Microsoft 365 keeps signing me out — fix the trust state
If Office, Outlook or Teams keeps forgetting your account, the cause is usually a broken work-account trust state on the device. Here is how to repair it without nuking your Windows profile.
Mona Steele
Microsoft 365 enthusiast
I had a guy email me last December who'd typed his password 23 times in a single morning. He counted. Outlook asked, then Word, then Teams, then Outlook again because the first sign-in didn't take, then Teams again, then a SharePoint pop-up, then back to Outlook. By 11 AM he'd done MFA approvals on his phone so many times the Authenticator app was lagging.
None of his sessions were sticking. None.
And here's the thing about that. Re-typing your password fixes the symptom for one session and recreates the underlying problem for the next one. Whatever's actually broken doesn't care how many times you authenticate. You're treating a fever with paint.
The cause is almost always a broken or partial "trust state" between your Windows device and the Entra ID (formerly Azure AD) tenant your account belongs to. The fix is methodical. Doesn't require wiping your profile, despite what the help desk script on page 4 says.
What "trust state" means
When you sign in to Office on a Windows device, Microsoft 365 stashes three things in three different places:
- A device trust record, in Windows Settings, Accounts, telling Windows which work account is associated with this device.
- A token cache in the Web Account Manager (WAM), holding short-lived access tokens and longer-lived refresh tokens.
- Application-level credentials in Credential Manager, where individual Office apps stash their own copy of the auth state.
If any of those three are stale, contradictory, or missing, the apps cannot present a valid token to Microsoft 365 and you get prompted to sign in. Worse, if the device trust is bad, signing in repeatedly never fixes the underlying state. The next session breaks the same way. And the one after.
Step 1: Inspect your work account's trust state with dsregcmd
Before changing anything, find out what state you're actually in. Open Command Prompt or PowerShell and run:
dsregcmd /status
The output is long. Like, scroll-for-a-minute long. The section you care about is Device State at the top. Look for these specific lines:
| Field | Healthy value | What it means if wrong |
|---|---|---|
| AzureAdJoined | YES | Device is joined to Entra ID |
| EnterpriseJoined | NO (typical) | Old on-prem AD join, rare in 2026 |
| DomainJoined | NO (typical) | Same, mostly legacy |
| WorkplaceJoined | YES or NO | YES if you added a work account; NO if you only signed in via Office |
If AzureAdJoined: NO and WorkplaceJoined: NO, your device has no formal trust relationship with the tenant at all. Office apps work via Office-only auth, which is much flakier and re-prompts often. Like, every-day often.
Below that, look at the User State section. The line NgcSet should be YES if you've set up Windows Hello PIN/biometric for the account. WamDefaultSet should be YES too — that means the WAM cache is properly initialised for this user.
Anything in there looking wrong? You have your diagnosis.
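The check from this step as a script. This is an added example, not code from the original article: it parses dsregcmd /status output and reports on the four fields named above. The function names Get-TrustState and Test-TrustState are made up for illustration, and the sample output is constructed.

```powershell
# Added example: parse `dsregcmd /status` and flag the fields discussed above.
function Get-TrustState {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Fields print as "   Name : Value"; section banners do not match.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-TrustState {
    param([hashtable]$State)
    $findings = @()
    if ($State['AzureAdJoined'] -ne 'YES' -and $State['WorkplaceJoined'] -ne 'YES') {
        $findings += 'No device trust: neither AzureAdJoined nor WorkplaceJoined is YES.'
    }
    if ($State['WamDefaultSet'] -ne 'YES') {
        $findings += 'WamDefaultSet is not YES: WAM cache not initialised for this user.'
    }
    if ($State['NgcSet'] -ne 'YES') {
        $findings += 'NgcSet is not YES: expected YES only if Windows Hello is set up.'
    }
    if (-not $findings) { $findings = @('Trust-state fields look healthy.') }
    $findings
}

# Constructed sample output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
           WorkplaceJoined : NO
             WamDefaultSet : NO
'@ -split "`r?`n"

Test-TrustState (Get-TrustState -Lines $sample)
# On a live device: Test-TrustState (Get-TrustState)
```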
Step 2: The Settings, Accounts walkthrough
Open Windows Settings, then Accounts, then Access work or school. You should see your work account listed. If you see it twice, or you see it under a personal email instead of your work email, that's part of your problem. (I had a client whose account was listed three times. THREE. Two were ghosts from a 2022 device migration.)
Remove the account cleanly
- Click the account, then Disconnect.
- Confirm the warning. (This does not delete the account from Microsoft 365. Only from this device's local trust list. Calm down.)
- Restart Windows. Yes, properly restart. Not Shut Down then power on. The full restart flushes lingering credential brokers that the Shut Down/On dance does not.
Re-add it the right way
- Settings, Accounts, Access work or school, Connect.
- Type your work email and click Next.
- Important: at the bottom of the sign-in page, look for the "Allow my organization to manage my device" checkbox.
This checkbox is the source of endless confusion. The Microsoft docs on this are useless. Here's what each state actually does:
| Checkbox state | What happens | When to use |
|---|---|---|
| Checked (default for work-issued laptops) | Device becomes Entra-joined; IT can apply policies, push apps, and remote-wipe the device | Company laptop or BYOD where you've agreed to MDM |
| Unchecked | Account is added as Workplace Join only; IT can apply conditional access but not full management | Personal device where you only need Office, not full management |
If you ticked it on a personal device by accident, congratulations, your IT department can now wipe your laptop. If you unchecked it on a corporate device, conditional access policies might block you from accessing resources that require a managed device.
For most people the right answer: tick it if it's a company laptop. Untick it if it's your own. Get this wrong once and you spend the next six months troubleshooting trust issues that wouldn't exist with the right state.
After re-adding, run dsregcmd /status again and confirm AzureAdJoined or WorkplaceJoined is YES, depending on which choice you made.
Step 3: Sign out of Office cleanly
Removing the device account is not the same as signing out of the Office apps. They keep their own auth records, separately, because of course they do.
In Word/Excel/PowerPoint:
- File, then Account.
- Under "User Information," Sign out.
- Repeat in every Office app. Tedious. Necessary.
Or use the centralised page. Open https://office.com/account, then top-right initial, then Sign out everywhere. This invalidates all refresh tokens issued to your account across every device. You'll have to re-sign-in once per device, but it cleans up months of accumulated stale tokens. Worth doing maybe once a year regardless.
In Outlook (new):
- File, Account Settings, Account Settings.
- Select the account, Remove.
- Re-add via Add Account.
The classic Outlook (Outlook 2021 and earlier) uses MAPI profiles, which deserve their own article. Short version: Control Panel, then Mail (32-bit), then Show Profiles, then remove the broken one and create a new one and set as default. Yeah, MAPI is a 1996 invention and it shows.
Step 4: Clean Credential Manager
Stale entries in Windows Credential Manager are a frequent root cause. Even after signing out of Office, the credentials sit there in Credential Manager waiting to be picked up by the next sign-in attempt. If they're wrong, sign-in fails silently and you get re-prompted.
- Start menu, type Credential Manager, open it.
- Click Windows Credentials.
- Look for entries starting with:
  - MicrosoftAccount:
  - MicrosoftOffice16_Data:
  - OneDriveCachedCredential:
  - any URL ending in .microsoftonline.com or .sharepoint.com
- Expand each, then Remove.
Don't remove anything else (Wi-Fi credentials, Remote Desktop entries, that weird one labeled "git:https://github.com" you put there in 2021) unless you know what they are.
After clearing, restart and re-sign-in to Office. Credentials get repopulated from scratch.
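To see which stored entries match before removing anything, the following added example (not from the original article) filters cmdkey /list output against the prefixes and URL suffixes listed in this step and leaves everything else alone. It assumes English-language cmdkey output in the form "Target: <Type>:target=<Name>". Find-OfficeCredential is a hypothetical name and the sample listing is constructed.

```powershell
# Added example: list (do not delete) credential targets matching this step's list.
function Find-OfficeCredential {
    param([string[]]$Lines = (cmdkey /list))
    $prefixes = 'MicrosoftAccount:', 'MicrosoftOffice16_Data:', 'OneDriveCachedCredential:'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(\S.*?)\s*$') {
            $raw = $Matches[1]
            # Assumption: cmdkey prints "<Type>:target=<Name>"; the UI shows <Name>.
            $name = $raw -replace '^\w+:target=', ''
            $hit = $prefixes | Where-Object { $name.StartsWith($_) -or $raw.StartsWith($_) }
            if ($hit -or $name -match '\.(microsoftonline|sharepoint)\.com/?$') {
                [pscustomobject]@{ Name = $name; CmdkeyTarget = $raw }
            }
        }
    }
}

# Constructed sample listing (not from a real machine).
$sample = @'
Currently stored credentials:

    Target: LegacyGeneric:target=MicrosoftOffice16_Data:SSPI:user@example.com
    Type: Generic
    User: user@example.com

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: example-user

    Target: Domain:target=TERMSRV/rdp.example.com
    Type: Domain Password
    User: EXAMPLE\user

    Target: LegacyGeneric:target=https://example.sharepoint.com
    Type: Generic
    User: user@example.com
'@ -split "`r?`n"

# Only the Office and SharePoint entries are returned; git and RDP are skipped.
Find-OfficeCredential -Lines $sample | Format-Table -AutoSize
# On a live machine: Find-OfficeCredential | Format-Table -AutoSize
```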
Step 5: Reset the WAM token cache
The Web Account Manager is the modern broker for Microsoft 365 auth on Windows. Its cache lives at:
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts
(Yes, that string of garbage at the end is part of the actual path. Welcome to Windows.)
If that folder has corrupt or contradictory entries, every Office app that asks WAM for a token gets a strange answer back. Fix is heavy-handed but it works:
- Sign out of all Microsoft work accounts (Settings, Access work or school).
- Close all Office apps and Teams.
- Open the path above in Explorer.
- Move (do not delete, move) the contents to a backup folder on your desktop, in case something goes sideways and you need to put them back.
- Restart Windows.
- Re-add the work account.
WAM rebuilds its cache from scratch. For about 80% of "keeps signing me out" cases that pass the dsregcmd test, this is the actual fix. The bit nobody tells you about.
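The move-not-delete step as a script. This is an added example, not from the original article: it refuses to run while Office or Teams is open and moves the folder contents to a timestamped backup folder on the desktop. Backup-WamAccounts is a hypothetical name, and the process names it checks are assumptions to adjust for your install.

```powershell
# Added example: back up the WAM Accounts folder contents by moving them aside.
function Backup-WamAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Source = (Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts'),
        [string]$BackupRoot = ([Environment]::GetFolderPath('Desktop'))
    )
    # Assumed process names for Office and Teams; extend the list as needed.
    $busy = Get-Process -Name OUTLOOK, WINWORD, EXCEL, POWERPNT, Teams, ms-teams -ErrorAction SilentlyContinue
    if ($busy) {
        throw "Close these apps first: $(($busy.Name | Sort-Object -Unique) -join ', ')"
    }
    if (-not (Test-Path -LiteralPath $Source)) {
        throw "WAM accounts folder not found: $Source"
    }

    $dest  = Join-Path $BackupRoot ('WAM-Accounts-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    $items = Get-ChildItem -LiteralPath $Source -Force
    if ($PSCmdlet.ShouldProcess($Source, "Move $($items.Count) item(s) to $dest")) {
        New-Item -ItemType Directory -Path $dest | Out-Null
        $items | Move-Item -Destination $dest   # move, not delete
    }
    $dest   # backup location, needed if the contents have to be put back
}

# Dry run: shows what would be moved without touching anything.
Backup-WamAccounts -WhatIf
```

The backup folder holds cached token material, so remove it once the re-added account is working. To roll back, move its contents back into the Accounts folder with the apps closed.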
Step 6: Conditional access and MFA token expiry
If your trust state is healthy and you still get prompted constantly, conditional access policies set by your tenant might be aggressive. Common ones:
- Sign-in frequency policy: prompts every X hours. Default Microsoft 365 MFA token lifetime is 90 days, but conditional access can override this to 1 hour, 8 hours, whatever IT wants.
- Re-authentication on app session start: every time you open Outlook you get prompted, regardless of how recently you signed in.
- Device compliance check on every session: if your device's compliance state flickers (common with on-call laptops that go in and out of VPN, or remote workers on flaky home Wi-Fi), each session triggers a re-auth.
You can't change these policies as a regular user. What you can do:
- Ask your IT team what your sign-in frequency policy is set to.
- Check whether your device shows as compliant in the Microsoft Intune company portal app (if your org uses Intune). Non-compliant devices re-prompt on every session.
- If you use a VPN, check whether the VPN's IP range is in your tenant's "trusted locations" list. If it is, sign-in frequency drops dramatically.
For MFA itself, default refresh token lifetime is 90 days. If you're getting MFA prompts more than once a week, conditional access is overriding the default. That's a policy decision, not a bug.
Step 7: When the account itself is the problem
Rare but real. The Entra ID account has a configuration issue, not the device. Symptoms:
- Same problem on a brand-new device you just got from IT.
- Same problem in Edge incognito with no extensions.
- Other people in your team don't have the issue.
Possible causes:
- Account was disabled and re-enabled, leaving stale tokens floating around.
- The account is a "guest" in your own tenant due to a migration mishap (yes, this happens, no, it shouldn't).
- A licence was reassigned and the new licence doesn't include desktop Office.
Open https://myaccount.microsoft.com and check the licences shown. Don't see "Microsoft 365 Apps for enterprise" or similar? You don't have rights to use desktop Office at all, and the sign-in prompts are because the apps can't validate your entitlement. Ask IT. They'll have to fix the licence assignment.
Office 365 vs Microsoft 365 vs Office 2024
Quick disambiguation. Troubleshooting differs slightly:
- Microsoft 365 / Office 365: subscription, requires periodic sign-in to validate the licence. The fixes above apply.
- Office 2024 / 2021 (perpetual): product key activation, less reliant on online auth. If perpetual Office is signing out, the account being signed in is for cloud features (OneDrive, recent files), not the licence itself. Fixes are similar but less critical.
- Office on a shared/kiosk device: auth is reset every session by design. The fixes above don't apply. That's just how it works.
Check which you have at File, Account, "Product Information."
So, the order of operations
Microsoft 365 sign-out loops are a trust-state problem. Not a password problem. Re-typing your password fixes the symptom for one session and recreates the problem for the next. Stop doing it.
In order:
- Run dsregcmd /status and confirm AzureAdJoined or WorkplaceJoined is YES.
- Disconnect the work account in Settings, Access work or school, restart, re-add.
- Choose the right state for the "Allow my organization to manage my device" checkbox. Tick for company laptops, untick for personal.
- Sign out everywhere from office.com/account.
- Clear MicrosoftOffice16_Data: and similar entries from Credential Manager.
- If still broken, back up and clear the WAM TokenBroker accounts folder, then re-add the account.
- If still broken, ask IT about your conditional access sign-in frequency and device compliance state.
You should not need to wipe your Windows profile. That's a "the IT department gave up" move and it should never be the first answer. Or really any answer, except as a last resort on a machine that's been through three OS upgrades and four account migrations.
The guy who emailed me in December? Step 5. Credential Manager had four ghost entries from a 2023 password reset that never got cleaned up. Cleared them, did one fresh sign-in, and his counter went from 23 logins per morning to one per week. He sent me a very nice thank-you and a photo of his Authenticator app finally getting some rest.