Import organizational data from Workday (preview)

You can import organizational data into Microsoft 365 with the Workday connector, using the process described below.

Prerequisites

Before you can set up a connection between Workday and Microsoft 365, you'll need the following information about your Workday environment from your Workday admin:

• Workday web services URL
• Token URL
• Username
• ClientID
• Complete steps within Workday described in later section

Steps

1. Set up your Workday connection

Applies to: Microsoft 365 Global Administrator

1. Start the import from the Select connection type page on the Organizational Data in Microsoft 365 page (Home > Setup > Migration and imports > Organizational Data in Microsoft 365 > Select connection type). Under Workday connector, select Start Workday setup.

   

2. Select Get started (if this is the first time you're importing data), or New import (if you've already imported data).

3. On the Select connection type page, select Start Workday setup.

4. Under Download your Workday certificate, select Download certificate. A x509 certificate file will download called "publicKey.pem." Open the file in a text editor and copy its contents. Share this with the Workday admin.

   

5. Read the acknowledgment note and select Next.

6. Under Set up Workday connection:

   1. Enter a name for your connection.

   2. Contact your Workday admin to complete the steps in Workday described below.

   3. Enter the Workday Web services URL, Token URL, and ClientID provided by the Workday admin.

   4. For username, enter the name of the ISU created by the Workday admin.

   5. Select how frequently you want Workday to send data to Microsoft 365: weekly or monthly.

      

7. Confirm you understand that the data you upload here might be processed by Viva and Microsoft 365, as well as non-Microsoft services that you've granted access to through Microsoft Graph, and select Next.

8. Review your connection details, then select Confirm.

   Note

   If you set up periodic exports, your data will be validated for Viva and Microsoft 365 services requirements. Validation takes a few hours; however, it can take up to three days for your complete data upload to be available in the profile store. You can check the validation status on the Organizational data page in the Microsoft 365 admin center. When validation is complete, a message will say your data is in use and managed by Viva and Microsoft 365.

2. Steps within Workday

Applies to: Workday admin

1. Open Workday. Search for "Create Integration System User" and select it. This is a system user not associated with a real person.

   

2. Under Create Integration System User, fill out each field, then select OK.

   

3. Create a security group. In Workday, search for "Create Security Group" and select it.

4. Select Integration System Security Group (Unconstrained).

   

5. Add the Integration System User to this group.

6. Search for "Maintain security group" and select Maintain Permissions for Security Group.

   

7. Next to Operation, select Maintain. Next to Source Security Group, select your created security group.

   

8. Select the "+" icon to add a new Domain Security Policy Permission.

   1. Leave the Selected checkbox selected.

   2. Next to View/Modify Access, select Get Only.

   3. For Domain Security Policy:

      1. Add Worker Data: Public Worker Reports
      2. Add Worker Data: Organization Information
      3. Add Person Data: Private Work Email Integration
      4. Add Person Data: Skills
      5. Add Worker Data: Current Staffing Information

      

9. Search for "Activate Pending Security Policy Changes" and select it.

10. Add a descriptive comment about the change and select OK.

11. Select Confirm, then select OK. You now have a new system user with the proper permissions they need to get worker data.

3. Register an API Client

1. Search for "Register API Client" and select it.

   

2. Fill out the following fields:

   1. Give the client an appropriate name, such as "VivaConnectorClient."
   2. For the client grant type, select Jwt Bearer Grant.
   3. For x509 certificate:
      1. Select Create x509 Public Key.
      2. Give the certificate an appropriate name, such as "VivaX509Certificate."
      3. Paste the contents of the publicKey.pem file shared by the Global admin from the earlier step.
      4. Select OK.
      5. Ensure this certificate is selected for the field x509 Certificate.
   4. For Integration System User, enter the user you created earlier.
   5. Leave the access token type as "Bearer."
   6. Under Scope (Functional Areas), search for and select "Staffing," "Contact Information," "Worker Profile," and "Skills."
   7. Leave Include Workday Owned Scope cleared.
   8. Select the default values for the remaining fields.

3. Select OK.

   

4. A few new fields should populate below Restricted to IP Ranges. Save the following information and share it with the Global admin to enter in the Microsoft 365 admin center:

   1. "ClientID"

   2. Your Workday Token URL, such as https://wd3-impl-services1.workday.com/ccx/oauth2/contoso4/token.

   3. Your Workday web services URL, such as https://wd3-impl-services1.workday.com/ccx/service/contoso4.

      Note

      This isn't the same as the Workday REST API Endpoint. If you're not familiar with your Workday web services URL, you can create it by copying your Token Endpoint, replacing "oauth2" with "service," and removing "/token" from the end.

How Workday sends data to Microsoft 365

When you connect Workday to Microsoft 365, Workday sends over a set of predefined source columns. These columns are mapped to fields in Microsoft 365. You can't change these predefined fields.

Field mapping

The table below shows how Workday fields correspond to Microsoft 365 fields. Learn more about Microsoft 365 fields including data type and formatting requirements.