Workday is moving all customers from legacy private cloud infrastructure to true public cloud hosting on AWS and GCP. This is not optional. Every tenant not already on public cloud will be migrated, and Workday controls the long-term timeline.
That last point matters: you do not choose whether this happens. You choose how prepared you are when it does.
Customers who treat this as a routine update will be surprised. The migration changes URLs, integration endpoints, SSO behavior, and authentication architecture. None of those changes are small in a mature Workday environment. The organizations that come through cleanly are the ones that start their readiness work early, assign clear ownership, and approach the cutover with the same rigor they would bring to a new deployment.
This guide covers everything: what changes, what it means functionally and technically, and how to structure your preparation.
1. Why the Public Cloud Move Matters
The migration is not just an infrastructure upgrade. It unlocks platform capabilities that Workday has been building toward for years.
Experience and Resilience
- Zero-downtime maintenance for most weekly and monthly patches
- Faster page response times and regional failover
- Enhanced resiliency SLAs across all environments
Innovation and AI
- Access to Workday’s evolving AI and machine learning platform
- More scalable compute for EIBs, reports, and integrations
- Faster feature delivery aligned to Workday’s core product roadmap
Security and Governance
- Regional hosting for data residency compliance requirements
- Workday-managed VPC, hardened security groups, and modern TLS standards
- FedRAMP, ISO, SOC2, and HIPAA-aligned infrastructure
Operational Stability
- More predictable upgrade behavior
- Reduced surprise breakages from legacy infrastructure quirks
- Uniform architecture across all Workday customers
The upside is real. But so is the risk if you are unprepared.
2. What Actually Changes
The table below maps every major change area with both its functional and technical implications. Use this as the foundation for your impact assessment.
| Change Area | Impact Summary | Functional Considerations | Technical Considerations |
|---|---|---|---|
| Tenant URLs and Hostnames | All tenants receive new public-cloud URLs | Update job aids, learning content, training, email templates, and intranet pages | Update integrations, API endpoints, bookmarks, and embedded help text links |
| Integrations | Endpoints, IP addresses, and hostnames change | Validate downstream system behavior and timing | Update hardcoded URLs, IP allowlists, x.509 certificates, NAT and firewall rules |
| SSO / Identity | SAML and OAuth endpoints are updated | Revise login instructions and MFA guides for employees | Update IdP configuration (Okta, ADFS, Azure), SCIM provisioning, and token audience values |
| Mobile App | App connects to new hostnames | Update employee mobile setup communications | Revalidate mobile configuration |
| External Vendors | Vendors must update their API targets | Notify vendors with migration dates and testing windows | Vendor allowlist updates and certificate renewals |
| Documentation | All URL references must be refreshed | Update guides, job aids, onboarding materials, and support content | Update embedded help text links and system references |
| Change Management | Communication must be proactive and multi-channel | Deploy via email, Workday Announcements, and LMS | Update Workday Announcements and Workday Articles |
| Testing Burden | High regression risk across all connected systems | Validate business processes end-to-end | Validate EIBs, web services, Studio, PECI, Prism, and Payroll integrations |
| Cutover Steps | New delta-migration process with distinct timing requirements | Functional smoke testing and user validation | DNS propagation, IP rotation, file transfer revalidation |
| Performance Monitoring | System behavior may shift post-migration | Validate report runtimes and dashboards | Monitor logs, API latency, and integration throughput |
3. The Readiness Checklist
What follows is a combined functional and technical preparation plan organized by workstream. Each section can be assigned as a discrete track within your migration program.
A. Governance and Stakeholder Alignment
Functional
- Engage HR, Finance, Payroll, Talent, Recruiting (if deployed), Security, and Legal early
- Communicate expected impacts before the migration window is announced internally
Technical
- Identify system owners for integrations, identity, reporting, and network
- Validate contact information for all external vendors
B. Migration Timing and Business Calendar Alignment
Migration windows should be scheduled away from:
- Payroll close
- Year-end processes
- Open enrollment
- Merit and bonus cycles
- Active acquisition onboarding
Workday will provide a proposed migration window, a test migration (sandbox) window, and the production cutover schedule. Your job is to validate those windows against your business calendar and push back early if there is a conflict.
C. Integration and Endpoint Analysis
This is the highest-risk workstream for most mature tenants. Start here.
