CAA50021 in Outlook: Why It Happens and How to Fix It

Quick answer

When CAA50021 appears in Outlook, it is almost never an Outlook bug. It is a Windows Web Account Manager state issue surfaced through Outlook. The reliable fix is to clear the WAM account cache with dsregcmd /cleanupaccounts from an elevated prompt, restart, and re-add the account in Outlook. If that doesn’t resolve it, the next step is rebuilding the Outlook profile from the Mail Control Panel — not reinstalling Office.

If you’ve landed here without context on what CAA50021 actually is, read the Microsoft 365 CAA50021 hub first. This page covers the Outlook-specific layer.

Before you start

• This is the work/school account scenario. Outlook with a personal Microsoft account (@outlook.com, @hotmail.com) doesn’t produce CAA50021. If you’re seeing it, you’re signing into a tenant — you@yourcompany.com or similar.
• Don’t reinstall Office. Outlook reinstall does not clear WAM state, does not rebuild the Outlook profile, and will not fix CAA50021. We have watched this fix consume entire afternoons. It does not work.
• Confirm whether you’re on Classic Outlook or new Outlook for Windows. The fixes differ. Classic Outlook is the Win32 desktop client included with Microsoft 365 Apps. New Outlook is the Windows Store app launched in 2024 that replaces Mail and Calendar. Check Settings → Apps → Installed apps if you’re not sure.
• You’ll need local administrator rights for the most effective fix. If you don’t have them on a managed device, skip to Work or school device.

What CAA50021 in Outlook actually means

The error always has the same root: Windows tried to get a Microsoft Entra ID token for your work account and failed silently several times before raising the error. In Outlook specifically, the failure surfaces in three dialog forms:

1. “We couldn’t sign you in” during Add Account in the Outlook setup wizard.
2. A repeated password prompt that re-appears after every entry, eventually closing with a CAA50021 error in the title bar.
3. A yellow “Account needs attention” banner at the top of the Outlook window, with CAA50021 listed if you click through to File → Account Settings.

All three are the same underlying problem dressed up differently.

Where in Outlook this appears

CAA50021 in Outlook generally hits during one of these moments:

• Just after a password change. The most common trigger by a wide margin.
• After enabling MFA for a user who didn’t have it before, or after a conditional-access rollout that newly enforces MFA.
• After a Windows quality update. Several Patch Tuesday cumulative updates have triggered WAM state issues that surface as CAA50021.
• When a personal Microsoft account is also signed in on the device alongside the work account. WAM cross-talk between personal and work accounts is a recurring root cause.
• After a domain or tenant migration. Outlook may keep cached references to the old tenant.

Common causes (Outlook-specific)

These overlap with the hub article causes, with extras specific to Outlook.

1. WAM holds a stale or conflicting work-account entry. Same root cause as the general hub — but in Outlook it is the most common cause by far, especially after password changes.

2. A corrupt Outlook profile. Outlook stores its account configuration in a Windows profile object that is separate from the WAM account. A profile corrupted by a half-finished autodiscover, a tenant migration, or an aborted account add will keep producing CAA50021 even after WAM is clean.

3. Cached Office credentials in Credential Manager. Outlook caches per-account credentials separately from WAM in Windows Credential Manager. Stale entries here will silently override fresh tokens and reproduce the error.

4. Outlook is on a build that pre-dates a relevant fix. Microsoft has shipped multiple Outlook updates that address WAM-related sign-in issues. Click-to-Run installs that are months behind are a meaningful contributor.

5. Modern Authentication is disabled at the tenant. Rare in 2026 — Microsoft has deprecated basic auth — but possible in older tenant configurations that haven’t been touched. CAA50021 is the symptom; the fix is admin-side.

Fixes to try first

Do these in order. The fix order in this guide is built from how often each one actually works, not from how Microsoft Support articles structure them.

1. Restart cleanly

Hold Shift while clicking Restart from the Start menu. This forces a kernel reload rather than the fast-startup hibernation Windows uses by default. Some WAM state issues clear with a real restart.

2. Run dsregcmd /cleanupaccounts

This is the single highest-yield fix for CAA50021 in Outlook. It clears stale account entries from Web Account Manager.

1. Press Windows key, type cmd, right-click Command Prompt, and choose Run as administrator.
2. Type:

   dsregcmd /cleanupaccounts

   and press Enter. The command returns silently — no progress bar, no confirmation. That is normal.
3. Close Outlook completely. Right-click the taskbar icon and choose Quit if it’s still running.
4. Reopen Outlook. You will be prompted to sign in. Sign in normally.

If the failing account was your default Windows work account, you may also need to re-add it under Settings → Accounts → Access work or school. Do that before re-launching Outlook.

3. Remove and re-add the account in Outlook

If the WAM cleanup didn’t help, the Outlook-side account configuration may need rebuilding.

For Classic Outlook:

1. Open Outlook.
2. Go to File → Account Settings → Account Settings.
3. Select the affected account and click Remove. Confirm.
4. Click New and add the account again. Sign in with your work credentials when prompted.

For new Outlook for Windows:

1. Click the gear icon (Settings).
2. Go to Accounts → Email accounts.
3. Click Manage next to the affected account, then Remove.
4. Click Add account and re-add it.

In both cases, you will be prompted for MFA if your tenant requires it.

4. Clear stale Outlook credentials in Credential Manager

1. Press Windows key, type Credential Manager, and open it.
2. Click Windows Credentials.
3. Under Generic Credentials, look for entries that start with MicrosoftOffice16_Data: or that contain your work email address.
4. Expand each and click Remove.
5. Restart Outlook. You’ll be prompted to sign in fresh.

