You removed a work or school account from Windows 11, but it reappears after a reboot or sync cycle. This problem occurs because the account is still linked to an active Azure AD or Microsoft Entra ID enrollment, or because cached tokens and registry entries are not fully cleared. The account is being re-pushed by the organization’s management policy or by a leftover credential provider. This article explains the root cause and provides step-by-step fixes to permanently remove the account.
Key Takeaways: Permanently Removing a Work Account on Windows 11
- Settings > Accounts > Access work or school > Disconnect: Removes the account from the user interface but may not delete cached tokens.
- Command Prompt as admin > dsregcmd /leave: Unjoins the device from Azure AD or Microsoft Entra ID, stopping the account from being re-pushed.
- Registry Editor > HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities: Deletes leftover entries that cause the account to reappear.
Why a Work Account Reappears After Removal on Windows 11
When you remove a work or school account through Settings, Windows 11 deletes the account from the user interface but often leaves behind cached tokens, certificates, and registry keys. The most common cause is that the device is still joined to Azure AD or Microsoft Entra ID. If the device is enrolled, the organization’s MDM policy or conditional access rules can automatically re-add the account during the next sync cycle, which typically happens every 60 to 90 minutes.
Another cause is a corrupted or leftover credential provider entry in the Windows Credential Manager. The credential provider stores authentication tokens that Windows uses to verify the account. If these tokens are not cleared, the account can reappear even after you click Remove. A third cause is a registry entry under the IdentityCRL key that Windows reads during sign-in to rebuild the account list.
Steps to Remove a Stubborn Work Account Permanently
Use the following methods in order. Stop after the account is gone and does not return. If you skip a method, the account may reappear later.
Method 1: Disconnect the Account and Check Azure AD Join Status
Start by disconnecting the account from the Settings app, then verify whether the device is still joined to Azure AD.
- Open Settings > Accounts > Access work or school
Press Windows + I to open Settings, then go to Accounts > Access work or school. You will see the work account listed under the header. - Click the account name and select Disconnect
Click the account entry, then click the Disconnect button that appears. Confirm the action when prompted. Restart the computer after the disconnect completes. - Check Azure AD join status with dsregcmd
Open Command Prompt as administrator. Typedsregcmd /statusand press Enter. Look for the line AzureAdJoined. If it says YES, the device is still joined to Azure AD and must be unjoined. If it says NO, proceed to Method 2.
Method 2: Unjoin the Device from Azure AD or Microsoft Entra ID
If the device is still joined, the account will be re-pushed automatically. You must leave the Azure AD tenant to stop this.
- Open Command Prompt as administrator
Press Windows + X and select Terminal Admin or Command Prompt Admin. Confirm the UAC prompt. - Run dsregcmd /leave
Typedsregcmd /leaveand press Enter. Wait for the command to complete. It will unjoin the device from Azure AD and clear the device registration. - Restart the computer
Restart Windows 11. After reboot, open Settings > Accounts > Access work or school. The account should be gone. If it reappears later, proceed to Method 3.
Method 3: Clear Cached Credentials from Credential Manager
Credential Manager stores tokens that can cause the account to reappear. Delete all entries related to the work account.
- Open Credential Manager
Press Windows + R, typecontrol keymgr.dll, and press Enter. This opens Credential Manager directly. - Click Windows Credentials
In Credential Manager, click the Windows Credentials tab. Scroll through the list of Generic Credentials. - Remove all entries containing your work account domain
Look for entries that include your organization’s domain name, such asMicrosoftOffice16_Data:ADAL:user@contoso.comorMicrosoft.AAD.BrokerPlugin_user@contoso.com. Click the arrow to expand each entry, then click Remove. Confirm the deletion. Repeat for every related entry.
Method 4: Delete Leftover Registry Keys
If the account still reappears, a registry key under IdentityCRL may be restoring it. Editing the registry is safe if you follow these steps exactly.
- Open Registry Editor as administrator
Press Windows + R, typeregedit, and press Enter. Confirm the UAC prompt. - Navigate to the StoredIdentities key
In Registry Editor, go toHKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities. If the path does not exist, the account may already be fully removed. - Delete the subkey for your work account
Right-click the subkey that matches your work account email address and select Delete. Confirm the deletion. Close Registry Editor. - Restart the computer
Restart Windows 11. After reboot, check Settings > Accounts > Access work or school to confirm the account is gone.
If the Work Account Still Reappears After All Fixes
Account reappears after a Group Policy sync
If your device is managed by an MDM policy, the organization may enforce a policy that re-adds the account. Check if the device is enrolled in MDM by going to Settings > Accounts > Access work or school and clicking the Info button. If MDM enrollment is active, you must contact your IT administrator to remove the device from the MDM console. After they remove it, run dsregcmd /leave again and restart.
Account reappears after a Windows Update
A Windows Update can re-trigger Azure AD join if the device certificate is still present. Open an elevated Command Prompt and run certlm.msc to open the local machine certificate store. Navigate to Personal > Certificates. Delete any certificate issued by your organization that is related to the work account. Then run dsregcmd /leave again.
Account reappears after signing in to Microsoft 365 apps
Signing in to Outlook, Teams, or OneDrive with the work account can re-add the account to Windows 11. Sign out of all Microsoft 365 apps first. Open each app, go to File > Account > Sign out. Then clear the credential cache by running rundll32.exe keymgr.dll,KRShowKeyMgr and deleting any remaining entries.
Settings Account Removal vs Registry Deletion: What Each Method Resolves
| Item | Settings Account Removal | Registry Deletion |
|---|---|---|
| Scope | Removes the account from the UI only | Deletes the underlying stored identity token |
| Persistence | Account can reappear after sync or reboot | Account stays removed unless re-added by MDM |
| Skill level | Basic user | Advanced user comfortable with Registry Editor |
| Risk | None | Moderate; incorrect deletion can break profile loading |
| Best for | First attempt at removal | Stubborn accounts that survive Settings removal |
After applying these steps, your work account should stop reappearing. If your device is fully managed by an organization, ask your IT administrator to unjoin the device from the tenant. To prevent future reoccurrence, avoid signing in to Microsoft 365 apps with a work account on a personal device. The most reliable long-term fix is to run dsregcmd /leave and delete all registry entries under IdentityCRL.