
How to troubleshoot “AADSTS51004: The user account XXX does not exist in the XXX directory. To sign into this application, the account must be added to the directory.” Error Message

by Cengiz Kuskaya

Problem Description

The error message "AADSTS51004: The user account 4ZtVnLfa9UfSXjKe/32NLQ== does not exist in the 4842004-47b3-4aso-8f12-797e13d1-y823 directory. To sign into this application, the account must be added to the directory." can appear when you try to sign in to a Microsoft website, to your cloud-based corporate application or website, or to Office 365, or when you try to activate your Office 365 desktop app.

Root Cause Analysis

The "AADSTS51004: The user account …" error message is thrown only on the first sign-in attempt after the problem occurred. You can always reproduce it by opening a private browser session and trying to access the resource again.

Once you refresh the browser page showing the "AADSTS51004" error, the browser throws a second error message, shown in the second screenshot below.

Screenshot 1:

The second error message, "This account might not exist or it might not be synchronized. Contact your administrator to add or synchronize the account.", now shows the user as "Signed In". This means the user was able to authenticate successfully: the user's username and password are correct, and the authentication mechanism works as expected against the local Windows Server Active Directory.

Screenshot 2:

This problem occurs only with accounts that originate in Windows Server AD and are synchronized to Microsoft Azure.

Recall the first error message. The user "Account ID" mentioned in it is the user's so-called "ImmutableID": the Base64 string form of the user's ObjectGUID in the local Active Directory. With the PowerShell script below you can convert the ImmutableID into the user's ObjectGUID and vice versa, to cross-check the account in the local Active Directory.

Error Message

Sign in
Sorry, but we're having trouble signing you in.

AADSTS51004: The user account 4ZtVnLfa9UfSXjKe/32NLQ== does not exist in the 4842004-47b3-4aso-8f12-797e13d1 y823 directory. To sign into this application, the account must be added to the directory.

PowerShell Script

# Placeholder values: replace $objectGUID with the user's real ObjectGUID from local AD
# (the original article's sample GUID was not valid hex, so it is replaced here with a
# constructed, syntactically valid one) and $ImmutableID with the ID quoted in the
# AADSTS51004 message.
$objectGUID = 'f17d03dc-5516-312b-8b70-5f0d0f574301'
$ImmutableID = '6DNsiGEES0GKjV+6y1dZdW=='

# ObjectGUID -> ImmutableID: Base64 of the GUID's 16 bytes, which is what Azure AD Connect stores
Write-Host "Convert objectGUID $objectGUID to ImmutableID " -NoNewline
[System.Convert]::ToBase64String(([GUID]$objectGUID).ToByteArray())

# ImmutableID -> ObjectGUID: decode the Base64 bytes back into a GUID
Write-Host "Convert ImmutableID $ImmutableID to objectGUID " -NoNewline
([GUID][System.Convert]::FromBase64String($ImmutableID)).Guid

In conclusion, the error messages above mean that the user's "ImmutableID" is not synced properly to Azure AD, so the user does not get access to Azure resources.
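The cross-check described above, carried one step further as an added example (not the article's own script): decode the ImmutableID quoted in the AADSTS51004 message, reject values that cannot be an ObjectGUID, look the GUID up in local AD with the RSAT ActiveDirectory module, and optionally compare it with the value Azure AD holds for that UPN. The Get-MgUser call and the OnPremisesImmutableId property assume the Microsoft.Graph.Users module is installed and a Connect-MgGraph session exists.

```powershell
# Added example: resolve an ImmutableID from an AADSTS51004 message to a local AD account.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # An ImmutableID is Base64 of the 16 ObjectGUID bytes; anything else cannot be a
    # synced AD account (cloud-only users carry no ImmutableID at all).
    try { $bytes = [System.Convert]::FromBase64String($ImmutableId) }
    catch { throw "'$ImmutableId' is not valid Base64" }
    if ($bytes.Length -ne 16) {
        throw "Decoded $($bytes.Length) bytes; an ObjectGUID is exactly 16 bytes"
    }
    return [Guid]::new($bytes)
}

# ImmutableID taken from the error message quoted in this article
$immutableIdFromError = '4ZtVnLfa9UfSXjKe/32NLQ=='
$guid = ConvertFrom-ImmutableId -ImmutableId $immutableIdFromError
"ImmutableID $immutableIdFromError decodes to ObjectGUID $guid"

# Cross-check 1: does a local AD user with that ObjectGUID exist?
Import-Module ActiveDirectory
try {
    $adUser = Get-ADUser -Identity $guid -Properties UserPrincipalName
} catch {
    $adUser = $null
}
if ($null -eq $adUser) {
    "No local AD user has ObjectGUID $guid; the ID held in Azure AD is stale."
} else {
    "Local AD account: $($adUser.UserPrincipalName) (SamAccountName $($adUser.SamAccountName))"

    # Cross-check 2 (optional, assumes Connect-MgGraph -Scopes 'User.Read.All' was run):
    # the ImmutableID Azure AD stores must equal Base64 of the local ObjectGUID bytes.
    $expected  = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloudUser = Get-MgUser -UserId $adUser.UserPrincipalName -Property OnPremisesImmutableId
    if ($cloudUser.OnPremisesImmutableId -ne $expected) {
        "Mismatch: Azure AD holds '$($cloudUser.OnPremisesImmutableId)', local AD yields '$expected'"
    } else {
        "ImmutableID matches the local ObjectGUID; sync of this attribute is consistent."
    }
}
```

A mismatch or a missing local object confirms the article's diagnosis before you touch the Azure AD Connect sync scope.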

Solution

There are many approaches available on the Internet, but the easiest and safest way to fix this problem is to remove the user's account from the sync on the Azure AD Connect server and then re-add the user to the sync. This is an administrative task and can only be done by an administrator who has access to the Azure AD Connect sync server.

Good luck!