Lars Viding

Senior IT Consultant


One federated User can’t sign in to Office 365

12 February, 2014 by LarsViding

The customer has had federation and a Hybrid deployment to Office 365 for about two years, and suddenly one user can’t sign in to Office 365. It turned out that the user had never used any of the resources in Office 365 until now, when he has to have access to one of the SharePoint Online sites in the customer’s Office 365 tenant.

I checked the following:
1. That the user has a federated account with the right license. – Yes!
2. RCA -> Office 365 -> Single Sign On Test – Does work!
3. Whether Dirsync has any errors, and explicitly the actions taken for this user. – No errors!
4. Installed the RCA client -> Microsoft Connectivity Analyzer and checked for this user.

RCA output:

Additional Information: Some problems were discovered when the token is sent to the Azure Active Directory. The endpoint returned the following error code: HR 800478ac

— and —

Additional Information: Some problems were discovered when the token is sent to the Azure Active Directory. The endpoint returned the following error code: -2147190612 MSPPError

5. Checked the user’s account in the on-prem AD to see if I could find any deviation – but no deviations!
6. Sent in a support request.
7. After some testing, MS Support found this:

The user account has not been provisioned within Azure AD/Office 365!

8. Action: Change the UPN for the user to the tenant domain (user@”tenant-name”.onmicrosoft.com).
No, it did not work!

9. Found this in the Office 365 community:
http://community.office365.com/en-us/forums/148/p/58145/212605.aspx

“Based on your description, I understand that when you use the command Set-MsolUserPrincipalName to change a user’s UPN you receive the error message ‘Access Denied. You do not have permissions to call this cmdlet.’
Please disable the dirsync and then run this command. After that, enable the dirsync to see if the issue persists.”

I tried this solution to the access denied problem, but with no luck. I even waited one day after I deactivated dirsync in the Office 365 Admin Center.

10. The case was escalated!
Now MS Support gave me a deeper explanation of the real problem:

“The user account has not been provisioned to the Authentication Platform. Because of that the user can’t log in and we were unable to change the user’s UPN.”

Solution:

The user account has to be removed from the Azure Directory Store and re-created via Dirsync.

One thing to be aware of: before you delete the user you have to take care of the user’s SkyDrive Pro data and/or mailbox data.

In my case the user had never used any of this, so I just deleted the user and started Dirsync manually.

Connect to Azure AD and…

# Soft-delete the user (this only moves the object to the Azure AD recycle bin)
Remove-MsolUser -UserPrincipalName user@xxx.se

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

# Purge it from the recycle bin as well, so the next Dirsync run creates a fresh object
# instead of restoring the broken one
Remove-MsolUser -UserPrincipalName user@xxx.se -RemoveFromRecycleBin

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
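The same recovery as a script with the checks I would want before deleting a synced user. This is an added example, not part of the original post; it assumes the MSOnline module, an admin connection to the tenant, that the mailbox and SkyDrive Pro data have already been handled, and that Start-OnlineCoexistenceSync is available on the Dirsync server.

```powershell
# Added example (not from the original post): remove a broken synced user object from
# Azure AD and purge it from the recycle bin so that the next Dirsync run re-provisions it.
# Assumes the MSOnline module and Global Admin rights; the UPN below is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # e.g. user@xxx.se (placeholder domain from the post)
)

Import-Module MSOnline
Connect-MsolService

# 1. Confirm the object exists and is managed by Dirsync (has a last sync time).
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
if (-not $user.LastDirSyncTime) {
    throw "$UserPrincipalName is not a synced object; this recovery does not apply."
}

# 2. Confirm the UPN suffix is a federated domain, which is the scenario in the post.
$suffix = $UserPrincipalName.Split('@')[1]
$domain = Get-MsolDomain -DomainName $suffix
if ($domain.Authentication -ne 'Federated') {
    Write-Warning "$suffix is $($domain.Authentication), not Federated."
}

# 3. A licensed user may own a mailbox or SkyDrive Pro data; stop unless that is handled.
if ($user.IsLicensed) {
    Write-Warning "User is licensed ($($user.Licenses.AccountSkuId -join ', ')); secure mailbox/SkyDrive Pro data first."
    if ((Read-Host 'Type DELETE to continue') -ne 'DELETE') { return }
}

# 4. Soft-delete, then purge from the recycle bin so Dirsync creates a fresh object
#    instead of restoring the broken one. -Force skips the interactive Confirm prompts.
Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force

# 5. Verify nothing is left, neither live nor in the recycle bin, before syncing again.
$live    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
$deleted = Get-MsolUser -ReturnDeletedUsers |
           Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
if ($live -or $deleted) { throw 'Object still present; do not start Dirsync yet.' }

# 6. Trigger the sync on the Dirsync server (assumed cmdlet from the DirSync module),
#    then re-check the user with Get-MsolUser once the run has finished.
Write-Host "Purged $UserPrincipalName. On the Dirsync server run: Import-Module DirSync; Start-OnlineCoexistenceSync"
```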

Filed Under: Office 365 Admin
