Outlook Keeps Asking for Password: The Modern Auth Fix Order (Not the 2018 One)

If you search “Outlook keeps asking for password,” you’ll get a hundred articles published between 2017 and 2020 telling you to set Logon Network Security to Anonymous Authentication, run OUTLOOK.EXE /resetnavpane, or edit the EnableADAL registry key. Most of that advice is irrelevant in 2026. Microsoft retired Basic Authentication for Exchange Online in October 2022. Modern Authentication is the only authentication path now. The fix order changed, and most of the older articles haven’t been updated.

This guide is the current one. If you want the historical context, the bottom of the page covers what changed and why old fixes don’t apply.

Quick answer

The “Outlook keeps asking for password” symptom in Microsoft 365 has three modern-auth root causes. Run the fix order:

1. Sign out of Office completely and sign back in. Clears stale tokens. Resolves more cases than anything else.
2. Clear cached credentials in Windows Credential Manager. Removes Office credentials, then signs back in cleanly.
3. Reset the Web Account Manager (WAM) and identity cache. Rebuilds the token broker state.
4. Recreate the Outlook profile. When the profile itself is corrupted rather than the auth state.
5. Switch to a fresh installation. Last resort; uninstall and reinstall Microsoft 365.

If you’re using POP/IMAP with a Microsoft 365 mailbox (which Microsoft strongly discourages), the path is different — see the POP/IMAP section below.

If you’re an admin and the loop affects multiple users on multiple devices, it’s almost certainly Conditional Access policy or Modern Auth not being enabled at the tenant. See admin-side MFA loop causes.

Before you start

Three checks first:

• Confirm you can sign in to Outlook on the web at outlook.office.com. If you can, your account and password are fine — the issue is local. If you can’t, you’re not in password-loop territory; you’re in an account/license issue, see CAA50021.
• Identify which Outlook you’re using. “Classic Outlook” (the one most professional users have used for years, formerly called “Outlook desktop”), “new Outlook for Windows” (the lightweight replacement Microsoft has been rolling out), or “Outlook on the web.” The fixes here apply to classic Outlook. New Outlook handles auth differently.
• Confirm Microsoft 365 service status is healthy at admin.microsoft.com/servicestatus.

What’s actually happening

When Outlook sends or receives mail, it has to prove its identity to Exchange Online. Modern Authentication does this with a refresh token and an access token, not a password. The password you typed once was used to obtain the initial token; from then on, Outlook should refresh tokens silently in the background.

A password prompt means one of three things has happened:

1. The refresh token expired or got invalidated and the silent refresh failed.
2. Outlook can’t find the cached token at all because the cache was cleared.
3. Outlook is being told by policy to re-authenticate — typically by Conditional Access “sign-in frequency” rules.

The “fix” of typing your password again sometimes works briefly because it triggers a fresh token, but if the underlying cause isn’t resolved, the prompt comes back within hours.

Note: the password prompt that appears in modern Outlook is not the old Basic Auth prompt that asked for username + password directly. It’s a redirect to a Microsoft-hosted sign-in page (or a WebView equivalent). If you’re getting an old-style Basic Auth prompt with no Microsoft branding, you’re either on a very old Outlook build or your profile is misconfigured to use a non-Modern-Auth path.

Where this happens

The password prompt loop in Outlook surfaces in:

• Classic Outlook on Windows, after a Windows update, password change, or several days of normal use.
• Outlook for Mac, with a similar pattern but different cache locations.
• Outlook Mobile (iOS / Android) — much less commonly, usually requiring a full app reinstall.
• Outlook on the web — almost never, because cookies handle persistence and the OWA flow is different.

It does not normally happen in new Outlook for Windows. If it does there, the cause is usually a botched account-add; remove and re-add the account in new Outlook itself.

Common causes (modern Outlook, post-Basic-Auth)

In rough order of frequency:

1. Stale token in the Outlook identity cache. Most common cause. Outlook holds a refresh token in %LOCALAPPDATA%\Microsoft\Outlook and %LOCALAPPDATA%\Microsoft\IdentityCache. After a Windows update, password change, or long idle period, that token can become invalid in a way Outlook doesn’t recover from automatically.

2. Bad Credential Manager entries. Old credentials from previous Outlook versions or from sign-ins to other accounts conflict with the current sign-in. Outlook reads the wrong credential and prompts when validation fails.

3. WAM (Web Account Manager) / AAD Broker corruption. When the underlying Windows broker has a problem, every Office app fails the same way. Outlook just surfaces it most prominently because it’s the one constantly authenticating.

