<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Error During Microsoft Office 365 Single Sign-On "AADSTS51004 The user account does not exist in the directory"
Jan 27, 2026
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article provides guidance on resolving a specific error encountered during the Single Sign-On (SSO) flow between Okta and Microsoft Office 365. The error message reads:

AADSTS51004: The user account <id> does not exist in the <id> directory. To sign in to this application, the account must be added to the directory.

Error message

Applies To
  • Administrators working with Microsoft Office 365
  • Federation (WS-FED)
  • Single Sign On (SSO)
Cause

This error arises when a Microsoft Office 365 user has an ImmutableID in Entra ID that does not match the ImmutableID configured in Okta.

Solution

Verify ImmutableID in Entra ID

  1. Open Windows PowerShell.
  2. Connect to Microsoft Graph using the command: Connect-MgGraph -Scopes Directory.AccessAsUser.All.

NOTE: Microsoft Graph will need to be installed if it has not already been installed. For more information, please check the Microsoft Documentation: Install the Microsoft Graph PowerShell SDK documentation. 

connect

  1. Verify if the ImmutableID is missing for the affected user by running the following command (replace <user@domain.tld> with the user's UPN):

Get-MgUser -UserId <user@domain.tld> -Property OnPremisesImmutableId | Format-List OnPremisesImmutableId. 

A blank value indicates that the ImmutableID is missing.

immutableID

    Solution 1: ImmutableID is available in Okta, but is missing in Entra ID

    Set the ImmutableID for the affected user with the following command (replace <user@domain.tld> with the user's UPN and <ImmutableId> with the new ImmutableId): 

    Update-MgUser -UserId user1.test0000@secura.one -OnPremisesImmutableId <ImmutableId>

    immutableID  

    Solution 2: ImmutableID is available in Entra ID, and Active Directory is used in Okta

    If Active Directory is used, check the mappings and verify if the value is populated by Active Directory.
    In the Okta Admin Dashboard > Profile Editor > Office 365 instance > Mappings > Okta > Office 365.
    The following expression can be seen:

    hasDirectoryUser()?findDirectoryUser().externalId:null

    Office 365 instance

      Next, ensure that the same value is populated in the Application username profile, in this case, Office 365.
      If the value does not match the Active Directory external ID, reassigning the user will bring the new value in.

      NOTE: Ensure that Deactivate Users is not enabled when unassigning/reassigning the user.

       

      Solution 3: ImmutableID is available in Entra ID, and Active Directory is not used in Okta

      In this scenario, Active Directory is not used as a source, and Okta is not mapping the Object GUID (external ID) to the ImmutableID.
      Best practices recommend that the Okta User ID be used as the mapping value for the ImmutableID, as the Okta User ID is an immutable value during the user's lifecycle.
      Mappings will have to be adjusted accordingly with the following expression:

      user.getInternalProperty("id")
      Microsoft Office 365



       

      Related References

       

       
       

      Recommended content

      Still looking for help?
      Loading
      Error During Microsoft Office 365 Single Sign-On "AADSTS51004 The user account does not exist in the directory"