Forum Discussion

ryanboudreaux1
Copper Contributor
Aug 25, 2025

Sign In Error 90072 with On Prem Accounts - How to mitigate?

We receive weekly reports from one of our security vendors regarding login failures across our environment. Recently, we've noticed a spike in interactive login failures, particularly with Microsoft services. The application that produces many of these logs is Microsoft Office. Upon investigation, we've determined that many of these sign-ins procure error code 90072 with the following error message:

"User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{application}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account"


As a disclaimer, I did not edit this message to insert the unfilled variables in brackets - that's how the error message appears in our Entra portal. We currently run a hybrid environment, and all of the users with high volumes of failed sign-ins with the given error code and message are on-prem accounts.

These logs produce a lot of noise that we would rather not have polluting our reports. Do you have any information we can use to help remediate this issue?

1 Reply

  • Hi ryanboudreaux1, try the options below and see if it works.

    Check AAD Connect Sync

    Ensure the impacted on-prem accounts are properly synced to Azure AD (matching UPN and ImmutableID).

    Run Start-ADSyncSyncCycle and confirm accounts exist in Entra.

    Review UPN Suffixes

    On-prem users should have a UPN suffix that matches the verified domain in Azure AD.

    If they log in with @sparkle.local but the tenant only knows @healthy.org, they'll trigger error 90072.

    Office Profile Cleanup

    Old Office apps may keep cached credentials for the wrong tenant.

    Clearing Windows Credential Manager or running Office sign-out / sign-in often reduces noise.

    Conditional Access / Exclusions

    If these are "false positives" from legacy clients, you can scope them out of certain CA policies to prevent excessive logging.

    Noise Reduction in Reports

    In Sentinel/Entra logs, filter 90072 events where Application = Office and the UPN suffix is not in your accepted domains.

    These can be suppressed or routed to a separate "informational" bucket rather than security noise.

    Fix identity alignment → make sure all on-prem accounts have valid UPNs synced to Entra.

    Educate users → ensure they log in with the correct domain account (@healthy.org vs legacy).

    Clean cached credentials → remove old Office sign-ins pointing to invalid tenants.

    Tune monitoring → filter out error 90072 noise from reports if accounts are confirmed non-threat.

    This error is usually benign noise from legacy on-prem accounts with mismatched UPNs. The fix is to align UPNs and sync properly, and filter out the noise in reporting.
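One way to implement the report filter the reply describes (route 90072 Office sign-ins with a non-verified UPN suffix to an informational bucket, keep everything else for review), as an added example that is not from the thread or from Microsoft. It assumes a verified tenant domain of healthy.org and the application name "Microsoft Office"; the sign-in records are constructed to resemble Entra sign-in log entries and are not real data.

```python
import json

# Assumed for this example: the tenant's verified domains and the app
# display name as it appears in Entra sign-in logs. Adjust to your tenant.
ACCEPTED_SUFFIXES = {"healthy.org"}
OFFICE_APPS = {"Microsoft Office"}
ERROR_EXTERNAL_USER = 90072  # "does not exist in tenant" code from the question

# Constructed sample records shaped like Entra sign-in log entries (not real data).
SAMPLE_SIGNINS = json.loads("""[
  {"userPrincipalName": "alice@sparkle.local", "appDisplayName": "Microsoft Office", "status": {"errorCode": 90072}},
  {"userPrincipalName": "bob@healthy.org",     "appDisplayName": "Microsoft Office", "status": {"errorCode": 90072}},
  {"userPrincipalName": "carol@sparkle.local", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
  {"userPrincipalName": "dave@sparkle.local",  "appDisplayName": "Microsoft Office", "status": {"errorCode": 90072}},
  {"userPrincipalName": "erin@healthy.org",    "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
]""")


def upn_suffix(upn):
    """Return the lower-cased domain part of a UPN, or '' if there is none."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def classify(event):
    """Bucket one sign-in event: 'informational', 'review' or 'success'."""
    code = event.get("status", {}).get("errorCode")
    suffix = upn_suffix(event.get("userPrincipalName", ""))
    app = event.get("appDisplayName", "")
    if code == ERROR_EXTERNAL_USER and app in OFFICE_APPS and suffix not in ACCEPTED_SUFFIXES:
        return "informational"  # the legacy-suffix noise the reply describes
    if code == ERROR_EXTERNAL_USER:
        return "review"  # 90072 on a verified domain points at a sync/UPN problem, so keep it
    if code == 0:
        return "success"
    return "review"  # any other failure stays in the security report


def triage(events):
    """Split a list of sign-in events into the three buckets."""
    buckets = {"informational": [], "review": [], "success": []}
    for event in events:
        buckets[classify(event)].append(event)
    return buckets


def suffixes_to_fix(events):
    """Count suppressed 90072 events per non-verified suffix to drive the UPN alignment work."""
    counts = {}
    for event in triage(events)["informational"]:
        suffix = upn_suffix(event["userPrincipalName"])
        counts[suffix] = counts.get(suffix, 0) + 1
    return counts
```

The suffix counts tell you which legacy UPN suffixes still need aligning, which is the fix the reply recommends before the noise is simply filtered.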