4. Conditional Access sign-in frequency policy. Admin-set policy forcing re-auth every X hours. Looks identical to a malfunction. Common in regulated industries; increasingly common everywhere as security postures tighten.

5. Corrupted Outlook profile. The profile itself (the .ost file plus profile registry entries) has a fault that prevents the auth state from persisting in that profile. A new profile resolves it.

6. AutoDiscover misconfiguration. Less common with M365 (where AutoDiscover usually works), but if AutoDiscover is hijacked by a misconfigured DNS record or a third-party domain provider, Outlook can fail authentication in subtle ways. See the AutoDiscover section below.

7. POP/IMAP profile against a M365 mailbox. Microsoft 365 mailboxes prefer Exchange or MAPI/HTTP profiles. If your profile is configured for POP or IMAP, you’ll authenticate every send/receive — that’s the protocol’s behavior. Convert to an Exchange profile.

Fixes — try these in order

Fix 1: Sign out of Office and back in

The simplest fix and the one that most often works. The act of signing out forces a clean token re-issue.

1. In any Office app (Word is fine), go to File → Account → Sign out. Confirm.
2. Close all Office apps. Outlook included. Check Task Manager for OUTLOOK.EXE, WINWORD.EXE, EXCEL.EXE, OfficeClickToRun.exe. Kill any.
3. Reopen Outlook.
4. Sign in. Walk through the modern auth flow. Tick “Allow my organization to manage my device” when offered (see why this matters for context).
5. Send/receive a test email. Confirm no prompt.

If this fixes it for an hour and the prompt comes back, you have Pattern 4 (Conditional Access) — skip to Fix 6.

Fix 2: Clear cached credentials

When Fix 1 doesn’t stick, bad cached credentials are the next likely culprit.

1. Press Windows + R, type control /name Microsoft.CredentialManager, press Enter.
2. Click Windows Credentials.
3. Under Generic Credentials, find and remove entries starting with:
   • MicrosoftOffice16_Data:
   • MicrosoftAccount:
   • OneDrive Cached Credential
   • MS.Outlook.16:
   • Anything containing your work email address
4. Restart Outlook.
5. You’ll be prompted to sign in once. Walk through the flow.
6. Send/receive a test email.

Don’t delete credentials unrelated to Office — other apps store credentials here too.

Fix 3: Reset the WAM token broker and identity cache

When credential cleanup alone doesn’t work, reset the broker layer.

1. Sign out of Office (File → Account → Sign out).
2. Close all Office apps.
3. Open File Explorer and navigate to %LOCALAPPDATA%\Microsoft.
4. Rename these folders (don’t delete; keep as backup):
   • IdentityCache → IdentityCache.bak
   • OneAuth → OneAuth.bak
   • TokenBroker → TokenBroker.bak
5. Restart Windows (a full restart, not a sign-out — the broker service must fully stop and restart).
6. Open Outlook and sign in with the modern auth flow.
7. Tick “Allow my organization to manage my device” when offered.

If this works, the prompt should not come back. You can delete the .bak folders.

If it works briefly and comes back, see Fix 6 (Conditional Access).

Fix 4: Recreate the Outlook profile

When the profile itself is the problem.

1. Close Outlook.
2. Open Control Panel → Mail (Microsoft Outlook). (If you don’t see Mail, it’s only created after Outlook is first run; on Win 11 it may be under Control Panel → User Accounts → Mail.)
3. Click Show Profiles.
4. Note your existing profile name (likely “Outlook” or your name).
5. Click Add. Name the new profile (e.g., “OutlookFresh”). Click OK.
6. Walk through the email account setup with your work email. Modern auth should be used automatically.
7. When prompted to choose, set Always use this profile to OutlookFresh.
8. Open Outlook. The new profile will populate (this can take 10 minutes to several hours depending on mailbox size).
9. Once the new profile is working without prompts, you can delete the old profile from Control Panel → Mail → Show Profiles → select old → Remove.

The old .ost file (cached mail data) lives at %LOCALAPPDATA%\Microsoft\Outlook\<old-profile>.ost. You can delete it after confirming the new profile works, but only if you’ve confirmed all your mail synced properly to the new profile.

Fix 5: Online Repair of Microsoft 365

Last local-fix resort before reinstalling.

