The AAD Workday Writeback provisioner

It works something like this

One of the best things about Azure AD is the built-in SCIM-based provisioning applications that can be used to push information from Azure AD to other systems such as Workday.

We use the Workday Writeback Provisioner to set the worker’s business e-mail and telephone after they’ve been assigned as part of onboarding.

While the linked tutorial covers the basics, it doesn’t really address some of the nuances we found. Here, in the spirit of saving you time Googling, is the missing documentation for writeback to Workday.

1 What will you join on?

We populate the AD EmployeeID field with the Worker ID from Workday. Assuming this is fully populated in AD, then that’s by far the simplest field to join on with matching precedence of 1.

Provisioner Mapping

2 Clean up landline numbers

Workday requires the country code (both numeric and ISO) be loaded to separate fields. That implies that you need to ensure all the landline numbers are in a fixed format so you can parse out the country code. The key goal is that the country code needs to be separated from the rest of the number: +1 212 555 2555 not +12125552555. Ensure your onboarding runbook documents this!

This PowerShell will export all your users into a CSV so you can do an audit:

# Export every member account's UPN and telephone number for a format audit
Get-AzureADUser -All $true | Where-Object UserType -eq 'Member' |
 Select-Object UserPrincipalName, TelephoneNumber |
 Export-Csv Users_tel.csv -NoTypeInformation

3 Map to LandlineCountryCodeName

The tutorial naively assumes that your employees all have phone numbers in the US. We can use a Switch statement to map the country dialing code to the ISO code (line breaks added for readability):

Switch(
    Replace([telephoneNumber], , "\\+(?<isdCode>\\d+) ", , "${isdCode}", , ), , 
    "1", "USA", 
    "44", "GBR", 
    "353", "IRL", 
    "65", "SGP",
    "352", "LUX"
)

Obviously the more countries you operate in, the uglier this will get. If your address data is trustworthy and aligns with how you allocate telephone numbers you could, instead, switch off of the country loaded to Active Directory.
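The audit from step 2 and the mapping from step 3 can be checked together before the provisioner runs. The following is an added example, not code from the original post: the function name Test-WritebackNumber, the status labels and the sample rows are made up for illustration, and the pattern is anchored to the start of the number, which the provisioner expression above is not.

```powershell
# Dialing-code table copied from the Switch expression above; extend it for your countries.
$IsoByDialCode = @{ '1' = 'USA'; '44' = 'GBR'; '353' = 'IRL'; '65' = 'SGP'; '352' = 'LUX' }

# Hypothetical helper: classifies one exported row by whether its number can be mapped.
function Test-WritebackNumber {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$User
    )
    process {
        $tel = "$($User.TelephoneNumber)".Trim()
        $status = 'OK'; $iso = $null
        if (-not $tel) {
            $status = 'Empty'
        }
        elseif ($tel -notmatch '^\+(?<isdCode>\d+) ') {
            # No space after the country code, e.g. +12125552555
            $status = 'NoSeparatedCountryCode'
        }
        elseif (-not $IsoByDialCode.ContainsKey($Matches['isdCode'])) {
            # Well-formed, but the Switch has no entry for this dialing code
            $status = 'UnmappedCountryCode'
        }
        else {
            $iso = $IsoByDialCode[$Matches['isdCode']]
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            TelephoneNumber   = $tel
            CountryCodeName   = $iso
            Status            = $status
        }
    }
}

# Constructed sample rows in the same shape as Users_tel.csv
$sample = @'
UserPrincipalName,TelephoneNumber
alice@example.com,+1 212 555 2555
bob@example.com,+12125552555
carol@example.com,+49 30 5550 1234
dave@example.com,
'@ | ConvertFrom-Csv

# Show only the rows that need fixing before writeback is enabled
$sample | Test-WritebackNumber | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Against the real export, replace `$sample` with `Import-Csv Users_tel.csv`. Rows flagged UnmappedCountryCode need a new key/value pair in the Switch expression; the others need the number corrected in the directory.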

4 Map remaining fields

Here are the expressions we use for the other fields:

The latter does a double replace to remove any punctuation or whitespace from the matched phone number. The documentation for the Replace function is absolutely lousy. One key thing we learned: never put an empty string in when a missing parameter will work. In particular, if you put "" for the fourth parameter, RegexGroupName, the provisioner will fail with impenetrable errors.

As ever, Regex101 is a great resource for testing these, remembering that you need to escape the backslash when you copy over the working regular expression. Good luck!