When a user tries to sign into an Azure-connected application, they get the error: "AADSTS50034: The user account does not exist in the directory. To sign into this application, the account must be added to the directory."

The Fix

The most common cause is that the user account is set to Guest type instead of Member in Microsoft Entra ID (Azure AD). Applications like UiPath, migration tools, and service principals often do not allow Guest accounts to authenticate.

Convert Guest to Member in Azure Portal:

1. Log into portal.azure.com as a Global Administrator.

2. Go to Microsoft Entra ID > Users.

3. Search for and select the affected user.

4. Click Profile, then change User type from Guest to Member.

5. Save. Have the user retry authentication.

Convert Guest to Member via PowerShell:

# Install the Microsoft Graph module if it is not already present
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Microsoft Graph with a scope that permits editing user objects
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Look up the user's object ID by their email address
$userId = (Get-MgUser -Filter "mail eq 'user@domain.com'").Id

# Change the user type from Guest to Member
Update-MgUser -UserId $userId -UserType "Member"

# Disconnect the session
Disconnect-MgGraph

If That Doesn't Work: Verify User Exists in Correct Tenant

The error may mean the user account is not in the target directory at all.

1. In Entra ID > Users, search for the user account.

2. Verify the directory domain matches the application's tenant (check the error message for the directory GUID or *.onmicrosoft.com domain).

3. If the user is missing, add them: New user > Invite user (external) or Create new user (internal).

4. Set the new account to Member type.

5. Send the invitation and have the user accept before retrying.
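The two checks above (is the account a Guest, and is it in the tenant the error names) can be run as one diagnostic pass before anything is changed. The function below is an added example, not part of the original article; it assumes the Microsoft.Graph module, an existing Connect-MgGraph session with User.ReadWrite.All, and that the directory GUID shown in the AADSTS50034 error is passed as -ExpectedTenantId.

```powershell
# Added example (not from the original article): report-only diagnosis of AADSTS50034 causes,
# with an opt-in Guest -> Member conversion. Assumes Connect-MgGraph has already been run.
function Test-Aadsts50034User {
    param(
        [Parameter(Mandatory)] [string]$UserEmail,
        [string]$ExpectedTenantId,    # directory GUID quoted in the error text, if known
        [switch]$ConvertToMember      # actually flip Guest -> Member; default only reports
    )

    # 1. Are we connected to the directory the application belongs to?
    $ctx = Get-MgContext
    if (-not $ctx) { throw "Run Connect-MgGraph -Scopes 'User.ReadWrite.All' first." }
    if ($ExpectedTenantId -and $ctx.TenantId -ne $ExpectedTenantId) {
        Write-Warning "Connected to tenant $($ctx.TenantId) but the error names $ExpectedTenantId; fixing the wrong directory will not help."
    }

    # 2. Does the account exist here? A guest keeps the original address in 'mail' while the UPN
    #    is rewritten to user_domain.com#EXT#@tenant.onmicrosoft.com, so match on both fields.
    $filter = "mail eq '$UserEmail' or userPrincipalName eq '$UserEmail'"
    $user = Get-MgUser -Filter $filter -Property Id,UserPrincipalName,Mail,UserType,AccountEnabled,ExternalUserState |
            Select-Object -First 1
    if (-not $user) {
        return [pscustomobject]@{ Found = $false; Diagnosis = 'Not in this directory; invite or create the account.' }
    }

    # 3. Classify the likely cause in the order the article walks them.
    if (-not $user.AccountEnabled)                        { $diagnosis = 'Account disabled; enable it before changing the type.' }
    elseif ($user.ExternalUserState -eq 'PendingAcceptance') { $diagnosis = 'Invitation not yet accepted; user must redeem it first.' }
    elseif ($user.UserType -eq 'Guest')                   { $diagnosis = 'Guest account; convert to Member.' }
    else                                                  { $diagnosis = 'Enabled Member; check sync or application configuration instead.' }

    # 4. Optional remediation, applied only to the enabled-Guest case.
    if ($ConvertToMember -and $user.UserType -eq 'Guest' -and $user.AccountEnabled) {
        Update-MgUser -UserId $user.Id -UserType 'Member'
        $diagnosis += ' Converted to Member; have the user sign out fully and sign in again.'
    }

    [pscustomobject]@{
        Found       = $true
        Upn         = $user.UserPrincipalName
        UserType    = $user.UserType
        Enabled     = $user.AccountEnabled
        InviteState = $user.ExternalUserState
        Diagnosis   = $diagnosis
    }
}

# Report first; rerun with -ConvertToMember once the output confirms the Guest case.
Test-Aadsts50034User -UserEmail 'user@domain.com' -ExpectedTenantId '<tenant-guid-from-error>'
```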

If That Doesn't Work: Fix Azure AD Connect Sync Issues

When using Azure AD Connect or Cloud Sync, the error may show {EmailHidden} instead of the email. This indicates a sync problem.

# Install Azure AD Cloud Sync Tools module
Install-Module -Name AADCloudSyncTools -Scope CurrentUser

Follow Microsoft's PowerShell reference to configure sync:
https://learn.microsoft.com/en-gb/azure/active-directory/cloud-sync/reference-powershell

Run sync repair to match tenant configuration:

After repairing the sync configuration, force a delta sync and wait 30 minutes for changes to propagate.

If That Doesn't Work: Check Application Configuration

Some applications require specific OAuth2 settings. For example, YSoft Email Print needs public workflows enabled:

1. Open the application's OAuth2 or authentication settings.

2. Find Allow Public Workflows or a similar setting.

3. Enable it and save.

4. Restart the application service if required.

If That Doesn't Work: Remove and Recreate Connection

For integration failures (Viva Goals, third-party connectors):

1. Go to the application's connection settings.

2. Delete the existing connection to Entra ID.

3. Create a new connection using an active Member account.

4. Ensure the account has the correct application permissions.

Verify

After making changes, test authentication. For Member type conversion, the change is immediate. Have the user sign out completely, close all browser sessions, and sign in again. The error should not appear.

For sync-related fixes, wait 30 minutes. Check the user's properties in Entra ID to confirm the email is no longer masked and the account is active. Check application logs for successful authentication.


IT Support Tacoma, WA | RainCity Techworks