Integration types to audit:
- Core Connectors (PECI, PICOF, benefit carrier feeds)
- Studio integrations
- RaaS reports consumed by external systems
- EIB inbound and outbound
- API-based vendor calls
- Workday Extend applications
- File transfers via SFTP, FTPS, or HTTPS
Key technical tasks:
- Identify all hardcoded hostnames (wd2, wd3, wd5, and similar)
- Update IP allowlists and firewall exceptions
- Update vendor-side allowlists
- Reassign DNS CNAME records
- Revalidate certificate chains (x.509)
- Update API gateways and proxies
Functional validation tasks:
- Validate downstream system behaviors post-update
- Confirm Payroll, Time, Benefits, and Finance integrations process cleanly
- Verify file delivery timing windows remain intact
D. Identity and SSO Remediation
Technical work:
- Update IdP metadata
- Update ACS and EntityID values
- Update SCIM endpoints
- Validate OAuth2 client and audience values
- Validate MFA selector behavior
Functional work:
- Provide updated login guides to employees
- Update onboarding and offboarding workflows
- Update mobile app provisioning instructions
E. Data Preparation and Reconciliation
Functional tasks:
- Identify critical data objects for pre-migration validation: workers, position history, compensation, benefits elections, time, and payroll inputs
- Identify historical data required for compliance
Technical tasks:
- Run baseline data extracts before the migration window
- Identify data anomalies pre-migration
- Define reconciliation reports to run immediately post-cutover
- Validate custom reports and custom objects
F. Reporting and Dashboards
Functional validation:
- Validate Workday dashboards, scorecards, and custom reports
- Validate audit logs and security outputs
Technical validation:
- Validate report-as-a-service endpoints
- Validate Prism pipelines where applicable
- Confirm embedded help text and report links resolve correctly
G. Testing Strategy
| Testing Type | Scope | Recommended Approach |
|---|---|---|
| End-to-end business process | All deployed modules | Scripted functional test cases by business area |
| Regression | Integrations, reports, EIBs | Automated where possible; manual for edge cases |
| Authentication | SSO, MFA, SCIM | Test every identity provider path |
| Performance | Reports, EIB throughput, API latency | Baseline vs. post-migration comparison |
| Integration behavioral | Studio, Core Connectors, Extend | Full connectivity and data accuracy validation |
For automation, Functionize and Workato are both well-suited to behavioral testing in Workday environments. Data-driven comparative testing against your pre-migration baseline is the most efficient way to catch regressions at scale.
H. Communication and Change Management
Workstreams to stand up:
- Broadcast communications (email, intranet)
- Workday Announcements
- Workday Articles publishing
- Workday Wayfinder updates if you are using that framework
Critical messages for your workforce:
- New tenant URLs and when to expect them
- Identity and login changes
- Mobile app behavior changes
- What employees should do if they experience login issues at cutover
I. Infrastructure and Security Readiness
Network:
- Firewall updates
- NAT rule changes
- TLS version compliance validation
- DNS propagation testing in sandbox
Security controls:
- Updated authentication flows
- Updated certificate pinning where applicable
- Review of downstream IAM and service accounts
4. Migration Phases
The table below defines what SAG handles and what the customer owns across each phase of a managed migration engagement.
| Phase | SAG Responsibility | Customer Responsibility |
|---|---|---|
| 1. Discovery and Assessment | Integration review, data audit, security scoring, architecture mapping | Provide configuration access, vendor contact lists |
| 2. Design and Migration Planning | Cutover plan, technical mapping, identity design, rollback strategy | Validate scheduling, business constraints, and blackout windows |
| 3. Environment Provisioning | Workday coordination, test tenant readiness, baseline data extraction | Provide network and identity access |
| 4. Data Migration and Testing | Execute loads, correct defects, reconcile data, build comparison tooling | Validate results with business owners |
| 5. Integration Remediation | Rebuild endpoints, reconfigure integrations, retest, create migration scripts | Vendor coordination and change approval |
| 6. Identity and SSO Updates | Update IdP configurations, test SCIM, update OAuth flows | Provide IdP access and support |
| 7. Cutover and Go-Live | Lead delta migration, smoke tests, war-room operations | Monitor systems, validate critical functions |
| 8. Hypercare and Optimization | Performance tuning, integration stability checks, ROI dashboards | Provide feedback and approve fixes |
5. Key Risks and Mitigations
Beyond the standard checklist, these are the issues that cause the most damage when they surface late.
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Hardcoded hostname in integration not caught in audit | High in mature tenants | Integration failures at cutover | Comprehensive integration inventory with automated hostname scanning |
| Vendor allowlist not updated in time | Medium | Third-party feed failures | Vendor notification with 6-week lead time minimum |
| SSO misconfiguration post-migration | Medium | Complete user lockout | Full IdP testing in sandbox before production cutover |
| Custom domain or custom object link failures | Medium | Broken help text, embedded links | Pre-migration link audit across all custom content |
| Certificate rotation timing issues | Medium | Authentication failures | Certificate renewal and validation as a discrete workstream |
| High-volume integrations backing up in queues | Low to Medium | Payroll and benefit file delays | Load testing and queue monitoring in the test migration window |
| Payroll integration timing disruption | Low with planning | Pay cycle failure | Explicit payroll validation as a sign-off gate before cutover approval |
6. Success Metrics
Define these before the migration so you have a clear standard for what “done” looks like.
Technical KPIs:
- API latency percentage change pre vs. post migration
- Integration retry counts and error rate trends
- Report runtimes compared to pre-migration baseline
- SCIM provisioning success rate
- Certificate renewal success metrics
Functional KPIs:
- Reduction in user login failure tickets
- Lower L1 and L2 support ticket volume post-cutover
- Payroll and time calculation accuracy confirmation
- Completion time of key business processes vs. baseline
- End-user satisfaction survey results at 30 and 60 days post-migration
7. Immediate Next Steps
If you have not already started, these are the actions that move the needle today:
- Open a Workday Migration Case to get your tenant on the schedule
- Schedule your test tenant migration window as early as possible
- Run an integration inventory to identify every endpoint and hostname reference
- Start your SSO and identity remediation plan
- Prepare data reconciliation reports for post-cutover validation
- Establish executive-level sponsorship and assign a migration owner
SAG offers accelerators for this work: integration analysis scripts, configuration extractors, and data reconciliation tooling built specifically for the public cloud migration. We also recommend pairing this effort with a Workday Wayfinder refresh to modernize your documentation at the same time, and considering parallel security hardening, custom report cleanup, and integration rationalization while the program is already open. Reach out if you want to talk through your specific environment.
Ready to start your migration readiness assessment? Schedule a consultation with our team.