I have federated our O365 AAD domain with our GSuite domain as the SAML IdP. Access is granted via membership to a specific gsuite group. This generally works after having to set UPN = ImmutableID.
I have a user who, after migrating to a new computer, tried to authenticate their applications or log into the Office portal and receives "Message: AADSTS51004: The user account xxxxxxxxxxxxxxxxxxxx does not exist in the yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy directory. To sign into this application, the account must be added to the directory."
Nothing has been changed WRT the user's user object in either system. When I Get-AzureADUser, this user appears in the output as expected and everything looks correct. In the admin portal they also show up properly and are licensed just the same. I have tried having them clear cache and cookies with no change in results. I had another user several months back who ran into the same or a very similar issue when we set them up on their repaired machine. This seems to be the commonality (changing the user's machine) in both instances. For the first one I tried several things, down to deleting the O365 user hoping to re-propagate them into Azure, but then needed to have Google support make some database edit before they would re-propagate, so I don't really want to go that route again.
Anybody have an explanation and/or fix for this?
Thanks
--Jason
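A diagnostic that fits the situation above, added here as an example and not part of Jason's post or anything he ran: for a SAML-federated tenant the sign-in lookup keys on the assertion's NameID (which must equal the user's ImmutableId, persistent format) and on the IDPEmail attribute (the UPN), so the useful check is to put the assertion the IdP actually sent next to the user object Azure AD holds. The script assumes the AzureAD PowerShell module, an admin session, and a SAMLResponse form value captured from the failing sign-in with a browser SAML tracer and saved (already URL-decoded) to a file; the parameter names and the placeholder UPN are assumptions.

```powershell
<#
 Added diagnostic example, not from the original post. Compares the SAML assertion
 the IdP (Google Workspace here) sends with the user object in Azure AD.
 Assumes: AzureAD module, an admin session, and the captured base64 SAMLResponse
 (URL-decoded) saved to a file. Parameter names are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. user@example.com (placeholder)
    [Parameter(Mandatory)] [string] $SamlResponseFile     # file holding the base64 SAMLResponse
)

Import-Module AzureAD
if (-not (Get-AzureADCurrentSessionInfo -ErrorAction SilentlyContinue)) {
    Connect-AzureAD | Out-Null
}

# 1. Decode the assertion. The HTTP-POST binding carries plain base64 XML (no deflate).
$raw = [Convert]::FromBase64String((Get-Content -Raw $SamlResponseFile).Trim())
$xml = [xml][System.Text.Encoding]::UTF8.GetString($raw)
$ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

# Azure AD expects NameID = ImmutableId (persistent format) and an IDPEmail attribute = UPN.
$nameIdNode   = $xml.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
$idpEmailNode = $xml.SelectSingleNode("//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns)
$assertedNameId = if ($nameIdNode)   { $nameIdNode.InnerText.Trim() }   else { $null }
$nameIdFormat   = if ($nameIdNode)   { $nameIdNode.GetAttribute('Format') } else { $null }
$assertedUpn    = if ($idpEmailNode) { $idpEmailNode.InnerText.Trim() } else { $null }

# 2. Fetch what Azure AD holds for the user (lookup by UPN) and the domain's auth type.
$user   = Get-AzureADUser -ObjectId $UserPrincipalName
$domain = Get-AzureADDomain -Name ($user.UserPrincipalName.Split('@')[1])

# 3. Put the fields the federated lookup depends on side by side.
[pscustomobject]@{
    AzureAD_UPN           = $user.UserPrincipalName
    AzureAD_ImmutableId   = $user.ImmutableId
    Asserted_NameID       = $assertedNameId
    Asserted_NameIDFormat = $nameIdFormat      # expect ...:nameid-format:persistent
    Asserted_IDPEmail     = $assertedUpn
    DomainAuthType        = $domain.AuthenticationType   # expect 'Federated'
    ImmutableIdMatches    = [string]::Equals($user.ImmutableId, $assertedNameId, 'Ordinal')
    UpnMatches            = [string]::Equals($user.UserPrincipalName, $assertedUpn, 'OrdinalIgnoreCase')
} | Format-List

# 4. If the asserted NameID is not this user's ImmutableId, find out who (if anyone) owns it.
#    ImmutableId is compared byte for byte, so a base64/GUID-string mismatch or a stale
#    value leaves the tenant-wide lookup with no match, which is what AADSTS51004 reports.
if ($assertedNameId -and $user.ImmutableId -cne $assertedNameId) {
    $owner = Get-AzureADUser -All $true | Where-Object { $_.ImmutableId -ceq $assertedNameId }
    if ($owner) {
        "NameID '$assertedNameId' belongs to: $($owner.UserPrincipalName -join ', ')"
    } else {
        "No user in the tenant carries ImmutableId '$assertedNameId'; a lookup by that NameID finds nothing."
    }
}
```

Run it against an assertion captured on the failing machine and one captured on a machine where the same user signs in fine; if the two NameIDs differ (for example because the new machine is signed into a different Google account or profile that maps to another identity in the IdP), the comparison shows it without touching either directory.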