How to Fix Copilot AADSTS50034 User Account Does Not Exist Error
🔍 WiseChecker

When you try to sign in to Copilot in Microsoft 365, you may see the error AADSTS50034 with the message “User account does not exist.” This error means the user account you are using is not found in the Azure Active Directory tenant that Copilot connects to. The root cause is often a mismatch between the email domain and the tenant, a deleted or expired user account, or a guest account that has not been fully provisioned. This article explains why this error occurs and provides step-by-step fixes to resolve it.

Key Takeaways: Resolving AADSTS50034 for Copilot

  • Microsoft 365 admin center > Users > Active users: Verify the user account exists and is not deleted or disabled.
  • Azure AD > Users > User settings > External collaboration settings: Check guest user provisioning status for cross-tenant access.
  • PowerShell cmdlet Get-MgUser: Use Microsoft Graph PowerShell to confirm the user object ID and tenant membership.


Why the AADSTS50034 Error Occurs in Copilot

The error AADSTS50034 is an Azure Active Directory authentication failure. It indicates that the user account you are using to sign in does not exist in the directory that Copilot is trying to authenticate against. This can happen for several reasons:

Deleted or expired user accounts. If an admin removed the user from Azure AD or if the user license expired, the account is no longer valid. Copilot cannot authenticate against a non-existent account.

Incorrect tenant domain. When you sign in with an email address that belongs to a different tenant than the one Copilot is configured for, Azure AD cannot find the user. A common case is signing in with a personal Outlook.com address instead of the work or school account.

Guest user not fully provisioned. If you are a guest user in another tenant, the guest account must be fully invited and accepted. If the invitation is pending or declined, the account does not exist in the tenant directory.

Federated identity misconfiguration. In hybrid environments where on-premises Active Directory is synchronized with Azure AD, a user may exist on-premises but not be fully synchronized. This results in a missing object in Azure AD.

Steps to Fix the AADSTS50034 Error in Copilot

Follow these steps in order. After each step, try signing in to Copilot again.

Step 1: Verify the User Account Exists in the Microsoft 365 Admin Center

  1. Open the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with a global admin account.
  2. Navigate to Users > Active users
    In the left navigation pane, select Users and then Active users. Search for the user account that is receiving the error.
  3. Check the user status
    If the user does not appear in the list, the account has been deleted. If the user appears but the status is Blocked or Sign-in blocked, the account is disabled. Re-enable the account or restore a deleted account within 30 days from the Deleted users page.
  4. Verify the assigned license
    Select the user and go to the Licenses and apps tab. Ensure the user has a valid Microsoft 365 license that includes Copilot. If the license is expired or missing, assign a new license.

Step 2: Confirm the Correct Tenant Domain

  1. Identify the tenant domain
    In the Microsoft 365 admin center, go to Settings > Domains. Note the default domain (for example, contoso.onmicrosoft.com).
  2. Check the user email domain
    Ask the user which email address they are using to sign in. If the domain part of the email does not match any domain listed in the tenant, the user is trying to sign in to the wrong tenant.
  3. Instruct the user to use the correct email
    The user must sign in with an email address that ends with one of the verified domains in the tenant. If they are using a personal email, they need to use their work or school account instead.

Step 3: Provision Guest Users Properly

  1. Go to Azure AD > External Identities
    Sign in to the Azure portal at portal.azure.com. Navigate to Azure Active Directory > External Identities > All users.
  2. Check the guest user status
    Search for the guest user email. If the status is PendingAcceptance, the invitation has not been redeemed. Resend the invitation from the user details page.
  3. Complete the invitation process
    The guest user must open the invitation email and accept it. After acceptance, the user object is created in the tenant directory. The user can then sign in to Copilot with their guest email.

Step 4: Use Microsoft Graph PowerShell to Diagnose

  1. Install the Microsoft Graph PowerShell module
    Open PowerShell as an administrator and run Install-Module Microsoft.Graph -Scope CurrentUser.
  2. Connect to Microsoft Graph
    Run Connect-MgGraph -Scopes User.Read.All and sign in with a global admin account.
  3. Search for the user
    Run Get-MgUser -Filter "userPrincipalName eq 'user@domain.com'" replacing the email with the affected user. If the command returns no output, the user does not exist in Azure AD. If it returns a user object, check the UserType property to see if it is Member or Guest.
  4. Check for synchronization issues
    If the user exists in on-premises Active Directory but not in Azure AD, run Get-MgDirectoryObject -DirectoryObjectId (Get-MgUser -UserId "user@domain.com").Id to verify sync status. Use the Azure AD Connect health dashboard to troubleshoot sync failures.
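The following script is an added example, not part of the original article, that automates the checks from Steps 1 to 4 in one pass: it confirms the sign-in domain is verified in the tenant, locates the user object (falling back to the mail attribute for guests, whose UPN carries a #EXT# suffix), looks in Deleted users when nothing is found, and reports the UserType, sign-in, guest invitation, sync and license properties that explain each cause described above. The UPN and the Domain.Read.All scope are assumptions; the sample address is constructed.

```powershell
# Added diagnostic script for AADSTS50034 (not from the original article).
# Requires the Microsoft.Graph module. The default UPN is a constructed sample.
param(
    [string]$Upn = "alex@contoso.com"   # constructed sample; pass the affected sign-in address
)

# User.Read.All reads user objects; Domain.Read.All (assumed) lists the tenant's verified domains.
Connect-MgGraph -Scopes "User.Read.All","Domain.Read.All" -NoWelcome

# Step 2 check: does the sign-in address end with a domain verified in this tenant?
$domainPart = $Upn.Split('@')[-1]
$verified   = (Get-MgDomain | Where-Object { $_.IsVerified }).Id
if ($verified -notcontains $domainPart) {
    Write-Warning "'$domainPart' is not a verified domain here; the user may be signing in to the wrong tenant."
}

# Step 4 check: locate the user. Guest UPNs look like alex_partner.com#EXT#@tenant.onmicrosoft.com,
# so a miss on userPrincipalName falls back to the mail attribute.
$props = "Id","UserPrincipalName","UserType","AccountEnabled","OnPremisesSyncEnabled","ExternalUserState","AssignedLicenses"
$user  = Get-MgUser -Filter "userPrincipalName eq '$Upn'" -Property $props
if (-not $user) { $user = Get-MgUser -Filter "mail eq '$Upn'" -Property $props }

if (-not $user) {
    # Step 1 check: a soft-deleted user keeps its UPN (prefixed with the object id) for 30 days
    # and can be restored from Deleted users. Client-side match, since the prefix is unknown.
    $deleted = Get-MgDirectoryDeletedItemAsUser -All | Where-Object { $_.UserPrincipalName -like "*$Upn" }
    if ($deleted) { Write-Output "User is in Deleted users and can be restored: $($deleted.Id)" }
    else          { Write-Output "No user object for $Upn in this tenant: AADSTS50034 is expected." }
    return
}

# Report the properties behind the remaining causes (Steps 1, 3 and 4).
[pscustomobject]@{
    ObjectId         = $user.Id
    UserType         = $user.UserType                # Member or Guest
    SignInAllowed    = $user.AccountEnabled          # $false means Sign-in blocked
    GuestState       = $user.ExternalUserState       # PendingAcceptance = invitation not redeemed
    SyncedFromOnPrem = $user.OnPremisesSyncEnabled   # $true = object is owned by Azure AD Connect
    LicenseCount     = $user.AssignedLicenses.Count  # 0 = no license assigned
}
```

Run it as `.\Diagnose-Aadsts50034.ps1 -Upn user@domain.com`; a warning plus "No user object" output points at a tenant mismatch, while a Guest with GuestState PendingAcceptance points at Step 3.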


If Copilot Still Shows the Error After the Main Fix

Copilot Returns the Error Only on One Device

If the error appears on a single device but not on others, the issue is likely cached credentials. Clear the browser cache and cookies, or use an InPrivate or Incognito window. In Windows, clear the Windows Credential Manager entries related to Microsoft Office by going to Control Panel > User Accounts > Credential Manager > Windows Credentials and removing any entry that contains MicrosoftOffice or MicrosoftAAD.

Copilot Shows the Error After a Tenant Migration

If the user was moved from one tenant to another, the old user object may still be cached in the browser or application. The user must sign out of all Microsoft services, close all browser sessions, and sign in again. On Windows, sign out of Windows and sign back in. If the issue persists, the admin must delete the old user object from the source tenant and ensure the new user object is fully replicated.

Copilot Shows the Error for Guest Users in a Cross-Tenant Trust

When a guest user is invited from a partner tenant, the guest user object must exist in the resource tenant. The admin of the resource tenant must go to Azure AD > External Identities > Cross-tenant access settings and verify that inbound trust settings allow the guest user to authenticate. If the trust is not configured, the guest user will see AADSTS50034. Configure the cross-tenant access policy to allow the guest user to sign in.

Item             | User Account Exists in Tenant                                  | User Account Does Not Exist
-----------------|----------------------------------------------------------------|------------------------------------------------------
Description      | The user object is present in Azure AD and has a valid license | The user object is missing, deleted, or not provisioned
Copilot behavior | Sign-in succeeds with no errors                                | AADSTS50034 error appears
Admin fix        | No action needed                                               | Restore or recreate the user account
Guest user fix   | Complete invitation acceptance                                 | Resend invitation and ensure provisioning

The AADSTS50034 error in Copilot is caused by a missing or inaccessible user account in Azure AD. By verifying the user exists in the admin center, confirming the correct tenant domain, provisioning guest accounts properly, and using PowerShell for deeper diagnostics, you can resolve this error. After the fix, always clear cached credentials on the affected device. For guest users in cross-tenant scenarios, verify the external collaboration settings and cross-tenant access policies to ensure the user object is fully recognized.