1. Close all Office apps.
2. Settings → Apps → Installed apps.
3. Find Microsoft 365 Apps → three-dot menu → Modify.
4. Choose Online Repair (not Quick Repair). Click Repair.
5. Walk through the prompts. 5–15 minutes plus restart.
6. Open Outlook and sign in.

Fix 6: Address Conditional Access policy

When the loop is policy-driven (Pattern 4), client fixes won’t permanently solve it.

Diagnostic: does the prompt appear at consistent intervals (every 1, 4, 8, or 24 hours)? Does it appear right after switching networks? Does it appear when you connect from home but not when on the office network? Those are policy fingerprints.

End-user options are limited:

• Click “Yes” when asked “Stay signed in?”. Don’t dismiss it.
• Make sure you’re not in a “Guest” Wi-Fi network the policy treats as untrusted.
• Update Windows and run any pending Intune compliance sync (Settings → Accounts → Access work or school → click work account → Info → Sync).

Real fix is admin-side. If you’re the admin (Persona 2 — small business owner), see admin-side MFA loop causes for the Conditional Access policies and sign-in frequency settings to review.

Advanced fixes

If the standard fix order hasn’t worked, three more options:

AutoDiscover diagnostic. When AutoDiscover misroutes Outlook, sign-in can fail in ways that look like password prompts. Run the Microsoft Remote Connectivity Analyzer → Outlook Connectivity test. If AutoDiscover fails or returns an unexpected URL, that’s the root cause. Fixing it usually requires DNS access (admin). Common cause: a third-party domain registrar that responds to autodiscover.<yourdomain> with a wildcard record pointing somewhere unhelpful.

Force re-registration of the device with Entra ID.

Open admin Command Prompt:

dsregcmd /status

Look at AzureAdJoined, WorkplaceJoined, and DeviceAuthStatus. If the device shows as joined but auth is failing:

• On a personal device, dsregcmd /leave (admin), restart, then sign in to Office to re-register.
• On a managed device, never run dsregcmd /leave. It’ll break corporate compliance. Raise a ticket with IT instead.

Disable WAM as a diagnostic only. Some EDR products interfere with WAM. To test whether that’s the cause (only as diagnosis; don’t leave this in place), set:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride = 1 (DWORD)

Restart Outlook. If the prompt stops, you’ve identified WAM as the failure surface — and the real fix is to whitelist WAM in your security software, not to leave WAM disabled. WAM is the recommended path; disabling it is a workaround.

Work or school device — when admin involvement is required

Three scenarios where you should stop self-troubleshooting on a managed device:

• Conditional Access policy is the cause. End-user can’t change it.
• Multiple users on the same device or multiple devices for the same user are affected. That’s tenant-side, not device-side.
• Modern Authentication is not enabled at the tenant. This is a 2017–2022 era admin issue that should be fixed by now, but legacy tenants occasionally still have it disabled. Only an admin can enable it.

For Persona 2 admins (small business owners), the admin checklist for new user can’t sign in covers tenant-side checks; the admin-side MFA loop causes covers the Conditional Access angle.

When to stop troubleshooting

Stop when:

• You’ve completed Fix 1 to Fix 4 on a personal device. Reinstall Microsoft 365 (uninstall via Settings → Apps → Microsoft 365 Apps → Uninstall, then download fresh from office.com).
• You’re on a managed device, completed Fix 1 to Fix 3, and the prompt persists. The cause is environmental (EDR, AutoDiscover, Conditional Access). Raise a ticket with diagnostic detail.
• You’ve recreated the profile (Fix 4) and the prompt still appears in the new profile. The fault isn’t in the profile — it’s in the auth state at the device or tenant level.
• The prompt is a Basic-Auth-style raw username/password dialog rather than a Microsoft-branded modern auth WebView. That means a registry setting is forcing legacy auth that no longer exists server-side. Search the registry for EnableADAL = 0 or DisableADALatopWAMOverride = 1 and revert them.

What you should not do: install a “Microsoft 365 password fix” tool from a third-party site, call any phone number that appears in a search result claiming to be Microsoft Support, follow any guide telling you to disable Modern Authentication (you can’t anymore), or follow any guide that recommends setting Logon Network Security to Anonymous Authentication (it doesn’t exist for modern profiles). Microsoft does not call users about password issues.

