When you try to use Copilot in Microsoft 365, you may see the error AADSTS50173 and get stuck in a loop asking for fresh authentication. This prevents Copilot from generating responses or accessing your data. The error occurs because Azure Active Directory rejects an expired or invalidated security token. This article explains why this loop happens and provides the exact steps to resolve it quickly.
Key Takeaways: Fixing the AADSTS50173 Copilot Authentication Loop
- Windows Credential Manager > Windows Credentials > Remove saved tokens: Clears stale authentication data that causes the loop.
- Sign out of all Microsoft 365 apps and sign back in: Forces Azure AD to issue a fresh token instead of using a cached one.
- Clear browser cache and cookies for login.microsoftonline.com: Removes corrupted session state that triggers the AADSTS50173 error.
Why the AADSTS50173 Authentication Loop Occurs
The AADSTS50173 error is an Azure Active Directory token validation failure. It means the security token Copilot sent to the Microsoft 365 service is no longer valid. This typically happens because the token was issued for a different device, a different app, or a session that has been revoked by an admin policy. Common triggers include password changes, conditional access policy updates, or token lifetime expirations set by your IT department.
When Copilot receives this error, it tries to silently refresh the token. If the refresh token is also invalid, the system prompts you for fresh credentials. If the cached credentials are still stale, the loop repeats indefinitely. The root cause is almost always a mismatch between the token Copilot holds and the current authentication state in Azure AD.
Steps to Exit the AADSTS50173 Authentication Loop
The following steps force a complete reset of your authentication state. Perform them in the order listed. Do not skip any step unless specified.
Step 1: Sign Out of All Microsoft 365 Apps
- Sign out of Copilot in the browser
Open the Copilot pane in Microsoft Edge or Chrome. Click your profile picture at the top right of the Copilot pane. Select Sign out. Close the browser tab.
- Sign out of Microsoft 365 web apps
Go to office.com. Click your profile picture at the top right. Select Sign out. Do not close the browser yet.
- Sign out of the Microsoft 365 desktop apps
Open Outlook, Word, Excel, or Teams. Click your profile picture. Select Sign out of all accounts. Close each app.
Step 2: Clear Stored Tokens in Windows Credential Manager
- Open Credential Manager
Press the Windows key, type Credential Manager, and press Enter.
- Select Windows Credentials
Click the Windows Credentials tab. Scroll to the Generic Credentials section.
- Remove Microsoft-related tokens
Look for entries containing MicrosoftOffice, Microsoft.AAD, MicrosoftGraph, or login.microsoftonline.com. Click the arrow to expand each entry, then click Remove. Confirm the deletion. Remove all such entries. A typical session has 5 to 15 entries.
- Restart your computer
This ensures the credential cache is fully cleared. After restart, do not open any Microsoft 365 apps yet.
Step 3: Clear Browser Cache and Cookies for Microsoft Domains
- Open browser settings
In Edge or Chrome, click the three-dot menu at the top right. Select Settings.
- Clear browsing data for specific sites
Go to Privacy, search, and services in Edge or Privacy and security in Chrome. Click Clear browsing data. Choose Cookies and other site data and Cached images and files. Set the time range to All time. Click Clear now.
- Delete site data for Microsoft domains
In the same settings area, find Site permissions or Cookies and site data. Click See all cookies and site data. In the search box, type microsoftonline. Remove all entries. Repeat for office, live, and microsoft.com.
Step 4: Sign Back In and Test Copilot
- Open a new browser window
Do not restore previous tabs. Go to office.com.
- Sign in with your work or school account
Enter your full email address. When prompted, complete multi-factor authentication if required. Do not check Keep me signed in during this test.
- Open Copilot
Click the Copilot icon in the left navigation bar or open a document in Word. Type a simple prompt like Summarize this document. If Copilot responds without asking for reauthentication, the loop is resolved.
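As an added example that is not part of the original article, the following PowerShell script automates the Step 2 cleanup: it reads the Credential Manager entries with cmdkey, shows the ones matching the patterns named in Step 2, and deletes them only when run with -Remove. The pattern list is the article's; the script name, the -Remove switch and the dry-run default are this example's own choices.

```powershell
# Added example: remove stale Microsoft 365 token entries from Windows Credential
# Manager (Step 2 of the article). Run as the affected user, not elevated, because
# Credential Manager is per user. Without -Remove it only lists what it would delete.
param(
    [switch]$Remove
)

# Patterns from Step 2; extend the list if your tenant stores others.
$patterns = @('MicrosoftOffice', 'Microsoft.AAD', 'MicrosoftGraph', 'login.microsoftonline.com')
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# cmdkey /list prints one "Target: <name>" line per stored credential. Generic
# entries show up as "LegacyGeneric:target=<name>", which is exactly the string
# that cmdkey /delete expects, so the full value is kept as-is.
$targets = @()
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        $targets += $Matches[1]
    }
}

$stale = @($targets | Where-Object { $_ -match $regex })

if ($stale.Count -eq 0) {
    Write-Host 'No Microsoft 365 credential entries found; nothing to remove.'
    return
}

Write-Host ("Found {0} matching entries:" -f $stale.Count)
$stale | ForEach-Object { Write-Host "  $_" }

if (-not $Remove) {
    Write-Host 'Dry run only. Re-run with -Remove to delete these entries.'
    return
}

foreach ($target in $stale) {
    # Office/AAD targets contain no spaces, so the value can be passed unquoted.
    cmdkey /delete:$target | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not remove $target (cmdkey exit code $LASTEXITCODE)"
    } else {
        Write-Host "Removed $target"
    }
}
Write-Host 'Restart the computer before opening any Microsoft 365 app (Step 2).'
```

Compare the listed count with the 5 to 15 entries the article calls typical; a much larger number usually means several accounts have signed in on the device, which is the shared-device case covered further down.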
If Copilot Still Shows the AADSTS50173 Error
Copilot loops again after a few minutes
Your organization may have a conditional access policy that requires reauthentication every 60 minutes or after a device change. Contact your IT administrator. Ask them to check the Azure AD sign-in logs for the AADSTS50173 error. They may need to update the token lifetime policy or exclude Copilot from a specific conditional access rule.
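For the administrator side of this check, the following is an added example (not from the original article) that uses the Microsoft Graph PowerShell SDK to pull recent AADSTS50173 failures from the Entra ID sign-in logs and group them by user, app and device. The 7-day lookback and the optional user filter are this example's assumptions; the cmdlet and property names are those of the Microsoft.Graph.Reports module.

```powershell
# Added example: admin-side triage of AADSTS50173 in the sign-in logs.
# Requires the Microsoft.Graph.Reports module and AuditLog.Read.All consent.
param(
    [int]$Days = 7,                 # lookback window (assumed default)
    [string]$UserPrincipalName      # optional: narrow to the affected user
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# AADSTS50173 is recorded in the sign-in log as status/errorCode 50173.
$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "status/errorCode eq 50173 and createdDateTime ge $since"
if ($UserPrincipalName) {
    $filter += " and userPrincipalName eq '$UserPrincipalName'"
}

$events = @(Get-MgAuditLogSignIn -Filter $filter -All)

if ($events.Count -eq 0) {
    Write-Host "No AADSTS50173 sign-ins in the last $Days days."
    return
}

# One row per user/app/device combination. A single user failing from several
# device IDs or apps matches the token/device mismatch the article describes;
# many users failing on one app points at a conditional access or token
# lifetime policy that applies to that app.
$events |
    Group-Object UserPrincipalName, AppDisplayName, { $_.DeviceDetail.DeviceId } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object CreatedDateTime
        $first  = $sorted | Select-Object -First 1
        $last   = $sorted | Select-Object -Last 1
        [pscustomobject]@{
            User          = $first.UserPrincipalName
            App           = $first.AppDisplayName
            DeviceId      = $first.DeviceDetail.DeviceId
            Failures      = $_.Count
            FirstSeen     = $first.CreatedDateTime
            LastSeen      = $last.CreatedDateTime
            CAStatus      = $first.ConditionalAccessStatus
            FailureReason = $first.Status.FailureReason
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

A CAStatus of "failure" alongside the 50173 rows is the signal to review the conditional access rule that covers the Copilot app, as the paragraph above suggests.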
Copilot works in the browser but not in desktop apps
Desktop apps use a separate token cache managed by the Microsoft Authentication Library. Open the Windows Start menu and search for Accounts under Settings. Select Access work or school. Click your connected account and choose Disconnect. Restart the computer. Then reconnect your account through Settings > Accounts > Access work or school > Connect.
Copilot returns the error on a shared or temporary device
Shared devices often have conflicting cached tokens from multiple users. Run the dsregcmd /leave command in an elevated Command Prompt. This removes the device from Azure AD join. After the command completes, restart the computer and sign in again. This forces a fresh device registration and a new token.
Copilot in Browser vs Copilot in Desktop Apps: Authentication Behavior
| Item | Copilot in Browser | Copilot in Desktop Apps |
|---|---|---|
| Token storage | Browser cookies and local storage | Windows Credential Manager and ADAL cache |
| Token refresh | Silent refresh via iframe to login.microsoftonline.com | Silent refresh via Microsoft Authentication Library broker |
| Common fix for AADSTS50173 | Clear browser cache for Microsoft domains | Remove credentials from Windows Credential Manager |
| Effect of sign-out | Clears browser session only | Clears desktop app token cache |
The AADSTS50173 loop occurs when the token Copilot holds does not match the current authentication state in Azure AD. Clearing all cached tokens from both browser and desktop app stores resolves the mismatch. After completing the steps above, Copilot will generate a new token and the loop will stop. If the error returns, check with your IT team about token lifetime policies or conditional access rules that may be forcing frequent reauthentication for Copilot specifically.