No mapping from Workday
Microsoft_UserSkillNames /wd:Worker/wd:Worker_Data/wd:Skill_Data/wd:Worker_Skill_Item/wd:Skill_Data[@wd:Inactive="0"]/@wd:Name
Microsoft_EmploymentType /wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data/wd:Position_Data/wd:Worker_Type_Reference/wd:ID[@wd:type="Employee_Type_ID" or @wd:type=\"Contingent_Worker_Type_ID"][1]
  • Last updated on