During the Workspace ONE Access directory setup, you select the user attributes to sync to the Workspace ONE Access directory. The list of user attributes is managed from the Identity & Access Management > Setup > User Attributes page.

The User Attributes page lists the default Workspace ONE Access directory attributes that can be mapped to Active Directory or LDAP directory attributes. You select the attributes that are required, and you can add other attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.
Table 1. Default Attributes to Sync to Directory

| Workspace ONE Access Directory Attribute Name | Default Mapping to Active Directory Attribute |
|---|---|
| userPrincipalName | userPrincipalName |
| distinguishedName | distinguishedName |
| employeeId | employeeID |
| domain | canonicalName. Adds the fully qualified domain name of the object. |
| disabled (external user disabled) | userAccountControl. Flagged with UF_Account_Disable. When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account, so that when the flag is removed from the account, users can log in and access their entitled resources. |
| phone | telephoneNumber |
| lastName | sn |
| firstName | givenName |
| email | mail |
| userName | sAMAccountName |

The following attributes cannot be used as custom attribute names because the Workspace ONE Access service uses these attributes internally for user identity management.

  • externalUserDisabled
  • employeeNumber

Attributes on the User Attributes page apply to all directories in the Workspace ONE Access service. When you make changes to user attributes, consider the effect on all directories. For example, if you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName. If an attribute is marked required, users without that attribute are not synced to the Workspace ONE Access service.

When you create a directory, the list of attributes from the User Attributes page appears on the Mapped Attributes page of the Add Directory wizard and you can specify the mapping between the Workspace ONE Access attributes and the Active Directory or LDAP directory attributes. After you create the directory, the Mapped Attributes page is available from the directory's Sync Settings page.

Changes that are made and saved in the User Attributes page after a directory is created are applied to the directory with the next sync.
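The required-attribute rule, the reserved names, and the disabled flag described above can be checked against a directory export before a sync. The following Python sketch is an added example, not VMware code. The function names, the dict-based entry format, and the sample entries are assumptions, and it treats an empty value the same as a missing attribute.

```python
UF_ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl bit for a disabled account

# Default mapping from Table 1 (Workspace ONE Access name -> Active Directory attribute)
DEFAULT_MAPPING = {
    "userPrincipalName": "userPrincipalName", "distinguishedName": "distinguishedName",
    "employeeId": "employeeID", "domain": "canonicalName",
    "disabled": "userAccountControl", "phone": "telephoneNumber",
    "lastName": "sn", "firstName": "givenName",
    "email": "mail", "userName": "sAMAccountName",
}
RESERVED_CUSTOM_NAMES = {"externalUserDisabled", "employeeNumber"}


def check_custom_names(names, existing=DEFAULT_MAPPING):
    """Flag proposed custom names that are reserved or differ from an existing name only by case."""
    lowered = {n.lower(): n for n in existing}
    findings = {}
    for name in names:
        if name in RESERVED_CUSTOM_NAMES:
            findings[name] = "reserved"
        elif name not in existing and name.lower() in lowered:
            # Names are case-sensitive, so this would create a second, distinct attribute.
            findings[name] = "case-variant of " + lowered[name.lower()]
    return findings


def audit_entries(entries, required, mapping=DEFAULT_MAPPING):
    """Return (skipped, disabled): users lacking a required attribute, and disabled accounts."""
    skipped, disabled = {}, []
    for e in entries:
        ident = e.get(mapping["userName"]) or "<unknown>"
        # Assumption: an empty value counts as a missing attribute.
        missing = [a for a in required if not e.get(mapping[a])]
        if missing:
            skipped[ident] = missing
        if int(e.get(mapping["disabled"]) or 0) & UF_ACCOUNTDISABLE:
            disabled.append(ident)
    return skipped, disabled


SAMPLE_ENTRIES = [  # constructed sample data, shaped like an Active Directory export
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "userAccountControl": "512"},
    {"sAMAccountName": "bjones", "userAccountControl": "514"},  # no mail; 512 | 2 = disabled
    {"sAMAccountName": "svc-backup", "mail": "", "userAccountControl": "66048"},  # empty mail
]

if __name__ == "__main__":
    print(check_custom_names(["employeeNumber", "Email", "costCenter"]))
    print(audit_entries(SAMPLE_ENTRIES, required=["userName", "email"]))
```

For an LDAP directory, pass a mapping that reflects that directory's attribute names in place of `DEFAULT_MAPPING`.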