Entra ID / Microsoft 365 Authentication Prompt Loops — WAM BrokerPlugin Corruption (Error 1001)
Users on Windows 10/11 Enterprise experience persistent authentication loops when launching Outlook, Teams, or Excel, with sign-in attempts failing to cache credentials and generating error code 1001. The root cause is corruption of the Web Account Manager (WAM) data stored under the Microsoft.AAD.BrokerPlugin local package folder, preventing OAuth refresh tokens from being securely cached. Remediation involves re-registering the AAD BrokerPlugin app package via PowerShell for the affected user profile.
Indicators
- User is persistently prompted to authenticate when opening Outlook, Teams, or Excel — sign-in loop does not resolve on completion
- Authentication attempts fail to persist across sessions — credentials do not stick after completing the sign-in flow
- Error code 1001 generated during the authentication loop in M365 applications
- Complete denial of service for all M365 collaboration suite applications (Outlook, Teams, Excel) for the affected user
- Urgent escalation requests raised to desktop engineering teams due to total productivity loss
Likely causes
- Corruption within the local user profile's Web Account Manager (WAM) data folders, specifically under the Microsoft.AAD.BrokerPlugin package directory, preventing secure caching of modern OAuth refresh tokens
- Incorrect or missing permissions on the AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy directory within the affected user's local profile
- AAD BrokerPlugin app package context not properly registered for the local Windows user profile, causing WAM to fail token brokering operations
Diagnostic steps
- Verify that the WAM BrokerPlugin directory exists and is visible in the affected user's local profile: %LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy. This confirms whether the BrokerPlugin package folder is present and visible; absence or inaccessibility of this folder indicates WAM data corruption or permission loss.
- Inspect permissions on the BrokerPlugin package folder using icacls from an elevated prompt: icacls "%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" (if the elevated prompt runs as a different account, substitute the affected user's profile path, since %LOCALAPPDATA% resolves to the elevated account's profile). This determines whether the affected user account has correct NTFS permissions on the WAM data folder; incorrect permissions prevent token caching even if the folder exists.
- Confirm the issue manifests across multiple M365 applications (Outlook, Teams, Excel) to distinguish a WAM/profile-level problem from a single-application configuration issue. WAM corruption affects all applications relying on the shared token broker, so cross-application impact confirms the WAM layer is the failure point.
- Review the contents of the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy package folder for signs of data corruption: look for missing, zero-byte, or inaccessible token cache files within the package's data subdirectories. This identifies the specific corrupted WAM data artifacts preventing OAuth refresh token caching and confirms that re-registration is appropriate rather than a full profile rebuild.
Resolution path
- Step 1 — Close all Microsoft 365 applications (Outlook, Teams, Excel) for the affected user before beginning remediation to ensure no process has locks on WAM data files.
- Step 2 — Open PowerShell in the context of the affected user profile and run: Get-AppxPackage -Name Microsoft.AAD.BrokerPlugin | ForEach-Object { Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" }
- Step 3 — After the re-registration sequence completes, verify the AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy directory is correctly present with appropriate permissions for the user account.
- Step 4 — Relaunch affected M365 applications and prompt the user to authenticate once — confirm that the sign-in persists without looping and that error code 1001 no longer appears.
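The four resolution steps as one PowerShell script, added here as an example and not taken from the original article. It assumes the process names OUTLOOK, Teams, ms-teams and EXCEL for Step 1, and it must run as the affected user (not from an elevated prompt) so that Add-AppxPackage -Register and $env:LOCALAPPDATA target that user's profile.

```powershell
# Added example: automates Resolution Steps 1-4 for the signed-in user.
# Run in the affected user's own PowerShell session, not elevated as another account.
$pkgName   = 'Microsoft.AAD.BrokerPlugin'
$pkgFolder = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
# Assumed process names for Outlook, classic Teams, new Teams and Excel
$m365Procs = 'OUTLOOK', 'Teams', 'ms-teams', 'EXCEL'

# Step 1: close M365 apps so no process holds locks on WAM token cache files
Get-Process -Name $m365Procs -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Stopping $($_.ProcessName) (PID $($_.Id))"
    $_ | Stop-Process -Force
}

# Step 2: re-register the AAD BrokerPlugin package for this user profile
$pkg = Get-AppxPackage -Name $pkgName
if (-not $pkg) { throw "$pkgName is not installed for this user; cannot re-register." }
$manifest = Join-Path $pkg.InstallLocation 'AppXManifest.xml'
Add-AppxPackage -DisableDevelopmentMode -Register $manifest

# Step 3: verify the package folder exists and the user holds an Allow/FullControl ACE
if (-not (Test-Path -LiteralPath $pkgFolder)) { throw "Package folder still missing: $pkgFolder" }
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$mine = (Get-Acl -LiteralPath $pkgFolder).Access | Where-Object {
    $_.IdentityReference.Value -eq $me -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full)
}
if (-not $mine) {
    # Repair with icacls as the article's Tools section suggests; (OI)(CI) inherits to children
    Write-Warning "$me lacks FullControl on $pkgFolder; granting it"
    icacls $pkgFolder /grant "${me}:(OI)(CI)F" /T | Out-Null
}

# Step 4 is manual: the user relaunches Outlook/Teams/Excel and signs in once
Write-Host "Re-registration done. Relaunch the M365 apps, sign in once, and confirm error 1001 is gone."
```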
Prevention
- Implement regular monitoring of the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy package folder permissions across managed endpoints using endpoint management tooling (e.g., Intune compliance policies or SCCM scripts) to detect permission drift before it causes authentication failures
- Establish a proactive profile health check process as part of Windows 10/11 Enterprise device lifecycle management — periodically validate WAM data folder integrity on endpoints to identify corruption early, particularly after in-place OS upgrades or profile migrations
- Ensure that any automated profile management, folder redirection, or security hardening scripts explicitly preserve correct permissions on the AppData\Local\Packages path to prevent inadvertent WAM data corruption
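A detection script for the monitoring described above, added here as an example and not part of the original article. It is written for an Intune Proactive Remediation (exit 0 = healthy, exit 1 = drift found) and assumes it is deployed to run in the logged-on user's context so that $env:LOCALAPPDATA resolves to that user's profile; the same checks can be run from an SCCM script.

```powershell
# Added example: detection-only check for WAM BrokerPlugin folder presence,
# permission drift and zero-byte token cache files (Diagnostic steps 1, 2 and 4).
$pkgFolder = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$findings  = [System.Collections.Generic.List[string]]::new()

if (-not (Test-Path -LiteralPath $pkgFolder)) {
    # Check 1: folder missing or hidden from this user
    $findings.Add("missing: $pkgFolder")
} else {
    # Check 2: the signed-in user must hold an Allow/FullControl ACE on the folder
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $ace = (Get-Acl -LiteralPath $pkgFolder).Access | Where-Object {
        $_.IdentityReference.Value -eq $me -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'FullControl'
    }
    if (-not $ace) { $findings.Add("permission drift: $me has no FullControl ACE on $pkgFolder") }

    # Check 3: zero-byte or unreadable files under the package data (article's corruption heuristic)
    try {
        $zero = Get-ChildItem -LiteralPath $pkgFolder -Recurse -File -ErrorAction Stop |
                Where-Object { $_.Length -eq 0 }
        foreach ($f in $zero) { $findings.Add("zero-byte file: $($f.FullName)") }
    } catch {
        $findings.Add("inaccessible content: $($_.Exception.Message)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "WAM BrokerPlugin folder healthy for $env:USERNAME"
    exit 0
}
# Intune reports the first output line, so lead with the summary
Write-Output ("WAM drift detected ({0} finding(s)): {1}" -f $findings.Count, ($findings -join '; '))
exit 1
```

Pair it with a remediation script that performs the re-registration from the Resolution path, or leave remediation manual and use the exit code purely for reporting.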
Tools
- PowerShell — re-register AAD BrokerPlugin app package for the affected local user profile
- icacls — inspect and repair NTFS permissions on the BrokerPlugin package directory
- Windows File Explorer — verify visibility and presence of the Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy package folder