Onboarding workflow stuck at manager approval step when integrated with Azure AD

Our onboarding workflows are consistently getting stuck at the manager approval stage after we integrated Dayforce with Azure AD for SSO. The workflow progresses normally through HR data entry and document upload steps, but when it reaches manager approval, it just sits there indefinitely.

We’ve verified that managers can log into Dayforce successfully using their Azure AD credentials, but they’re not receiving approval notifications and the tasks don’t appear in their workflow queue. When we check the workflow status in Dayforce, it shows “Pending Manager Approval” but doesn’t identify which manager should be approving.

Our Azure AD sync configuration:


Attribute Mapping:
Azure AD mail -> Dayforce email
Azure AD displayName -> Dayforce full_name
Azure AD employeeId -> Dayforce employee_number

We suspect there’s a mismatch in how manager relationships are being mapped between Azure AD and Dayforce’s organizational hierarchy. Has anyone encountered workflow approval issues after implementing Azure AD integration? We need to resolve this quickly as we have 23 new hires stuck in the system.

Beyond just mapping the manager attribute, you need to ensure the Azure AD manager DN gets resolved to the corresponding Dayforce employee record. This typically requires a transformation rule in your identity provider configuration that extracts the manager’s employeeId from their Azure AD object and maps it to Dayforce’s manager_employee_id field. The DN format doesn’t translate directly.

The manager relationship mapping is definitely the issue. Azure AD uses the ‘manager’ attribute to store the distinguished name (DN) of the manager object, but Dayforce expects a direct employee ID or email reference. Your attribute mapping doesn’t include the manager field at all, so Dayforce has no way to identify who should approve the workflow. You need to add manager attribute mapping to your sync configuration.

Also check your workflow approval logic configuration in Dayforce. The workflow engine needs to be configured to use the correct manager lookup method. There are multiple options: direct manager from org hierarchy, role-based approval, or custom approval routing. If it’s set to use org hierarchy but the hierarchy isn’t populated from Azure AD correctly, approvals will fail silently. Navigate to Workflow Configuration > Approval Rules and verify the manager resolution method matches your integration setup.

You’re dealing with a multi-layered integration problem that requires addressing all four critical areas systematically.

Manager Identity Mapping: Your current Azure AD attribute mapping is incomplete. You must add manager attribute mapping with proper DN resolution:


Attribute Mapping (Enhanced):
Azure AD mail -> Dayforce email
Azure AD displayName -> Dayforce full_name
Azure AD employeeId -> Dayforce employee_number
Azure AD manager (DN) -> Dayforce manager_employee_id (transformed)

The transformation is critical because Azure AD stores manager as a DN like “CN=John Smith,OU=Users,DC=company,DC=com” but Dayforce needs the manager’s employee_number. Implement a lookup transformation that extracts the manager DN, queries that user object, retrieves their employeeId attribute, and maps that to Dayforce’s manager_employee_id field.

Azure AD Attribute Configuration: Configure additional attributes in your Azure AD sync scope. Beyond basic user attributes, you need:


// Pseudocode - Required Azure AD attributes:
1. Query user object with $expand=manager parameter
2. Extract manager.employeeId from expanded object
3. Map to Dayforce organizational hierarchy manager field
4. Ensure manager object exists in Dayforce before mapping (referential integrity)
5. Handle cases where manager is null (executives, CEO)

Also enable delta sync so manager changes in Azure AD propagate to Dayforce within minutes rather than waiting for full sync cycles.

Workflow Approval Logic: Access Dayforce workflow configuration and verify the approval routing method. Navigate to Business Process Configuration > Onboarding Workflows > Approval Steps. The manager approval step should be configured as:

  • Approval Type: “Direct Manager from Org Hierarchy”
  • Fallback Approver: HR Manager (for cases where direct manager is null)
  • Lookup Method: “Employee Manager Relationship”

If it’s currently set to “Role-Based” or “Custom Routing”, that explains why approvals aren’t routing correctly. The workflow engine is looking for role assignments rather than organizational hierarchy relationships.

Integration Service Account Permissions: Your Azure AD app registration needs elevated Graph API permissions. Current required permissions:

  • User.Read.All (delegated and application)
  • Directory.Read.All (application)
  • Group.Read.All (application, if using group-based manager assignments)

Verify these in Azure Portal > App Registrations > Your Dayforce Integration App > API Permissions. After adding permissions, click “Grant admin consent” - this is critical and often overlooked. Without admin consent, the permissions don’t actually take effect even if they’re listed.

Additionally, check the integration service account in Dayforce has the “Manage Organizational Hierarchy” security role. This allows it to write manager relationships to employee records.

For your 23 stuck onboarding workflows, you’ll need to manually remediate them after fixing the integration. Go to each workflow instance, verify the manager is now correctly identified in the employee record, then use the “Reassign Task” function to push the approval to the correct manager’s queue. Going forward, new onboarding workflows should route correctly once all four areas are properly configured.

Implement monitoring on the Azure AD sync job to alert when manager attribute mappings fail - this will catch issues before they impact workflows. We log every manager mapping operation and alert if the failure rate exceeds 2%.
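The manager lookup steps and the 2% failure-rate alert described in the answer above, as an added Python example that is not part of the original thread or of any Dayforce or Microsoft code. The user records are constructed sample data shaped like a Microsoft Graph `GET /users?$expand=manager` response; the Dayforce employee set, the `HR-FALLBACK` approver id and the function names are hypothetical.

```python
# Constructed sample shaped like a Microsoft Graph response to
# GET /users?$select=employeeId,mail&$expand=manager($select=employeeId,mail)
GRAPH_USERS = [
    {"employeeId": "1001", "mail": "ceo@example.com"},  # no manager (CEO)
    {"employeeId": "1002", "mail": "hr.lead@example.com",
     "manager": {"employeeId": "1001", "mail": "ceo@example.com"}},
    {"employeeId": "2001", "mail": "new.hire@example.com",
     "manager": {"employeeId": "1002", "mail": "hr.lead@example.com"}},
    # Manager object exists in Azure AD but has no employeeId set
    {"employeeId": "2002", "mail": "new.hire2@example.com",
     "manager": {"employeeId": None, "mail": "contractor.mgr@example.com"}},
    # Manager's employeeId has no matching Dayforce employee record yet
    {"employeeId": "2003", "mail": "new.hire3@example.com",
     "manager": {"employeeId": "9999", "mail": "unsynced.mgr@example.com"}},
]
DAYFORCE_EMPLOYEE_NUMBERS = {"1001", "1002", "2001", "2002", "2003"}  # constructed
FALLBACK_APPROVER = "HR-FALLBACK"  # hypothetical id for the fallback HR Manager
FAILURE_RATE_THRESHOLD = 0.02      # the 2% alert threshold from the answer


def resolve_manager(user, known_employees):
    """Return (manager_employee_id, status) for one Graph user object."""
    manager = user.get("manager")
    if not manager:                        # step 5: manager is null
        return FALLBACK_APPROVER, "no_manager"
    manager_id = manager.get("employeeId")
    if not manager_id:                     # step 2 found nothing to map
        return None, "manager_missing_employee_id"
    if manager_id not in known_employees:  # step 4: referential integrity
        return None, "manager_not_in_dayforce"
    return manager_id, "ok"


def sync_managers(users, known_employees):
    """Build manager_employee_id mappings plus a failure report and alert flag."""
    mappings, failures = {}, []
    for user in users:
        manager_id, status = resolve_manager(user, known_employees)
        if manager_id is None:
            failures.append((user["employeeId"], status))
        else:
            mappings[user["employeeId"]] = manager_id
    rate = len(failures) / len(users) if users else 0.0
    return mappings, failures, rate, rate > FAILURE_RATE_THRESHOLD


if __name__ == "__main__":
    mappings, failures, rate, alert = sync_managers(
        GRAPH_USERS, DAYFORCE_EMPLOYEE_NUMBERS)
    print(mappings, failures, f"{rate:.0%}", "ALERT" if alert else "ok")
```

Records that fail resolution are left unmapped and reported rather than written with a guessed manager, so an approval task is never routed to the wrong person's queue.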

Don’t overlook the integration service account permissions. The account that Dayforce uses to query Azure AD for manager relationships needs specific Graph API permissions: User.Read.All at minimum, and possibly Directory.Read.All depending on your Azure AD configuration. Without these permissions, the integration can’t traverse the organizational hierarchy to identify managers even if the attribute mapping is correct. Check your Azure AD app registration and verify the API permissions are granted and admin-consented.

There’s also a timing issue to consider. If the Azure AD sync runs after the onboarding workflow initiates, the manager relationship might not be populated yet when the workflow tries to assign the approval task. We implemented a workflow delay of 2 hours after initial user creation to ensure the sync completes before approval steps execute.