Unable to authenticate with Google Federation to Entra using on-premise AD account

SH 0 Reputation points
2024-10-02T19:09:49.4866667+00:00

I currently have it set to let the students/staff log in with their Google accounts when accessing Microsoft services; these accounts were created with Google (the Microsoft 365 app is configured through SAML in Google Admin). This app creates an account automatically in Entra. My goal is to combine the on-premise AD accounts with the Entra accounts that Google creates.

I have my on-premise AD set up to sync with Entra via Azure AD Connect. I'm testing with one account to be able to use our routable domain that we use with Google (our AD is a .local) and not have a separate account that was auto created with Google. The test account in AD has the UPN matching the @mydomain.org. The account in Entra shows on-premise sync enabled is yes. I do not have duplicate accounts for the same user on the Entra side (I deleted the account in Entra that Google created that had the same email address associated). This user does not have any roles and has a license.

When going to office365.com to test the account, the user is able to log in via Google, but the following error occurs.

AADSTS51004: The user account ******@mydomain.org does not exist in the xxxxx-xxxxx-xxxxx-xxxxx-xxxxx directory. To sign into this application, the account must be added to the directory.

I have tried the following:

  • verified that the objectguid on-premise matched the immutableid in Entra
  • added SMTP:******@mydomain.org to the proxyaddress on-premise account
  • since none of the previous changes did anything, I changed the Azure AD Connect anchor source from objectguid to ms-ds-consistencyguid and synced with a delta sync a few times

I'm thinking my AD/Entra settings should work, but perhaps I'm not passing the correct info via Google back to Entra. Any suggestions?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Other

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-10-10T20:48:54.83+00:00

    Hello @SH,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you've federated your custom domain (domainA.com) with Google IDP. This means any user with the domainA.com suffix is redirected to Google's endpoint for authentication. This setup works for users synchronized from Google to Entra ID, but you're now trying to achieve the same for on-premises user accounts. You've used Microsoft Entra Connect to sync these on-prem users to Entra ID. However, when these users attempt to sign in to office.com, they encounter the error: "AADSTS51004: The user account ******@mydomain.org does not exist in the xxxxx-xxxxx-xxxxx-xxxxx-xxxxx directory. To sign into this application, the account must be added to the directory."

    This issue can occur if the Immutable ID is not correctly set for the user. To resolve this, follow these steps:

    1. Convert the federated user to a cloud-only user (update the UPN to a non-federated domain)
    2. Update the ImmutableId
    3. Convert the user back to a federated user

    Here's a PowerShell example to update the ImmutableId for a federated user:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph
    # Sign in with the scopes needed to read and update user objects
    Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'
    #1. Convert the user from federated to cloud-only by moving the UPN to the tenant's non-federated .onmicrosoft.com domain
    #   (Entra rejects cloud-side UPN/ImmutableId changes while the object is still synced from on-premises, OnPremisesSyncEnabled = true)
    Update-MgUser -UserId alton@example.com -UserPrincipalName ******@example.onmicrosoft.com
    #2. Convert the user back to federated, while setting the immutableId
    #   (in practice this is the base64-encoded objectGUID / ms-DS-ConsistencyGuid of the on-premises account; '260051' is only a placeholder)
    Update-MgUser -UserId ******@example.onmicrosoft.com -UserPrincipalName alton@example.com -OnPremisesImmutableId '260051'

    Please refer to the document below for more information.

    Identity matching in Microsoft Entra ID


    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
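The check the question's first bullet describes (does the on-premises anchor match the Entra ImmutableId?) and the value step 2 of the answer needs are shown below as an added example; this is not code from the original question or answer. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module are installed, and that the user running it has already run Connect-MgGraph; the function names and the sample account are illustrative.

```powershell
# Added example: derive the Entra ImmutableId from an on-premises account's anchor
# attribute and compare it with what Entra ID actually holds for the synced user.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # Entra stores the anchor as base64 of the GUID's 16 raw bytes in
    # .NET Guid.ToByteArray() order, not base64 of the "xxxxxxxx-xxxx-..." string.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse mapping, useful for reading a GUID back out of a cloud value.
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Test-AnchorMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # on-premises account
        [Parameter(Mandatory)][string]$UserPrincipalName   # routable UPN, e.g. user@mydomain.org
    )
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'

    # After switching the Entra Connect source anchor to ms-DS-ConsistencyGuid, that
    # attribute (a byte[] copy of the objectGUID) is authoritative; fall back to objectGUID.
    $consistencyGuid = $adUser.'mS-DS-ConsistencyGuid'
    $expected = if ($consistencyGuid) {
        [Convert]::ToBase64String([byte[]]$consistencyGuid)
    } else {
        ConvertTo-ImmutableId -Guid $adUser.objectGUID
    }

    $cloudUser = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    [pscustomobject]@{
        UserPrincipalName   = $cloudUser.UserPrincipalName
        ExpectedImmutableId = $expected
        EntraImmutableId    = $cloudUser.OnPremisesImmutableId
        Match               = ($expected -eq $cloudUser.OnPremisesImmutableId)
        SyncEnabled         = $cloudUser.OnPremisesSyncEnabled
    }
}

# Usage (sample account name is constructed):
# Test-AnchorMatch -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@mydomain.org'
```

If `Match` is `$false`, `ExpectedImmutableId` is the value to supply to `-OnPremisesImmutableId` in step 2 of the answer above; if `SyncEnabled` is `$true`, the cloud-side update will be refused until the object is taken out of sync scope.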