If you also see entries containing OutlookAccountSettings or OneDrive Cached Credential for the same account, remove those too. Don’t touch entries under Web Credentials — those are unrelated browser-saved passwords.

Advanced fixes

If you’ve worked through the steps above and CAA50021 in Outlook persists, the issue is either deeper Windows-side state or an Outlook-profile problem. The fixes below are progressively more invasive — only run them if you’ve ruled out the simpler causes.

Rebuild the Outlook profile

This is the Outlook-specific equivalent of “the nuclear option that isn’t actually nuclear.” It clears a corrupted profile without touching anything else on the device.

1. Close Outlook completely.
2. Press Windows key, type Control Panel, and open it. Set View by to Small icons in the top-right.
3. Click Mail (Microsoft Outlook).
4. Click Show Profiles.
5. Click Add to create a new profile. Name it something obvious like Work-2026.
6. Walk through the Add Account wizard with your work credentials.
7. Once the profile is created and you’ve signed in, return to Show Profiles, set Always use this profile to your new one, and click Apply.
8. Open Outlook. It will rebuild the local mail cache.

This takes 5–30 minutes depending on mailbox size, because Outlook downloads new offline data. Don’t panic when Outlook looks empty for the first few minutes.

Update Outlook to the latest channel build

1. In Outlook, go to File → Office Account → Update Options → Update Now.
2. Wait for the update to complete. Restart when prompted.
3. Try sign-in again.

If you’re on a managed device, your IT team controls Office update channel and cadence. You may not have permission to force an update — that’s normal, and not something to fight.

Check the system clock

Outlook token validation is timestamp-sensitive. If the device clock is more than five minutes off real time, sign-in fails. Open Settings → Time & language → Date & time, confirm Set time automatically is on, and click Sync now.

Disable add-ins to rule out interference

Some third-party Outlook add-ins inject themselves into the auth flow.

1. In Outlook, go to File → Options → Add-ins.
2. At the bottom, set Manage to COM Add-ins and click Go.
3. Note which are enabled, then uncheck them all.
4. Restart Outlook and try sign-in.

If sign-in works with all add-ins disabled, re-enable them one at a time to find the offender. Most often it is a security or DLP add-in that hasn’t been updated for current auth flows.

If you are on a work or school device

If your work device is managed by Intune, joined to your organization’s domain, or running corporate DLP and antivirus tooling, treat the user-level fixes as bounded. Do steps 1–4 from Fixes to try first and stop. Specifically:

• Do not run dsregcmd /leave on a hybrid-joined device. You can break the domain trust.
• Do not delete certificates from your personal certificate store.
• Do not unenroll from Intune.

If the steps above don’t resolve it, the issue is upstream — a conditional-access policy, a tenant-side Modern Auth toggle, an Intune compliance failure, or a stale device record in Entra ID. None of these are end-user fixable. The admin-side checklist is the right escalation document; send it to your IT team along with a screenshot of the error and the time it started.

When to stop

Stop and escalate if:

• You’ve worked through the fixes above and CAA50021 persists, and the device is corporately managed.
• The error appeared simultaneously with Outlook keeps asking for password symptoms across the organization. That is a tenant-side conditional-access or MFA rollout, not a client problem.
• You see CAA50021 alongside Outlook is disconnected from server symptoms. The disconnect message points at network or Exchange health, not at WAM.
• A profile rebuild has caused you to lose access to something — calendar entries, archived mail, signatures. Stop and have IT recover before you make further changes.
• You’re tempted to start deleting registry keys or running scripts you found in a forum thread. Don’t. The cost of misfiring on a managed device is high.

Related errors

• Microsoft 365 error CAA50021 (hub)
• CAA50021 in Microsoft Teams
• CAA50021 in OneDrive
• Outlook keeps asking for password
• Outlook is disconnected from server

Official references

• Microsoft 365 Apps activation error 0xCAA50021 — Microsoft Learn
• Create or modify an Outlook profile — Microsoft Support
• Set up modern authentication in Microsoft 365 — Microsoft Learn

FAQ

Why does CAA50021 only appear in Outlook and not in the web version? The web version authenticates through your browser’s credential cache, separate from the Windows Web Account Manager. CAA50021 is a WAM-layer error, so if web Outlook works and desktop Outlook doesn’t, the problem is local to your device — specifically in WAM or Outlook profile state.

Will rebuilding my Outlook profile delete my email? No. Mail in a Microsoft 365 mailbox lives on Exchange Online, not in the local profile. Rebuilding the profile clears local cache files (.OST), local rules, signatures, and add-in configuration. The first time you open Outlook with the new profile, it will re-download mail and rebuild the cache. Local PST archives aren’t affected — verify their path under Account Settings → Data Files in the new profile.

I keep seeing CAA50021 right after every password change. Is that normal? It’s common, not normal. The cause is WAM holding stale tokens for the old password. Running dsregcmd /cleanupaccounts after each password change clears them; some organizations script this into the password-change flow specifically to prevent the next-day support tickets.

Does the new Outlook for Windows have the same CAA50021 issue as Classic Outlook? Yes. Both clients use the Windows Web Account Manager for work and school account sign-in, so the WAM-side fixes apply equally. The difference is the profile layer — new Outlook doesn’t have the Mail Control Panel profile concept, so the “rebuild profile” step in this guide is for Classic Outlook only. For new Outlook, removing and re-adding the account from Settings is the equivalent.

My Outlook signs in but immediately disconnects with a CAA50021 banner. What’s different? That pattern usually points at a conditional-access policy that allows initial sign-in but blocks subsequent token refreshes — for example, a session-control policy that expects continuous device-compliance signal. The error code is the same, but no client-side fix will resolve it. Send the admin-side checklist to your IT team.