
Solved: How do I fix CAA200004 and AADSTS90072 user account errors in Outlook desktop client?

Problem

We have implemented Microsoft 365 E5 with Office 365 Message Encryption enabled to ensure secure messaging. When an external recipient opens an encrypted email in the Outlook desktop client, they are prompted to enter a username and password instead of an MFA code.

When the external user enters their login information and clicks the Next button, the CAA200004 and AADSTS90072 user account errors are encountered. The detailed error messages are as follows:

Something went wrong
We couldn’t sign you in. If this error persists, contact your system administrator and provide the error code CAA 200004.
Additional problem information
Error code: CAA200004


Sorry, but we’re having trouble signing you in.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx’ (Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


Something went wrong
Unfortunately we’re having trouble signing you in. Try again in a few minutes. If this doesn’t work, contact your support person and report this error.
AADSTS90072: User account ‘xxx’ from identity provider ‘xxx’ does not exist in tenant ‘xxx’ and cannot access the application ‘xxx’ (Microsoft Office) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.


The error does not occur if the encrypted email is opened in either the default Windows 10 Mail application or Outlook Web Access in a browser. Follow the solution steps below to fix the CAA200004 and AADSTS90072 user account errors.

Content Summary

Potential Causes
Solution 1: Exclude Microsoft Azure Information Protection
Solution 2: Exclude Guest and External Users
Reference

Potential Causes

Refer to Microsoft Doc > Azure AD Authentication and authorization error codes; the AADSTS90072 error is described as:

PassThroughUserMfaError: The external account that the user signs in with doesn’t exist on the tenant that they signed into; so the user can’t satisfy the MFA requirements for the tenant. This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. The account must be added as an external user in the tenant first. Sign out and sign in with a different Azure AD user account.


Conditional Access policies are in place that require Multi-Factor Authentication (MFA) for guests and external users. External users who do not have an account in the Azure Active Directory tenant are unable to complete MFA, so the policy cannot be satisfied and the sign-in fails.

Solution 1: Exclude Microsoft Azure Information Protection

Apply the steps below to exclude the Microsoft Azure Information Protection cloud app from the Require MFA for guests policy.

Step 1: Go to Azure Dashboard > Conditional Access.

Step 2: Under Assignments > Users and groups, the existing policy has Include set to All guest and external users.


Step 3: Go to the Assignments > Cloud apps or actions section.

Step 4: Select Microsoft Azure Information Protection as an excluded cloud app.


Solution 2: Exclude Guest and External Users

Step 1: Create a new conditional access policy.

Step 2: Under Assignments > Users and groups, set Exclude to All guest and external users.


Step 3: Under Assignments > Cloud apps or actions, set Include to the Microsoft Azure Information Protection cloud app.


Step 4: Under Access controls > Grant, select Grant access and Require multi-factor authentication.

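To see why both Solution 1 and Solution 2 stop the error, the following added example (not code from the original post or from Microsoft) models the three policy configurations in the Microsoft Graph conditionalAccessPolicy JSON shape and evaluates whether an external recipient signing in to the Azure Information Protection app is made to satisfy an MFA grant. The evaluator is a deliberately reduced model of Conditional Access (user scope, app scope and the mfa grant control only); the AIP app ID is a placeholder, and Solution 2 is assumed to include All users, which the steps above leave unstated.

```python
import copy

# Placeholder: substitute the real app ID of "Microsoft Azure Information Protection"
# (Entra ID > Enterprise applications) before reusing these policy bodies.
AIP_APP = "<AIP-app-id>"
GUESTS = "GuestsOrExternalUsers"  # Graph scope value for "All guest and external users"

# "Before": the blanket guest MFA policy that triggers the error (constructed sample).
REQUIRE_MFA_GUESTS = {
    "displayName": "Require MFA for guests", "state": "enabled",
    "conditions": {"users": {"includeUsers": [GUESTS], "excludeUsers": []},
                   "applications": {"includeApplications": ["All"], "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def solution1(policy):
    """Solution 1: same policy, with the AIP cloud app added to the excluded apps."""
    p = copy.deepcopy(policy)
    p["conditions"]["applications"]["excludeApplications"].append(AIP_APP)
    return p

# Solution 2: a new policy scoped to AIP that excludes guests and requires MFA.
# Assumption: it includes "All" users, which the page's steps leave unstated.
SOLUTION2_POLICY = {
    "displayName": "Require MFA for AIP (members only)", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [GUESTS]},
                   "applications": {"includeApplications": [AIP_APP], "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def _user_matches(user, scope):
    return scope == "All" or (scope == GUESTS and user["external"]) or scope == user["id"]

def _in_scope(user, app, cond):
    users, apps = cond["users"], cond["applications"]
    user_ok = (any(_user_matches(user, s) for s in users["includeUsers"])
               and not any(_user_matches(user, s) for s in users["excludeUsers"]))
    inc = apps["includeApplications"]
    return user_ok and ("All" in inc or app in inc) and app not in apps["excludeApplications"]

def mfa_required(user, app, policies):
    """True if any enabled policy covering (user, app) carries the 'mfa' grant control."""
    return any(p["state"] == "enabled" and _in_scope(user, app, p["conditions"])
               and "mfa" in p["grantControls"]["builtInControls"] for p in policies)

def sign_in_outcome(user, app, policies):
    """An external recipient with no tenant account cannot satisfy an MFA grant: AADSTS90072."""
    if not mfa_required(user, app, policies):
        return "granted"
    return "AADSTS90072" if user["external"] and not user["in_tenant"] else "mfa"
```

Policies exported with `GET /identity/conditionalAccess/policies` have the same top-level keys, so the evaluator can be pointed at a real tenant's policy list to check which policies still impose MFA on the AIP app for guests.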

Reference

Microsoft Doc > Azure AD Authentication and authorization error codes
Microsoft Doc > Office Message Encryption – Recipient not able to open office attachments
Microsoft > Security, Compliance, and Identity > Admin control for attachments now available in Office 365 Message Encryption
Microsoft Community > Encrypted e-mail error AADSTS90072
