Entra ID / Microsoft 365 Authentication Prompt Loop — WAM BrokerPlugin Corruption (Error 1001)
Users on Windows 10/11 Enterprise experience persistent authentication loops when launching Outlook, Teams, or Excel, with sign-in appearing to complete but tokens failing to cache, producing error code 1001. The root cause is corruption within the Web Account Manager (WAM) data folder for the Microsoft.AAD.BrokerPlugin app package, preventing secure caching of OAuth refresh tokens. Resolution requires inspecting the BrokerPlugin AppData folder for permission or visibility issues, then re-registering the AAD BrokerPlugin AppX package via PowerShell for the affected user profile.
Indicators
- Persistent authentication prompts when opening Outlook, Teams, or Excel — sign-in loop does not resolve after completing credentials
- Error code 1001 generated during the authentication loop
- Sign-in appears to complete but the token/session does not persist ('fails to stick')
- Urgent escalation to desktop engineering teams due to complete loss of M365 collaboration suite access
- AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy folder missing, hidden, or has broken NTFS permissions
Likely causes
- Corruption within the local user profile's Web Account Manager (WAM) data folders (AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy) preventing secure caching of modern OAuth refresh tokens
- Incorrect or broken NTFS permissions on the Microsoft.AAD.BrokerPlugin package folder causing the WAM service to be unable to read or write token cache data
- Missing or invisible BrokerPlugin package folder in the user's local profile, possibly caused by a failed Windows update, profile migration, or antivirus quarantine action
Diagnostic steps
- Navigate to C:\Users\<username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy within the affected user's local profile directory and verify the folder exists and is visible. Confirms whether the WAM BrokerPlugin data folder is present in the user profile; absence or a hidden state indicates corruption or deletion.
- Right-click the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy folder > Properties > Security tab, or run: icacls "C:\Users\<username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy". Determines whether broken permissions are preventing the WAM service from caching OAuth refresh tokens, even if the folder physically exists.
- Reproduce the authentication loop by launching Outlook or Teams as the affected user and note the exact error code returned (expected: 1001). Confirms the issue is active and captures the error code to verify it matches the known WAM BrokerPlugin failure pattern before applying the fix.
- In the Entra ID portal, navigate to Azure AD > Sign-in logs and filter by the affected user's UPN. Review for Conditional Access blocks, MFA failures, or token revocation events. Eliminates cloud-side causes (e.g., MFA policy misconfiguration, token revocation, Conditional Access) before committing to local profile remediation.
- Test with a second user profile on the same device, or test the affected user on a different device, to determine if the issue is profile-specific or device/deployment-wide. Scopes the incident — per-profile WAM corruption is resolved with the BrokerPlugin re-registration; a wider pattern may indicate a GPO, update, or AV policy causing the corruption.
Resolution path
- Step 1 — Open an elevated PowerShell session (Run as Administrator) on the affected device.
- Step 2 — Run the BrokerPlugin re-registration command: Get-AppxPackage -AllUsers Microsoft.AAD.BrokerPlugin | foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" -Verbose}
- Step 3 — Sign out of the affected Windows user profile completely (not just lock — full sign-out).
- Step 4 — Sign back in and relaunch Outlook, Teams, or Excel to verify the authentication prompt loop no longer occurs and the session persists across application restarts.
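Resolution path step 2 as a runbook-style script: it wraps the article's re-registration command with a check that the package and its manifest exist, then reads back the registration state so the engineer can see whether the fix took before asking the user to sign out. This is an added example, not the article's own script or Microsoft's tooling; it assumes only the Microsoft.AAD.BrokerPlugin package name quoted above and that it runs in an elevated session.

```powershell
# Added example (not from the original article): re-register the AAD BrokerPlugin
# package and verify the result. Requires an elevated PowerShell session (step 1).
#Requires -RunAsAdministrator

$PackageName = 'Microsoft.AAD.BrokerPlugin'   # package name from the article

# Locate the staged package(s). -AllUsers needs elevation and also returns
# per-user install state, which we use for the verification pass below.
$staged = Get-AppxPackage -AllUsers -Name $PackageName
if (-not $staged) {
    Write-Error "$PackageName is not present on this device; nothing to re-register from InstallLocation."
    exit 2
}

foreach ($pkg in $staged) {
    $manifest = Join-Path $pkg.InstallLocation 'AppXManifest.xml'
    if (-not (Test-Path -LiteralPath $manifest)) {
        # A missing manifest means the package payload itself is damaged; re-registration
        # cannot repair that, and the device needs a component/update repair instead.
        Write-Warning "Manifest missing at $manifest; skipping $($pkg.PackageFullName)"
        continue
    }
    Write-Host "Re-registering $($pkg.PackageFullName)"
    # Same command as Resolution path step 2. -Register registers the package for the
    # account running this session, so run it in the affected user's elevated session.
    Add-AppxPackage -DisableDevelopmentMode -Register $manifest -Verbose
}

# Verification: list which user SIDs now have the package and in what state.
# Each PackageUserInformation entry carries the user SID and an InstallState
# (expected: Installed) for that profile.
Write-Host "`nPost-registration state:"
foreach ($pkg in (Get-AppxPackage -AllUsers -Name $PackageName)) {
    foreach ($u in $pkg.PackageUserInformation) {
        '{0,-14} {1,-50} {2}' -f $u.InstallState, $u.UserSecurityId.Sid, $pkg.PackageFullName
    }
}

Write-Host "`nNow sign the affected profile out fully (step 3) and sign back in (step 4) so WAM starts with the re-registered package."
```

If the verification pass still shows anything other than Installed for the affected user's SID, the per-profile re-registration has not resolved the problem, and the scoping test in the diagnostic steps (second profile, second device) is the next move before escalating.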
Prevention
- Implement regular monitoring of the AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy folder presence and permissions via endpoint management tooling (e.g., Intune compliance scripts or SCCM baselines) so corruption is detected proactively.
- Exclude the Microsoft.AAD.BrokerPlugin AppData package folder path from antivirus real-time scanning and remediation policies to prevent AV engines from quarantining or corrupting WAM token cache data.
- Standardise a post-Windows-update validation check that confirms the AAD BrokerPlugin AppX package is correctly registered for all active user profiles on managed devices, particularly after cumulative or feature updates.
- Maintain a documented and tested PowerShell remediation runbook for BrokerPlugin re-registration so L1 teams can execute it rapidly without escalation.
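The Diagnostic steps (folder presence, hidden attribute, NTFS ACL, package registration) and the proactive monitoring in the first Prevention bullet need the same checks, so one detection script covers both: run it by hand during triage, or deploy it as the detection half of an Intune remediation where exit code 1 triggers the paired remediation script. The following PowerShell is an added example, not the article's or Microsoft's own tooling; it assumes the package family name quoted in the article, treats $TargetUser as a placeholder for the profile being inspected, and uses a heuristic string match on the ACL rather than a full effective-access calculation.

```powershell
# Added example (not from the original article): detection check for the WAM
# BrokerPlugin data folder, its NTFS ACL, and the package registration state.
# Exit 0 = healthy, exit 1 = one or more findings (Intune detection-script convention).
# $TargetUser is a placeholder and defaults to the account running the script.
param(
    [string]$TargetUser = $env:USERNAME
)

$PackageFamily = 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'   # family name from the article
$PackageName   = 'Microsoft.AAD.BrokerPlugin'
$PackagePath   = Join-Path $env:SystemDrive "Users\$TargetUser\AppData\Local\Packages\$PackageFamily"
$findings      = [System.Collections.Generic.List[string]]::new()

# 1. Folder presence and visibility (diagnostic step 1). -Force lets Get-Item return
#    hidden/system items so a hidden folder is reported rather than treated as missing.
if (-not (Test-Path -LiteralPath $PackagePath)) {
    $findings.Add("Package folder missing: $PackagePath")
}
else {
    $folder = Get-Item -LiteralPath $PackagePath -Force
    if (($folder.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
        $findings.Add("Package folder is marked Hidden: $PackagePath")
    }

    # 2. NTFS permissions (diagnostic step 2). WAM caches tokens here in the user's
    #    context, so the profile owner needs an Allow ACE granting FullControl or Modify.
    #    Generic-right ACEs render as raw integers, hence the heuristic string match.
    $acl = Get-Acl -LiteralPath $PackagePath
    $userAllow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$TargetUser"
    }
    $hasWrite = $userAllow | Where-Object { "$($_.FileSystemRights)" -match 'FullControl|Modify' }
    if (-not $hasWrite) {
        $findings.Add("No Allow ACE granting FullControl/Modify to $TargetUser on $PackagePath")
    }
}

# 3. Package registration for that profile. -AllUsers needs elevation; if the script
#    is unelevated this check is skipped silently rather than producing a false finding.
$sid = try {
    ([System.Security.Principal.NTAccount]$TargetUser).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch { $null }

$pkg = Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue
if ($pkg -and $sid) {
    $state = $pkg.PackageUserInformation | Where-Object { $_.UserSecurityId.Sid -eq $sid }
    if (-not $state -or "$($state.InstallState)" -ne 'Installed') {
        $findings.Add("$PackageName is not in Installed state for $TargetUser ($sid); re-registration needed")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: BrokerPlugin folder, ACL and registration look healthy for $TargetUser"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

For fleet monitoring, schedule it in the user's context (so $env:USERNAME resolves to the profile owner) and alert on exit code 1; a cluster of findings across many devices after the same update or AV policy change is the deployment-wide pattern the last diagnostic step describes, and points at the update or policy rather than at individual profiles.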
Tools
- PowerShell (elevated) — re-register AAD BrokerPlugin AppX package
- Windows File Explorer / icacls — inspect and repair NTFS permissions on BrokerPlugin AppData folder
- Entra ID / Azure AD portal Sign-in Logs — rule out cloud-side authentication failures
- Get-AppxPackage / Add-AppxPackage (PowerShell AppX cmdlets) — query and re-register the BrokerPlugin package