JasonBradford-3831 asked CengizKuskaya answered

Federated user getting AADSTS51004 on SAML login attempt

I have federated our O365 AAD domain with our GSuite domain as the SAML IdP. Access is granted via membership to a specific gsuite group. This generally works after having to set UPN = ImmutableID.

I have a user who, after migrating to a new computer, tried to authenticate their applications or log into the Office portal and receives "Message: AADSTS51004: The user account xxxxxxxxxxxxxxxxxxxx does not exist in the yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy directory. To sign into this application, the account must be added to the directory."

Nothing has been changed WRT the user's user object in either system. When I Get-AzureADUser, this user appears in the output as expected and everything looks correct. In the admin portal they also show up properly and are licensed just the same. I have tried having them clear cache and cookies with no change in results. I had another user several months back who ran into the same or very similar issue when we set them up on their repaired machine. This seems to be the commonality (changing the user machine) with both instances. The first one I tried several things down to deleting the O365 user hoping to re-propagate them into Azure but then needed to have Google support make some database edit before they would re-propagate so I don't really want to go that route again.

Anybody have an explanation and/or fix for this?

Thanks
--Jason

Tags: azure-active-directory, azure-ad-domain-services

The only potential thing I see is that this user's ImmutableID has an upper-case first letter which I think was also the case for the other user who encountered this.


Were you able to get this resolved? This can happen if the on-premises UPN doesn't match the one in Azure. If one has an upper case letter and the other does not, that could be the issue.

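The case mismatch raised in the comment above can be checked directly against the directory. This is an added example, not code from any poster in this thread; it assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run, and that the tenant follows the UPN = ImmutableID convention described in the question. The NameID value passed in is whatever the IdP actually sent, copied from a SAML trace of the failing sign-in (the values in the usage comment are placeholders).

```powershell
# Added example for this thread (not code from any poster). Assumes the AzureAD
# PowerShell module is installed and Connect-AzureAD has already been run.
# Because this tenant sets UPN = ImmutableID, the value the IdP sends as the SAML
# NameID must match the ImmutableId stored in Azure AD byte for byte; a difference
# in letter case alone is enough to make the lookup fail.

function Test-FederatedUserId {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # NameID exactly as sent by the IdP, taken from a SAML trace of the failing sign-in
        [Parameter(Mandatory)] [string] $IdpNameId
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName |
        Select-Object UserPrincipalName, ImmutableId
    if (-not $user.ImmutableId) {
        return "No ImmutableId set: user is cloud-only, federation cannot match it"
    }
    # -ceq is case-sensitive, -ieq is case-insensitive; the gap between them is the drift
    if ($user.ImmutableId -ceq $IdpNameId) { return "OK: exact match" }
    if ($user.ImmutableId -ieq $IdpNameId) {
        return "Case-only mismatch: AAD has '$($user.ImmutableId)', IdP sends '$IdpNameId'"
    }
    return "Different values: AAD has '$($user.ImmutableId)', IdP sends '$IdpNameId'"
}

# Tenant-wide sweep: every user with an ImmutableId that is not an exact
# (case-sensitive) copy of the UPN, which is the convention this tenant relies on.
function Find-ImmutableIdCaseDrift {
    Get-AzureADUser -All $true |
        Where-Object { $_.ImmutableId -and ($_.ImmutableId -cne $_.UserPrincipalName) } |
        Select-Object UserPrincipalName, ImmutableId,
            @{ Name = 'CaseOnly'; Expression = { $_.ImmutableId -ieq $_.UserPrincipalName } }
}

# Usage (placeholder values, not from the thread):
# Test-FederatedUserId -UserPrincipalName 'user@example.com' -IdpNameId 'User@example.com'
# Find-ImmutableIdCaseDrift | Format-Table -AutoSize
```

Rows where CaseOnly is True are the ones where the stored ImmutableId and the UPN differ only in letter case; the sweep finds them before the affected user hits the error on their next sign-in.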
MarileeTurscak-MSFT answered

Here is how you transfer domains between subscriptions: https://docs.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide

If you want to remove a custom domain from a tenant and add it to another tenant, you can follow the steps from these articles:

  1. Remove a domain from Office 365

  2. Add your users and domain to Office 365


Let me know if this is what you are looking for!

CengizKuskaya answered

Hi Jason,

I have experienced the same problem as you and found the solution after several hours of investigation. You can take a look at the following article if you are still experiencing the problem.

How to troubleshoot “AADSTS51004: The user account XXX does not exist in the XXX directory. To sign into this application, the account must be added to the directory.” Error Message

Hope it helps!

Regards,
Cengiz