You open a Microsoft 365 desktop app like Word or Outlook and attempt to use Copilot, only to see the error MSAL_ERROR_INVALID_REFRESH_TOKEN. This error prevents Copilot from generating responses or connecting to Microsoft Graph data. The cause is a corrupted or expired refresh token that the Microsoft Authentication Library MSAL can no longer validate. This article explains why the token fails and provides step-by-step fixes to clear the cached token and restore Copilot functionality.
Key Takeaways: Fixing Copilot MSAL_ERROR_INVALID_REFRESH_TOKEN
- Windows Credential Manager > Windows Credentials > MicrosoftOffice16_Data:ADAL: Delete all entries with this prefix to clear stale tokens.
- Sign out and sign back in: Triggers a fresh token acquisition from Microsoft Entra ID.
- Microsoft 365 admin center > Health > Service health: Check for ongoing authentication service incidents before troubleshooting locally.
Why the MSAL_ERROR_INVALID_REFRESH_TOKEN Error Occurs
The MSAL_ERROR_INVALID_REFRESH_TOKEN error appears when the Microsoft Authentication Library cannot exchange a stored refresh token for a new access token. This happens when the refresh token has been revoked, expired, or corrupted in the local credential cache.
Common triggers include a password reset by the user or an IT administrator, a conditional access policy change in Microsoft Entra ID, or a failed Microsoft 365 update that corrupts the token cache. When Copilot tries to authenticate to Microsoft Graph, it presents the invalid token and the server returns this specific error.
The token cache is stored in Windows Credential Manager under the MicrosoftOffice16_Data prefix. Deleting these entries forces the desktop app to request a new token from the identity provider on the next sign-in.
Steps to Clear the Token Cache and Resolve the Error
The primary fix involves deleting the cached tokens and signing back into the Microsoft 365 desktop app. Follow these steps in order.
- Close all Microsoft 365 desktop apps
Close Word, Excel, PowerPoint, Outlook, and Teams. Also close any background processes for these apps from Task Manager to prevent locks on the credential cache. - Open Windows Credential Manager
Press the Windows key, type Credential Manager, and select the result. Click Windows Credentials in the top section. - Delete all MicrosoftOffice16_Data entries
Scroll to the Generic Credentials section. Look for any entry that starts with MicrosoftOffice16_Data:ADAL: or MicrosoftOffice16_Data:MSAL:. Click the arrow to expand each entry, then click Remove. Confirm the deletion. Delete every entry with this prefix. - Open any Microsoft 365 desktop app
Launch Word or Outlook. You will see a sign-in prompt. Enter your Microsoft 365 work or school account credentials. Do not skip this step even if the app appears to be already signed in. - Test Copilot
Open a document or email, then open the Copilot pane. Type a simple prompt such as Summarize this document. The error should no longer appear. If it does, proceed to the next method.
Method 2: Use the Microsoft Support and Recovery Assistant
The Microsoft Support and Recovery Assistant SaaSRA can automate the token cache cleanup process. Download the tool from the Microsoft 365 admin center or from aka.ms/SaRADownload. Run the tool, select Office then Sign-in, and follow the prompts. The tool will delete cached credentials and reset the sign-in state.
Method 3: Reset the Microsoft 365 Activation State
If the error persists, reset the entire activation state. Open a Command Prompt as administrator. Navigate to the Office installation folder, typically C:\Program Files\Microsoft Office\Office16. Run the command cscript ospp.vbs /dstatus to check the current activation status. Then run cscript ospp.vbs /act to force a reactivation. This clears all cached tokens and re-registers the product key with Microsoft servers.
If Copilot Still Has Issues After the Main Fix
Copilot shows the error again after a few hours
This indicates a recurring authentication problem. Check your Microsoft 365 license status in the admin center. Go to Billing > Licenses and confirm the user has an active Copilot license assigned. If the license is expired or removed, the token will be revoked repeatedly.
Error appears on only one device but not others
The issue is local to that machine. Run the Microsoft Support and Recovery Assistant on that device. If the tool does not resolve it, uninstall and reinstall the Microsoft 365 desktop apps. Go to Settings > Apps > Installed apps, select Microsoft 365, and click Uninstall. Then reinstall from the Microsoft 365 portal.
Copilot returns a different MSAL error code
If you see MSAL_ERROR_INTERACTION_REQUIRED or MSAL_ERROR_USER_CANCELED, the token cache is likely intact but the user session requires reauthentication. Sign out of all Office apps, clear the MicrosoftOffice16_Data entries as described above, and sign back in.
Copilot Token Error vs Other MSAL Errors: Key Differences
| Item | MSAL_ERROR_INVALID_REFRESH_TOKEN | MSAL_ERROR_INTERACTION_REQUIRED |
|---|---|---|
| Root cause | Refresh token is expired, revoked, or corrupted | User must reauthenticate due to policy change or MFA prompt |
| Fix location | Windows Credential Manager or SaRA tool | Sign out and sign in again in the desktop app |
| Recurrence pattern | Persistent until cache is cleared | One-time after policy change |
| User action required | Delete cached credentials manually | Complete interactive sign-in only |
You can now clear the MSAL_ERROR_INVALID_REFRESH_TOKEN error by deleting the MicrosoftOffice16_Data entries in Windows Credential Manager and signing back in. For recurring cases, use the Microsoft Support and Recovery Assistant or reset the Office activation state. As an advanced step, monitor your tenant’s sign-in logs in Microsoft Entra admin center under Monitoring > Sign-in logs to identify any conditional access policies that may be invalidating tokens.