Error: AADSTS50177 – User does not exist in tenant and cannot access the application
This error means the user referenced in the delegated access attempt is not recognised in the customer tenant. It commonly occurs when the GDAP relationship is missing, expired, or incorrectly assigned. It can also occur when the customer tenant does not have the required CSP partner relationship with your partner tenant.
Cause: The delegated admin account or service principal may not be correctly assigned in the GDAP relationship, the GDAP relationship may have expired, or the customer may not have an active Partner Center customer/reseller relationship such as Cloud Reseller or Reseller.
Free GDAP tool: If the GDAP relationship is missing, expired, or assigned to the wrong group, you can use the free Sync 365 GDAP Builder to create a new relationship for Sync 365 access.
Resolution
Check both access paths before retrying the Sync 365 connection or sync action:
- GDAP relationship: required for delegated admin permissions.
- Partner Center customer/reseller relationship: required so the customer tenant is linked to your partner tenant as a CSP customer.
1. Verify the GDAP relationship
Confirm the GDAP relationship for the affected tenant:
- Confirm that the tenant has an active GDAP relationship with your partner tenant.
- Ensure that the correct security group is used in the GDAP permissions.
- Ensure your delegated admin account is a member of that group.
- Confirm the relationship has not expired.
You can follow the full validation steps here: Checking your GDAP relationship
2. Check the Partner Center customer relationship
GDAP access alone may not be enough. The customer tenant also needs to exist under your Microsoft Partner Center customers with the correct partner relationship.
- Sign in to Microsoft Partner Center.
- Go to Customers.
- Search for the affected customer tenant.
- Confirm the customer appears in your customer list.
- Open the customer and confirm there is an active customer/reseller relationship, such as Cloud Reseller or Reseller.
- If the customer does not appear, create a new partner relationship request from Partner Center.
- Send the generated relationship link to the customer.
- Ask the customer to accept the relationship request in the Microsoft 365 admin center.
- Once accepted, confirm the customer appears in Partner Center, then retry the Sync 365 connection or sync action.
Important: Both relationships need to be valid. GDAP provides the delegated permissions. The Partner Center customer/reseller relationship links the customer tenant to your partner tenant as a CSP customer. If either relationship is missing, expired, or incorrectly configured, delegated access can fail with AADSTS50177.
Common checks
- The tenant appears under Partner Center > Customers.
- The customer has an active relationship such as Cloud Reseller / Reseller.
- The GDAP relationship is active and has not expired.
- The delegated admin account is in the security group assigned to the GDAP roles.
- The Sync 365 consent or sync action is retried after the relationships are corrected.