When using Copilot in Microsoft 365, you may see error AADSTS90033. This error appears as a pop-up or in the Copilot pane with a message about a transient session problem. The error stops Copilot from generating responses, drafting documents, or analyzing data. The root cause is a temporary failure in the authentication token exchange between your client app and the Microsoft identity platform. This article explains why AADSTS90033 occurs and gives you a clear retry strategy to restore Copilot functionality quickly.
Key Takeaways: Copilot AADSTS90033 Transient Error
- Sign out and sign back into Microsoft 365: Forces a new authentication token and clears the transient state.
- Clear browser cache and cookies for login.microsoftonline.com: Removes corrupted session data that triggers the error.
- Wait 5–10 minutes before retrying: The Microsoft identity platform may need time to recover from a transient backend failure.
Why AADSTS90033 Appears in Copilot
Error AADSTS90033 is a transient authentication failure. Transient means the problem is temporary and not caused by a permanent configuration error in your tenant or user account. The Microsoft identity platform issues this error when it cannot validate the session token within its expected timeframe.
The Authentication Flow Behind the Error
When you open Copilot, your Microsoft 365 client sends an authentication request to the Microsoft Entra ID service. Entra ID checks the token and returns a response that grants or denies access. AADSTS90033 occurs when the Entra ID service experiences a temporary glitch — a network timeout, a load balancer hiccup, or a database read failure. The token itself is valid, but the service cannot confirm it in time.
Why It Affects Copilot Specifically
Copilot relies on real-time token validation for every interaction. Unlike a static web page that caches a session for hours, Copilot requests a fresh token each time you send a prompt or open a new file. This tight coupling means that any transient failure in the authentication pipeline immediately blocks Copilot responses. Other Microsoft 365 apps may still work because they use longer-lived cached tokens.
Retry Strategy to Resolve AADSTS90033
The retry strategy follows a progression from the quickest fix to the most thorough. Start with step 1 and move forward only if the error persists.
- Refresh the browser or restart the desktop app
Press F5 in the browser or close and reopen the Microsoft 365 desktop app. This triggers a new token request without clearing any data. If the transient failure has resolved on the server side, Copilot will work again immediately. - Sign out of Microsoft 365 and sign back in
Click your profile picture in the top-right corner of the Microsoft 365 app. Select Sign out. Wait 10 seconds, then sign in again with your work or school account. This forces Entra ID to issue a completely new session token. - Clear browser cache and cookies for Microsoft domains
In your browser settings, clear cached images and files for the past hour. Delete cookies specifically for login.microsoftonline.com and microsoft.com. Do not clear all browser data — only the Microsoft-related storage. After clearing, restart the browser and sign in again. - Wait 10 minutes and retry
If the first three steps do not resolve the error, the transient issue may be on the Microsoft Entra ID service side. Wait 10 minutes, then repeat step 1. Microsoft typically resolves backend transient failures within 5 to 15 minutes. - Use a private or incognito browser window
Open a new private window in your browser. Sign into Microsoft 365 with your credentials. Test Copilot in that window. A private window bypasses cached extensions and corrupted session data that may be causing the error in your main browser profile.
If the Error Persists Beyond the Retry Strategy
In rare cases, AADSTS90033 may indicate a deeper issue rather than a transient glitch. The following scenarios require different actions.
Copilot Shows AADSTS90033 After a Tenant Migration
If your organization recently moved domains or changed the primary authentication provider, the token endpoint may be misconfigured. Contact your Microsoft 365 administrator and ask them to verify the Microsoft Entra ID tenant ID and the allowed token audiences for Copilot. The admin can check this in the Microsoft Entra admin center under App registrations.
Error Appears Only on One Device but Not Others
This points to a local issue such as a corrupted browser profile, an interfering browser extension, or a system time that is out of sync. Check that the device clock is set to automatic time sync. Disable all browser extensions temporarily and test Copilot. If the error disappears, re-enable extensions one by one to find the culprit.
Error Repeats Every 15 to 30 Minutes
A recurring transient error suggests a token lifetime policy that is too short. The default token lifetime for Microsoft 365 apps is 60 to 90 minutes. If your tenant has a conditional access policy that forces token refresh every 15 minutes, Copilot may hit AADSTS90033 during the refresh window. Ask your admin to review the sign-in frequency policy in Microsoft Entra ID > Conditional Access.
Copilot Transient Error vs Permanent Authentication Failure
| Item | AADSTS90033 Transient Error | Permanent Authentication Failure |
|---|---|---|
| Error code | AADSTS90033 | AADSTS50020, AADSTS50126, or AADSTS700016 |
| Duration | Resolves within 15 minutes | Persists across multiple sign-in attempts and days |
| Root cause | Temporary backend glitch in Entra ID | Expired password, disabled account, or misconfigured app registration |
| Fix | Retry strategy described above | Password reset, account reactivation, or admin configuration change |
| Affects other apps | Usually only Copilot or the current session | Blocks sign-in to all Microsoft 365 apps |
You now have a structured retry strategy for AADSTS90033 that moves from a simple refresh to clearing browser data and waiting for backend recovery. Start with step 1 and escalate only if needed. For recurring errors, check token lifetime policies and device-specific issues. If you manage a tenant, set up a conditional access policy that grants a 60-minute token lifetime to reduce the frequency of transient failures for Copilot users.