When someone joins, moves or leaves in Workday, you want that change reflected in Microsoft Entra ID without anyone touching it by hand. To connect Workday to Microsoft Entra ID, Joinly reads each HR change at the source and applies it automatically to the right account. Workday stays your source of truth; Joinly is the engine that keeps every action accurate and traceable.
Key takeaways
Workday stays your source of truth; Joinly applies every joiner, mover and leaver change to Microsoft Entra ID automatically.
Joinly maps Workday job profiles and supervisory organisations to the right Entra ID groups and licences, something Entra Cloud Sync can't do on its own.
Accounts are created on the start date and disabled on the end date, so there are no early-access gaps and no orphaned accounts.
Every action is logged for a complete audit trail, aligned with NIS2 and ISO 27001.
Works for both cloud (Entra ID) and on-premise Active Directory provisioning.
Workday
Let IT automatically adapt to HR processes. New employees receive immediate access to the right systems, job changes are processed automatically, and upon termination, access is immediately revoked. This facilitates faster, more consistent onboarding and offboarding without manual steps.
Let IT automatically adapt to HR processes. New employees receive immediate access to the right systems, job changes are processed automatically, and upon termination, access is immediately revoked. This facilitates faster, more consistent onboarding and offboarding without manual steps.
Let IT automatically adapt to HR processes. New employees receive immediate access to the right systems, job changes are processed automatically, and upon termination, access is immediately revoked. This facilitates faster, more consistent onboarding and offboarding without manual steps.
Microsoft Entra ID
Employees from your HR system, automatically in your IT environment
Source system | Workday |
Target system | Microsoft Entra ID (formerly Azure AD) |
Connection method | Workday REST / RAAS API → Entra ID |
Supported events | Joiner, mover, leaver |
Synced attributes | Name, email / UPN, department, job title, manager, cost centre, start and end date |
Real-time or batch | Frequent sync, multiple times per day |
Compliance | ISO 27001, NIS2-ready, GDPR (EU data centre) |
How does Joinly sync Workday to Microsoft Entra ID?
Joinly reads each HR change in Workday and applies it to the matching Entra ID account automatically. Workday holds the authoritative record of every employee, so it is the starting point for each identity action.
Joiner. HR creates the employee in Workday. Joinly reads the new record via the Workday REST/RAAS (Report-as-a-Service) API and determines the role from attributes like department, job title and cost centre. It then creates the account in Entra ID, assigns the right licences and maps the person into the correct groups.
Mover. When someone changes role or department in Workday, Joinly updates their group membership, permissions and licences to match. Access that no longer fits the new position is revoked, so permissions stay aligned with the actual job.
Leaver. On the end date recorded in Workday, Joinly disables the Entra ID account automatically. There are no orphaned accounts left active after someone has left.
Example: A logistics company hires a warehouse planner in Workday with a start date next Monday. Joinly reads the record, creates the Entra ID account, assigns an Office E3 licence and adds the planner to the Warehouse-Operations group. When that planner later moves into a dispatch coordinator role, Joinly swaps the group membership and removes the old warehouse access the same day.
What manual user management costs
Without automation, every account starts as a Workday HR ticket or a line in a spreadsheet that IT works through by hand. Each new hire, transfer and departure becomes manual data entry, and the gap between the HR change and the account change is where errors and risk live. Entra Cloud Sync is the native option, but it needs an intermediate source between Workday and Entra ID and does not map roles to groups out of the box, so the part that actually decides access still falls to people.
Onboarding delays. New joiners wait for accounts, licences and group access while a ticket sits in a queue, losing productive days in their first week.
Permissions that don't keep up (privilege creep). When movers change role, old access often stays attached, so people accumulate rights they no longer need.
Forgotten offboarding. Accounts that aren't disabled on time are both a security and audit risk, and unused licences keep costing money.
Joinly vs. Entra Cloud Sync
Entra Cloud Sync is a fine baseline, but it stops short of the part that actually decides access. Here's how the two compare for a Workday-driven setup.
Joinly | Entra Cloud Sync | |
|---|---|---|
Source | Reads Workday directly | Needs an intermediate source between Workday and Entra ID |
Role-to-group mapping | Built in, rule-based | Not available out of the box — manual |
Licence assignment | Driven by role/attributes | Manual or group-based only |
Future-dated hires | Times account creation to the start date | No native start-date handling |
On-premise AD | Yes — own agent plus the native Microsoft agent | Cloud sync only |
Audit trail | Per-action logging tied to the HR source | Limited |
Watch-outs when connecting Workday to Microsoft Entra ID
A few details decide whether this connection stays reliable at scale.
UPN format with duplicate names. When two employees share a name, a naive UPN rule produces collisions or inconsistent sign-in names. Joinly applies custom transformation rules — adding a suffix, cost-centre code or controlled tiebreaker — so every UPN is unique and predictable from day one.
Start-date timing. Workday often holds a future-dated hire well before the first working day, and provisioning too early or too late both cause problems. Joinly reads the start date and times account creation to it, so access is ready on the right day and not before.
Mapping supervisory orgs and job profiles to Entra groups. Workday's supervisory organisations and job profiles don't translate one-to-one to Entra ID groups. Joinly builds explicit mapping rules from those structures to the correct groups and licences, so role drives access rather than manual assignment.
Joinly handles each of these by default with custom mapping and transformation.
Always audit-ready
Every account action Joinly performs is logged: who was affected, when it happened, which access changed and which Workday change triggered it. For NIS2 that matters directly — access can be traced back to an authorised HR source rather than an ad-hoc request. Joinly is ISO 27001 certified, runs in an EU data centre in Amsterdam, applies least-privilege by default, and is built to meet NIS2 and ISO 27001.
Customer story
A regional healthcare provider with around 1,400 employees across twelve locations was drowning in manual account work. Every new nurse, doctor or support worker started as a Workday HR ticket that IT processed by hand, and with seasonal contracts and frequent internal transfers the queue never emptied. New joiners regularly waited until day two or three for their account and licences, and as a healthcare organisation under NIS2 the team couldn't reliably prove that access matched someone's actual role.
After connecting Workday to Microsoft Entra ID with Joinly, that work disappeared. Joinly now reads each HR change at the source and acts on it automatically: new hires have their account, Office licence and group access ready on their start date, transfers between departments swap the right groups the same day, and leavers are disabled on their end date with a 30-day soft-delete grace window.
"Onboarding used to cost us hours a week and still left gaps. Now an account is simply ready when the nurse walks in, and we can show the auditor exactly which Workday change created every bit of access." (Head of IT at a regional healthcare provider)
The result: onboarding time dropped from a few days to zero touch, privilege creep from old roles was eliminated, and the team walked into its last NIS2 assessment with a complete, source-backed audit trail.
More than a connector
A standalone Workday–Entra ID connection is a good start, but identity rarely stops at one target. Joinly manages the complete chain from joiner to leaver across all your systems, with logging and governance built in. You review the exceptions; Joinly maintains the chain.
Employees from your HR system, automatically in your IT environment
Employees from your HR system, automatically in your IT environment
Follow these steps to connect Workday to Microsoft Entra ID with Joinly. The entire cloud setup happens in the platform — no scripts or local software required.
1. Create your account
Go to platform.joinly.app and create your account.
Note: charges may apply for using the platform after the trial period ends.
Sign up at platform.joinly.app to get started.
2. Connect your Microsoft account
Open platform.joinly.app/settings/provisioning/idp-setup and connect your Microsoft tenant. Select the scopes you need — for provisioning you don't need any additional scopes.
Connect your Microsoft tenant and pick your scopes.
3. Import your existing accounts from Entra ID
Import all existing accounts from Entra ID at platform.joinly.app/settings/provisioning/entra-import. This gives Joinly a baseline of every account that already exists, so it can match people to their current account instead of creating duplicates.
4. Find the Workday integration in the Joinly marketplace
Open the Joinly marketplace and search for the Workday integration.
Search the marketplace for the Workday integration.
Don't see your system listed? Get in touch at support@koppelhet.nl and we'll help you out.
