Hello @Rodrigo Cruz
Thank you for reaching out to Microsoft QnA support. I would like to confirm following details with regards to the error message shared.
- Error Code: AADSTS51004
- Message: UserAccountNotInDirectory - The user account doesn’t exist in the directory. The user account “ImmutableId” does not exist in the “tenant guid” directory. To sign into this application, the account must be added to the directory.
- Description: The user does not exist in the tenant.
When a federated user authenticates and after the validity of the token is confirmed, the corresponding user object is searched from the tenant. The token contains the user’s UserPrincipalName and ImmutableId. Azure AD searches the user object using only the ImmutableId; the UserPrincipalName is not used at all. Thus, the UserPrincipalName can be any string, such as Rodrigo@abc.com. The search procedure searches for a user object having the matching ImmutableId. I would like to emphasize that there are no sanity checks whether the user’s domain matches the federation realm. In practice, this allows all tenant’s IdPs to create valid tokens for any user of the tenant. This includes tenant.onmicrosoft.com and external users.
- In this case Google expects UserPrincipalName in the ImmutableID of the user.
- This information is also mentioned on Microsoft Identity Platform documentation: Use a SAML 2.0 Identity Provider (IdP) for Single Sign On
Hence to successfully authenticate the users with Google Workspace you might need to specify users UPN in ImmutableID section. You can use commands mentioned on following article to update ImmutableID on Entra ID accounts: https://learn.microsoft.com/en-us/education/windows/federated-sign-in?tabs=intune#identity-matching-in-microsoft-entra-id
Hope this will help. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.