During the Workspace ONE Access directory setup process, you select the user attributes to sync to the Workspace ONE Access directory. The list of user attributes is managed from the Identity & Access Management > Setup > User Attributes page.

The User Attributes page lists the default Workspace ONE Access directory attributes that can be mapped to Active Directory or LDAP directory attributes. You select which attributes are required and which ones are optional. Attributes marked required must be populated for all synced user records. User records that are missing values for the required attributes will not be synced to Workspace ONE Access. Also keep in mind that you can only mark attributes required before any directory is created in the Workspace ONE Access service. After a directory is created, you can no longer change an attribute to be a required attribute.

Table 1. Default Attributes to Sync to Directory

Workspace ONE Access Directory Attribute Name   Default Mapping to Active Directory Attribute
---------------------------------------------   ---------------------------------------------
userPrincipalName                               userPrincipalName
distinguishedName                               distinguishedName
employeeId                                      employeeID
domain                                          canonicalName. Adds the fully qualified domain name of the object.
disabled (external user disabled)               userAccountControl. Flagged with UF_Account_Disable.
phone                                           telephoneNumber
lastName                                        sn
firstName                                       givenName
email                                           mail
userName                                        sAMAccountName

Note on the disabled attribute: When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account, so that when the flag is removed from the account users can log in and access their entitled resources.

On the User Attributes page, you can also enter additional attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.

The following attributes cannot be used as custom attribute names because the Workspace ONE Access service uses these attributes internally for user identity management.

  • externalUserDisabled
  • employeeNumber
  • emails

Attributes on the User Attributes page apply to all directories in the Workspace ONE Access service. When you make changes to user attributes, consider the effect on all directories. For example, if you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for userName. If an attribute is marked required, user records that do not contain a value for that attribute are not synced to the Workspace ONE Access service.
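The following Python is an added illustration of the sync rules described above (the default mapping in Table 1, skipping records that lack a required attribute, deriving disabled from userAccountControl, and rejecting reserved custom attribute names); it is not Workspace ONE Access code. The mapping is modelled as a plain dictionary, the sample records are constructed, and the 0x2 bit value for the disabled flag comes from the Active Directory definition of userAccountControl rather than from this page.

```python
# Default mapping from Table 1 (Workspace ONE Access attribute -> AD attribute).
DEFAULT_MAPPING = {
    "userPrincipalName": "userPrincipalName",
    "distinguishedName": "distinguishedName",
    "employeeId": "employeeID",
    "phone": "telephoneNumber",
    "lastName": "sn",
    "firstName": "givenName",
    "email": "mail",
    "userName": "sAMAccountName",
}
# Reserved by the service for internal use; not allowed as custom attribute names.
RESERVED_CUSTOM_ATTRIBUTES = {"externalUserDisabled", "employeeNumber", "emails"}
# userAccountControl bit for a disabled account (0x2 is AD's definition, not from the page).
UF_ACCOUNTDISABLE = 0x2

def validate_custom_attribute(name):
    """Reject reserved names; the check is case-sensitive, like attribute names."""
    if name in RESERVED_CUSTOM_ATTRIBUTES:
        raise ValueError(f"{name} is reserved by Workspace ONE Access")
    return name

def map_user(record, required=("userName",), mapping=DEFAULT_MAPPING):
    """Return the mapped user dict, or None if a required attribute is missing."""
    user = {}
    for wsone_attr, ad_attr in mapping.items():
        value = record.get(ad_attr)
        if value in (None, ""):
            if wsone_attr in required:
                return None  # the sync skips this record
            continue  # optional attribute: leave it unset
        user[wsone_attr] = value
    # domain is the FQDN prefix of canonicalName, e.g. "corp.example.com/Users/jdoe".
    if record.get("canonicalName"):
        user["domain"] = record["canonicalName"].split("/", 1)[0]
    # disabled follows the UF_ACCOUNTDISABLE flag; entitlements are not removed.
    user["disabled"] = bool(int(record.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE)
    return user

def sync(records, required=("userName",)):
    """Return (synced users, count of records skipped for a missing required attribute)."""
    users = [map_user(r, required) for r in records]
    return [u for u in users if u is not None], users.count(None)

# Constructed sample records (not real directory data): a disabled user and one without userName.
SAMPLE_RECORDS = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@corp.example.com", "givenName": "Jane", "sn": "Doe",
     "canonicalName": "corp.example.com/Users/Jane Doe", "userAccountControl": "514"},
    {"sAMAccountName": "", "mail": "svc@corp.example.com", "userAccountControl": "512"},
]
```

Running `sync(SAMPLE_RECORDS)` yields one synced user (jdoe, with disabled set and no phone attribute) and one skipped record; marking employeeId required as well would skip both sample records, which is the effect the page warns about.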

When you create a directory, the list of attributes from the User Attributes page appears on the Mapped Attributes page of the Add Directory wizard and you can specify the mapping between the Workspace ONE Access attributes and the Active Directory or LDAP directory attributes. After you create the directory, the Mapped Attributes page is available from the directory's Sync Settings page.

After any directory is created in the Workspace ONE Access service, you can no longer mark attributes required on the User Attributes page. The following changes to user attributes are still allowed:

  • Add custom attributes (User Attributes page)
  • Delete custom attributes (User Attributes page)
  • Change required attributes to optional (User Attributes page)
  • Change the mapping of attributes (directory's Sync Settings page)

Changes that are made and saved in the User Attributes page after a directory is created are applied to the directory with the next sync.