Microsoft Office 365 Tenant Change Causes AADSTS50020 Error
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article describes the cause of, and the resolution for, the AADSTS50020 error that is triggered when a user attempts to log in to Office using Okta after the Microsoft default domain has been changed:

AADSTS50020: User account <username> from identity provider <identity provider> does not exist in tenant <tenant name> and cannot access the application <application ID> (Okta Microsoft Graph Client) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Error Message
Applies To
  • Single Sign On (SSO)
  • Microsoft Desktop Apps
  • Service Provider (SP)-Initiated SSO
Cause

Changing the Microsoft default domain (from "MyDomain.onmicrosoft.com" to "MyDomain2.onmicrosoft.com", for example) may trigger the AADSTS50020 error.
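When the error starts appearing for many users at once, the first triage question is whether every failure points at the same tenant and application, which is what a default-domain change produces, or at scattered accounts. The helper below is an added example, not Okta's or Microsoft's code: it parses the AADSTS50020 message template quoted above into its user, identity-provider, tenant and application fields and groups the failures. The sample log lines are constructed (example.com users, an all-zero directory id and an all-one application id); the assumption that Azure AD keeps the field order of the template, with the variable parts optionally single-quoted, is marked in the code.

```python
"""Triage helper for AADSTS50020 sign-in failures (added example, not vendor code)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Pattern for the AADSTS50020 message template quoted in the article. Azure AD
# usually wraps the variable parts in single quotes; the quotes are optional so
# the unquoted template also parses. Assumption: the field order never changes.
AADSTS50020_RE = re.compile(
    r"AADSTS50020:\s*User account\s+'?(?P<user>[^'\s]+)'?\s+"
    r"from identity provider\s+'?(?P<idp>[^'\s]+)'?\s+"
    r"does not exist in tenant\s+'?(?P<tenant>.+?)'?\s+"
    r"and cannot access the application\s+'?(?P<app>[^'\s(]+)'?"
)

# Constructed sample log lines (not real sign-in data): example.com users, an
# all-zero directory id and an all-one application id stand in for real values.
SAMPLE_LOG = [
    "AADSTS50020: User account 'alice@example.com' from identity provider "
    "'https://sts.windows.net/00000000-0000-0000-0000-000000000000/' does not exist "
    "in tenant 'MyDomain2' and cannot access the application "
    "'11111111-1111-1111-1111-111111111111'(Okta Microsoft Graph Client) in that tenant. "
    "The account needs to be added as an external user in the tenant first.",
    "AADSTS50020: User account bob@example.com from identity provider okta "
    "does not exist in tenant MyDomain2 and cannot access the application "
    "11111111-1111-1111-1111-111111111111 (Okta Microsoft Graph Client) in that tenant.",
    "AADSTS50011: The reply URL specified in the request does not match.",
]


def parse_aadsts50020(message: str) -> Optional[Dict[str, str]]:
    """Return user, idp, tenant and app from one AADSTS50020 message,
    or None when the line is a different error code."""
    match = AADSTS50020_RE.search(message)
    return match.groupdict() if match else None


def tenant_summary(messages: Iterable[str]) -> Counter:
    """Count AADSTS50020 failures per (tenant, application id) pair.
    A default-domain change shows up as one pair carrying all the failures."""
    counts: Counter = Counter()
    for message in messages:
        fields = parse_aadsts50020(message)
        if fields:
            counts[(fields["tenant"], fields["app"])] += 1
    return counts


def users_by_tenant(messages: Iterable[str]) -> Dict[str, Set[str]]:
    """Group the affected user accounts by the tenant named in the error."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for message in messages:
        fields = parse_aadsts50020(message)
        if fields:
            groups[fields["tenant"]].add(fields["user"])
    return dict(groups)


if __name__ == "__main__":
    for (tenant, app), count in tenant_summary(SAMPLE_LOG).items():
        print(f"{count} AADSTS50020 failure(s) against tenant {tenant!r}, application {app}")
    for tenant, users in users_by_tenant(SAMPLE_LOG).items():
        print(f"  {tenant}: {', '.join(sorted(users))}")
```

Feed it the exported sign-in failure messages instead of SAMPLE_LOG. If every affected user names the same tenant and the Okta Microsoft Graph Client application, the cause described in this article (stale cached identities after the default domain was changed) is far more likely than a single mis-provisioned account, and the per-device cleanup in the Solution section is the fix to apply.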

Solution
  1. For Mac:
     1. Close all Microsoft applications.
     2. Open Keychain and choose View > Show Invisible Items.
     3. Search for "Microsoft Office Identities Cache" and "Microsoft Office Identities Settings"; delete these two.
     4. Search for "com.microsoft.oneauth" and delete all.
     5. Open Word (or any other Microsoft app) and click Sign In.
  2. For Windows: