I am working with a customer who is testing out the new Cloud HR Provisioning solutions for Azure AD. The goal of the deployment is to have new hires, terminations, and movers (department changes, consulting to FTE) events transition from the Workday HR system to Active Directory.
Once in Active Directory their current Azure AD Connect solution will sync the user to the cloud to enable SSO to many of their applications.
While testing this solution I ran into an issue where users that had an account already in AD, prior to the first matching event, would throw an error when Exported to AD.
Digging into this issue the root cause was due to attempting to process an attribute update on the ‘name’ attribute in AD.
The ‘name’ attribute is a Relative Distinguished Name, as such it cannot be updated but requires a Rename event to modify. the current deployment of the Workday provisioning agent does not account for this and throws an error error when attempting to process the request.
To work around this issue, I updated the Attribute Mapping so the ‘name’ value would only be set “only during account creation” and not changed on an update request.
I’ve created a user voice to request Microsoft account for renames of the ‘name’ value by adding the appropriate code to the provisioning agent vote for it here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39821542-allow-rename-function-for-ad-name-attribute