Why old guides don’t apply

If you’ve read Outlook password-prompt articles published before 2023, they’re solving a problem that no longer exists. The history:

• Pre-2017: Exchange Online used Basic Authentication by default. Outlook sent username/password on every connection. Password prompts had a different fix path (Logon Network Security, registry edits).
• 2017–2022: Modern Authentication (OAuth) became available, then default. Many tenants and clients ran in mixed mode. Old fixes still partially worked.
• October 2022: Microsoft disabled Basic Auth for Exchange Online for nearly all tenants.
• 2023: Basic Auth fully removed for SMTP and the remaining protocols.
• 2024–2025: Number-matching MFA, mandatory; new Outlook rolled out alongside classic Outlook.
• 2026 (now): Modern Auth is the only path. Conditional Access is widely enforced. WAM is the default broker on Windows.

If a guide tells you to set EnableADAL (this enables Modern Auth, which is now the default), or DisableADALatopWAMOverride (this forced WAM), or anything about Anonymous Authentication, it’s solving a problem that doesn’t exist on modern installs. Skip it.

Related errors

• Microsoft 365 ‘Something went wrong’ sign-in — same root-cause families, broader symptom.
• CAA50021 — when sign-in is being explicitly rejected.
• Microsoft 365 MFA prompt loop — when the prompt is MFA rather than password.
• Outlook disconnected from server — when Outlook can’t connect at all.

Official references

• Microsoft Support: Outlook prompts for password and won’t accept it
• Microsoft Learn: Modern Authentication for Office 2013, 2016 and 2019
• Microsoft Learn: Basic Authentication deprecation for Exchange Online
• Microsoft Remote Connectivity Analyzer: testconnectivity.microsoft.com

FAQ

Why does Outlook keep asking for password right after I type it correctly?

Outlook accepted the password — it just couldn’t persist the resulting token to the local cache. The next time it needs to authenticate (which is essentially every send/receive), it doesn’t find a token and prompts again. Fix 2 and Fix 3 address the persistence problem; the password isn’t the issue.

Should I tick “Remember my credentials”?

Yes, but it doesn’t actually do what it says on modern Outlook. The checkbox is a holdover from Basic Auth days; on Modern Auth it’s irrelevant. The token persistence happens via WAM regardless of whether you tick the box. Tick it for safety; the real persistence depends on the WAM/identity cache state.

Why does Outlook ask for password but Word and Excel don’t?

Outlook authenticates against Exchange Online frequently (every send/receive cycle), while Word and Excel only authenticate when accessing OneDrive or SharePoint, which happens less often. So Outlook is the canary — it fails noisily when the auth state is partially broken; the others can sometimes mask the same fault for hours.

Is the password prompt a phishing risk?

The legitimate Modern Auth password prompt opens a browser-style sign-in page with the standard login.microsoftonline.com URL. If a password prompt opens from somewhere unexpected (an email, a website, a popup that appeared without you opening Outlook), don’t enter your password. When in doubt, close the prompt, open Outlook explicitly, and trigger sign-in from there. Phishing prompts that imitate Outlook’s UI are common; the rule is to enter passwords only into prompts you triggered.

My company recently moved from on-premises Exchange to Microsoft 365 and now the prompts started. Why?

Your Outlook profile is likely still configured against the old on-premises endpoints. AutoDiscover should have updated it, but sometimes the profile is sticky. Recreate the profile (Fix 4) and let it auto-configure against M365. The mailbox cache (.ost) will rebuild — it can take time depending on mailbox size.

Will switching to “new Outlook for Windows” fix this?

Sometimes — but not as a fix. New Outlook handles auth differently and avoids some of classic Outlook’s failure modes. But new Outlook also lacks features classic Outlook has (PST file support, full add-in compatibility, several power-user workflows). Don’t migrate to new Outlook just to escape a prompt loop; if classic Outlook is genuinely broken, fix it. New Outlook is a different product, not a fix.

I’m using POP/IMAP against my Microsoft 365 mailbox. Is that the cause?

Yes, almost certainly. Microsoft 365 mailboxes prefer Exchange profiles (MAPI/HTTP). POP and IMAP authentication has a different lifetime and requires re-auth on every session. Convert your profile to Exchange — Add account in Outlook, choose Exchange / Microsoft 365 instead of POP/IMAP, and let AutoDiscover configure it. The password prompts should stop.

My organization just enabled MFA / Conditional Access and now Outlook prompts every few hours. Is this the cause?

Yes — that’s a sign-in frequency policy. The prompt every few hours is by design. Speak to your admin if the frequency is interfering with productivity; the policy can be tuned (e.g., from 4 hours to 8 hours or 1 day) without compromising security. You can’t change it as an end user.