How to resolve AADSTS51004 error

Question

After following the Configure Google Workspace as an IdP for Microsoft Entra ID guide here: https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust

When our users try to sign into Microsoft services they get redirected to Google and sign in without any issue, but when redirected back to Microsoft services they now get the following error message:

AADSTS51004: The user account does not exist in the f759966c-a7a4-4611-a73b-d33f385008df directory. To sign into this application, the account must be added to the directory.

When checking the users, there user principal name (email) is exactly the same within Entra ID. The directory ID is also correct too.

So ideally we are looking to find out how resolve this issue?

On a side note, we would also like to know how to roll back the change if we cannot resolve the above issue too.

Thanks for help in advance.

Answer 1

Hi @Paul Levett , thank you for returning with your answer. Since you can't confirm your own answer, I'll repost it here for others to reference. Please select "Verify Answer" to do this.

The issue was resolved by:

1. Going to  Entra ID > Identity > All Users
2. Change the UPN domain for each affected user to their onmicrosoft.com UPN and save to confirm the domain change
3. Open Powershell and run this command: set-msolUser -userprincipalname name@<domain name> -immutableID name@<domain name>
4. Once the command has completed go back to  Entra ID > Identity > All Users and change the affected users back to the federated domain.

All users can now access their Microsoft Services via Google Workspace.

Answer 2

Hi @Paul Levett , please try the following steps for me:

1. Check that the user account exists in the Entra ID directory that is being used for authentication. You can do this by searching for the user in the Entra ID portal.
2. If the user account does not exist in the Entra ID directory, you will need to add the user to the directory. You can do this by creating a new user account in the Entra ID portal and assigning the appropriate licenses and permissions.
3. If the user account does exist in the Entra ID directory, check that the user principal name (email) is exactly the same in both Google Workspace and Entra ID. If there are any differences, you will need to update the user principal name in one of the systems to match the other.
4. Check that the Google Workspace domain is added as a verified domain in the Entra ID portal. You can do this by going to the Entra ID portal, selecting "Domains" from the left-hand menu, and verifying that the Google Workspace domain is listed and marked as "Verified".
5. If none of the above steps resolve the issue, you can try removing and re-adding the Google Workspace identity provider in the Entra ID portal.

To roll back the change, you can simply remove the Google Workspace identity provider from the Entra ID portal. This will revert the authentication method back to the previous configuration.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Answer 3

I have resolved the issue by

1. Going to  Entra ID > Identity > All Users
2. Change the UPN domain for each affected user to their onmicrosoft.com UPN and save to confirm the domain change
3. Open Powershell and run this command: set-msolUser -userprincipalname name@<domain name> -immutableID name@<domain name>
4. Once the command has completed go back to  Entra ID > Identity > All Users and change the affected users back to the federated domain.

All user can now access their Microsoft Services via Google Workspace.