Can't sign in to Microsoft 365 desktop applications
Symptoms
On a device that has security software installed, you might experience any of the following issues when you try to sign in to Microsoft 365 desktop applications:
The sign-in prompts are intermittent.
The sign-in window shows a blank authentication screen.
The sign-in window is stuck on authentication.
The Outlook desktop client displays the message, "Trying to connect…".
The Teams desktop client displays the message, "We weren't able to connect. Sign in and we'll try again."
If you open Event Viewer, navigate to Windows Logs > Application and then check the details that are displayed for the "AppModel-State" entries in the "Source" column of the table at the top part of the middle pane, you see one of the following event messages that end with a warning or error code
-2147xxxxxx:-
Failure to load the application settings for package
-
Repair of state locations for operation SettingsInitialize against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error
-
Repair for operation LocalSettings against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy with error
-
Triggered repair because operation LocalSettings against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy hit error
-
Triggered repair of state locations because operation SettingsInitialize against package Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy hit error
-
Cause
The security software on the device is preventing network communication from being established or maintaining the previous communication state. This problem might occur because of existing or obsolete Windows Filtering Platform (WFP) drivers in the security software. Additionally, the security software might be preventing the Web Account Manager (WAM) plug-ins from running, or it might remove the plug-ins as a side effect of its activity on the device.
If Event Viewer displays any of the event messages that are listed in the "Symptoms" section, the messages indicate that the WAM plug-ins are either broken or tampered with.
Note
- The WAM plug-ins are used by Microsoft 365 apps for establishing and renewing sign-in sessions. The plug-ins are installed within the context of the user profile. This means that although one user might experience problems, another user on the same device might not. Therefore, any mitigation and diagnosis should be done within the context of the affected user, not at the device level or administrator level.
- If the plug-ins are corrupted, tampered with, or removed from the user profile because of security software scanning activity, you can try to repeatedly install the plug-ins by using a background PowerShell script or Group Policy logon script. This action might temporarily mitigate the issue until the next antivirus scan.
Resolution
Important
If the issue is caused by a broken or tampered WAM plug-in, skip to step 3 in the following procedure to re-install the WAM plug-ins. If the issue reoccurs, then work with your security software and WFP driver vendor to configure the appropriate exclusions that are listed in step 5.
To fix the other issues, follow these steps on the device:
Sign in by using an administrator account, and temporarily uninstall the security software and any standalone or obsolete WFP drivers from the device.
Sign in by using the affected user's credentials, and check whether the WAM plug-ins are installed and can run successfully in the user's profile.
Run the following PowerShell cmdlets:
Get-AppxPackage Microsoft.AAD.BrokerPlugin Get-AppxPackage Microsoft.Windows.CloudExperienceHostIf either cmdlet doesn't return anything, go to step 3. Otherwise, run the following commands at a command prompt:
explorer.exe shell:appsFolder\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy!App explorer.exe shell:appsFolder\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!AppIf either the Work or school account or Microsoft account window doesn't open, go to step 3. Otherwise, go to step 4.
If step 2 isn't successful, reinstall the WAM plug-ins. To do this, run the following PowerShell cmdlets:
Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdownMonitor for 48 hours. If the issue reoccurs, contact Microsoft Support. Otherwise, go to step 5.
Note
For troubleshooting, we recommend that you collect the data from the Process Monitor when you reproduce the issue. This can help determine whether:
- Third-party modules are being loaded together with the WAM plug-ins.
- Third-party modules are holding the file or registry lock and preventing the sign-in process.
- Obsolete WFP or security software drivers are installed in the system.
Sign in by using an administrator account, and reinstall the security software and standalone WFP drivers that were uninstalled in step 1. Then, work with your security software and WFP driver vendor to configure the following package, folder, and process exclusions in the security software and WFP drivers.
Package family names to exclude
Microsoft.AAD.BrokerPlugin_cw5n1h2txyewyMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy
Folder locations to exclude
%windir%\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy%windir%\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy%localappdata%\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy%localappdata%\Microsoft\TokenBroker%localappdata%\Microsoft\OneAuth%localappdata%\Microsoft\IdentityCache
Processes to exclude
%windir%\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe%windir%\System32\backgroundTaskHost.exefor the following package names:Microsoft.AAD.BrokerPlugin_cw5n1h2txyewyMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy
%windir%\System32\svchost.exeloading NT serviceTokenBrokeras TokenBroker.dll