OverviewOverview
After a Workplace launch, organizations’ technical setups can change for a variety of reasons, such as adoption of new solutions, mergers and acquisition or organic digital evolution. These changes can affect how Workplace is deployed from an account management standpoint. Workplace supports different provisioning and user authentication methods. In this article we cover how to seamlessly migrate from one Workplace identity architecture to another in some of the most common scenarios organisations can encounter:
Migration from Bulk (with spreadsheet) to Automatic provisioningMigration from Bulk (with spreadsheet) to Automatic provisioning
While Workplace allows you to manage accounts manually or in bulk by using a spreadsheet/csv file, we highly recommend you to automate your account management in order to improve profile fields accuracy, automate deprovisioning, and reduce operational cost. With an automated account management tool in place, a user account will be automatically created, updated and deactivated in Workplace according to your Cloud Identity Provider (IdP).
Follow the steps in this guide to set up your Identity Provider to automate the user account management in Workplace and remove the need to manually add/edit/deactivate users in bulk. You will need to have a Workplace Admin role assigned and have administrative access to your Cloud IdP instance as well in order to make these changes.
Perform a clean-up of your Workplace by disabling users who should no longer be part of it.
IMPORTANT: Validate that active Workplace users have the same email address in your Cloud IdP (UPN or email). This verification will prevent the Cloud IdP from creating duplicate accounts.
If, as part of this activity, you also need to change email addresses of your users in the Workplace, follow the steps in the
Bulk change email addresses section before proceeding to the next step.
After verifying that users have the same email address in Workplace and Cloud IdP, proceed with configuring automatic provisioning in your IDP and activate synchronization as described in
Workplace Tech Resources - Account Management.
Email addresses bulk changeEmail addresses bulk change
If your company decides to change the primary email address (i.e email domain) for all users or some users in your organisation, you will need to edit your users' email addresses in Workplace first. Here are some recommendations for Workplace Administrators to perform this type of change:
If you currently have automatic provisioning configured via Cloud IdP or SCIM API, pause the sync between the platforms.This would ensure existing accounts are not impacted in any way during the migration.
If you are using a SSO provider, validate that the new email domain has been assigned to a Workplace SSO provider.
Before performing the change on all accounts, it's recommended to run a manual test with one user to check that their access to Workplace is not affected. Change the user email address manually via the Admin Panel and perform a clean authentication (i.e. by using an incognito browser session). If authentication is successful, you can proceed with the update of the accounts.
Validate that your identity sources (e.g. Cloud IDP) have the correct emails assigned to the users in scope for the change before reactivating the connector.
Configure the new Cloud IdP provisioning connector or reactivate the sync. In the case of configuring a new Cloud IdP, remember to disable the old Cloud IdP configuration.
After a provisioning connector synchronisation cycle,
export a list of all Workplace users, via API or
via CSV, to verify and confirm that all users have the new email domain.
Changing SSO ConfigurationChanging SSO Configuration
If you plan to move to a new SSO provider (e.g. from ADFS to Azure Active Directory) or change some SSO provider settings (e.g. update your certificate) follow these recommendations:
Configure at least one “break-glass” system administrator account to authenticate to Workplace via username / password (preferably with MFA enabled). In case of an outage or any other problem with the SSO provider configuration, these admins will be able to access Workplace normally, troubleshoot Workplace side, and even change the method of authentication to key users of the platform. Confirm emergency administrators have access to the Admin Panel and have the System Admin role assigned before moving to the next step.
Ensure the migration is done according to your organization's IT change governance schedule (under a proper maintenance Window), and outside the business hours.
To minimise disruptions for your users, edit the current SSO configuration on Workplace under the Admin Panel instead of deleting it.
If you want to force re-authentication for all your users, this can be done from the SSO configuration screen in the Admin Panel (Under Security > Authentication >SAML Reauthentication and select the option "Force everyone to authenticate again now ").
In case all admins get locked out accidentally and you need to contact Workplace support, please use
this form to request assistance.
