Fixing SSO Login Issues with Synology C2 and Microsoft 365

Overview

This document describes how to fix Single Sign-On (SSO) authentication issues between Synology C2 and Microsoft 365 when users receive the error: "AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials."

Root Cause

The issue occurs when there's a mismatch between the user's ImmutableId and their UserPrincipalName (UPN) in Azure AD. Specifically:

  • Working accounts have matching ImmutableId and UPN values using the ovi-gc.com domain
  • Affected accounts often have ImmutableId values using the onmicrosoft.com domain

Prerequisites

  1. PowerShell installed
  2. Microsoft Online Services Module (MSOL)
  3. Admin access to Microsoft 365
  4. The user's email address

Solution

A PowerShell script has been created to automate the fix. The script performs the following steps:

  1. Temporarily moves the user to the onmicrosoft.com domain
  2. Updates their ImmutableId to match their intended ovi-gc.com email
  3. Moves the user back to the ovi-gc.com domain

Script Installation

  1. Create a new file named Fix-SSO.ps1
  2. Copy the following content into the file:
param(
   [Parameter(Mandatory=$true)]
   [string]$Email
)

# Stop at the first error so a failed step never lets later steps run against the wrong UPN
$ErrorActionPreference = 'Stop'

Import-Module MSOnline

Write-Host "Connecting to Microsoft Online Service..." -ForegroundColor Cyan
Connect-MsolService

# Local part of the address, reused to build both UPNs
$username = $Email.Split('@')[0]
$tempUpn = "${username}@ovigc.onmicrosoft.com"
$federatedUpn = "${username}@ovi-gc.com"

Write-Host "`nCurrent state:" -ForegroundColor Yellow
Get-MsolUser -UserPrincipalName $Email | Select-Object UserPrincipalName, ImmutableId

Write-Host "`nFixing SSO configuration..." -ForegroundColor Cyan

# Switch to onmicrosoft (skipped when the account is already on that domain)
if ($Email -ne $tempUpn) {
   Set-MsolUserPrincipalName -UserPrincipalName $Email -NewUserPrincipalName $tempUpn
   Start-Sleep -Seconds 5
}

# Set ImmutableId
Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId $federatedUpn
Start-Sleep -Seconds 5

# Switch back to ovi-gc.com
Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $federatedUpn

Write-Host "`nNew state:" -ForegroundColor Green
Get-MsolUser -UserPrincipalName $federatedUpn | Select-Object UserPrincipalName, ImmutableId

Usage

  1. Open PowerShell
  2. Navigate to the directory containing the script
  3. Run the script with the user's email:
.\Fix-SSO.ps1 username@ovigc.onmicrosoft.com
  4. Sign in when prompted with admin credentials
  5. Verify the final state shows matching UPN and ImmutableId values

Verification

After running the script:

  • Have the user attempt SSO login
  • Verify they no longer receive the AADSTS90019 error
  • Confirm successful authentication to Microsoft 365 through Synology C2

Troubleshooting

If issues persist:

  • Verify domain federation settings:
Get-MsolDomain | Select-Object Name, Authentication
  • Check federation configuration:
Get-MsolDomainFederationSettings -DomainName "ovi-gc.com"
  • Verify user configuration:
Get-MsolUser -UserPrincipalName "username@ovi-gc.com" | Select-Object UserPrincipalName, ImmutableId
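
The per-user check above, widened to every account: an added example, not part of the original script, that classifies each account by the ImmutableId/UPN mismatch described under Root Cause without changing anything. The function name Get-SsoIdentityStatus and the sample users are constructed for illustration; the domain names are the ones this page uses.

```powershell
# Added example: read-only audit, changes nothing in the tenant.
# Get-SsoIdentityStatus is a hypothetical helper; domains default to the ones on this page.
function Get-SsoIdentityStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User,
        [string]$FederatedDomain = 'ovi-gc.com',
        [string]$TenantDomain = 'ovigc.onmicrosoft.com'
    )
    process {
        # Casting to [string] turns a missing ImmutableId ($null) into an empty string
        $upn = [string]$User.UserPrincipalName
        $id  = [string]$User.ImmutableId

        if ($upn -notlike "*@$FederatedDomain") {
            $status = 'UpnNotOnFederatedDomain'
        } elseif ([string]::IsNullOrWhiteSpace($id)) {
            $status = 'MissingImmutableId'
        } elseif ($id -ieq $upn) {
            $status = 'OK'
        } elseif ($id -like "*@$TenantDomain") {
            $status = 'ImmutableIdOnTenantDomain'
        } else {
            $status = 'OtherMismatch'
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            ImmutableId       = $id
            Status            = $status
        }
    }
}

# Constructed sample accounts so the function can be tried without a tenant connection.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@ovi-gc.com'; ImmutableId = 'alice@ovi-gc.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@ovi-gc.com'; ImmutableId = 'bob@ovigc.onmicrosoft.com' }
    [pscustomobject]@{ UserPrincipalName = 'carol@ovi-gc.com'; ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'dave@ovigc.onmicrosoft.com'; ImmutableId = 'dave@ovi-gc.com' }
)
$sample | Get-SsoIdentityStatus | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize

# Against the live tenant, after Connect-MsolService:
# Get-MsolUser -All | Get-SsoIdentityStatus | Where-Object { $_.Status -ne 'OK' }
```

Accounts reported as ImmutableIdOnTenantDomain match the pattern the fix script targets; the other non-OK statuses are worth reviewing by hand before running it.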

Domain Information

  • Primary domain: ovi-gc.com (Federated)
  • Tenant domain: ovigc.onmicrosoft.com (Managed)
  • Federation Provider: Synology

Notes

  • This solution assumes the domain federation with Synology C2 is properly configured
  • The script requires Global Administrator privileges
  • Users should close all browser sessions before testing SSO after the fix
  • Changes may take up to 5 minutes to propagate