How to resolve AADSTS51004 error

Paul Levett 0 Reputation points
2024-08-29T15:57:01.6466667+00:00

After following the Configure Google Workspace as an IdP for Microsoft Entra ID guide here: https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust

When our users try to sign into Microsoft services they get redirected to Google and sign in without any issue, but when redirected back to Microsoft services they now get the following error message:

AADSTS51004: The user account does not exist in the f759966c-a7a4-4611-a73b-d33f385008df directory. To sign into this application, the account must be added to the directory.

When checking the users, their user principal name (email) is exactly the same within Entra ID. The directory ID is also correct.

So ideally we are looking to find out how to resolve this issue?

On a side note, we would also like to know how to roll back the change if we cannot resolve the above issue too.

Thanks for your help in advance.


3 answers

  1. James Hamil 24,481 Reputation points Microsoft Employee
    2024-08-29T19:13:04.3833333+00:00

    Hi @Paul Levett , please try the following steps for me:

    1. Check that the user account exists in the Entra ID directory that is being used for authentication. You can do this by searching for the user in the Entra ID portal.
    2. If the user account does not exist in the Entra ID directory, you will need to add the user to the directory. You can do this by creating a new user account in the Entra ID portal and assigning the appropriate licenses and permissions.
    3. If the user account does exist in the Entra ID directory, check that the user principal name (email) is exactly the same in both Google Workspace and Entra ID. If there are any differences, you will need to update the user principal name in one of the systems to match the other.
    4. Check that the Google Workspace domain is added as a verified domain in the Entra ID portal. You can do this by going to the Entra ID portal, selecting "Domains" from the left-hand menu, and verifying that the Google Workspace domain is listed and marked as "Verified".
    5. If none of the above steps resolve the issue, you can try removing and re-adding the Google Workspace identity provider in the Entra ID portal.

    To roll back the change, you can simply remove the Google Workspace identity provider from the Entra ID portal. This will revert the authentication method back to the previous configuration.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


  2. James Hamil 24,481 Reputation points Microsoft Employee
    2024-09-06T00:11:21.8133333+00:00

    Hi @Paul Levett , thank you for returning with your answer. Since you can't confirm your own answer, I'll repost it here for others to reference. Please select "Verify Answer" to do this.

    The issue was resolved by:

    1. Going to Entra ID > Identity > All Users
    2. Change the UPN domain for each affected user to their onmicrosoft.com UPN and save to confirm the domain change
    3. Open PowerShell and run this command: Set-MsolUser -UserPrincipalName name@<domain name> -ImmutableId name@<domain name>
    4. Once the command has completed, go back to Entra ID > Identity > All Users and change the affected users back to the federated domain.

    All users can now access their Microsoft Services via Google Workspace.


  3. Paul Levett 0 Reputation points
    2024-08-30T15:26:57.76+00:00

    I have resolved the issue by

    1. Going to Entra ID > Identity > All Users
    2. Change the UPN domain for each affected user to their onmicrosoft.com UPN and save to confirm the domain change
    3. Open PowerShell and run this command: Set-MsolUser -UserPrincipalName name@<domain name> -ImmutableId name@<domain name>
    4. Once the command has completed, go back to Entra ID > Identity > All Users and change the affected users back to the federated domain.

    All users can now access their Microsoft Services via Google Workspace.

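The four-step fix described in the two answers above, written out as one PowerShell script using the MSOnline module (an added example, not code from the original posts or from the Microsoft guide). The federated domain, the tenant's onmicrosoft.com domain and the user list are assumptions; the script also verifies after each user that ImmutableId now equals the federated UPN, which is what the SAML NameID from Google must match.

```powershell
# Added example, not from the original posts. Re-applies the fix above for a
# list of affected users with the MSOnline module.
Import-Module MSOnline
Connect-MsolService

$federatedDomain = 'example.com'               # assumption: the Google Workspace domain
$initialDomain   = 'contoso.onmicrosoft.com'   # assumption: the tenant's initial domain
$affectedUsers   = @('alice', 'bob')           # assumption: local parts of the affected UPNs

foreach ($name in $affectedUsers) {
    $federatedUpn = "$name@$federatedDomain"
    $tempUpn      = "$name@$initialDomain"

    # Steps 1-2: move the account onto the non-federated onmicrosoft.com domain.
    # ImmutableId cannot be changed while the account sits in a federated domain.
    Set-MsolUserPrincipalName -UserPrincipalName $federatedUpn -NewUserPrincipalName $tempUpn

    # Step 3: set ImmutableId to the federated UPN so it matches the NameID
    # that Google sends in the SAML assertion.
    Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId $federatedUpn

    # Step 4: move the account back to the federated domain.
    Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $federatedUpn

    # Check: a mismatch here is what produces AADSTS51004 after the Google redirect.
    $user = Get-MsolUser -UserPrincipalName $federatedUpn
    if ($user.ImmutableId -ne $federatedUpn) {
        Write-Warning "ImmutableId mismatch for $federatedUpn : '$($user.ImmutableId)'"
    } else {
        Write-Host "OK: $federatedUpn ImmutableId = $($user.ImmutableId)"
    }
}
```

Run it with an account that can modify users in the tenant; users who were already moved by hand can be skipped by leaving them out of $affectedUsers.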
