Office 365 SSO without immutableID

Samrat Reddy Boothkur 1 Reputation point


I'm trying to set-up Office365 as service provider to login using 3rd party as IDP. We don't have any on-premises AD. All the users are in-cloud users. We are sending NameID as UserPrincipalName in SAML assertion. I even tried to send Object GUID also. Is there a way where we can send SAML assertion without ImmutableID.

AADSTS51004: The user account does not exist in the xxxxxxxxxxxx directory. To sign into this application, the account must be added to the directory.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,790 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,561 Reputation points

    Hello @Samrat Reddy Boothkur ,

    Thanks for reaching out. From your query, I understand that you have setup Office365 as service provider with a third party IDP and users are created directly in the cloud. however when accessing O365, you receive error AADSTS51004 and would want to know if Office 365 SSO can be used without immutableID.

    No, you cannot leverage federation SSO with Azure AD without ImmutableID since AzureAD/Office 365 needs the ImmutableID attribute which used to uniquely identify users. To enable SSO between any identity provides and Office 365, each Office 365 user which used for SSO must have an ImmutableId, and the SAML Name ID attribute sent to Office 365 during SSO must match the ImmutableId.

    The ImmutableID of an AzureAD/O365 users differs depending on how the user is created. The following are the most likely scenarios:

    If users were created in-cloud AzureAD:
    ImmutableID is not set for in-cloud users and blank by default. For these users, you can pick any unique value (for an example: UPN or email address) and assign it as Immutable ID for users.

    Use the PowerShell Set-MsolUser command to set the ImmutableID in Office 365 to match the user’s UPN

    Example: Set-MsolUser -UserPrincipalName -ImmutableId

    PowerShell cmdlet reference:

    If users were created via Azure Active Directory sync, ImmutableID is an encoded version of the On-premises Active Directory objectGUID and get synchronized to Azure AD. To learn more, refer this article.

    Similar scenarios are described in the Immutable sections in this article when using a third-party IDP such as Google with O365 for SSO which can be used to relate with your environment. I hope this was helpful.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments