Problem signs

Outlook refuses to load, or a sign-in window loops, opening and closing quickly. Outlook refuses to connect or send/receive mail. The Windows Store refuses to open. These are the initial symptoms I have seen when the AAD token broker ‘breaks’, for lack of a better term. Event ID 1098 will be logged repeatedly in the Microsoft-Windows-AAD/Operational event log.

The fix

Microsoft has a couple of troubleshooting articles on event 1098: "Event 1098 Cannot Create New Profiles" and "Event 1098 Error 0xcaa5001c".

I have found a surefire way to get this resolved is to do the following:

  1. Sign out of the affected user account

  2. Sign into a Local Admin account.

  3. Navigate to the affected user's profile folder, then to its local AppData folder. Rename or delete the AAD Token Broker folder. For example: C:\Users\<username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

  4. If the computer is AzureAD registered, delete the computer object from AzureAD. If the computer is AzureAD joined, disconnect from AzureAD, then delete the computer object from AzureAD (if it exists).

  5. Reboot. Sign back into the affected user's profile (reconnecting AzureAD if necessary).

  6. Sign back into the Office apps.
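The diagnostic and folder-rename parts of the steps above (1098 check, device join state, and step 3), as an added PowerShell example that is not part of the original post. It assumes an elevated session in a local admin account, a profile folder name passed as the parameter, and that the affected user is already signed out; the `$LookbackHours` window is a constructed default.

```powershell
# Added example: confirm the 1098 symptom, record the join state, and rename the
# AAD broker plugin folder for a signed-out profile. Not the original post's code.
param(
    [Parameter(Mandatory)] [string]$UserName,   # profile folder name of the affected user
    [int]$LookbackHours = 24                    # how far back to count Event ID 1098
)

$BrokerFolder = 'Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
$LogName      = 'Microsoft-Windows-AAD/Operational'
$ProfilePath  = "C:\Users\$UserName"

# 1. Confirm the symptom: repeated Event ID 1098 in the AAD operational log.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1098; StartTime = $since } `
              -ErrorAction SilentlyContinue)
Write-Host ("Event 1098 occurrences in the last {0}h: {1}" -f $LookbackHours, $events.Count)
if ($events.Count -eq 0) {
    Write-Warning 'No 1098 events found; resetting the token broker may not be the right fix.'
}
$events | Select-Object -First 3 | ForEach-Object {
    Write-Host ("  {0}: {1}" -f $_.TimeCreated, ($_.Message -split "`r?`n")[0])
}

# 2. Record whether the device is Azure AD joined or registered, so the right
#    variant of step 4 (disconnect vs. delete the object) can be chosen.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|WorkplaceJoined|DomainJoined' |
    ForEach-Object { Write-Host "  $($_.Line.Trim())" }

# 3. Rename (rather than delete) the broker plugin package folder for that profile.
$pkgPath = Join-Path (Join-Path $ProfilePath 'AppData\Local\Packages') $BrokerFolder
if (-not (Test-Path -LiteralPath $pkgPath)) { throw "Broker folder not found: $pkgPath" }

# Refuse to touch the folder while the profile is still loaded (the user must be signed out).
$userProfile = Get-CimInstance Win32_UserProfile | Where-Object { $_.LocalPath -ieq $ProfilePath }
if ($userProfile -and $userProfile.Loaded) {
    throw "Profile for $UserName is still loaded; sign the user out first."
}

$backupName = "$BrokerFolder.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Rename-Item -LiteralPath $pkgPath -NewName $backupName
Write-Host "Renamed token broker folder to $backupName. Continue with step 4, then reboot."
```

Deleting the device object from Azure AD (step 4) is deliberately left to the portal, since it depends on whether the device is joined or registered.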

The takeaway

I have not found an adequate explanation for this behavior or why it happens. Microsoft does detail AzureAD authentication on Windows using the PRT (primary refresh token) and how the plugins work at a high level: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token . My best educated guess is that the PRT or session keys somehow get corrupted and the automatic recovery process fails. Doing the above steps forces authentication as if this were a new device. If anyone has a better explanation, please let me know.