Question

1 Vote
khaled-5855 asked, khaled-5855 edited

error_description: "AADSTS50034: The user account {EmailHidden} does not exist in the domain.onmicrosoft.com directory"

Background to the problem:
A- Given:
1- Azure AD Connect is successfully installed. No error appeared during the installation or syncing.
2- Azure AD Connect Cloud Sync was later installed, after the error appeared, to see if a different error appears.

B- Error:
When syncing the on-prem AD to AAD with Azure AD Connect, the following "Provisioning Quarantined" error appears on the Azure AD Connect cloud sync screen:

" User and group sync
Status
Quarantine
Last successful run
Never
Error code
AzureActiveDirectorySyncAccountDoesNotExist
Error message
We found an issue with the service account that is used to run Azure AD Connect Provisioning. You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988 If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Error Code: invalid_grant Status: UserInteractionRequired Message: extendedMessage: AADSTS50034: The user account {EmailHidden} does not exist in the teibasec365b.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 0dcb5daa-4b68-4e58-9037-2336244e5001 Correlation ID: 8af9c775-a946-44ae-ae24-f5bf6d4d22da Timestamp: 2022-02-23 22:12:42Z webException: {"error":"invalid_grant","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in the teibasec365b.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 0dcb5daa-4b68-4e58-9037-2336244e5001\r\nCorrelation ID: 8af9c775-a946-44ae-ae24-f5bf6d4d22da\r\nTimestamp: 2022-02-23 22:12:42Z","error_codes":[50034],"timestamp":"2022-02-23 22:12:42Z","trace_id":"0dcb5daa-4b68-4e58-9037-2336244e5001","correlation_id":"8af9c775-a946-44ae-ae24-f5bf6d4d22da","error_uri":"https://login.microsoftonline.com/error?code=50034","suberror":"bad_token"} STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/TEIBASEC365B.ONMICROSOFT.COM
Next attempt to lift the quarantine
2/24/2022, 12:12:42 AM GMT+1"

It is not clear to me which "AzureActiveDirectorySyncAccountDoesNotExist" is meant, as it appears in the Error Code above.

Also, when performing a User Provisioning Test, the error appears, although the user is already successfully synced to AAD!
Below are two screenshots of the error.
Can anyone please help? E.g. how can I list or see any hidden or corrupted service accounts that may cause this problem?

Thanks.



Tags: azure-active-directory, azure-ad-connect, azure-ad-cloud-provisioning
screenshot-2.pdf (228.8 KiB)
screenshot-1.pdf (308.7 KiB)

Hi @khaled-5855, is this just happening for one user or multiple? Is the user's email from your domain, or is it external, for example from "gmail.com"? If this is the case you need to add them as an external user. Please let me know and I can help you further.

Best,
James

0 Votes

1 Vote
khaled-5855 answered, khaled-5855 edited

Hi @JamesHamil-MSFT, thank you for your reply.

The error appears because a "certain user" does not exist, as the error message suggests, while I see many users being successfully synced from AD to AAD. The error message is talking about certain accounts whose email addresses "are hidden" that cause the quarantine to happen, yet I cannot know which single account this is, because I cannot identify it among the many users that were synced. I cannot count all the users by eye to find out which one does not exist in AAD and needs to be added to the directory, as the error message suggests.

The error message says: "If the error persists, please contact support with Job ID (from status pane of your configuration)". The error really persists.

If the data correlating to the error above is not sufficient, I could get the latest Job ID, if this helps.

No external users. All belong to the verified, managed domain on AAD that belongs to the on-premises AD.
Regards


1 Vote
khaled-5855 answered, khaled-5855 edited

I found the solution to the problem: by executing the instructions in the link
https://go.microsoft.com/fwlink/?linkid=2150988 and by preparing and executing the prerequisites to the instructions at that link. (The prerequisites can be found at: https://docs.microsoft.com/en-gb/azure/active-directory/cloud-sync/reference-powershell#install-the-aadcloudsynctools-powershell-module)

After executing the above procedure, the Azure AD Connect cloud sync utility now shows "Healthy" sync status.
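For readers who want to see what the linked procedure looks like in a session, the following PowerShell is an added example and is not the poster's own script nor Microsoft's exact instructions: it imports the AADCloudSyncTools module that ships with the provisioning agent, inspects the sync job status and service principal before changing anything, runs the documented repair cmdlet for the cloud sync service account, and re-checks afterwards. The module path is the agent's default install location and the `ADToAADSyncServiceAccount` name is the one Microsoft's cloud sync documentation gives for the hidden service account; both are assumptions to verify in your own environment, and the `Get-MgUser` step assumes the Microsoft.Graph PowerShell module is present.

```powershell
# Added example (not from the original post). Assumes the Azure AD Connect
# provisioning agent is installed in its default folder and that you sign in
# with a Global Administrator of the tenant shown in the AADSTS50034 error.
$modulePath = "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"
Import-Module $modulePath -ErrorAction Stop

# One-time prerequisites: installs the Graph/AzureAD dependencies the module needs.
Install-AADCloudSyncToolsPrerequisites

# Interactive sign-in; the module uses this session for the Graph calls below.
Connect-AADCloudSyncTools

Write-Host "== Before repair: tenant/agent info ==" -ForegroundColor Cyan
Get-AADCloudSyncToolsInfo | Format-List

Write-Host "== Before repair: provisioning jobs and their status ==" -ForegroundColor Cyan
Get-AADCloudSyncToolsJob | Format-List          # Job IDs are what support asks for
Get-AADCloudSyncToolsJobStatus | Format-List    # look for a Quarantine state here

Write-Host "== Before repair: service principal used by cloud sync ==" -ForegroundColor Cyan
Get-AADCloudSyncToolsServicePrincipal | Format-List

# The account the quarantine message calls "hidden" is a cloud-only user, so it is
# visible through Graph even though it is not a synced on-prem identity.
# (Name per Microsoft docs; assumption for your tenant.)
Write-Host "== Cloud sync service account as seen in Azure AD ==" -ForegroundColor Cyan
Get-MgUser -Filter "startswith(userPrincipalName,'ADToAADSyncServiceAccount')" |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled, Id

# Documented repair step: recreates/repairs the cloud sync service account that
# the AzureActiveDirectorySyncAccountDoesNotExist error code complains about.
Write-Host "== Repairing the cloud sync service account ==" -ForegroundColor Yellow
Repair-AADCloudSyncToolsAccount

# Re-check: the next scheduled run should clear the quarantine and report Healthy.
Write-Host "== After repair: job status ==" -ForegroundColor Cyan
Get-AADCloudSyncToolsJobStatus | Format-List

# If the status does not recover, collect the agent logs for a support case.
# Export-AADCloudSyncToolsLogs
```

Running the read-only `Get-*` cmdlets first gives you an audit record of the job IDs and service principal state before the repair changes anything, which is what support will ask for if the quarantine persists.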
