Microsoft 365 Error CAA50021: What It Means and How to Fix It (2026 Updated Guide)

Quick answer

CAA50021 is a Microsoft 365 work or school account sign-in error. It means Windows tried to authenticate your account with Entra ID (formerly Azure AD) several times in a row, and the device gave up. The fastest fix that actually works is to clear the broken Web Account Manager (WAM) state with dsregcmd /cleanupaccounts from an elevated terminal, then sign in again. Almost every other guide buries this step. Try it second, after a clean restart.

Before you start

  • This is a work/school account error, not a personal Microsoft account error. If you’re signing in with you@gmail.com or you@outlook.com, you will not see CAA50021. If you are seeing it, your account is you@yourcompany.com, you@yourschool.edu, or similar.
  • You probably need local administrator rights for the most reliable fix. If you don’t have them on your work device, jump to the Work or school device section before changing anything.
  • Don’t reinstall Office. It won’t fix CAA50021 in nine cases out of ten and you will lose 30 minutes you didn’t have to.
  • Do not download “PC repair” or “Microsoft account fixer” tools. None of them solve CAA50021. The fix is built into Windows.

What CAA50021 actually means

The CAA error family belongs to Microsoft Entra ID (the identity service that used to be called Azure Active Directory). Specifically, CAA50021 is reported by the Web Account Manager — the Windows component that brokers token exchange for work and school accounts on behalf of Microsoft 365 apps.

The full message reads:

Something went wrong. We couldn’t sign you in. If this error persists, contact your system administrator and provide error code CAA50021.

The phrase Microsoft uses internally is “number of retry attempts exceeds expectations.” That is the whole error in one sentence: the device tried to get an authentication token, failed silently several times, and then surfaced a generic failure to the user.

The retries can fail for many reasons — a stale token cache, a broken device-join state, a conditional-access block, a clock-skew issue, a corrupted WAM account list — but the symptom is the same. That is why the error feels random and why generic “10 fixes for CAA50021” lists feel like guessing. They are guessing. The reliable approach is to figure out which root-cause family is most likely from the symptoms, then start with the high-yield fix for that family.

Where this error appears

CAA50021 surfaces in any Microsoft 365 client that authenticates against Entra ID. The four most common surfaces:

  • Outlook for Windows. Account add fails, or password prompt loops with CAA50021 after entering credentials. Detailed scenario page: CAA50021 in Outlook.
  • Microsoft Teams (new Teams 2.0 or classic). Sign-in fails immediately, or hangs on “We’re getting things ready” before throwing CAA50021. Detailed scenario page: CAA50021 in Microsoft Teams.
  • OneDrive for Business sync client. Adding a work account fails, often after a personal account was already paired. Detailed scenario page: CAA50021 in OneDrive.
  • Microsoft 365 Apps activation. Word, Excel, or PowerPoint show a yellow banner asking you to sign in, and that sign-in fails with CAA50021. The fix path overlaps with Outlook’s.

Other surfaces — SharePoint, Power BI, Dynamics 365 desktop clients — share the same root causes when they hit CAA50021. The fixes in this guide apply to all of them.

Common causes (in order of how often they actually cause it)

The fix order in this guide is built from this list, not from the order Microsoft Support articles use.

1. The WAM account cache is broken. This is the single most common cause. Windows keeps a per-user list of work and school accounts in the Web Account Manager. After a password change, MFA reset, conditional-access policy update, or a Windows security update, that list can fall out of sync with what Entra ID expects. The device retries with stale token state, fails repeatedly, and surfaces CAA50021. Practitioners report dsregcmd /cleanupaccounts resolves this category cleanly and quickly.

2. The device-join state is stuck. Your Windows device registers with Entra ID in one of three modes — Microsoft Entra joined (cloud-only), Microsoft Entra registered (BYOD), or Hybrid Microsoft Entra joined (also AD-joined on-prem). If that registration partially breaks — usually after a domain change, a hardware repair, or an OS upgrade — sign-in fails with CAA50021 because the device cannot prove it’s the device it says it is.

3. A conditional access policy is blocking the sign-in. Many organizations require devices to be marked compliant by Intune (or a similar MDM) before any token is issued. If the device falls out of compliance — antivirus disabled, BitLocker off, OS version too old — Entra ID quietly refuses the token and the client retries until it gives up. CAA50021 is what you see; the actual block is upstream.

4. The system clock is wrong. Token validation includes a timestamp. A device whose clock is more than five minutes off from real time will fail token validation silently. This is uncommon but devastating when it happens — usually after a CMOS battery dies in an old desktop.

5. Antivirus or VPN is interfering with the auth flow. Aggressive endpoint security can break the redirects WAM uses to talk to login.microsoftonline.com. We list this fifth deliberately. Most of the time it’s blamed unfairly. But when it is the cause, nothing else will fix it.

There are other causes — corrupted Office credentials in Credential Manager, Modern Auth disabled at the tenant level, missing organization certificates after a registration leave — but they each account for a small minority of cases. They show up as “Advanced fixes” below.

Fixes to try first

Do these in order. Do not skip ahead unless you know what you’re doing — the order is built around the cost of each step (in time, risk, and follow-on cleanup).

1. Restart properly (90 seconds)

Save your work. Click Start, hold Shift, and click Restart. (Holding Shift forces a clean kernel reload rather than the fast-startup hibernation Windows uses by default.) When the device comes back, try the sign-in again.

This is not throat-clearing. A real restart resolves a non-trivial slice of CAA50021 cases — usually the ones caused by a transient WAM state during a routine token refresh. If a restart fixes it, you’re done.

2. Run dsregcmd /cleanupaccounts (the one that actually works)

If a restart didn’t fix it, this is the high-yield step. It clears stale account entries from WAM without touching device registration.

  1. Press Windows key, type cmd, right-click Command Prompt, and choose Run as administrator.
  2. At the prompt, type:
    dsregcmd /cleanupaccounts
    and press Enter. The command returns silently — no progress bar, no confirmation. That is normal.
  3. Close the window. You do not need to reboot, though some users report better results if you do.
  4. Try signing in again, in the app that was failing.

Expected result: CAA50021 is gone, you’re prompted for credentials and MFA, and you’re signed in. If the failing account was your default Windows work account, you may need to re-add it under Settings → Accounts → Access work or school.

This single command resolves a large fraction of CAA50021 cases. Most ranking guides bury it on page two or omit it entirely. It is the answer in the majority of real-world cases.

3. Disconnect and reconnect your work or school account

If cleanupaccounts didn’t help, the device-level work account itself may need rebuilding.

  1. Open Settings (Windows key + I).
  2. Go to Accounts → Access work or school.
  3. Select the affected account and click Disconnect. Confirm.
  4. Restart the device.
  5. Return to the same screen and click Connect. Sign back in with your work credentials.

You will get prompted for MFA. Some apps (Outlook in particular) will throw a fresh sign-in dialog the next time you open them. That is correct; sign in normally.

What you lose: any apps that were authenticating through that primary account will need to re-authenticate. Bookmark this section so you don’t panic when Outlook asks for a password the next morning.

4. Clear stale Office credentials in Credential Manager

A small but stubborn slice of CAA50021 cases lives in cached Office credentials, not WAM.

  1. Press Windows key, type Credential Manager, and open it.
  2. Click Windows Credentials.
  3. Under Generic Credentials, look for entries that start with MicrosoftOffice16_Data:, MicrosoftAccount:, or OneDrive Cached Credential. Expand each and click Remove.
  4. Restart Office apps and sign in again.

Don’t remove the entries listed under Web Credentials unless you know exactly what they are — those include browser-saved passwords for non-Microsoft sites.

Advanced fixes

If you’ve worked through everything above and still see CAA50021, you’re in territory where a wrong move costs more than a right one. Read carefully.

Re-register the device with Entra ID (admin rights required)

If dsregcmd /status shows the device as AzureAdJoined: YES but sign-in still fails, the registration itself may be corrupt. The fix is to leave and rejoin.

  1. From an elevated Command Prompt, run:
    dsregcmd /status
    Note whether AzureAdJoined is YES or NO, and whether DomainJoined is YES or NO. This tells you which join mode you’re in.
  2. If you’re Microsoft Entra joined only (cloud-only): run dsregcmd /leave, restart, and re-sign-in via Settings → Accounts → Access work or school.
  3. If you’re Hybrid joined (AzureAdJoined: YES and DomainJoined: YES): do not run dsregcmd /leave from the user account. Hybrid join is re-established by a scheduled task; the proper sequence is to leave and let the Workplace Join Automatic-Device-Join task re-register the device on its next run. This is admin work — see the admin checklist.
  4. After rejoin, run dsregcmd /status again and verify the join state has returned cleanly.

The hybrid path is where most “I tried to fix it and broke my computer” stories come from. If your device is domain-joined, the right move is the admin checklist, not this command.
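
The join-mode check from steps 1 to 3, as an added example (not part of the original guide or any Microsoft tooling): a read-only PowerShell function that parses dsregcmd /status output and reports which path above applies. Get-JoinState and the sample text are hypothetical; WorkplaceJoined and AzureAdPrt are real dsregcmd /status fields that this guide does not otherwise cover.

```powershell
# Added example: read-only triage of `dsregcmd /status` output. Changes nothing.
function Get-JoinState {
    param([string[]]$StatusText)   # lines of dsregcmd /status output (blank lines allowed)

    # Collect "Name : Value" pairs from the report.
    $f = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $f[$Matches[1]] = $Matches[2] }
    }
    $aad    = $f['AzureAdJoined']   -eq 'YES'
    $domain = $f['DomainJoined']    -eq 'YES'
    $wpj    = $f['WorkplaceJoined'] -eq 'YES'

    # Map the flags to the three join modes named in this guide.
    if ($aad -and $domain) {
        $mode = 'Hybrid Microsoft Entra joined'
        $next = 'Stop: do not run dsregcmd /leave; hand off to the admin checklist.'
    } elseif ($aad) {
        $mode = 'Microsoft Entra joined (cloud-only)'
        $next = 'Unmanaged device only: dsregcmd /leave, restart, reconnect in Settings.'
    } elseif ($wpj) {
        $mode = 'Microsoft Entra registered (BYOD)'
        $next = 'Disconnect and reconnect the account under Access work or school.'
    } else {
        $mode = 'Not joined or registered'
        $next = 'No device registration found; the re-register steps do not apply.'
    }

    [pscustomobject]@{
        JoinMode   = $mode
        # AzureAdPrt is not covered by the guide; reported for context only.
        AzureAdPrt = $f['AzureAdPrt']
        NextStep   = $next
    }
}

# Constructed sample (abridged, not captured from a real device).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-JoinState -StatusText $sample   # offline check: reports the hybrid path
# On the affected device: Get-JoinState -StatusText (dsregcmd /status)
```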

Check and correct the system clock

  1. Open Settings → Time & language → Date & time.
  2. Confirm Set time automatically is on.
  3. Click Sync now. If sync fails, run w32tm /resync /force from an elevated prompt.

If the clock was wrong, sign-in will work immediately on the next attempt. If the clock looks right, this wasn’t the cause.

Disable antivirus or VPN temporarily

Disable third-party antivirus and any active VPN for one minute. Try the sign-in. If it works, the security tool is interfering with WAM’s redirect to login.microsoftonline.com — talk to your IT team about whitelisting that domain rather than disabling protection permanently.

Repair Microsoft 365 Apps (last resort)

Go to Settings → Apps → Installed apps, find Microsoft 365 Apps for Enterprise (or Office), click the three dots, choose Modify, and run Online Repair. This takes 15–30 minutes and re-downloads the entire Office install. It almost never fixes CAA50021. Run it last.

If you are on a work or school device

Most CAA50021 cases on managed devices have an admin-side cause that no end-user fix will resolve. Specifically:

  • A conditional-access policy is blocking your device or your sign-in location.
  • Your account is excluded from a security group that controls modern auth.
  • Your device has fallen out of Intune compliance and Entra ID has stopped issuing tokens.
  • A new conditional-access rule was rolled out yesterday and you’re caught in it.

If you are working through this guide on a corporate-managed laptop (BitLocker on, Intune-enrolled, hybrid-joined, or “company portal” installed), do these end-user steps and stop:

  1. Restart the device cleanly (Shift + Restart).
  2. Check Settings → Accounts → Access work or school and confirm your work account is listed and shows Connected to your organization’s resources.
  3. If it isn’t, capture a screenshot.
  4. Send your IT team the error code, the app where it appears, the time it started, and the screenshot. Reference the admin-side checklist for CAA50021 — the IT team will need to inspect Entra sign-in logs, conditional-access policies, and device compliance state.

Do not run dsregcmd /leave on a managed device. Do not delete certificates from the personal certificate store. Do not unregister from Intune. Each of these can lock you out further, and on a hybrid-joined device they may require a full re-imaging to recover.

When to stop

Stop and escalate to your IT team or to a tenant administrator if:

  • You’ve worked through the first four fixes and the error persists, and the device is managed by Intune or a similar MDM.
  • The error started immediately after an organization-wide notification (a security update, a policy rollout, a tenant migration).
  • Multiple users on the same network are seeing CAA50021 at the same time. That is a tenant-side problem.
  • The error appeared during onboarding for a new user. See Microsoft 365 new user cannot sign in — the fix is upstream.
  • You see a message about device compliance in addition to CAA50021. That is conditional access, not a client issue, and only an admin can resolve it.

CAA50021 on an unmanaged personal device is almost always fixable with the steps above. CAA50021 on a managed device usually isn’t. Knowing the difference saves hours.

FAQ

Is CAA50021 a Microsoft outage? Almost never. The error is generated locally by your device’s Web Account Manager after multiple silent token-fetch failures. Real Microsoft outages produce different error families (AADSTS-prefixed codes) and they show up on the Microsoft 365 Status page. If your colleagues can sign in and you can’t, it is not an outage.

Can I fix CAA50021 without admin rights? Sometimes. A clean restart and clearing stored Office credentials in Credential Manager don’t require admin rights, and they resolve a meaningful share of cases. The high-yield fix — dsregcmd /cleanupaccounts — does require an elevated prompt. If you don’t have admin rights on your work device, skip ahead to the IT-escalation step.

Will reinstalling Office or Teams fix CAA50021? No. CAA50021 is an authentication error, not an application error. Reinstalling the client doesn’t touch the WAM account state, the device-registration state, or any conditional-access policy. The cases where reinstall “works” are usually cases where the underlying problem had already cleared during the reinstall window.

Why do I see CAA50021 in Outlook but not in the web version of Outlook? The web version of Outlook authenticates through your browser, which uses a different credential cache than the Windows desktop apps. CAA50021 specifically affects the WAM-based desktop sign-in. If web access works and desktop doesn’t, that confirms the problem is local to your device — the answer is in the steps above.

Does CAA50021 mean my account is compromised? No. CAA50021 is a device-state error, not a security alert. If your account were locked for a security reason, you’d see AADSTS50057, AADSTS50053, or a “your account has been blocked” page. CAA50021 is plumbing, not policy.

Should I be worried that “PC repair” sites recommend CAA50021 fixes that include downloading their tool? Yes. Several high-ranking pages for this error promote PC-repair software that does not address CAA50021 at all. The fix is built into Windows (dsregcmd) and into Settings. You do not need third-party software to resolve this error. If a site is pushing a download as the answer, close the tab.
