A missing or disconnected Active Directory (AD) user profile in Okta causes authentication failures for federated Microsoft Office 365 applications. The fix is to import the user from AD so that the AD profile is linked to the Okta user. The affected user receives the following Microsoft error when attempting to access Office 365 applications:
> AADSTS51004 User account does not exist in the directory.
The user cannot proceed past this page or sign in to any Microsoft Office 365 application.
Applies to:
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Microsoft Office 365
- WS-Federation
If users in the Okta org are sourced from AD and Microsoft Office 365 is federated through Okta, users authenticate to Office 365 through Okta with their AD credentials. The error occurs when the AD user profile either does not exist in Okta or is not linked to the corresponding Okta user, so the federated sign-in cannot be completed for that account.
How is the Office 365 user account does not exist error resolved?
Follow these steps to verify the Active Directory user profile and import the user into Okta:
- In the Okta Admin Console, navigate to Directory > People.
- Select the affected user and check whether the profile shows the status "Profile sourced by Active Directory". If it does not, the AD profile is missing or not linked to this Okta user, which confirms the cause described above.
- Confirm that the AD user exists and note the Organizational Unit where the user profile is located.
- Navigate to Directory > Directory Integrations > [AD] > Provisioning > Integration and verify that the AD user is in scope for import.
- Navigate to Directory > Directory Integrations > [AD] > Provisioning > To Okta and verify that the User Matching settings correctly match the AD user to the Okta user.
- Go to Directory > Directory Integrations > [AD] > Import. Select Import Now and perform a full import from AD.
- Verify that the user has been imported and matched successfully.
- If the Okta user was previously assigned Office 365 applications, remove and reassign the assignment.
- Verify that the user can now sign in to Office 365.
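The following is an added example, not part of this article or Okta's own tooling. It models the two checks from the steps above (whether the Okta user is already AD-sourced, and whether the AD user would be matched to an existing Okta user under the "To Okta" User Matching settings) so you can predict what a full import will do before running it. The user records use the shape returned by the Okta Users API (`profile.login`, `profile.email`, `credentials.provider.type`); the matching semantics (match on username, email, or either, with an optional partial match on the part before "@") are a simplified model of the Okta settings and are an assumption, as is using the AD `userPrincipalName` as the imported username.

```python
# Added example (not Okta's code). Models the checks from the article's steps:
#  - is the Okta user already "Profile sourced by Active Directory"?
#  - would the AD user match an Okta user under the org's User Matching settings?
# Assumption: matching semantics are a simplified model of Okta's "To Okta" settings,
# and the AD userPrincipalName is the username Okta imports.

def is_ad_sourced(okta_user: dict) -> bool:
    """True when Okta shows 'Profile sourced by Active Directory' (provider type ACTIVE_DIRECTORY)."""
    provider = okta_user.get("credentials", {}).get("provider", {})
    return provider.get("type") == "ACTIVE_DIRECTORY"

def _prefix(value: str) -> str:
    """Part of a username before '@', used for partial matching."""
    return value.split("@", 1)[0].lower()

def find_match(ad_user: dict, okta_users: list, match_on: str = "username_or_email",
               partial: bool = False):
    """Return the Okta user the AD user would link to, or None if import would create a new user."""
    upn = ad_user["userPrincipalName"].lower()
    mail = (ad_user.get("mail") or "").lower()
    for user in okta_users:
        login = user["profile"]["login"].lower()
        email = user["profile"]["email"].lower()
        by_user = login == upn or (partial and _prefix(login) == _prefix(upn))
        by_mail = mail != "" and email == mail
        if (match_on == "username" and by_user) or (match_on == "email" and by_mail) \
                or (match_on == "username_or_email" and (by_user or by_mail)):
            return user
    return None

def diagnose(ad_user: dict, okta_users: list, **settings) -> str:
    """Classify the case: 'already_linked', 'needs_import_link' (import will link), or
    'would_create_new' (matching settings will not find the Okta user; fix them first)."""
    match = find_match(ad_user, okta_users, **settings)
    if match is None:
        return "would_create_new"
    return "already_linked" if is_ad_sourced(match) else "needs_import_link"

# Constructed sample data: an Okta-mastered user whose AD profile was never linked.
AD_USER = {"userPrincipalName": "jdoe@corp.example.com", "mail": "jdoe@corp.example.com"}
OKTA_USERS = [
    {"profile": {"login": "jdoe@example.com", "email": "jdoe@corp.example.com"},
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"profile": {"login": "asmith@corp.example.com", "email": "asmith@corp.example.com"},
     "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example.com"}}},
]

if __name__ == "__main__":
    print(diagnose(AD_USER, OKTA_USERS))                                   # needs_import_link
    print(diagnose(AD_USER, OKTA_USERS, match_on="username"))              # would_create_new
    print(diagnose(AD_USER, OKTA_USERS, match_on="username", partial=True))  # needs_import_link
```

A result of `would_create_new` means a full import would create a duplicate Okta user instead of linking the AD profile, which is why the article has you check the User Matching settings before importing.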
