Microsoft’s Workday Integration showcases their approach to Cloud-based Identity and Access Management (IDM)

Last week Microsoft released into Preview a concrete glimpse of the future of their Identity Management as a Service offering. In general, this integration puts some bones on the already-visible strategy for cloud-based identity management.

In this specific case, the focus is on taking employee lifecycle inputs from a Workday HR instance, and transmitting these to an “on-premises” Active Directory. *

This is not the first version of a Workday feed to be seen in preview – a previous version had the HR feed provisioning Azure Active Directory first: the on-premises AD would be fed using the User Writeback feature of AD Connect (and the attribute flow logic defined in that platform).

In the new version, Workday can provide worker details for provisioning or update into AD/AAD, and Workday can also receive updates from AAD (email addresses, for example).

Active Directory on-premises can be provisioned first

The new preview functionality has the significant advantage over the previous approach that Active Directory on-premises can be provisioned first, which is important for those customers still running their on-premises AD as the primary identity system in the organization (and for OCG, these customers are still in the majority). So here we have a solution in which we can provision AD straight from the Workday system in the cloud, with other downstream directories like AAD being provisioned using AD Connect out of AD as usual.

The original blog post from Microsoft’s Alex Simons is here, and the configuration details are here.

Solution allows us to configure much logic in the cloud

While the details of this implementation for Workday are specifically interesting to those customers using, or planning to use, a Workday HR source, they are also of general interest to all of us invested in the Microsoft identity platform for the insight that we gain into Microsoft general approach. The solution allows us to configure much logic in the cloud – including attribute flows which involve transformation logic, for example – while the actual transactional interaction with the Active Directory is performed by a lightweight agent which requires no configuration.

“Smart Cloud, Dumb Agent” model is taking shape

The solution is not yet comparable to a full-scale identity governance solution, but the “Smart Cloud, Dumb Agent” model is taking shape.

This comes as no real surprise! I wrote about the emerging System for Cross-Domain Identity Management (SCIM) integration in November 2015 (here), and it is SCIM which is being used in this case. It is clear that the future “brain” of any system is likely to include logic defined in the cloud, and computation executed in the cloud, with any necessary connectivity to private networks being performed by such lightweight, dumb, agents.

Microsoft continues to make investments in identity security, integration and governance, focusing on delivering valuable point-solutions while incrementally building out a strategic platform which will increasingly support general-purpose, custom solutions.

* More often than not, “on-premises” nowadays means VMs in a private network hosted in the cloud.

At OCG, we are committed to providing the most effective solutions for our customers, and are of course staying on top of the new developments as they emerge.

For help in planning a future-proof identity governance solution, please contact us contact us today at Our technical and business consultants are ready to help and advise.