You reset your Microsoft 365 password, and now Copilot shows an “Invalid Grant” error when you try to use it. This error appears in the Copilot pane, in Microsoft Teams, or in the Copilot mobile app. The problem occurs because your cached authentication token is no longer valid after the password change. This article explains why the error happens and provides a clear set of steps to fix it quickly.
Key Takeaways: Resolving Copilot Invalid Grant After Password Reset
- Sign out of all Microsoft 365 apps and sign back in: Forces a fresh authentication token that works with the new password.
- Clear browser cache and cookies: Removes stale session data that triggers the invalid grant error in Copilot web access.
- Revoke old refresh tokens in Azure AD: Use the Microsoft 365 admin center to invalidate all existing tokens for the affected user account.
Why Copilot Shows Invalid Grant After a Password Reset
The “Invalid Grant” error is an OAuth 2.0 authentication failure. When you reset your Microsoft 365 password, Azure Active Directory immediately invalidates all existing access tokens and refresh tokens issued to your account. Copilot uses these tokens to verify your identity and fetch data from Microsoft Graph. Because the old tokens are no longer valid, Copilot cannot obtain a new token silently, and it returns the invalid grant error instead.
This behavior is by design. Microsoft Entra ID revokes tokens after a password change to prevent unauthorized access with old credentials. The fix requires you to obtain a fresh token by signing out and signing back into every Microsoft 365 application that uses Copilot. If you use Copilot in a web browser, the browser may still hold cached session data that points to the old token, so clearing that cache is also necessary.
Steps to Fix Copilot Invalid Grant After Password Reset
Follow these steps in order. Stop after each step and test Copilot. If the error persists, move to the next step.
- Sign out of all Microsoft 365 apps
Open each Microsoft 365 app where you use Copilot: Outlook, Word, Excel, PowerPoint, Teams, and the Copilot mobile app. Click your profile picture at the top right and select Sign out. Close all app windows completely. - Sign back in with your new password
Open the Microsoft 365 app again. Enter your email address and the new password. Complete any multi-factor authentication prompts. Copilot should now work without the invalid grant error because the app obtained a fresh token. - Clear browser cache and cookies if Copilot is used in a browser
If you access Copilot through the Microsoft 365 web portal or copilot.microsoft.com, open your browser settings. For Chrome: click the three-dot menu > Clear browsing data. Select Cookies and other site data and Cached images and files. Set the time range to All time. Click Clear data. For Edge: click the three-dot menu > Settings > Privacy, search, and services > Choose what to clear under Clear browsing data. Select Cookies and other site data and Cached images and files, then click Clear now. Close and reopen the browser, then sign in again. - Revoke all refresh tokens for your account in the Microsoft 365 admin center
Open the Microsoft 365 admin center at admin.microsoft.com. Go to Users > Active users. Select your user account. Click the Sessions tab. Click Revoke sessions. This action invalidates all existing tokens for your account. You will be signed out of all devices. Sign back in with your new password. - Clear the Microsoft 365 app cache on Windows
If you use Copilot in the Microsoft 365 desktop apps on Windows, clear the app cache. Press Windows key + R, type %appdata% and press Enter. Navigate to Microsoft and then Office. Delete the folder named 16.0. This removes cached authentication data. Restart the Microsoft 365 app and sign in again. - Reset the Copilot mobile app
On iOS: go to Settings > General > iPhone Storage > Microsoft Copilot > Offload App. Reinstall the app from the App Store. On Android: go to Settings > Apps > Microsoft Copilot > Storage > Clear data. Open the app and sign in with your new password.
If Copilot Still Shows Invalid Grant After These Steps
Copilot still shows invalid grant in Teams
Teams caches authentication tokens separately from other Microsoft 365 apps. Clear the Teams cache by closing Teams completely. Press Windows key + R, type %appdata%\Microsoft\Teams and press Enter. Delete all files and folders inside that location. Restart Teams and sign in with your new password.
Copilot shows invalid grant on a shared or managed device
If your organization uses conditional access policies or device compliance rules, the password reset alone may not be enough. Contact your IT administrator and ask them to check the sign-in logs in the Microsoft Entra admin center. They can revoke all sessions for your account from the admin center and verify that no conditional access policy is blocking token refresh.
Copilot shows invalid grant after a federated identity password reset
If your organization uses federated identity with Active Directory Federation Services or another identity provider, resetting the password in the on-premises directory does not automatically revoke tokens in Microsoft 365. Your IT administrator must run the Revoke-AzureADUserAllRefreshToken PowerShell cmdlet or use the Microsoft Entra admin center to revoke sessions for your account.
Copilot Invalid Grant vs Other Authentication Errors
| Item | Invalid Grant | Other Authentication Errors |
|---|---|---|
| Root cause | Expired or revoked refresh token after password change | Expired password, expired MFA session, or network timeout |
| Primary fix | Sign out and sign in again to get a new token | Reset password, re-authenticate MFA, or check network connectivity |
| Occurs in | Copilot in Microsoft 365 apps, Teams, mobile app, and web browser | Any Microsoft 365 service that requires authentication |
| Resolution time | Under 5 minutes with the steps above | Varies based on root cause; password reset may take up to 15 minutes to sync |
After you complete the steps in this article, Copilot should resume normal operation with your new password. If the error returns after a few days, contact your IT administrator to verify that no token lifetime policies or conditional access settings are causing early token expiry. For ongoing prevention, consider enabling self-service password reset in your organization so users can update tokens immediately after a password change.