"No credentials" error when a federated user tries to activate an Office application

PROBLEM

Assume that your Microsoft Office 365 organization is federated and that it's enabled for modern authentication. Additionally, assume that you're using directory synchronization to sync on-premises Active Directory to Azure Active Directory (Azure AD). 

In this environment, when a federated user tries to activate a Microsoft Office application, the user receives the following error message:
No credentials
The system requires that you sign on to a valid account

CAUSE

This issue occurs if the ImmutableID attribute of the user is missing. When the federated identity platform sends the expected values of the user principal name (UPN) and the ImmutableID attribute, the ImmutableID attribute can't be verified in Azure AD because the property is empty. This causes the service to deny access. In this case, the service is Office.

SOLUTION

Update the ImmutableID attribute of the user. However, be aware that you can't directly update the ImmutableID attribute of a federated user. Therefore, to resolve this issue, use one of the following methods:

Method 1: Convert the federated domain to a managed domain

  1. Install the Azure Active Directory Module for Windows PowerShell (if it isn't already installed), and then connect to Azure AD.

    For more information, see Manage Azure AD using Windows PowerShell.
  2. Convert the domain to a managed domain. To do this, run the following command:
    Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
    For more information, see Convert-MsolDomainToStandard.
  3. Update the ImmutableID attribute of the user. To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.com -ImmutableID <ImmutableID> 

Method 2: Convert the federated user to a managed user

  1. Install the Azure Active Directory Module for Windows PowerShell (if it isn't already installed), and then connect to Azure AD.

    For more information, see Manage Azure AD using Windows PowerShell.
  2. Convert the user to a managed user. To do this, change the UPN to a domain that's not federated. For example, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.com -NewUserPrincipalName user@contoso.onmicrosoft.com
  3. Update the ImmutableID attribute of the user. The user is now addressed by the non-federated UPN that was set in step 2. To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.onmicrosoft.com -ImmutableID <ImmutableID>
  4. Set the UPN back to the federated domain. To do this, run the following command:
    Set-MsolUserPrincipalName -UserPrincipalName user@contoso.onmicrosoft.com -NewUserPrincipalName user@contoso.com
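Before choosing either method, it helps to confirm that an empty or wrong ImmutableID is really the cause and to obtain the value to pass as <ImmutableID>. The following script is added here as an example and is not part of this article; it assumes the default Azure AD Connect source anchor (the on-premises objectGUID, Base64-encoded), the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and a placeholder UPN.

```powershell
# Added example (not from the KB article): compute the ImmutableID that
# directory synchronization is expected to have written for a user and
# compare it with the value stored in Azure AD.
# Assumes: default Azure AD Connect source anchor (objectGUID), the
# ActiveDirectory and MSOnline modules, and an existing Connect-MsolService session.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. user@contoso.com
)

Import-Module ActiveDirectory
Import-Module MSOnline

# Azure AD Connect stores the Base64 encoding of the objectGUID bytes as the
# sourceAnchor, which surfaces in Azure AD as the ImmutableId attribute.
function Get-ExpectedImmutableId {
    param([string]$Upn)
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties ObjectGUID
    if (-not $adUser) { throw "No on-premises AD user found with UPN $Upn" }
    return [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

$expected  = Get-ExpectedImmutableId -Upn $UserPrincipalName
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$actual    = $cloudUser.ImmutableId

if ([string]::IsNullOrEmpty($actual)) {
    # This is the condition described under CAUSE: the property is empty,
    # so the ImmutableID sent by the federation server can't be verified.
    Write-Warning "ImmutableId is EMPTY in Azure AD for $UserPrincipalName."
    Write-Output  "Value to use for <ImmutableID>: $expected"
}
elseif ($actual -ne $expected) {
    Write-Warning "ImmutableId MISMATCH for $UserPrincipalName."
    Write-Output  "Azure AD has: $actual"
    Write-Output  "objectGUID gives: $expected"
}
else {
    Write-Output "ImmutableId OK for $UserPrincipalName: $actual"
}
```

If your tenant uses a different source anchor (for example, ms-DS-ConsistencyGuid), compute the expected value from that attribute instead of objectGUID.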

MORE INFORMATION

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.
Article ID: 3097057 - Last reviewed: December 21, 2016 - Revision: 1