
How to fix CAA200004 and AADSTS90072 user account errors in Outlook desktop client?

Problem

We have implemented Microsoft 365 E5 with Office 365 Message Encryption enabled to ensure secure messaging. When an external recipient opens an encrypted email using the Outlook desktop client, they are prompted to enter a username and password instead of an MFA code.

When an external user enters their login information and clicks the Next button, CAA200004 and AADSTS90072 user account errors are encountered. The detailed error message is as follows:

Something went wrong
We couldn’t sign you in. If this error persists, contact your system administrator and provide the error code CAA 200004.
Additional problem information
Error code: CAA200004


Sorry, but we’re having trouble signing you in.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


Something went wrong
Unfortunately we’re having trouble signing you in. Try again in a few minutes. If this doesn’t work, contact your support person and report this error.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


The error does not occur if the encrypted email is opened with either the default Windows 10 Mail application or Outlook Web Access in a browser. Follow the solution steps below to fix the CAA200004 and AADSTS90072 user account errors.

Potential Causes

According to the Microsoft Doc "Azure AD Authentication and authorization error codes", the AADSTS90072 error is:

PassThroughUserMfaError: The external account that the user signs in with doesn’t exist on the tenant that they signed into; so the user can’t satisfy the MFA requirements for the tenant. This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. The account must be added as an external user in the tenant first. Sign out and sign in with a different Azure AD user account.

Conditional Access Policies are implemented to enable Multi-Factor Authentication (MFA) for guests and external users. External users who do not have an account in the Azure Active Directory are unable to use MFA.

Solution 1: Exclude Microsoft Azure Information Protection

Apply the steps below to exclude the Microsoft Azure Information Protection cloud app from the Require MFA for guests policy.

Step 1: Go to Azure Dashboard > Conditional Access.

Step 2: Under the Assignments > Users and groups > Include for All guest and external users.

Step 3: Under the Assignments > Cloud apps or actions section.

Step 4: Select Microsoft Azure Information Protection as an excluded cloud app.

Exclude Microsoft Azure Information Protection

Solution 2: Exclude Guest and External Users

Step 1: Create a new conditional access policy.

Step 2: Under the Assignments > Users and groups > Exclude for All guest and external users.

Step 3: Under the Assignments > Cloud apps or actions section > Include for Microsoft Azure Information Protection cloud app.
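The same two configurations can be applied with the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example, not part of the article: it first lists the enabled policies that require MFA from guests and external users and still cover the Azure Information Protection app (the condition that produces AADSTS90072), then applies Solution 1 to each of them and creates the Solution 2 policy. Assumptions not taken from the article: the Microsoft.Graph module is installed and the signed-in admin holds Policy.ReadWrite.ConditionalAccess; the AIP app ID is resolved from the tenant's own service principal rather than hardcoded; the new policy's name, its report-only state, its included users ("All") and its MFA grant control are choices made here because the article does not state them; "GuestsOrExternalUsers" is the legacy includeUsers value, so tenants that use the newer guest-type object in their policies need a different match.

```powershell
# Added example (not from the original article): Graph PowerShell equivalent of
# Solution 1 and Solution 2, preceded by an audit of the policies that cause the error.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Microsoft Azure Information Protection app ID from the tenant's
# service principal instead of hardcoding it.
$aip = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aip) { throw "Microsoft Azure Information Protection service principal not found in this tenant" }
$aipAppId = $aip.AppId

# --- Audit: enabled policies that target guests/external users and still cover AIP ---
$guestValue = "GuestsOrExternalUsers"   # legacy includeUsers value (assumption: policies use this form)
$affected = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains $guestValue -and
    ($_.Conditions.Applications.IncludeApplications -contains "All" -or
     $_.Conditions.Applications.IncludeApplications -contains $aipAppId) -and
    $_.Conditions.Applications.ExcludeApplications -notcontains $aipAppId
}
$affected | Select-Object DisplayName, Id

# --- Solution 1: add AIP to the excluded cloud apps of each affected policy ---
foreach ($p in $affected) {
    $u = $p.Conditions.Users
    $a = $p.Conditions.Applications
    # The PATCH sends the users, applications and clientAppTypes conditions back in full so that
    # nothing already configured there is dropped; other condition blocks (platforms, locations)
    # are not touched by this body, so review the policy in the portal after the update.
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = @($u.IncludeUsers);  excludeUsers  = @($u.ExcludeUsers)
                includeGroups = @($u.IncludeGroups); excludeGroups = @($u.ExcludeGroups)
                includeRoles  = @($u.IncludeRoles);  excludeRoles  = @($u.ExcludeRoles)
            }
            applications = @{
                includeApplications = @($a.IncludeApplications)
                excludeApplications = @(@($a.ExcludeApplications) + $aipAppId)
            }
            clientAppTypes = @($p.Conditions.ClientAppTypes)
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body
    Write-Host "Excluded AIP from policy '$($p.DisplayName)'"
}

# --- Solution 2: new policy that includes the AIP app and excludes guests/external users ---
$newPolicy = @{
    displayName = "AIP - exclude guests and external users"   # name is an assumption
    state       = "enabledForReportingButNotEnforced"          # report-only first; set to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($guestValue) }  # "All" assumed
        applications = @{ includeApplications = @($aipAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }  # grant control assumed, not stated in the article
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $newPolicy
```

Run the audit section on its own first; it changes nothing and shows exactly which policies are forcing MFA on guests for the AIP app. The new policy is created in report-only mode so its sign-in log impact can be checked before it is enforced.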