Connect ADP Workforce Now to Microsoft Entra ID

When someone joins, moves or leaves in ADP Workforce Now, you want that change reflected in Microsoft Entra ID without anyone touching it by hand. To connect ADP Workforce Now to Microsoft Entra ID, Joinly reads each HR change at the source — through the ADP Worker Management API in API Central — and applies it automatically to the right account. Workforce Now stays your source of truth; Joinly is the engine that keeps every action accurate and traceable.

Key takeaways

  • ADP Workforce Now stays your source of truth; Joinly applies every joiner, mover and leaver to Entra ID automatically.

  • Joinly maps Workforce Now organisational data — home department, business unit and job title — to the right Entra ID groups and licences, which the SSO-only ADP gallery app cannot do at all.

  • Joinly reads the effective hire date on each new associate, so accounts are provisioned on the actual start date and not the moment HR keys in the new hire.

  • Associate-versus-position is resolved correctly: a worker with multiple Position IDs keeps a single account driven by the home position, instead of being provisioned twice.

  • Every action is logged for a complete audit trail, aligned with NIS2 and ISO 27001.

ADP Workforce Now

Let IT automatically adapt to HR processes. New employees receive immediate access to the right systems, job changes are processed automatically, and upon termination, access is immediately revoked. This facilitates faster, more consistent onboarding and offboarding without manual steps.

Microsoft Entra ID (Microsoft Azure AD)

Employees from your HR system, automatically in your IT environment



  • Source system: ADP Workforce Now

  • Target system: Microsoft Entra ID (formerly Azure AD)

  • Connection method: ADP Worker Management API (API Central) → Entra ID

  • Supported events: Joiner, mover, leaver (incl. rehire, job change, multiple positions)

  • Synced attributes: Name, email / UPN, home department, business unit, job title, manager, associate ID, position ID, hire and termination date

  • Authentication: OAuth 2.0 (client_credentials) over mutual TLS with an X.509 client certificate

  • Real-time or batch: Frequent sync, multiple times per day

  • Compliance: ISO 27001, NIS2-ready, GDPR (EU data centre)

How does Joinly sync ADP Workforce Now to Microsoft Entra ID?

Joinly reads each HR change in Workforce Now through the ADP Worker Management API and applies it to the matching Entra ID account automatically. Workforce Now holds the authoritative worker record, so it is the starting point for each identity action.

  1. Joiner. HR completes the new hire in Workforce Now. Joinly reads the new worker — the associateOID, workerID and the primary Position ID — and determines the role from attributes like home department, business unit and job title. It then creates the account in Entra ID, assigns the right licences and maps the person into the correct groups — timed to the effective hire date.

  2. Mover. When an associate changes position, home department or business unit in Workforce Now (an ADP job change), Joinly updates their group membership, permissions and licences to match. Access that no longer fits the new position is revoked, so permissions stay aligned with the actual job.

  3. Leaver. On the termination date recorded in Workforce Now, Joinly disables the Entra ID account automatically. There are no orphaned accounts left active after someone has left, and where an associate holds more than one position, access is only removed when the last active position ends.

Example: A professional services firm hires a consultant in Workforce Now with a hire date next Monday in its Advisory business unit. Joinly reads the worker record, waits until the hire date, creates the Entra ID account, assigns an Office E3 licence and adds the consultant to the Advisory-Consultants group. When that consultant later picks up a second, part-time Position ID in the Training department, Joinly keeps the home position as the driver of the UPN and adds the extra group without creating a duplicate account.

What manual user management costs

Without automation, every account starts as an ADP report or a line in a spreadsheet that IT works through by hand. The Entra gallery 'ADP' app only delivers single sign-on, not provisioning, so unless you buy a separate sync bridge there is no native path from Workforce Now to Entra ID — and even then role-to-group mapping, hire-date timing and multi-position handling fall to people.

  • Onboarding delays. New joiners wait for accounts, licences and group access while a ticket sits in a queue, losing productive days in their first week.

  • Permissions that don't keep up (privilege creep). When associates change position or business unit, old access often stays attached, so people accumulate rights they no longer need.

  • Forgotten offboarding. Accounts that aren't disabled on time are both a security and audit risk, and unused licences keep costing money — and with multiple positions it is easy to disable an account while another position is still active.

Joinly vs. the native ADP provisioning options

The Entra gallery 'ADP' app covers single sign-on only; for actual provisioning ADP points you at limited connectors or a third-party sync bridge. Here's how that baseline compares to Joinly for a Workforce Now-driven setup.


  • Source. Joinly: Reads the ADP Worker Management API directly. Entra gallery app / ADP sync bridge: Gallery app does SSO only; bridge reads ADP separately.

  • Role-to-group mapping. Joinly: Built in, rule-based on home department and business unit. Entra gallery app / ADP sync bridge: No role-to-group out of the box; manual or bridge config.

  • Hire-date / future hires. Joinly: Times account creation to the effective hire date. Entra gallery app / ADP sync bridge: Not handled by the gallery app; bridge needs custom logic.

  • Multiple positions. Joinly: Resolves home vs additional Position ID for the UPN. Entra gallery app / ADP sync bridge: Associate vs position confusion can create duplicate accounts.

  • Licence assignment. Joinly: Driven by role / attributes. Entra gallery app / ADP sync bridge: Manual or group-based only.

  • On-premise AD. Joinly: Yes, own agent plus the native Microsoft agent. Entra gallery app / ADP sync bridge: Requires a separate sync bridge, limited mapping.

  • Audit trail. Joinly: Per-action logging tied to the HR source. Entra gallery app / ADP sync bridge: Limited.

Watch-outs when connecting ADP Workforce Now to Microsoft Entra ID

A few ADP-specific details decide whether this connection stays reliable at scale.

  • Certificate-based API onboarding. API Central access depends on an OAuth client paired with an X.509 certificate and connector approval, and that certificate expires. Joinly manages the mutual-TLS connection and flags certificate rotation in advance, so the link to Workforce Now never silently goes dark.

  • Associate ID versus Position ID. An associate holds one identity but a separate Position ID for each job. A naive rule treats every position as a new person and provisions duplicate Entra ID accounts. Joinly keys on the associateOID and picks the home position as the driver of the UPN, while still reflecting the extra access.

  • Mapping home department and business unit to Entra groups. ADP's home department and business unit don't translate one-to-one to Entra ID groups. Joinly builds explicit mapping rules from those structures to the correct groups and licences, so role drives access rather than manual assignment.

  • UPN format with duplicate names. When two associates share a name, a naive UPN rule produces collisions. Joinly applies custom transformation rules — a suffix, a department code or the associate ID as a controlled tiebreaker — so every UPN is unique and predictable from day one.

  • SSO is not provisioning. The Entra gallery 'ADP' app only handles sign-on; it never creates, updates or disables an account. Joinly is the provisioning layer that the gallery app deliberately leaves out, reading worker changes and acting on them in Entra ID.

Joinly handles each of these by default with custom mapping and transformation.
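
The rules from the joiner, mover and leaver steps and from the watch-outs above (key on the associateOID, let the home position drive the UPN, wait for the hire date, disable only when the last position has ended, fall back to another UPN pattern on a collision), as an added Python example that is not Joinly's code. The row field names (home, first, last, hire, term), the example.com domain and the sample associates are constructed assumptions, not the ADP Worker Management API schema.

```python
from collections import defaultdict
from datetime import date

DOMAIN = "example.com"  # constructed tenant domain
# Constructed rows, one per position; field names are hypothetical, not the ADP schema.
POSITIONS = [
    {"associateOID": "A3", "positionID": "P050", "home": True, "first": "Kim",
     "last": "Roe", "hire": date(2023, 1, 2), "term": date(2024, 5, 31)},
    {"associateOID": "A1", "positionID": "P100", "home": True, "first": "Sam",
     "last": "Lee", "hire": date(2024, 1, 8), "term": date(2024, 6, 30)},
    {"associateOID": "A1", "positionID": "P200", "home": False, "first": "Sam",
     "last": "Lee", "hire": date(2024, 3, 1), "term": None},
    {"associateOID": "A2", "positionID": "P300", "home": True, "first": "Sam",
     "last": "Lee", "hire": date(2024, 9, 2), "term": None},
]

def unique_upn(row, taken):
    """Try each pattern in turn; the associateOID is the last-resort tiebreaker."""
    first, last = row["first"].lower(), row["last"].lower()
    for local in (f"{first}.{last}", f"{first[0]}.{last}",
                  f"{first}.{last}.{row['associateOID'].lower()}"):
        upn = f"{local}@{DOMAIN}"
        if upn not in taken:
            taken.add(upn)
            return upn
    raise ValueError("no free UPN for " + row["associateOID"])

def plan(positions, today, taken=()):
    """Return {associateOID: (state, upn)}: one account per associate, never per position."""
    by_assoc = defaultdict(list)
    for row in positions:
        by_assoc[row["associateOID"]].append(row)
    taken, result = set(taken), {}
    # Oldest hire first, so UPN allocation is deterministic across runs.
    for oid, rows in sorted(by_assoc.items(), key=lambda kv: min(r["hire"] for r in kv[1])):
        home = next((r for r in rows if r["home"]), min(rows, key=lambda r: r["hire"]))
        start = min(r["hire"] for r in rows)
        still_open = any(r["term"] is None or today < r["term"] for r in rows)
        if today < start:
            state = "pending"    # future hire: nothing is created before the start date
        elif still_open:
            state = "enabled"    # at least one position has not ended
        else:
            state = "disabled"   # the last position ended on or before today
        result[oid] = (state, unique_upn(home, taken))
    return result
```

Passing the UPNs already present in the tenant as `taken` mirrors the baseline import in step 3 of the installation guide, so new accounts never collide with existing ones.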

Always audit-ready

Every account action Joinly performs is logged: who was affected, when it happened, which access changed and which Workforce Now change triggered it. For NIS2 that matters directly: access can be traced back to an authorised HR source rather than an ad-hoc request. Joinly is ISO 27001 certified, runs in an EU data centre in Amsterdam, applies least-privilege by default, and is built to meet NIS2 and ISO 27001.

Example case

Picture a professional services firm with around 3,200 employees across several business units, running ADP Workforce Now as its HR core while its identity provisioning never quite keeps up. The Entra gallery 'ADP' app gives people single sign-on but provisions nothing, so a spreadsheet exported from Workforce Now still drives every account by hand — and consultants who pick up a second Position ID for a training role end up with a duplicate Entra ID account, while future hires are provisioned the moment HR saves the record rather than on their actual start date.

Connect ADP Workforce Now to Microsoft Entra ID with Joinly and that work disappears. Joinly reads each HR change in Workforce Now at the source and acts on it automatically: new hires have their account, Office licence and group access ready on their effective hire date, job changes between business units swap the right groups the same day, a second Position ID just adds access on a single stable UPN, and leavers are disabled on their termination date with a 30-day soft-delete grace window.

"Multiple positions used to be the thing that broke every sync — we'd get two accounts for one consultant. Now an account is simply ready on the hire date, a second position just adds access, and we can show the auditor exactly which Workforce Now change created every bit of access." (illustrative — Head of IT, professional services firm)

The outcome this setup is designed for: onboarding drops from days to zero touch, duplicate-account errors from multiple positions stop entirely, and the team can walk into its next NIS2 assessment with a complete, source-backed audit trail.

More than a connector

A standalone Workforce Now to Entra ID connection is a good start, but identity rarely stops at one target. Joinly manages the complete chain from joiner to leaver across all your systems, with logging and governance built in. You review the exceptions; Joinly maintains the chain.

Installation guide

Follow these steps to connect ADP Workforce Now to Microsoft Entra ID with Joinly. The entire cloud setup happens in the platform, with no scripts or local software required.

1. Create your account

Go to platform.joinly.app and create your account.

Note: charges may apply for using the platform after the trial period ends.

Sign up at platform.joinly.app to get started.

2. Connect your Microsoft account

Open platform.joinly.app/settings/provisioning/idp-setup and connect your Microsoft tenant. Select the scopes you need. For provisioning you don't need any additional scopes.

Connect your Microsoft tenant and pick your scopes.

3. Import your existing accounts from Entra ID

Import all existing accounts from Entra ID at platform.joinly.app/settings/provisioning/entra-import. This gives Joinly a baseline of every account that already exists, so it can match people to their current account instead of creating duplicates.

4. Find the ADP Workforce Now integration in the Joinly marketplace

Open the Joinly marketplace and search for the ADP Workforce Now integration.

Don't see your system listed? Get in touch at support@koppelhet.nl and we'll help you out.

Search the marketplace for the ADP Workforce Now integration.

5. Follow the installation wizard

You may be redirected to integrations.joinly.app. Create an account there and enter your Workforce Now connection details: your ADP API Central client ID and secret, plus the X.509 client certificate and private key you generated in the ADP partner self-service portal for the mutual-TLS connection. We only ask for the information needed to establish a successful connection with ADP. All data is encrypted and stored securely.

Enter your ADP API Central credentials and client certificate in the wizard.

6. Configure your field mapping

Set up all your field mappings here. Templates support Liquid, so you can build your display name, UPN and other attributes dynamically from Workforce Now fields.

Frequently asked questions

  • How do I map the manager? Reference the manager's associateOID in the mapping and Joinly resolves the link to the right manager automatically.

  • How do I handle multiple positions? Pick the home Position ID as the driver for the UPN; Joinly exposes all of an associate's positions so you can choose the primary one.

  • How do I prevent duplicate usernames? Use the generateUniqueUsername helper, which falls back to the next pattern when the first one is already taken:
    {{ generateUniqueUsername: "{firstName}.{prefix}.{lastName}", "{initials}.{prefix}.{lastName}" }}

Map Workforce Now fields to Entra ID attributes with Liquid templates.

7. Configure the scheduled import

At platform.joinly.app/settings/import-configs, configure how often the import from Workforce Now should run.

8. Configure your workflows

Workflows are where Joinly turns each HR change into the right action in Entra ID. Create an onboarding (joiner) and offboarding (leaver) workflow with trigger-based execution, then an Identity updated workflow with a Create/update employee in Entra action so every change in Workforce Now flows straight through to Entra ID. Finally, add a threshold workflow with the Entra soft delete action that runs a set period after the termination date (for example 30 days) to retire accounts safely.

Create a trigger-based onboarding workflow.

Add the create/update action, then set your matching strategy and field mapping.

Add the Entra soft delete action to retire accounts safely.

AD on-premise support

Need to provision to an on-premise Active Directory as well? See our dedicated guide on connecting ADP Workforce Now to Active Directory, or contact support at support@koppelhet.nl to request setup of the Joinly AD Agent.

Frequently asked questions

Does the ADP Workforce Now to Microsoft Entra ID connection work in real time?
It runs as a frequent sync that updates multiple times per day, so changes in Workforce Now reach Entra ID quickly without waiting for a nightly batch.

Doesn't the Entra gallery 'ADP' app already do this?
No. The gallery app provides single sign-on (SAML/OIDC) only — it never creates, updates or disables accounts. Joinly is the provisioning layer that reads worker changes from the ADP API and applies them to Entra ID.

How does Joinly handle associates with multiple positions?
Joinly keys on the associateOID and reads every Position ID a person holds, then applies your rules to pick the home position as the driver for the UPN, so a second position adds access without creating a duplicate account.

How are future hires handled?
Joinly reads the effective hire date on the Workforce Now worker record and times account creation to it, so access is ready on the start date rather than the moment HR saved the record.

Which attributes sync from ADP Workforce Now to Entra ID?
Name, email / UPN, home department, business unit, job title, manager, associate ID, position ID, and hire and termination date. Custom ADP fields can be mapped via Liquid templates.

Does Joinly also support AD on-premise or hybrid provisioning?
Yes. Joinly has its own AD on-premise agent and also supports the native Microsoft Entra provisioning agent, so you can provision users to your on-premise AD environment as well. See the Workforce Now to Active Directory guide.
