Erro AADSTS51004 ao configurar integração do GSuite ao Office365

Murilo Melo 6 Reputation points
2021-07-06T20:47:16.95+00:00

PT/BR
I'm trying to configure the integration of my GSuite users to use SSO in Office365.

Currently I have already managed to generate the users' ImmutableIds manually and insert them into both the Office users and the GSuite users via a custom attribute; I also changed the old @onmicrosoft.com domain to my current domain for all users, correcting and validating all the naming and data.
However, the problem occurs after authentication with the Google account, where Office (or Azure) cannot find the user in question in the directory; still, I checked my Azure AD and my Office users and compared them with the GSuite users, and they are all OK.


EN/US

I'm trying to configure my GSuite users' integration to use SSO in Office365.

Currently, I've managed to generate the users' ImmutableIds manually and insert them both in the Office users and in the GSuite users via a custom attribute; I also changed the old domain @onmicrosoft.com to my current domain for all users, correcting and validating all naming and data.
However, the problem occurs after authentication to the Google account, where Office (or Azure) cannot find the user in question in the directory; still, I have checked my Azure AD and my users in Office and compared them to the users in GSuite, and all are OK.


Answer

Siva-kumar-selvaraj 15,721 Reputation points
2021-07-07T11:30:21.277+00:00

    Hello @Murilo Melo ,

    Thanks for reaching out.

    If you created a custom attribute to add the Office 365 Immutable ID to your Google users' profiles (as per these Steps), then did you select the custom attribute as Name ID as shown below? The default Name ID configuration would be Basic Information > Primary email.

    112532-image.png

    The user's ImmutableID value must match the custom attribute that you created and assigned to users in Google Workspace. You can use the PowerShell cmdlet below to get the ImmutableID that is assigned to the non-working user.

    Get-MsolUser -UserPrincipalName ******@yourdomain.com | select ImmutableID, UserPrincipalName

    If you see any discrepancy, then use the following cmdlet to update the ImmutableID:

    Set-MsolUser -UserPrincipalName ******@yourdomain.com -ImmutableId ******@yourdomain.com

    If you wish to take a deep dive and see what NameID value is being sent in the SAML token from GSuite to Office 365, then use the HTTP SAML tracer troubleshooting plugin in Chrome/Firefox and capture a trace while reproducing the issue, so you can figure out the actual NameID value sent in the response as shown below. This value must match on GSuite as well as on Office 365 for the given user scenario.

    112508-image.png

    Here are some examples from my lab:

    • Created custom attribute in Gsuite:

    112573-image.png

    • Configured custom attribute as Name ID in Gsuite:

    112532-image.png

    • Added a unique value (example: ******@thewebapp.in) to the custom attribute for the user in GSuite and verified that the same value (which is ******@thewebapp.in) is set on the respective user object in Office 365, matching exactly.

    112544-image.png

    • I was able to login successfully.
    • In case GSuite sends an incorrect NameID value that doesn't match any user object's Immutable ID, then O365 gives the error below, the same as you got above: 112529-image.png

    To learn more, refer : https://support.google.com/a/answer/6363817#ID&zippy=%2Cstep-configure-immutableid

    Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
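The check the answer describes, the NameID from the SAML trace compared exactly against each user's ImmutableId, as an added Python example that is not part of this thread and not Microsoft's or Google's tooling. The directory snapshot (UPN to ImmutableId, the two columns the Get-MsolUser line above prints) and the SAMLResponse the script builds are constructed for the example; in practice you would feed it the base64 SAMLResponse captured with the SAML tracer plugin. It also shows the failure mode from the answer: when Google keeps the default Name ID (primary email) but the user's ImmutableId is a different value, no user in the directory matches.

```python
"""Compare the NameID in a SAMLResponse with directory ImmutableIds.

Added diagnostic example (not Microsoft's or Google's code).  It parses a trace
you already captured; it does not validate the response's signature, so use it
only for troubleshooting, never as an authentication decision.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed directory snapshot: UPN -> ImmutableId (assumption, sample data).
# Alice's ImmutableId equals her mail address; Bob's is the separate value that
# was written into the Google custom attribute.
DIRECTORY = {
    "alice@example.com": "alice@example.com",
    "bob@example.com": "bob-gsuite-immutable-id",
}


def build_sample_response(name_id: str) -> str:
    """Build a minimal, unsigned SAMLResponse (base64) carrying the given NameID.

    Constructed for the example only; a real response from Google is signed and
    carries far more elements.  The Format value is a placeholder.
    """
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{escape(name_id)}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_name_id(saml_response_b64: str) -> tuple[str, str | None]:
    """Return (NameID value, NameID Format attribute) from a base64 SAMLResponse.

    For untrusted input prefer defusedxml over xml.etree; this is fine for a
    trace you captured yourself.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAMLResponse carries no NameID")
    return node.text.strip(), node.get("Format")


def diagnose(saml_response_b64: str, directory: dict[str, str]) -> dict:
    """Find which directory user (if any) has an ImmutableId equal to the NameID.

    'no_match' is the situation the answer describes: the IdP sent a NameID that
    no user object's ImmutableId equals, so the service cannot locate the user.
    The comparison is exact, as the answer requires.
    """
    name_id, fmt = extract_name_id(saml_response_b64)
    matches = [upn for upn, iid in directory.items() if iid == name_id]
    if len(matches) == 1:
        status = "ok"
    elif not matches:
        status = "no_match"
    else:
        status = "ambiguous"  # two objects share an ImmutableId; fix the directory
    return {"status": status, "name_id": name_id, "format": fmt, "matches": matches}


if __name__ == "__main__":
    # Default Google Name ID (primary email) for Bob: nothing in the directory matches.
    print(diagnose(build_sample_response("bob@example.com"), DIRECTORY))
    # Custom attribute selected as Name ID: Bob is found.
    print(diagnose(build_sample_response("bob-gsuite-immutable-id"), DIRECTORY))
```

To use it on a real trace, copy the SAMLResponse value from the tracer (it is already base64) and pass it to `diagnose` together with the output of the Get-MsolUser query turned into a dict; a `no_match` result means the NameID Google sent and the ImmutableId stored on the user object differ and one of them must be corrected.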
