Error code 0xCAA90014 in Microsoft Teams usually points to a sign-in token problem, not a chat or meeting feature problem. Teams often shows the symptom, while the real break sits lower in Microsoft Entra ID, federated authentication, cached credentials, Windows account state, or device registration. Fixing it gets much easier once those layers are separated.
What the code means: Microsoft maps 0xCAA90014 to ERROR_ADAL_WSTRUST_REQUEST_SECURITYTOKEN_FAILED. In practice, that means the sign-in flow reached a WS-Trust or federated authentication step, the server returned a fault, and Teams could not obtain the assertion it needed. Microsoft also documents the decimal form as -894894060. [✅Source-1]
Table of Contents
What 0xCAA90014 Means in Teams
Teams is usually not the root cause here. The desktop client is asking Windows and the organization’s identity path for a token. When administrators analyze similar Microsoft Teams authentication error codes, they often find the failure inside the identity or federation layer rather than inside the Teams client itself. If that request fails during a federated or WS-Trust step, Teams surfaces 0xCAA90014. That is why reinstalling the app alone often changes nothing when the failure actually lives in AD FS, Microsoft Entra sign-in, stale cached credentials, or a broken device sign-in state.
The most useful mental model is simple: if the same account fails across many devices, think identity or federation first; if the issue hits one device only, think local cache, Windows account connection, token broker state, or device registration first. Small distinction. Big time saver.
Account Layer
Password status, MFA prompts, account disablement, Conditional Access, or a tenant-side sign-in block can all stop token issuance before Teams opens fully.
Device Layer
Cached credentials, wrong work account binding, broken PRT state, or a partial Microsoft Entra join can leave the Windows sign-in stack unable to hand Teams a valid token.
Federation Layer
WS-Trust and AD FS become the focus when the organization uses federated sign-in. Token-signing mismatches, claims issues, stale service trust, or inaccessible endpoints matter here.
Useful Signals That Narrow the Root Cause
| Observed Pattern | What It Usually Points To | Best Next Check |
|---|---|---|
| Teams web works, desktop app fails | Local Windows token state, cached credentials, Teams cache, or device registration | Clear Teams cache, sign out fully, inspect dsregcmd /status |
| Several users fail at once | Federation or tenant-side sign-in | Check sign-in logs, federation trust, token-signing certificate, recent policy changes |
| Only one user on one device fails | Profile-specific cache or wrong account binding | Remove stale credentials, disconnect/reconnect work account, reset Teams cache |
| Error appears after password change | Stale Credential Manager or old sign-in state | Remove cached Windows credentials and force a fresh sign-in |
| Sign-in prompts repeat after Windows unlock | PRT refresh problem | Check AzureAdPrt and related timestamps |
The Most Effective Fix Order
- Confirm whether the same account can sign in to Teams on the web.
- Sign out of Teams, then remove stale local account traces.
- Clear the Teams cache for the exact client version in use.
- Check the Windows work or school account connection.
- Run dsregcmd /status and read the device and SSO state, not just the first lines.
- Inspect Event Viewer and Microsoft Entra sign-in logs for the underlying server-side code.
- If the tenant is federated, validate AD FS and WS-Trust related settings.
That order works because it avoids random resets. It starts with the user-visible symptom, moves through the local Windows sign-in chain, and only then reaches the federation or tenant layer. Cleaner diagnosis, fewer unnecessary reinstalls.
Start with a Clean Sign-Out
If Teams still opens far enough to show the profile menu, sign out first. Microsoft’s support steps for Teams also separate signing out from removing an account from the device, which matters because Windows may share the same work account across multiple apps. [✅Source-2]
Clear the Right Teams Cache
New Teams and Classic Teams do not store cache in the same place. Classic Teams uses %appdata%\Microsoft\Teams. New Teams uses %userprofile%\appdata\local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams. Microsoft also notes that the first restart may take longer because the cache is rebuilt. That detail matters; a slow first launch after cleanup is normal. [✅Source-3]
Refresh the Windows Work Account Binding
If the device carries an old or wrong work profile, disconnect and reconnect the work or school account from Settings > Accounts > Access work or school. Microsoft states that disconnecting removes the sign-in information and the related data from the device, which is often exactly what is needed when Teams is trying to reuse a stale device-side identity state. [✅Source-4]
Device Checks That Matter More Than Reinstalling
Read dsregcmd /status Properly
Run dsregcmd /status in the context of the affected user. Then check the Device State, Tenant Details, and SSO State sections. On a healthy hybrid device, you expect AzureAdJoined : YES and DomainJoined : YES. Microsoft also notes that visible MDM URLs do not prove the device is managed; they may appear simply because the tenant has automatic enrollment configured. That saves many people from chasing the wrong problem. [✅Source-5]
Check PRT Health Before Blaming Teams
Microsoft’s Windows authentication guidance makes this explicit: the Primary Refresh Token (PRT) is central to sign-in on Microsoft Entra joined and hybrid joined devices. It is cached locally, and Windows makes a background authentication attempt every four hours to refresh it. If AzureAdPrt shows NO, repeated Teams prompts and token failures become much more likely. [✅Source-6]
A practical reading tip: if the web app signs in normally but desktop Teams fails, the local device token chain deserves attention before tenant-wide changes. If both web and desktop fail, go straight to sign-in logs and account state.
