
"No credentials" error when a federated user tries to activate an Office application

PROBLEM
Assume that your Microsoft Office 365 organization is federated and that it's enabled for modern authentication. Additionally, assume that you're using directory synchronization to sync on-premises Active Directory to Azure Active Directory (Azure AD). 

In this environment, when a federated user tries to activate a Microsoft Office application, the user receives the following error message:
    No credentials
    The system requires that you sign on to a valid account

CAUSE
This issue occurs if the ImmutableID attribute of the user is missing. When the federated identity platform sends the expected values of the user principal name (UPN) and the ImmutableID attribute, the ImmutableID attribute can't be verified in Azure AD because the property is empty. This causes the service to deny access. In this case, the service is Office.
SOLUTION
Update the ImmutableID attribute of the user. However, be aware that you can't directly update the ImmutableID attribute of a federated user. Therefore, to resolve this issue, use one of the following methods:

Method 1: Convert the federated domain to a managed domain

  1. Install the Azure Active Directory Module for Windows PowerShell (if it isn't already installed), and then connect to Azure AD.

    For more information, see Manage Azure AD using Windows PowerShell.
  2. Convert the domain to a managed domain. To do this, run the following command:
    Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
    For more information, see Convert-MsolDomainToStandard.
  3. Update the ImmutableID attribute of the user. To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.com -ImmutableID <ImmutableID>

Method 2: Convert the federated user to a managed user

  1. Install the Azure Active Directory Module for Windows PowerShell (if it isn't already installed), and then connect to Azure AD.

    For more information, see Manage Azure AD using Windows PowerShell.
  2. Convert the user to a managed user. To do this, change the UPN to a domain that's not federated. For example, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.com -NewUserPrincipalName user@contoso.onmicrosoft.com
  3. Update the ImmutableID attribute of the user (the account now has the temporary onmicrosoft.com UPN from step 2). To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.onmicrosoft.com -ImmutableID <ImmutableID>
  4. Set the UPN back to the federated domain. To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.onmicrosoft.com -NewUserPrincipalName user@contoso.com
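As an added example (not part of the original article), the following PowerShell audit finds users on federated domains whose ImmutableId is empty, the condition described under CAUSE, and computes the value the fix should set. It assumes an established Connect-MsolService session, the ActiveDirectory RSAT module, and objectGUID as the sync source anchor (the Azure AD Connect default; tenants using ms-DS-ConsistencyGuid must read that attribute instead).

```powershell
# Added example, not from the original article.
# Assumptions: Connect-MsolService has already been run, the ActiveDirectory module is
# available, and the directory-sync source anchor is objectGUID (Azure AD Connect default).

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # With the default source anchor, ImmutableId is the base64 form of the on-premises
    # objectGUID bytes. Tenants using ms-DS-ConsistencyGuid must read that attribute instead.
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Find-FederatedUsersMissingImmutableId {
    # Only users whose UPN suffix is a federated domain are affected by this issue.
    $federated = (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }).Name
    Get-MsolUser -All |
        Where-Object {
            $domain = $_.UserPrincipalName.Split('@')[1]
            ($federated -contains $domain) -and [string]::IsNullOrEmpty($_.ImmutableId)
        } |
        Select-Object UserPrincipalName, ObjectId, LastDirSyncTime
}

# Report each affected cloud account alongside the value Method 1 or Method 2 should set.
foreach ($u in Find-FederatedUsersMissingImmutableId) {
    $upn = $u.UserPrincipalName
    $onPrem = Get-ADUser -Filter { UserPrincipalName -eq $upn }
    if (-not $onPrem) {
        # No matching on-premises object: the ImmutableId cannot be derived, investigate manually.
        Write-Warning "${upn}: no matching on-premises account found"
        continue
    }
    [pscustomobject]@{
        UserPrincipalName   = $upn
        LastDirSyncTime     = $u.LastDirSyncTime
        ExpectedImmutableId = Get-ExpectedImmutableId -SamAccountName $onPrem.SamAccountName
    }
}
```

Run the audit before and after applying either method to confirm that no federated user is left with an empty ImmutableId.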
Properties

Article ID: 3097057 - Last Review: 09/24/2015 20:23:00 - Revision: 2.0

Microsoft Office 365, Microsoft Azure Active Directory, Office 365 Identity Management, Microsoft Office 365 ProPlus, Microsoft Office Professional Plus 2016, Microsoft Office Professional Plus 2013
