How do I fix AADSTS errors for federated users in AAD/Google Workspace federation?

COFZ 40 Reputation points
2023-08-07T18:02:53.16+00:00

I recently accomplished configuring SSO using Google Workspace as identity provider for AAD and I encountered this: when signing in to AAD using Google Workspace credentials I get this error message only for some federated users: AADSTS51004: The user account someone@domain does not exist in the xxx-xxxxxx directory. To sign into this application, the account must be added to the directory.

I created an account in GW and tried signing in to OneDrive and other Microsoft services (My Account, M365, etc.) and the sign-in worked. However, the account that I previously used on my computer encountered a number of AADSTS errors depending on the service being signed into. Other GW accounts that I've used before (on the same computer) experienced the same.

I tried to sign in with GW accounts that I've not used before on my computer. They all worked.

The sign-in worked for those accounts created before federation as well as for those created after, as long as I have not used them before on my computer (or on other computers they've signed in on before SSO).

Prior to SSO, I manually created accounts on our AAD using GW email as AAD principal name. Each account in AAD and GW had the same email address but may have different passwords.

Is this problem related to Windows or is it singularly an AAD issue?


Accepted answer
Vahid Ghafarpour 18,765 Reputation points
2023-08-07T18:30:50.1833333+00:00

Ensure that the tokens exchanged during SSO are correctly signed and validated by both Google Workspace and Azure AD. Token signing issues can lead to authentication failures.
