Outlook & Teams Sign-in Loops, Cache Corruption, and Autodiscover Failures on Microsoft 365 Clients
Microsoft 365 desktop clients (Outlook 2016–365, Teams Classic and New) fail with repeated credential prompts, stuck loading screens, missing shared mailboxes, or calendar/chat sync failures. Root causes are almost always client-side: corrupted WAM/Credential Manager tokens, stale Teams cache in %AppData%\Microsoft\Teams or %LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe, broken Outlook profile, missing Autodiscover CNAME, disabled Modern Authentication, or a Conditional Access block. Resolution follows a deterministic sequence: rule out service health, verify licensing/Autodiscover, then clear cached credentials, reset Teams cache, and rebuild Outlook profile if needed.
Indicators
- Outlook repeatedly prompts for credentials or fails Modern Auth sign-in
- Teams stuck on loading splash screen or 'We're sorry — we've run into an issue'
- Shared mailboxes fail to load or show as disconnected in Outlook status bar
- Calendar items created in Outlook do not appear in Teams (or vice versa) after >15 minutes
- Users cannot join Teams meetings, send/receive chat, or presence shows perpetually 'Unknown'
- Autodiscover fails in Microsoft Remote Connectivity Analyzer with HTTP 401 or DNS lookup failure
- Entra ID sign-in logs show repeated interactive sign-in failures with Conditional Access failure reason
Likely causes
- Corrupted WAM/OAuth tokens in Windows Credential Manager (MicrosoftOffice16_Data:*, MSTeams, *.office.com entries)
- Stale Teams cache in %AppData%\Microsoft\Teams (Classic) or %LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe (New Teams)
- Missing or incorrect Autodiscover CNAME (autodiscover.<domain> → autodiscover.outlook.com) for Exchange Online
- Modern Authentication (OAuth2ClientProfileEnabled) disabled at tenant level
- Conditional Access policy blocking client platform, location, or requiring compliant device the endpoint is not
- Microsoft 365 service-side incident affecting Exchange Online, Teams, or Entra ID token issuance
- Outlook profile corruption (OST index damage, malformed autodiscover.xml cache)
- Outdated Office/Teams build missing required auth stack fixes
Diagnostic steps
-
Open Microsoft 365 admin center → Health → Service Health. Filter on Exchange Online, Microsoft Teams, and Identity Service. Note any active advisories or incidents.Rule out tenant-wide service outage before touching the client — avoids wasted remediation on a Microsoft-side incident.
-
In admin center → Users → Active Users, confirm the affected user has an active Microsoft 365 licence with Exchange Online and Teams service plans enabled and mailbox provisioned (Get-Mailbox <upn> via Exchange Online PowerShell).Confirms licensing and mailbox provisioning are not the root cause.
-
Run Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com) → Office 365 → Outlook Connectivity and Exchange ActiveSync Autodiscover, using the user's UPN and password.End-to-end validation of Autodiscover, OAuth token issuance, and mailbox connectivity from outside the corporate network.
-
On the affected workstation, open Control Panel → Credential Manager → Windows Credentials. Enumerate entries starting with MicrosoftOffice16_Data:, MSTeams, msteams_adalsso, and *.office.com.Identifies stale or corrupt cached OAuth/WAM tokens driving repeated credential prompts.
-
Collect diagnostics: Teams — hold Ctrl+Shift+Alt+1 (Classic) or right-click Teams tray icon → Collect support files (New Teams). Outlook — File → Options → Advanced → 'Enable troubleshooting logging (requires restarting Outlook)', restart, reproduce, then collect %TEMP%\Outlook Logging.Captures client-side auth and MAPI/HTTP failure detail for deeper analysis or Microsoft support escalation.
-
In Entra ID admin center → Users → Sign-in logs, filter by the affected UPN for the last 24 hours. Inspect Status, Failure reason, Conditional Access column, and correlation ID for each failure.Identifies Conditional Access blocks, MFA failures, or device compliance failures preventing token issuance.
-
From an admin PowerShell on the workstation, run: Resolve-DnsName autodiscover.<primary-smtp-domain> -Type CNAME. Confirm it resolves to autodiscover.outlook.com.Detects missing or misconfigured public Autodiscover DNS records — a common cause of Outlook profile creation failure.
-
Run Microsoft Support and Recovery Assistant (SaRA) with the Outlook or Teams scenario for the affected user profile.Automates known-issue detection (profile corruption, cached mode issues, Teams add-in conflicts) with structured output.
Resolution path
- Clear cached credentials: Control Panel → Credential Manager → Windows Credentials. Remove every entry matching MicrosoftOffice16_Data:*, MSTeams, msteams_adalsso, and *.office.com. Close and reopen Outlook/Teams; re-authenticate with the user's UPN.
- Reset Teams Classic: fully exit Teams (right-click tray → Quit; confirm Teams.exe not in Task Manager), then delete contents of %AppData%\Microsoft\Teams (preserve backgrounds subfolder if needed). Relaunch Teams.
- Reset New Teams: right-click tray → Quit. Run 'Get-AppxPackage -Name MSTeams | Reset-AppxPackage' in admin PowerShell, or manually clear %LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache. Relaunch.
- Rebuild Outlook profile: close Outlook. Control Panel → Mail (Microsoft Outlook) → Show Profiles → Remove existing profile → Add new profile → let Autodiscover configure it with the user's UPN. Set 'Always use this profile'.
- Verify Autodiscover DNS at the registrar: ensure CNAME autodiscover.<domain> → autodiscover.outlook.com exists and resolves publicly.
- Ensure Modern Authentication is enabled: Connect-ExchangeOnline; Set-OrganizationConfig -OAuth2ClientProfileEnabled $true.
- Update Office and Teams to the latest build: Outlook → File → Office Account → Update Options → Update Now. For New Teams, allow auto-update or reinstall the MSIX package.
- If Conditional Access is blocking: review the failing policy in Entra ID sign-in log entry, add a targeted exclusion (user, group, or named location) or adjust device compliance requirement, and retest.
Prevention
- Enforce Modern Authentication tenant-wide and disable legacy Basic Auth protocols (SMTP AUTH, POP, IMAP, MAPI-over-HTTP legacy) via authentication policies.
- Publish and monitor Autodiscover CNAME with an external synthetic check (e.g., ThousandEyes, StatusCake) alerting on resolution or content drift.
- Standardise on Microsoft 365 Apps Monthly Enterprise Channel for predictable, tested update cadence across the fleet.
- Deploy all new Conditional Access policies in Report-only mode for 7–14 days before enforcement; review sign-in log impact before flipping to On.
- Subscribe key admins to Microsoft 365 Service Health email/Teams notifications and integrate with the ITSM alerting channel.
- Publish a documented self-service KB article for end users covering Teams cache clear and Credential Manager reset as first-line remediation.
- Baseline Outlook and Teams versions via Intune/SCCM configuration profiles and alert on clients falling more than one channel release behind.
Tools
- Microsoft Remote Connectivity Analyzer (Autodiscover, OAuth, mailbox connectivity testing)
- Microsoft Support and Recovery Assistant / SaRA (automated Outlook/Teams diagnostics)
- Windows Credential Manager (clear cached WAM/OAuth tokens)
- Microsoft 365 admin center (service health, licence and mailbox verification)
- Entra ID Sign-in Logs (auth and Conditional Access troubleshooting)
- Teams Diagnostic Log Collector — Ctrl+Shift+Alt+1 (Classic) / tray → Collect support files (New)
- Exchange Online PowerShell (Get-Mailbox, Get-OrganizationConfig)