Outlook Desktop - Repeated Sign-In Prompt (WAM BrokerPlugin Reset)
Document Type: Known Issue - Workaround
Applies To: Microsoft Outlook Desktop (Classic), Windows 10/11, Microsoft 365 / Exchange Online
Overview
This article documents a workaround for a recurring issue where Outlook Desktop prompts users to sign in repeatedly — as frequently as every 15 minutes to every hour - without retaining the session after completing authentication. This issue can affect individual users or a large number of users simultaneously across an organisation.
The Issue
Users open Outlook and are presented with a "Sign In" prompt unexpectedly. After signing in successfully, the prompt reappears again after a short period. The following self-service steps do not resolve the issue:
- Restarting the laptop or PC
- Signing out of Outlook and signing back in
- Restarting Microsoft Teams or other Office apps
The issue may also surface across other Microsoft 365 services (Teams, OneDrive, SharePoint) simultaneously, as they share the same underlying authentication component.
Root Cause
Modern Microsoft 365 applications do not handle authentication directly. Instead, they delegate all sign-in and token management to a Windows OS component called Web Account Manager (WAM) and its associated background plugin: Microsoft.AAD.BrokerPlugin.
Normal Authentication Flow
| User opens Outlook ↓ Outlook requests a token from WAM ↓ WAM calls Microsoft.AAD.BrokerPlugin ↓ Plugin communicates with Microsoft Entra ID ↓ Entra ID returns an OAuth access token (valid ~1 hour) and a refresh token (valid up to 90 days) ↓ WAM silently refreshes the token in the background when it expires - user is never prompted again |
What Breaks the Flow
When the Microsoft.AAD.BrokerPlugin folder becomes corrupted or enters a broken state, the silent background refresh fails. When the 1-hour access token expires, Outlook falls back to prompting the user because WAM cannot silently obtain a new one.
Known Triggers
This corruption can occur due to, but is not limited to:
-
Windows OS cumulative/security updates (confirmed trigger - February 2026 Patch Tuesday, build 10.0.29510.1001 and earlier - January 2026 KB5074109)
-
Incomplete or interrupted Microsoft 365 app updates
-
User profile corruption
-
Mid-session password or MFA changes in Entra ID
-
Entra ID token store inconsistencies after account modifications
This workaround applies to all of the above scenarios. If a user is experiencing the repeated Outlook sign-in prompt and no Conditional Access policy or service health incident is identified as the cause, resetting the BrokerPlugin is the recommended first-line fix.
Before You Start
Rule out the following before applying this fix at scale:
| Check | Where |
|---|---|
| Active Microsoft service incident | M365 Admin Center > Health > Service Health |
| Recently modified Conditional Access policy | Entra Admin Center > Protection > Conditional Access |
| User password recently expired or changed | Entra Admin Center > Users |
| Entra sign-in logs showing policy interrupts | Entra Admin Center > Monitoring > Sign-in Logs |
If none of the above are present, proceed with the fix below.
Fix: Manual Steps (Per Machine)
Run on the affected user's machine, logged in as that user. You do not need to be a local admin for Steps 1–4.
Step 1: Close All Microsoft Applications
Fully close Outlook, Teams, OneDrive and any other Office applications. Check the system tray and ensure none are still running in the background.
Step 2: Navigate to the BrokerPlugin Folder
Press Win + R and enter:
%localappdata%\Packages
Locate the following folder:
Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
Step 3: Rename the Folder
Rename the folder by appending .old to the end:
Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.old
Do not delete the folder. Renaming it preserves a backup and instructs Windows to recreate it fresh on next boot. If you encounter the error "The action can't be completed because the folder or a file in it is open in another program", see the Troubleshooting section below before continuing.
Step 4: Clear Cached Credentials
-
Open Control Panel → Credential Manager → Windows Credentials
-
Remove all entries beginning with:
-
MicrosoftOffice16_* -
msteams_* -
Microsoft_OC_* -
Any entry referencing
office.comoroutlook.com
Step 5: Reboot the Machine
Perform a full restart (not sign out). Windows will automatically recreate the Microsoft.AAD.BrokerPlugin folder in a clean state on boot.
Step 6: Sign Back Into Outlook
Open Outlook. When prompted, sign in once. The session should persist without re-prompting.
Fix: Automated Script (Bulk Deployment)
Use this script for fleet-wide remediation via RMM tool, Intune Remediation Script, or GPO logon script.
Important: This script must run in the affected user's context, not as SYSTEM or a local admin account. The BrokerPlugin folder is per-user profile.
# Step 1: Kill processes holding the BrokerPlugin before rename
Stop-Process -Name "Microsoft.AAD.BrokerPlugin" -Force -ErrorAction SilentlyContinue
Stop-Process -Name "backgroundTaskHost" -Force -ErrorAction SilentlyContinue
Stop-Process -Name "RuntimeBroker" -Force -ErrorAction SilentlyContinue
# Brief pause to allow process termination to complete
Start-Sleep -Seconds 2
# Step 2: Rename the BrokerPlugin folder
$brokerPath = "$env:LOCALAPPDATA\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
if (Test-Path $brokerPath) {
Rename-Item -Path $brokerPath -NewName "$brokerPath.old" -Force
Write-Output "SUCCESS: BrokerPlugin reset complete. Reboot required."
} else {
Write-Output "INFO: BrokerPlugin folder not found or already reset. No action taken."
}
Post-deployment: Push a reboot policy immediately after the script runs, or instruct users to restart when prompted.
Troubleshooting — "The Action Can't Be Completed" Rename Error
If Windows displays:
The action can't be completed because the folder or a file in it is open in another
programprogram"
This means a background Windows process is still holding a lock on the folder even though all visible apps are closed. The Microsoft.AAD.BrokerPlugin process runs silently in the background and can respawn quickly. Use the following method to identify and terminate it before retrying the rename:
Using Windows Resource Monitor (No Additional Tools Required)
-
Press
Win + Rand run:
perfmon.exe /res
In Resource Monitor, select the CPU tab
Scroll down and expand the Associated Handles section
In the search box, type:
AAD.BrokerPlugin
Press Enter — Resource Monitor will display all processes currently holding a handle on the folder
Right-click each result → End Process
Immediately return to the folder and complete the rename (Step 3 above) before the process respawns