When you open an Outlook web add-in that uses single sign-on (SSO), you may see a sign-in prompt that reappears every time you enter your credentials. This infinite sign-in loop blocks you from using the add-in. The root cause is a broken trust relationship between the add-in and the Microsoft identity platform: the add-in's silent token request fails, the fallback interactive sign-in fails for the same reason, and the cycle repeats. Common triggers are a rotated or expired client secret, revoked or outdated admin consent, and stale sign-in state in the browser. This article explains why the loop occurs and provides the exact steps to reset the trust so the add-in works normally again.
Key Takeaways: Resetting SSO Trust for Outlook Web Add-Ins
- Azure AD > App registrations > Certificates & secrets: Add a new client secret, switch the add-in's backend to it, then remove the old one. Deleting the old secret first takes the add-in down for every user until the backend is updated.
- Outlook on the web > Add-ins > Manage add-ins: Remove and re-add the affected add-in to clear its cached SSO state.
- Browser developer tools > Application > Cookies: Delete the EstsAuthState and SignInState cookies, which are set by login.microsoftonline.com rather than by the Outlook domain, to reset the local SSO session.
Why the SSO Sign-In Loop Occurs in Outlook Web Add-Ins
An Outlook web add-in that uses single sign-on asks the Office host for an identity token for the signed-in user, without prompting for credentials. The add-in's server then presents that token to Azure Active Directory and exchanges it for the access tokens it needs, authenticating itself with the application (client) ID and client secret from the add-in's app registration. That registration, its secret, and the admin consent recorded for it are the trust relationship. When any part of it breaks, Azure AD rejects the exchange, the add-in cannot obtain a token silently, and it falls back to an interactive sign-in. If the interactive attempt ends with the same rejected exchange, the user is redirected to the sign-in page again, and the loop begins.
The Token Cache Mismatch
The most common cause is a mismatch between what the add-in's server holds and what Azure AD expects. If the tenant admin rotates or deletes the client secret without updating the add-in's server, or the secret simply expires, Azure AD rejects the server's token exchange. The token the browser has cached is still valid for the user, but it cannot complete the exchange, so the add-in discards it and starts a new sign-in, which ends with the same failure. Changing the app registration's permissions has a similar effect through consent, described next.
Expired or Revoked Consent
Admin consent does not expire on its own, but an administrator can revoke it, and a change to the permissions the add-in requests (for example, a new scope added by the vendor) makes the existing consent insufficient. When consent is missing, Azure AD refuses the silent token request and the add-in redirects to the consent page. After the user approves, the redirect lands back on the add-in, which triggers another token request. If the approval did not cover the permissions the add-in's server actually asks for, or if the user is not allowed to consent and only a tenant-wide admin grant will do, the consent prompt appears again. This creates a loop that never reaches the add-in content.
Browser or Add-In Cache Corruption
The browser stores SSO state in cookies and local storage: the sign-in session cookies set by login.microsoftonline.com and the add-in's own cached tokens. If these become corrupted or stale, the add-in reads incorrect state information and initiates a new sign-in flow. Each sign-in attempt produces a new state cookie that conflicts with the previous one, causing the loop.
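To see the mismatch concretely, here is an added example (not from the original article, and not Microsoft's code) that decodes an SSO identity token offline and checks the claims that must line up with the app registration: the audience must be the add-in's application (client) ID or its api://.../&lt;client ID&gt; Application ID URI, the tenant must match, the token must not be expired, and the scope must include access_as_user. A real token can be copied from the add-in's network traffic in browser developer tools; the token built below is constructed for the example with a dummy signature, and the client ID, tenant ID, and contoso.com names are placeholders.

```powershell
# Added example, not from the original article: decode an Office SSO identity token
# offline and check the claims that must agree with the add-in's app registration.
# The token at the bottom is constructed for this example with a dummy signature.

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([string]$Text)
    $b = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature)' }
    return (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
}

function Test-AddInToken {
    param(
        [string]$Token,
        [string]$ClientId,      # Application (client) ID of the add-in's app registration
        [string]$TenantId,
        [string]$ExpectedScope = 'access_as_user'
    )
    $p = Get-JwtPayload $Token
    $problems = @()
    # aud must be the client ID itself or the api://<domain>/<clientId> Application ID URI
    if ($p.aud -ne $ClientId -and -not ($p.aud -like "api://*/$ClientId")) {
        $problems += "aud '$($p.aud)' does not match app registration $ClientId"
    }
    if ($p.tid -ne $TenantId) { $problems += "tid '$($p.tid)' is not tenant $TenantId" }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $($exp.ToString('u'))" }
    if (($p.scp -split ' ') -notcontains $ExpectedScope) {
        $problems += "scp '$($p.scp)' lacks $ExpectedScope"
    }
    return [pscustomobject]@{ User = $p.preferred_username; Expires = $exp; Problems = $problems }
}

# --- constructed sample token: placeholder IDs, dummy signature, already expired ---
$clientId = '11111111-2222-3333-4444-555555555555'
$tenantId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$payload = ConvertTo-Base64Url (@{
    aud                = "api://contoso.com/$clientId"   # hypothetical Application ID URI
    iss                = "https://login.microsoftonline.com/$tenantId/v2.0"
    tid                = $tenantId
    scp                = 'access_as_user'
    preferred_username = 'user@contoso.com'
    exp                = [DateTimeOffset]::UtcNow.AddMinutes(-5).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress)
$sample = "$header.$payload.dummysignature"

$result = Test-AddInToken -Token $sample -ClientId $clientId -TenantId $tenantId
$result.Problems | ForEach-Object { Write-Warning $_ }
if (-not $result.Problems) { Write-Host "Token for $($result.User) is consistent with the app registration" }
```

Run as written, the only warning is the expiry, because the constructed token's audience, tenant and scope agree with the placeholders. Against a real token captured during a loop, an aud that names a different client ID, or a tid for another tenant, points at the add-in manifest's WebApplicationInfo being out of step with the app registration rather than at anything the browser-side steps can fix.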
Steps to Reset the SSO Trust for an Outlook Web Add-In
Follow these steps in order. Each step clears a specific layer of the broken trust. Test the add-in after each step to see if the loop stops.
Step 1: Clear the SSO Cookies in the Browser
- Open browser developer tools: Press F12 in Chrome, Edge, or Firefox. Switch to the Application tab in Chrome or Edge, or the Storage tab in Firefox.
- Select Cookies: In the left panel expand Cookies. The SSO cookies are set by the Microsoft sign-in service, so select https://login.microsoftonline.com. The Outlook domain, usually outlook.office365.com or outlook.office.com, holds the mailbox session and the add-in's own storage, not the sign-in state.
- Delete SSO-related cookies: Look for cookies named EstsAuthState, SignInState, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT. Right-click each cookie and select Delete. Do not delete all cookies, only these SSO cookies. Deleting them signs you out of every Microsoft 365 tab open in this browser profile, so expect to sign in again.
- Refresh the Outlook tab: Close the developer tools and refresh the browser tab. Open the add-in again. If the loop stops, no further steps are needed.
Step 2: Remove and Re-Add the Add-In in Outlook on the Web
- Open add-in management: In Outlook on the web, select the gear icon in the top-right corner and choose Manage add-ins from the menu.
- Find the affected add-in: Scroll through the list of installed add-ins. Click the three dots next to the add-in name and select Remove. If the add-in was deployed centrally by an administrator, it cannot be removed here; an admin must remove and redeploy it from the Microsoft 365 admin center instead.
- Confirm removal: In the confirmation dialog, select Remove again. The add-in disappears from the list.
- Re-add the add-in: Click Add add-in in the top-left corner. Search for the add-in by name or browse the store. Select it and click Add. Wait for the installation to complete.
- Test the add-in: Open a new or existing email message. Click the add-in icon in the ribbon. If the sign-in loop returns, proceed to Step 3.
Step 3: Rotate the Client Secret in Azure AD
A client secret causes a loop when it has expired, or when it was changed on one side and not the other. Rotate it in an order that never leaves the add-in without a working secret.
- Open the admin center: Go to the Microsoft Entra admin center at https://entra.microsoft.com (the older Azure AD admin center URL redirects there) and sign in as a Global Administrator or Application Administrator.
- Navigate to App registrations: In the left navigation select App registrations. Search for the app registration that corresponds to the Outlook add-in. The app name is usually the same as the add-in name or the add-in publisher name; the reliable check is that its Application (client) ID matches the Id element under WebApplicationInfo in the add-in manifest.
- Open Certificates & secrets: Select the app registration. In the left menu of the app registration page, select Certificates & secrets.
- Check the existing secret: Under Client secrets, locate the secret that the add-in uses and note its expiration date. An expired secret is by itself enough to explain a loop that affects every user.
- Create a new client secret: Click New client secret. Enter a description, for example Outlook add-in SSO secret. Set the expiration to 180 days or 365 days based on your organization policy. Click Add. Copy the secret value immediately; you cannot retrieve it after leaving this page. The old secret keeps working until you delete it, so the add-in stays up during the change.
- Update the add-in's server configuration: The secret belongs only in the add-in's server-side configuration (app settings, a key vault, or the deployment script), never in the manifest or in client-side code. For a custom add-in, update that configuration and redeploy. For add-ins from AppSource, the app registration and its secret live in the vendor's tenant, so contact vendor support rather than trying to rotate it yourself.
- Delete the old client secret: Once the add-in is confirmed working with the new secret, click the trash icon next to the old secret and confirm deletion. Then repeat Step 2 to remove and re-add the add-in.
Step 4: Re-Grant Admin Consent for the Add-In
- Go to Enterprise applications: In the Microsoft Entra admin center, select Enterprise applications. Search for the add-in. This entry records the tenant's consent and exists for AppSource add-ins even when the app registration itself belongs to the vendor.
- Open Permissions: Select the app. In the left menu select Permissions. Review the list of delegated and application permissions. If it contains permissions that were not there when consent was last granted, the vendor changed the app, which is why the earlier consent stopped being enough.
- Grant admin consent: Click Grant admin consent for your organization. Sign in with an account that can consent on behalf of the tenant, such as a Global Administrator. Accept the permissions. Wait for the confirmation message.
- Test the add-in again: Return to Outlook on the web, open the add-in, and confirm the sign-in loop is gone.
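Step 3 is the one step worth scripting, because the order of operations matters. The following PowerShell is an added example (not from the original article) that performs the rotation with the Microsoft Graph PowerShell SDK, adding the new secret before removing the old one. It assumes the Microsoft.Graph module is installed, the caller holds the Application Administrator role, and the placeholder client ID is replaced with the real value from the manifest's WebApplicationInfo element.

```powershell
# Added example, not from the original article: rotate the add-in's client secret with an
# overlap window (add new, switch backend, remove old) using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller holds Application Administrator;
# $appId replaced with the client ID from the manifest's WebApplicationInfo/Id element.

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$appId = '11111111-2222-3333-4444-555555555555'   # placeholder client ID
$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) {
    throw "No app registration with appId $appId here (AppSource add-ins are registered in the vendor's tenant)"
}

# 1. Record the current secrets; an already-expired one explains a tenant-wide loop by itself.
$app.PasswordCredentials |
    Select-Object DisplayName, KeyId, EndDateTime,
        @{ n = 'State'; e = { if ($_.EndDateTime -gt (Get-Date)) { 'valid' } else { 'EXPIRED' } } } |
    Format-Table -AutoSize

# 2. Add the new secret first. The old one keeps working, so nothing breaks yet.
$new = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Outlook add-in SSO secret $(Get-Date -Format yyyy-MM-dd)"
    EndDateTime = (Get-Date).AddDays(180)
}
# SecretText is returned exactly once. It goes into the add-in's server-side configuration
# (app settings or a key vault), never into the manifest or client-side code. It is kept in
# a variable here rather than echoed to the console or a transcript.
$secretForBackend = $new.SecretText
Write-Host "New secret created, KeyId $($new.KeyId). Deploy it to the backend now."

# 3. Remove every other secret only after the backend is confirmed working with the new one,
#    so a stale or leaked value stops being accepted. Re-read the app so the list is current.
if ((Read-Host 'Type YES once the backend runs on the new secret') -eq 'YES') {
    (Get-MgApplication -ApplicationId $app.Id).PasswordCredentials |
        Where-Object KeyId -ne $new.KeyId |
        ForEach-Object {
            Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $_.KeyId
            Write-Host "Removed old secret '$($_.DisplayName)' ($($_.KeyId))"
        }
}
```

The Read-Host gate is the point of the script: the removal in section 3 is the only part that can break the add-in, and it runs only after the backend is known to hold the new value. If the add-in is redeployed from a pipeline, replace the prompt with whatever signal the pipeline gives when the new configuration is live.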
If the Add-In Still Loops After the Main Fix
Add-In Works in Another Browser but Not in the Current One
This indicates a local browser issue rather than a tenant or add-in problem. Clear all browser cache and cookies for both the sign-in domain (login.microsoftonline.com) and the Outlook domain, not just the SSO cookies. In Chrome, go to Settings > Privacy and security > Clear browsing data. Select Cookies and other site data and Cached images and files. Set the time range to All time. Click Clear data. Extensions or settings that block third-party cookies and storage are another common culprit, because the add-in runs in an embedded frame and its sign-in flow needs storage access from there; test with them disabled before blaming the tenant. Test the add-in again.
Add-In Fails on a Shared or Delegated Mailbox
Office SSO tokens identify the signed-in user, not the mailbox being viewed. When you work in a shared or delegated mailbox, the add-in receives a token for your own identity; if its server then tries to act on the shared mailbox with that token, the request fails, and an add-in that reacts to any failure by restarting sign-in will loop. Confirm the diagnosis by using the add-in in your primary mailbox. Whether shared and delegate scenarios are supported at all is decided by the add-in vendor, so raise it with them rather than expecting a tenant-side fix.
Multiple Users Report the Same Loop
This suggests a tenant-wide issue. The client secret may have expired without the admin noticing. Check the expiration date of the client secret in Azure AD. If the secret is expired, follow Step 3 to create a new secret and update the add-in. Also check for a Conditional Access policy that targets the add-in's app: Conditional Access does not revoke consent, but a policy that requires MFA, a compliant device, or a particular location makes every silent token request fail with an interaction-required error, which the add-in surfaces as a sign-in prompt. Review the Azure AD sign-in logs for the add-in app; the error code (the AADSTS number), the failure reason, and the Conditional Access column give the actual cause for each user.
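The checks above can be run in one pass. This PowerShell is an added example (not from the original article) that confirms whether an unexpired client secret exists, whether a tenant-wide admin consent grant is recorded (the result of Step 4), and which error codes the sign-in logs show for the add-in's app over the last day, grouped with their Conditional Access outcome. It assumes the Microsoft.Graph module and permission to read applications and sign-in logs; the client ID is a placeholder.

```powershell
# Added example, not from the original article: tenant-side checks for a loop that affects
# many users. Assumptions: Microsoft.Graph module installed; $appId is a placeholder for the
# add-in's client ID; the caller can read applications, directory objects and sign-in logs.

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

$appId = '11111111-2222-3333-4444-555555555555'   # placeholder client ID
$app = Get-MgApplication -Filter "appId eq '$appId'"        # absent for AppSource add-ins
$sp  = Get-MgServicePrincipal -Filter "appId eq '$appId'"   # the Enterprise application
if (-not $sp) { throw "No service principal for $appId: the add-in was never consented in this tenant" }

# 1. Client secret expiry (only checkable when the app registration is in this tenant).
if ($app) {
    $live = @($app.PasswordCredentials | Where-Object EndDateTime -gt (Get-Date))
    if ($live.Count -eq 0) { Write-Warning 'No unexpired client secret: every token exchange fails (Step 3).' }
    $app.PasswordCredentials | ForEach-Object {
        $state = if ($_.EndDateTime -gt (Get-Date)) { 'valid  ' } else { 'EXPIRED' }
        "{0} secret '{1}' ends {2:u}" -f $state, $_.DisplayName, $_.EndDateTime
    }
}

# 2. Tenant-wide admin consent is an oauth2PermissionGrant whose ConsentType is AllPrincipals.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$tenantWide = @($grants | Where-Object ConsentType -eq 'AllPrincipals')
if ($tenantWide.Count -eq 0) { Write-Warning 'No tenant-wide admin consent recorded (Step 4).' }
foreach ($g in $tenantWide) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    "admin consent on $($resource.DisplayName): $($g.Scope)"
}

# 3. Sign-in failures for this app in the last 24 hours, grouped by error code and
#    Conditional Access outcome. ErrorCode 0 is success; anything else is the reason the
#    silent request failed and the user was bounced to the sign-in page.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "appId eq '$appId' and createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object { '{0}|{1}' -f $_.Status.ErrorCode, $_.ConditionalAccessStatus } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        '{0,4} x AADSTS{1} (CA: {2}) {3}' -f $_.Count, $first.Status.ErrorCode,
            $first.ConditionalAccessStatus, $first.Status.FailureReason
    }
```

Read the three sections in order: no live secret means Step 3 before anything else; no AllPrincipals grant means Step 4; and a single error code dominating section 3 with a Conditional Access status other than notApplied points at a policy, not at the add-in.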
Cached SSO Token vs Fresh Token: Key Differences
| Item | Cached SSO Token | Fresh Token After Trust Reset |
|---|---|---|
| Source | Stored in browser cookies or local storage | Issued by Azure AD after a new authentication request |
| Validity | May be expired or based on an old client secret | Valid for the current client secret and consent |
| Consent status | May reference revoked or expired admin consent | Includes current admin consent for the add-in |
| Behavior in loop | Triggers repeated redirects to Azure AD sign-in | Allows silent token acquisition without user prompts |
Clearing the cached SSO token and resetting the trust forces the add-in to request a fresh token from Azure AD. The exchange for that token succeeds because it is made with the current client secret and is covered by the current consent, which breaks the infinite loop. After the reset, the add-in can acquire tokens silently and display its content without interrupting your workflow.