Solved: How do I fix CAA200004 and AADSTS90072 user account errors in Outlook desktop client?

Problem: We are using Microsoft 365 E5 with Office 365 Message Encryption enabled. When an external recipient opens an encrypted email in the Outlook desktop client, the external user is shown a username and password prompt instead of the one-time passcode option. After the external user enters their own credentials and clicks Next, the sign-in fails with the CAA200004 and AADSTS90072 user account errors. The detailed error messages are below:

Something went wrong
We couldn’t sign you in. If this error persists, contact your system administrator and provide the error code CAA 200004.
Additional problem information
Error code: CAA200004


Sorry, but we’re having trouble signing you in.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


Something went wrong
Unfortunately we’re having trouble signing you in. Try again in a few minutes. If this doesn’t work, contact your support person and report this error.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx'(Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


The error does not occur if the same encrypted email is opened with the default Windows 10 Mail app or with Outlook on the web (Outlook Web Access) in a browser.

Follow the solution steps below to fix the CAA200004 and AADSTS90072 user account errors.

Content Summary

Potential Causes
Solution 1: Exclude Microsoft Azure Information Protection
Solution 2: Exclude Guest and External Users
Reference

Potential Causes

Refer to Microsoft Doc > Azure AD Authentication and authorization error codes, where AADSTS90072 is described as:

PassThroughUserMfaError: The external account that the user signs in with doesn’t exist on the tenant that they signed into; so the user can’t satisfy the MFA requirements for the tenant. This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. The account must be added as an external user in the tenant first. Sign out and sign in with a different Azure AD user account.

A Conditional Access policy exists that requires multi-factor authentication (MFA) for all guest and external users. An external recipient who has no account (member or guest) in the tenant's Azure Active Directory cannot satisfy that MFA requirement, so the sign-in to the Microsoft Azure Information Protection app fails with AADSTS90072.

Solution 1: Exclude Microsoft Azure Information Protection

Apply the steps below to exclude the Microsoft Azure Information Protection cloud app from the Require MFA for guests policy.

Step 1: Go to the Azure portal > Conditional Access and open the policy that requires MFA for guests.

Step 2: Under Assignments > Users and groups, confirm that Include is set to All guest and external users.

Step 3: Under Assignments > Cloud apps or actions, select Exclude.

Step 4: Select Microsoft Azure Information Protection as an excluded cloud app and save the policy.

Solution 2: Exclude Guest and External Users

Step 1: Create a new conditional access policy.

Step 2: Under Assignments > Users and groups, set Exclude to All guest and external users.

Step 3: Under Assignments > Cloud apps or actions, set Include to the Microsoft Azure Information Protection cloud app.

Step 4: Under Access controls > Grant, select Grant access and Require multi-factor authentication, then save the policy.
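The two policy changes above, written as a Microsoft Graph PowerShell script. This is an added example, not code from the original article. It assumes the Microsoft.Graph module is installed, the signed-in admin can manage Conditional Access and read sign-in logs, and the existing guest policy is named "Require MFA for guests"; the policy names, the "All" include set in Solution 2, and the report-only state are choices made here, not taken from the page. The Azure Information Protection app ID is looked up by display name rather than hard-coded.

```powershell
# Added example (not from the original article): apply Solution 1 and Solution 2
# with the Microsoft Graph PowerShell SDK, then check the sign-in log for AADSTS90072.
# Assumptions: Microsoft.Graph module installed; the caller can manage Conditional
# Access; the existing guest policy is called "Require MFA for guests".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","AuditLog.Read.All"

# Resolve the first-party app ID from its display name instead of hard-coding it.
$aip = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aip) { throw "Service principal 'Microsoft Azure Information Protection' not found in this tenant" }
$aipAppId = $aip.AppId

# --- Solution 1: exclude the AIP app from the existing guest-MFA policy ---
$guestPolicy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA for guests'"
if (-not $guestPolicy) { throw "Policy 'Require MFA for guests' not found" }

# The conditions block is sent whole, restated as the article describes the policy
# (all apps, all guest and external users). If your policy also has location or
# platform conditions, repeat them here so they are not dropped.
$solution1 = @{
    conditions = @{
        users = @{
            includeUsers = @("GuestsOrExternalUsers")   # "All guest and external users"
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($aipAppId)
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $guestPolicy.Id -BodyParameter $solution1

# --- Solution 2: a separate policy for the AIP app that leaves guests out ---
# Created in report-only mode first so its effect is visible in the sign-in log
# before anyone is blocked. Including "All" users is an assumption; the article
# only states the guest exclusion.
$solution2 = @{
    displayName   = "Require MFA for Azure Information Protection (members only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("GuestsOrExternalUsers")
        }
        applications = @{
            includeApplications = @($aipAppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $solution2

# --- Check: are external recipients still failing with AADSTS90072? ---
# The sign-in log stores the numeric part of the AADSTS code in status/errorCode,
# and lists which Conditional Access policies applied to each attempt.
$failures = Get-MgAuditLogSignIn -Filter "status/errorCode eq 90072" -Top 25
$failures | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
    @{ n = "Reason";     e = { $_.Status.FailureReason } },
    @{ n = "CAPolicies"; e = { ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq "failure").DisplayName -join ";" } }
```

Two things to keep in mind when running this. Solution 1 means guests are no longer challenged for MFA by that policy when they reach the Azure Information Protection app, so make sure that is an accepted trade-off. Solution 2 only changes the outcome if the original guest-MFA policy no longer covers the app; the CAPolicies column in the final query shows which policy is still failing the sign-in, which is the quickest way to confirm that.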

Reference

Microsoft Doc > Azure AD Authentication and authorization error codes
Microsoft Doc > Office Message Encryption – Recipient not able to open office attachments
Microsoft > Security, Compliance, and Identity > Admin control for attachments now available in Office 365 Message Encryption
Microsoft Community > Encrypted e-mail error AADSTS90072