This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 25%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I have federated our O365 AAD domain with our GSuite domain as the SAML IdP. Access is granted via membership to a specific gsuite group. This generally works after having to set UPN = ImmutableID.
I have a user who, after migrating to a new computer, tried to authenticate their applications or log into the Office portal and receives "Message: AADSTS51004: The user account xxxxxxxxxxxxxxxxxxxx does not exist in the yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy directory. To sign into this application, the account must be added to the directory.
Nothing has been changed WRT the user's user object in either system. When I Get-AzureADUser, this user appears in the output as expected and everything looks correct. In the admin portal they also show up properly and are licensed just the same. I have tried having them clear cache and cookies with no change in results. I had another user several months back who ran into the same or very similar issue when we set them up on their repaired machine. This seems to be the commonality (changing the user machine) with both instances. The first one I tried several things down to deleting the O365 user hoping to re-propagate them into Azure but then needed to have Google support make some database edit before they would re-propagate so I don't really want to go that route again.
Anybody have an explanation and/or fix for this?
Thanks
--Jason
The only potential thing I see is that this user's ImmutableID has an upper-case first letter which I think was also the case for the other user who encountered this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Were you able to get this resolved? This can happen if the on-premises UPN doesn't match the one in Azure. If one has an upper case letter and the other does not, that could be the issue.
Here is how you transfer domains between subscriptions: https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide
If you want to remove a custom domain from a tenant and add it to another tenant, you can follow the steps from these articles:
Let me know if this is what you are looking for!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 60%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
Hi Jason,
I have experienced the same problem like you too and found the solution after severaal hours of investigation. You can take a look at the following article if you still experiencing the probem.
Hope it helps !
Regards,
Cengiz