Microsoft 365 Keeps Signing You Out? Fix the Device Trust State for Good

You sign into Microsoft 365 first thing in the morning. By lunch, Outlook is prompting again. By 4pm, Word, Excel, and Teams have each thrown you back to a sign-in screen. You've typed your password six times today and you're starting to wonder if the laptop is broken. It isn't. Constant sign-out cycles have a specific cause — once you understand it, the fix becomes obvious.

What's actually happening

Microsoft 365 uses long-lived tokens to keep you signed in. When you first sign in, your device gets a primary refresh token (PRT) from Azure AD, valid for roughly 90 days. Office apps trade that PRT for shorter-lived access tokens silently in the background. As long as the PRT is valid and the device is still trusted, you shouldn't see a sign-in prompt for the entire 90 days.

When apps keep prompting, one of three things has broken:

• The PRT itself is invalid or expired ahead of its 90-day schedule.
• The device has lost its trust state with Azure AD.
• A Conditional Access policy is silently revoking sessions on a schedule (or based on risk signals).

The pattern of when prompts arrive is your biggest clue about which one. Pay attention to it.

First move: clean restart of the auth chain

Sometimes a fresh sign-in is all you need. Try this first — it's cheap and it works often.

1. Open Word.
2. Click File → Account.
3. Under User Information, click Sign out.
4. Close every Office app, including Teams.
5. Reopen Word, sign in fresh, complete any MFA prompts.
6. Open Outlook and Teams — they pick up the new identity automatically.

If sign-out prompts stop after this, the token cache was just stale. If they're back within an hour, keep going down the list.

Check device trust with dsregcmd

For domain-joined or Azure AD-joined devices (most US corporate laptops), the device has its own registered identity with the cloud. If that registration has broken — after a system restore, a hardware change, or a chunky Windows update — tokens stop refreshing because the device can no longer prove it's still itself.

Open Command Prompt as administrator and run:

dsregcmd /status

Scroll through the output for these lines:

• AzureAdJoined : YES — registered with Azure AD.
• DomainJoined : YES — joined to on-prem AD too, if applicable.
• Under SSO State: AzureAdPrt : YES — you have a valid PRT.

If AzureAdPrt says NO, the PRT is the problem. The next step gets you a fresh one.

Force a fresh PRT

The cleanest way to get a new PRT without unjoining and rejoining the device:

1. Open Settings → Accounts → Access work or school.
2. Click your work or school account → Info.
3. Scroll to the bottom and click Sign out on that specific account (not the entire device).
4. Restart Windows.
5. Sign back into Windows with the same account.

That regenerates the device-to-Azure trust from scratch. Run dsregcmd /status again — the PRT line should now say YES.

If you can't sign out of the work account that way

Some MDM configurations make the work account non-removable through Settings (you can only sign out, not detach). In that case:

1. Open Command Prompt as administrator.
2. Run: dsregcmd /forcerecovery

That forces a recovery flow on the next sign-in. You'll be prompted to re-authenticate when you next lock and unlock the screen, and a fresh PRT is issued.

Clear the Web Account Manager (WAM) cache

Windows uses a service called WAM to broker tokens between apps. When its cache gets corrupted, every app that uses it can fail — and that's nearly every Microsoft app on the system.

1. Close Office apps and Teams.
2. Press Win + R, paste this exact path, press Enter:

   %localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts

3. Move the contents of that folder elsewhere (don't delete yet — keep a backup in case you need them).
4. Restart Windows.
5. Sign in to Office apps fresh.

WAM rebuilds its account cache on first use. If a corrupted broker entry was the cause, this clears it.

Conditional Access: the most common silent culprit

If your account is governed by Conditional Access — most US enterprise deployments are — policies can quietly invalidate tokens when:

• You change locations frequently (home → office → coffee shop within a short window).
• Your device falls out of Intune compliance (failed check, BitLocker disabled, antivirus stopped, OS too old).
• An admin marks your account or a recent sign-in as risky.
• A "Sign-in frequency" policy is set aggressively (some orgs require re-auth every 1 hour for sensitive apps like Finance tooling).

The pattern of sign-out tells you it's Conditional Access:

• Prompts cluster on a specific app — always Outlook, never Word, for example.
• Prompts arrive at predictable intervals like clockwork (every hour, every 4 hours).
• Sign-in works briefly and then immediately re-prompts.

If those patterns match, ask IT to check the sign-in logs in Azure AD → Sign-ins. They can see exactly which policy is requiring the re-prompt and whether your device is still considered compliant. That's not something you can diagnose yourself from the desktop.

Compliance failures: the quiet sign-out cause

Intune-managed devices get a compliance check every few hours. If the check fails, your device is silently marked non-compliant and Conditional Access starts blocking access until it's compliant again. You may have no warning that this is happening.

Common compliance failures:

• BitLocker disk encryption suspended or off.
• Windows version below the minimum the org requires.
• Antivirus disabled or definitions out of date.
• Windows Firewall off.
• You changed your Windows password to something shorter than the org's policy minimum.

To check your compliance status:

1. Open Settings → Accounts → Access work or school → Connected to ... → Info.
2. Read the device sync status and any warnings shown.

Fix what's flagged, then click Sync to push the updated state to Intune. Full compliance propagation can take a few hours, so be patient.

Office repair

Microsoft has a one-click repair specifically for Office identity problems.

1. Open Settings → Apps → Installed apps.
2. Find Microsoft 365 or Microsoft Office, click the three dots → Modify.
3. Choose Quick Repair. If that doesn't help, repeat with Online Repair.

Quick Repair takes a couple of minutes and fixes most local issues without re-downloading anything. Online Repair takes about 30 minutes and reinstalls Office, but both leave your documents and settings untouched.

Last resort options, in order

If none of the above sticks:

1. Disjoin and rejoin the device from Azure AD (requires admin help).
2. Create a fresh Windows user profile and migrate your work to it.
3. Reinstall Windows using the in-place upgrade ("Keep personal files and apps") option to reset configuration without losing data.

None of these should be a first resort. They're for cases where the Windows credential store itself has become corrupted in ways in-place repair can't fix.

Read the pattern, pick the fix

If sign-out prompts return every n hours like clockwork, it's a Conditional Access policy and IT can tune it. If prompts cluster on one app, it's an app-specific token cache (Step 1–2). If everything signs out simultaneously after a Windows update, the device's PRT is broken and the PRT-refresh sequence above is the fix.

The pattern is the diagnosis. Notice the pattern, follow the matching path, and you'll spend a lot less of your week typing your password.