Look in the Right Logs
Two Windows log locations are especially useful. For device registration and hybrid join details, use Applications and Services Logs > Microsoft > Windows > User Device Registration; Microsoft highlights event IDs 304, 305, and 307 when locating join-phase and authentication-phase errors. For broker and Microsoft Entra operational traces, use Applications and Services Logs > Microsoft > Windows > Microsoft Entra ID > Operational. [✅Source-7]
Read the Server-Side Error, Not Only the Teams Popup
0xCAA90014 is the client-side signpost. The real answer is often in the server-side sign-in logs. Microsoft’s error catalog makes several common root causes easy to separate: AADSTS50055 means the password is expired, AADSTS50056 means an invalid or null password condition, and AADSTS50057 means the account is disabled. When those codes appear, the fix belongs to the account, not to Teams. [✅Source-8]
Where the Problem Usually Sits in Federated Environments
When the organization uses federated sign-in, this error very often belongs to that path. Microsoft’s AD FS troubleshooting workflow points to several recurring causes: redirection problems, broken SSL reachability on port 443, claims mismatches, token-signing certificate mismatches, stale Credential Manager entries after password changes, or token settings that no longer match Microsoft Entra expectations. All of those can surface as a Teams desktop sign-in failure even when the user only sees a short code. [✅Source-9]
| Federated Check | Why It Matters for 0xCAA90014 | Who Usually Fixes It |
|---|---|---|
| WS-Trust endpoint availability | Teams cannot complete a federated token request if the required endpoint does not answer correctly | Identity or AD FS admin |
| Token-signing certificate alignment | A valid token can still be rejected if Microsoft Entra and AD FS no longer trust the same signing certificate | Identity admin |
| Claims mapping | UPN or immutable identifier mismatches break token acceptance after issuance | Identity admin |
| Stale Windows Credential Manager entries | Old credentials can keep resubmitting the wrong password or stale secret after a password change | User or support desk |
Admin Checks That Solve Repeated Reports Faster
- Compare affected users. If only one user fails, stay close to the device and profile. If many users fail within the same period, check federation trust, certificate rollover, Conditional Access, and recent password or policy changes first.
- Review whether the device is truly joined and healthy. A machine can look partly connected and still fail token acquisition when the join or PRT state is incomplete.
- Treat registry hacks with caution. Microsoft explicitly states that disabling ADAL or WAM is not a supported fix for Microsoft 365 sign-in issues, and doing so can place the client in an unsupported state. Microsoft also notes that WAM became part of the Windows sign-in workflow for Microsoft 365 apps on Windows builds later than 15000, starting from app build 16.0.7967. [✅Source-10]
A Short Repair Path for Help Desks
- Test the same account in Teams web.
- Sign out of Teams on the device.
- Clear the correct Teams cache path for the installed client.
- Remove or refresh the work or school account binding in Windows if it is stale or incorrect.
- Capture dsregcmd /status output.
- Read Event Viewer and Microsoft Entra sign-in logs for the real server-side code.
- If the tenant is federated, hand the case to the identity team with the event details and timestamps.
This sequence is usually faster than reinstalling Office or Teams. It is also far more precise. The desktop app only exposes the symptom; the logs expose the reason.
FAQ
Does 0xCAA90014 mean the Teams password is wrong?
Not by itself. The code points to a token request failure during authentication. A wrong or expired password can be the underlying cause, but so can stale cached credentials, broken PRT state, or a federation-side issue.
Why does Teams on the web sometimes work while the desktop app fails?
That pattern often points to a local Windows sign-in path problem rather than a full tenant outage. Cached Teams data, stale work account binding, Credential Manager entries, WAM state, or incomplete device registration are stronger suspects in that case.
Should I reinstall Teams first?
Usually no. Start with sign-out, cache cleanup, work or school account refresh, and dsregcmd /status. Reinstalling the app does not repair a broken federation path or account-side failure.
Which logs are most useful for this error?
For device-side details, check User Device Registration and Microsoft Entra ID > Operational in Event Viewer. For tenant-side diagnosis, read the Microsoft Entra sign-in logs and look for the exact AADSTS failure code and failure reason.
Can disabling WAM fix stubborn Teams sign-in failures?
Microsoft does not support that as a fix. It can leave the client in an unsupported configuration and hide the actual issue instead of resolving it.