During the Workspace ONE Access directory setup process, you select the user attributes to sync from your enterprise directory to the Workspace ONE Access directory. You manage the list of user attributes from the Settings > User Attributes page in the Workspace ONE Access console.

Default Attributes

The User Attributes page lists the default Workspace ONE Access directory attributes that can be mapped to Active Directory or LDAP directory attributes.

You select which attributes are required and which ones are optional. Attributes marked required must be populated for all synced user records. User records that are missing values for the required attributes will not be synced to Workspace ONE Access. Also keep in mind that you can only mark attributes required before any directory is created in the Workspace ONE Access service. After a directory is created, you can no longer change an attribute to be a required attribute.

The following table lists the attributes that have default mappings to Active Directory attributes. You can update the mappings when you create the Workspace ONE Access directory.

Table 1. Default Attributes to sync to the Workspace ONE Access directory

| Workspace ONE Access Directory Attribute Name | Default Mapping to Active Directory Attribute |
|---|---|
| userPrincipalName | userPrincipalName |
| domain | canonicalName. Adds the fully qualified domain name of object. |
| disabled (external user disabled) | userAccountControl. Flagged with UF_Account_Disable. When an account is deactivated, users cannot log in to access their applications and resources. The resources assigned to users are not removed from the account so that when the flag is removed from the account users can log in and access their assigned resources. |
| distinguishedName | distinguishedName |
| Email | mail |
| employeeID | employeeID |
| First Name | givenName |
| Last Name | sn |
| sourceAnchor | objectGUID |
| Phone | telephoneNumber |
| Username | sAMAccountName |

Custom Attributes

On the User Attributes page, you can also enter additional attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.

The following attributes cannot be used as custom attribute names because the Workspace ONE Access service uses these attributes internally for user identity management.

Table 2. Attributes that cannot be used as custom attribute names
active externalId locale phoneNumbers timezone
addresses externalUserDisabled meta photos title
displayName groups name preferredLanguage userName
emails id nickName profileUrl userType
employeeNumber ims password schemas x509Certificates

Note: If your enterprise directory includes any of these attributes and you need to sync the attribute to Workspace ONE Access, create a custom attribute in Workspace ONE Access with a different name and map it to the directory attribute. For example, to sync the employeeNumber attribute from your directory to Workspace ONE Access, you can create an attribute named newEmployeeID in Workspace ONE Access and map it to the employeeNumber attribute when you create the Workspace ONE Access directory.

How Attributes Work

Attributes on the User Attributes page apply to all directories in the Workspace ONE Access service. When you make changes to user attributes, consider the effect on all directories. For example, if you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for Username. If an attribute is marked required, user records that do not contain a value for that attribute are not synced to the Workspace ONE Access service.

When you create a directory, the list of attributes from the User Attributes page appears in the Map Attributes section of the wizard, and you can specify the mapping between the Workspace ONE Access attributes and the Active Directory or LDAP directory attributes. After you create the directory, you can view and update the attribute mappings from the directory's Sync Settings tab.

After any directory is created in the Workspace ONE Access service, you can no longer mark attributes required on the User Attributes page. The following changes to user attributes are still allowed:

  • Add custom attributes (User Attributes page)
  • Delete custom attributes (User Attributes page)
  • Change required attributes to optional (User Attributes page)
  • Change the mapping of attributes (directory's Sync Settings tab)

Changes that are made and saved in the User Attributes page after a directory is created are applied to the directory with the next sync.

Important Requirements

  • If you map any user attribute to the Active Directory attribute objectGUID or mS-DS-ConsistencyGuid, all users must have a non-empty value for the attribute in Active Directory and the value must be exactly 16 bytes in length. Also, you must map the Workspace ONE Access attribute to the correct Active Directory attribute name, using the correct case. If the attribute names do not match, a null value is returned, and directory sync fails. For example, if you use the mS-DS-ConsistencyGuid attribute in Active Directory and you specify ms-DS-ConsistencyGuid in Workspace ONE Access, directory sync cannot succeed.
  • The sourceAnchor attribute has the following requirements:
    • The sourceAnchor attribute is case-sensitive.
    • Attribute values cannot be changed after users are synchronized to Workspace ONE Access.
    • Attribute values must be fewer than 60 characters in length. Characters that are not a-z, A-Z, or 0-9 are encoded and counted as 3 characters.
    • Attribute values must not contain a special character: \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , [ ] " @ _
    • If you map the sourceAnchor attribute to an attribute that is not of type string, then Base64 encode the attribute values to ensure that no special characters appear and make sure the values match the Microsoft encoding format.
    • If you map the sourceAnchor attribute to a binary attribute, make sure the values adhere to the proper GUID format.
    • See Selecting a good sourceAnchor Attribute in the Microsoft documentation for the full list of requirements for the attribute.
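
The requirements above can be checked against a directory export before the first sync. The following is an added example, not code from the Workspace ONE Access product or its documentation; the record shape, function names, and sample values are assumptions, and it treats sourceAnchor as mapped to a string attribute.

```python
# AD attribute names as spelled on this page; the mapping must match case exactly.
GUID_ATTRS = ("objectGUID", "mS-DS-ConsistencyGuid")
# Special characters the page forbids in sourceAnchor values.
FORBIDDEN = set("\\!#$%&*+/=?^`{}|~<>()';:,[]\"@_")

def check_mapping_name(ad_attr):
    """Flag a GUID attribute name that differs from the AD spelling only by case."""
    for canonical in GUID_ATTRS:
        if ad_attr.lower() == canonical.lower() and ad_attr != canonical:
            return f"mapping '{ad_attr}' must be spelled '{canonical}'"
    return None

def check_guid(raw):
    """A mapped GUID attribute must be non-empty and exactly 16 bytes."""
    n = len(raw or b"")
    return None if n == 16 else f"GUID value is {n} bytes, expected exactly 16"

def encoded_length(value):
    """Characters outside a-z, A-Z, 0-9 are encoded and count as 3 characters."""
    return sum(1 if (ch.isascii() and ch.isalnum()) else 3 for ch in value)

def check_source_anchor(value):
    """Return the list of problems with one string sourceAnchor value."""
    problems = []
    bad = sorted(set(value) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if encoded_length(value) >= 60:
        problems.append(f"encoded length {encoded_length(value)} is not fewer than 60")
    return problems

def audit(mapping_attr, users):
    """users: (username, guid_bytes, source_anchor) tuples, a hypothetical export shape."""
    findings = {}
    if check_mapping_name(mapping_attr):
        findings["<mapping>"] = [check_mapping_name(mapping_attr)]
    for username, guid, anchor in users:
        issues = [i for i in [check_guid(guid)] if i] + check_source_anchor(anchor)
        if issues:
            findings[username] = issues
    return findings

# Constructed sample records, not real directory data.
SAMPLE = [("alice", bytes(range(16)), "a1b2c3d4e5"),
          ("bob", b"", "bob@example.com"),
          ("carol", bytes(12), "x-" * 15)]

if __name__ == "__main__":
    print(audit("ms-DS-ConsistencyGuid", SAMPLE))
```

The carol record shows the length rule at its boundary: 30 typed characters, half of them hyphens, reach an encoded length of 60 and are rejected.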