Connect Workday to Microsoft Cloud App Security

Applies to: Microsoft Cloud App Security

This article provides instructions for connecting Microsoft Cloud App Security to your existing Workday account using the app connector API. This connection gives you visibility into and control over Workday use. For information about how Cloud App Security protects Workday, see Protect Workday.

Quick start

Watch our quick start video showing how to configure the prerequisites and perform the steps in Workday. Once you've completed the steps in the video, you can proceed to add the Workday connector.


The Workday account used for connecting to Cloud App Security must be a member of a security group (new or existing). We recommended using a Workday Integration System User. The security group must have the following permissions selected for the following domain security policies:

Functional area Domain Security policy Subdomain Security policy Report/Task Permissions Integration Permissions
System Set Up: Tenant Setup – General Set Up: Tenant Setup – Security View, Modify Get, Put
System Security Administration View, Modify Get, Put
System System auditing View Get
Staffing Worker Data: Staffing Worker Data: Public Worker Reports View Get


  • The account that is used to set up permissions for the security group must be a Workday Administrator.
  • To set permissions, search for "Domain Security Policies for Functional Area", then search for each functional area ("System"/"Staffing") and grant the permissions listed in the table.
  • Once all permissions have been set, search for "Activate Pending Security Policy Changes" and approve the changes.

For more information about setting up Workday integration users, security groups, and permissions, see steps 1 to 4 of the Grant Integration or External Endpoint Access to Workday guide (accessible with Workday documentation/community credentials).

How to connect Workday to Cloud App Security using OAuth

  1. Sign in to Workday with an account that is a member of the security group mentioned in the prerequisites.

  2. Search for "Edit tenant setup – system", and under User Activity Logging, select Enable User Activity Logging.

    Screenshot of allowing user activity logging

  3. Search for "Edit tenant setup – security", and under OAuth 2.0 Settings, select OAuth 2.0 Clients Enabled.

  4. Search for "Register API Client" and select Register API Client – Task.

  5. On the Register API Client page, fill out the following information, and then click OK.

    Field name Value
    Client Name Microsoft Cloud App Security
    Client Grant Type Authorization Code Grant
    Access Token Type Bearer
    Redirection URI
    Non-Expiring Refresh Tokens Yes
    OAuth2 Scopes Staffing and System
    Scope (Functional Areas) Staffing and System

    Screenshot of registering API client

  6. Once registered, make a note for the following parameters, and then click Done.

    • Client ID
    • Client Secret
    • Workday REST API Endpoint
    • Token Endpoint
    • Authorization Endpoint

    Screenshot of confirming registration of API client

  7. In the Cloud App Security portal, click Investigate and then click Connected Apps.

  8. In the App connectors page, click the plus button and then Workday.

    Screenshot of adding app connector

  9. In the pop-up, add your instance name and then click Connect Workday.

    Screenshot of adding instance name

  10. On the next page, fill out the details with the information you noted earlier, and then click Connect in Workday.

    Screenshot of filling out app details

  11. In Workday, a pop-up appears asking you if you want to allow Cloud App Security access to your Workday account. To proceed, click Allow.

    Screenshot of authorizing access to app

  12. Back in the Cloud App Security portal, you should see a message that Workday was successfully connected. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. After receiving a success notice, click Close.


After connecting Workday, you'll receive events for seven days prior to connection.

If you have any problems connecting the app, see Troubleshooting App Connectors.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.