Configure federation between Google Workspace and Microsoft Entra ID error AADSTS51004

Davide Orbitello 0 Reputation points
2023-11-17T13:12:22.49+00:00

Hello,

After following the steps of this guide https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust I'm testing the login. I am getting the redirect to Google when I try to sign in, but after that I get this error:

Request Id: 70941c8e-8dfe-404c-b4c0-c3b69c785a00

Correlation Id: 34d3913a-81eb-45f2-8461-8c55ad6110fb

Timestamp: 2023-11-17T11:51:02Z

Message: AADSTS51004: The user account email does not exist in the Directorycode directory. To sign into this application, the account must be added to the directory.

Why is this happening? Is it something related to the ImmutableID? How do I fix it?


5 answers

  1. Carlos Solís Salazar 17,976 Reputation points MVP
    2023-11-17T20:19:55.9433333+00:00

    It appears that you are encountering an error related to Azure Active Directory (AAD) and Google integration when trying to sign in. The error message "AADSTS51004: The user account email does not exist in the Directory code directory. To sign into this application, the account must be added to the directory" indicates that the user account you are trying to log in with is not found in the Azure Active Directory.

    This issue might be related to the ImmutableID, which is a key component in identity synchronization processes, especially in scenarios where you are integrating services like Azure AD with third-party identity providers (IdPs) such as Google. Here are some steps you can take to troubleshoot and resolve the issue:

    1. Verify User Existence in Azure AD: Ensure that the user account you are trying to sign in with actually exists in Azure Active Directory. You can check this via the Azure portal.
    2. Check User Principal Name (UPN): The UPN of the user in Azure AD should match the email address used in Google. Any discrepancy here can cause authentication issues.
    3. ImmutableID: If you are synchronizing identities from an on-premises Active Directory using Azure AD Connect, make sure that the ImmutableID in Azure AD matches the objectGUID of the user in the on-premises AD. If the user is cloud-only, the ImmutableID may not be required.
    4. Synchronization Issues: If you are using directory synchronization, make sure that it is functioning correctly and that recent changes (like new user accounts or updates to existing accounts) have been synchronized to Azure AD.
    5. Review the Configuration: Double-check the configuration steps outlined in the guide you followed (Configure Azure AD and Google Federation). Ensure that all steps have been completed correctly, including setting up federation and assigning users.
    6. Check Azure AD Connect Health: If you are using Azure AD Connect, check its health and synchronization status to ensure there are no underlying issues with synchronization.
    7. Logs and Diagnostics: Review the Azure AD sign-in logs for any additional clues or error messages that could help in diagnosing the problem.
    8. Consult Azure Support: If the issue persists, consider opening a support ticket with Azure Support for more direct assistance.

    It's important to ensure that the user accounts and their attributes are properly managed and synchronized between Azure AD and any external identity providers or directories. Any mismatch or misconfiguration can lead to authentication issues like the one you're experiencing.

    Accept the answer if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
    2023-11-20T12:44:00.41+00:00

    Hello @Davide Orbitello

    Thank you for posting your query on Q&A.
    I apologize for the inconvenience you have experienced.
    Error code AADSTS51004 states that the user account doesn't exist in the directory. An application likely chose the wrong tenant to sign into, and the currently logged-in user was prevented from doing so since they did not exist in your tenant. If this user should be able to log in, add them as a guest. For further information, please visit add B2B users.
    Make sure that the user account email is added to the directory before you can sign into the application.
    The reason behind the error you saw is that when you created these users via Google, their email became their ImmutableID, and it worked fine; however, if you create users directly in Office 365 / AD sync, then you would first need to ensure ImmutableID = user's email address.
    I hope this information helps! If you have any further questions, please feel free to ask.

    For more information, please refer to https://learn.microsoft.com/en-us/answers/questions/465354/erro-aadsts51004-ao-configurar-integra-o-do-gsuite

    https://learn.microsoft.com/en-us/answers/questions/1306272/configured-google-as-idp-via-federation-now-cant-l
    https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust

    Thanks,
    Akhilesh.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. O365 Buddy 96 Reputation points
    2024-04-19T00:10:11.54+00:00
    • If the users were created in the Office 365 admin console, the ImmutableID should be blank. To set the ImmutableID attribute for each of these users in Office 365 to match their UPN, use the Set-MsolUser PowerShell command:

        # MSOnline module; testuser@yourdomain.com is a placeholder for the user's UPN
        Set-MsolUser -UserPrincipalName testuser@yourdomain.com -ImmutableID testuser@yourdomain.com

    You can also use Set-MsolUser to bulk update all users. You can find specific instructions in the PowerShell documentation.

    https://support.google.com/cloudidentity/answer/6363817?hl=es#zippy=%2Cpaso-configura-immutableid

    https://support.okta.com/help/s/article/SSO-from-Okta-to-office365-shows-error-AADSTS51004?language=en_US

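The bulk update mentioned in the answer above, written out as an added example (not code from the thread or from Microsoft). It assumes the MSOnline module is installed and Connect-MsolService has already been run; `yourdomain.com` is a placeholder for the federated domain. It only writes when run with -Apply, skips directory-synced users (their ImmutableId is the on-premises objectGUID and must not be overwritten) and reports, rather than overwrites, any non-empty ImmutableId that differs from the UPN.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module and an
# existing Connect-MsolService session. Google federation sends the user's email as
# the SAML NameID, and Entra ID matches it against ImmutableId, so cloud-only users
# with a blank ImmutableId fail with AADSTS51004.
param(
    [string]$Domain = 'yourdomain.com',   # placeholder: the federated domain
    [switch]$Apply                        # without -Apply the script only reports
)

$users = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$Domain"
}

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName

    # Directory-synced users carry the on-prem objectGUID as ImmutableId; leave them alone.
    if ($u.LastDirSyncTime) {
        [pscustomobject]@{ UPN = $upn; ImmutableId = $u.ImmutableId; Action = 'skip (synced)' }
        continue
    }
    if ($u.ImmutableId -eq $upn) {
        [pscustomobject]@{ UPN = $upn; ImmutableId = $u.ImmutableId; Action = 'ok' }
        continue
    }
    if ($u.ImmutableId) {
        # A different, non-empty value needs a human decision; report it rather than clobber it.
        [pscustomobject]@{ UPN = $upn; ImmutableId = $u.ImmutableId; Action = 'mismatch (review)' }
        continue
    }
    if ($Apply) {
        # Same cmdlet as the single-user command in the answer, applied per user
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $upn
        [pscustomobject]@{ UPN = $upn; ImmutableId = $upn; Action = 'set' }
    } else {
        [pscustomobject]@{ UPN = $upn; ImmutableId = ''; Action = 'would set' }
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Apply and check the 'mismatch (review)' rows before rerunning with -Apply.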

  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  5. O365 Buddy 96 Reputation points
    2024-04-19T00:28:02.69+00:00

    # AzureAD module; -ObjectId accepts the user's object ID or UPN. Both values below are placeholders.
    Set-AzureADUser -ObjectId <user-object-id> -ImmutableId <user-UPN>

