Security on OfficeConnectPro

Secure OfficeConnect Workbooks

Mon, 01 Jan 0001 00:00:00 +0000

Automatic timeout

Workday OfficeConnect uses a session timeout to keep your reports secure. If you haven’t refreshed your report in 60 minutes (or your configured timeout period), OfficeConnect prompts you to re-authenticate the next time you try to refresh.

The timeout duration is set by your Adaptive Planning administrator.

Data clearing on save

By default, Workday OfficeConnect clears all data when you save a workbook. Connected cells display a placeholder (default: n/a) until the next refresh. This means:

Fix Authentication and Token Errors in OfficeConnect

Mon, 01 Jan 0001 00:00:00 +0000

Token and sign-in errors usually mean the SSO session has lapsed or the tenant configuration has drifted. Confirm Workday OfficeConnect is pointed at a valid tenant on Sign In & Create a Tenant, and review your Workday SSO configuration if multiple users hit the same error.

Symptom

One or more of the following:

OfficeConnect shows an error message containing words like “Authentication failed”, “Token expired”, “Unauthorized”, or “401”
The sign-in browser window opens but returns an error after you authenticate
OfficeConnect repeatedly asks you to sign in even after a successful authentication
Refresh fails immediately with an authentication-related error rather than a network error

Causes

The Workday SSO session has expired and the access token needs to be refreshed
The OfficeConnect client ID or tenant configuration is incorrect or has changed
A browser cookie or cached token is corrupted, preventing new authentication from completing
The Workday tenant’s OAuth application for OfficeConnect has been disabled or its credentials rotated
Multi-factor authentication (MFA) requirements have changed and OfficeConnect’s browser flow isn’t handling the new MFA step

Fix 1: Sign out and sign back in

The fastest fix for most token errors is a clean sign-out and re-authentication.

Govern

Mon, 01 Jan 0001 00:00:00 +0000

Governance topics for keeping OfficeConnect deployments secure, auditable, and compliant.

Articles in this section

Secure Workbooks — How Workday OfficeConnect handles security, timeouts, and data clearing to protect sensitive financial data

Designing Write-Back Permissions for Workday OfficeConnect

Mon, 01 Jan 0001 00:00:00 +0000

Workday OfficeConnect write-back inherits Adaptive Planning’s permission model. There is no separate “OfficeConnect role” — if a user’s Adaptive role grants Input on a version and a Level, they can write to it from Excel. That means good permission design in Adaptive is good write-back governance in OfficeConnect. This article lays out the design principles and the patterns that make write-back safe by default.

What you’ll need:

An Adaptive Planning admin or model-management role
A target version (typically a Budget or Forecast) that planners will write to
A clear list of who plans for what (planner → Levels they own)

The permission model in plain language

Three things control whether a write-back submit succeeds: version state (the version must be in Input state — Submitted, Locked, and Closed all reject writes), role permission on the version (the user’s role must include Input on that specific version), and Level scope (the user’s role grants Input on a set of Levels; submits outside that set fail per cell). All three must align. A planner with Input on Budget 2026 but only for the Sales division cannot write back to a Marketing cost center, even if the workbook lets them type into the cell.

Single Sign-On for Workday OfficeConnect with Okta

Mon, 01 Jan 0001 00:00:00 +0000

For admins & power users Requires Okta administrator access and Workday Security Administrator access. End users don’t change anything on their side; this is a tenant-level configuration.

Workday OfficeConnect doesn’t authenticate to Okta directly. Instead, OfficeConnect authenticates to Workday, and Workday uses Okta as its identity provider. This indirection is important — the configuration lives on the Workday side, not directly in OfficeConnect — and explains why many SSO problems surface as Workday auth failures rather than Okta errors.

Single Sign-On for Workday OfficeConnect with Microsoft Entra ID

Mon, 01 Jan 0001 00:00:00 +0000

For admins & power users Requires Entra ID Application Administrator (or higher) and Workday Security Administrator access. End users don’t change anything; this is a tenant-level configuration.

Workday OfficeConnect doesn’t authenticate to Microsoft Entra ID directly. OfficeConnect authenticates to Workday, and Workday uses Entra ID as its identity provider. The configuration sits on the Workday side, with Entra ID providing the SAML or OIDC backbone.

This guide assumes Entra ID-to-Workday SSO is already working for the Workday web app. If not, do that integration first (Entra’s enterprise app gallery has a “Workday” SAML template).

Auditing Workday OfficeConnect Write-Back Submissions

Mon, 01 Jan 0001 00:00:00 +0000

Every Workday OfficeConnect write-back submission is logged server-side in Adaptive Planning. The audit trail captures who changed what, when, and to what value — the foundation of any control around write-back. This reference covers where to find the logs, what’s captured, and how to operationalize a review cadence for internal audit or SOX.

What you’ll need: an Adaptive admin role (or a role with audit log access), the version(s) being written to, and a defined review cadence and reviewer.