5. Follow the installation wizard
You may be redirected to integrations.joinly.app. Create an account there, enter your Workday credentials, and complete the remaining details such as your company name. We only ask for the information needed to establish a successful connection with Workday. All data is encrypted and stored securely.
Enter your Workday credentials and company details in the wizard.
6. Configure your field mapping
Set up all your field mappings here. Templates support Liquid, so you can build your display name, UPN and other attributes dynamically.
Frequently asked questions
How do I map the manager? Reference the manager's employee ID in the mapping and Joinly resolves the link to the right manager automatically.
What if I have multiple domains? Use a domain-specific Liquid template for each domain.
How do I prevent duplicate usernames? Use the
generateUniqueUsernamehelper, which falls back to the next pattern when the first one is already taken:{{ generateUniqueUsername: "{firstName}.{prefix}.{lastName}", "{initials}.{prefix}.{lastName}" }}
Map Workday fields to Entra ID attributes with Liquid templates.
7. Configure the scheduled import
At platform.joinly.app/settings/import-configs, configure how often the import from Workday should run.
8. Configure your workflows
Workflows are where Joinly turns each HR change into the right action in Entra ID.
Onboarding (joiner)
Create a new workflow for employee onboarding. Give it a name and pick a trigger-based execution so it runs the moment a joiner appears in Workday.
Create a new trigger-based workflow for onboarding.
Add a workflow action of type Email to receive a notification whenever a new joiner is created. This keeps IT and the line manager in the loop without anyone watching the queue.
Add an email action to notify the right people on each new joiner.
Optionally, add conditions so the workflow only runs for the right population — for example, a specific department, location or contract type.
Add conditions to scope the workflow to the right employees.
Offboarding (leaver)
Do the same for offboarding: create a workflow that handles employees who leave, so the right notifications and actions fire automatically on departure.
Mirror the onboarding setup for leavers.
Provision to Entra ID on every change
Create a new workflow of type Identity updated. This triggers on every mutation, so any change in Workday — a new department, a different manager, a renamed cost centre — flows straight through to Entra ID.
An 'Identity updated' workflow fires on every change to a record.
Add a workflow action of type Create/update employee in Entra. Then choose your matching strategy (UPN, employee ID or email) and configure your field mapping (department, name, and so on) so each attribute lands in the right place.
Add the create/update action, then set your matching strategy and field mapping.
Delete from Entra ID when an employee leaves
Create a threshold workflow that runs a set period after the termination date — for example, 30 days. The delay gives you a grace window before access is removed for good.
A date-threshold workflow runs a set number of days after termination.
Add the Entra soft delete action to remove the accounts in Entra ID. Soft delete keeps the account recoverable for the standard retention window in case of a rehire or mistake.
Add the Entra soft delete action to retire accounts safely.
AD on-premise support
Need to provision to an on-premise Active Directory as well? Contact support at support@koppelhet.nl to request setup of the Joinly AD Agent and enable on-premise AD support.
More than a connector
A standalone Workday–Entra ID connection is a good start, but identity rarely stops at one target. Joinly manages the complete chain from joiner to leaver across all your systems, with logging and governance built in. You review the exceptions; Joinly maintains the chain.
Frequently asked questions
Does the Workday to Microsoft Entra ID connection work in real time?
It runs as a frequent sync that updates multiple times per day, so changes in Workday reach Entra ID quickly without waiting for a nightly batch.
What happens in Entra ID when an employee is offboarded in Workday?
On the end date in Workday, the Entra ID account is disabled rather than deleted, so access stops immediately while the data and audit trail are retained.
Which attributes sync from Workday to Entra ID?
The following attributes flow from Workday to Entra ID:
Name
Email / UPN
Department
Job title
Manager
Cost centre
Start and end date
Do I still need Entra Cloud Sync?
No. Joinly takes over the provisioning and role-to-group mapping that Cloud Sync can't do on its own, and maintains it as your Workday data changes — so you don't need the intermediate source or manual group mapping.
Does Joinly also support AD on-premise or hybrid provisioning?
Yes. Joinly has its own AD on-premise agent and also supports the native Microsoft Entra Provisioning agent, so you can provision users to your on-premise AD environment as well.`