If Microsoft Teams Error Code 0xCAA90057 appears during sign-in, start by treating it as a desktop authentication-path issue, not as a chat, meeting, or file-content problem. Teams uses modern authentication and single sign-on, so this error usually shows up when the local account state, cached identity data, saved credentials, device registration, or the Windows account broker is out of sync. [✅Source-1]
What makes this error sticky is local state. Microsoft notes that Teams can cache general user information for up to three days, while some client-side data such as display name and phone number can stay cached for up to 28 days, and profile photos for up to 60 days. That does not mean the error waits that long to clear, but it does explain why a stale sign-in state can survive a simple restart. [✅Source-2]
Teams supports over 320 million monthly active users. That scale matters because sign-in failures like 0xCAA90057 are rarely random; they usually map to a small number of repeatable desktop-side causes. [✅Source-3]
WAM plug-ins are installed in the user profile context. On a shared PC, one Windows profile may fail while another signs in normally. That clue is easy to miss. [✅Source-4]
The underlying Windows value 0x80070057 means an invalid parameter or argument. In practice, that pushes troubleshooting toward account state, token state, or device state before anything else. [✅Source-5]
Contents on This Page
What Error Code 0xCAA90057 Usually Points to
0xCAA90057 usually behaves like a local sign-in state mismatch. Administrators often compare cases like this with other documented Microsoft Teams authentication and sign-in error codes to determine whether the failure belongs to the Windows identity layer, the local client cache, or the broader Microsoft 365 authentication path. The Teams desktop client is trying to complete authentication, but a parameter, token handoff, account binding, or Windows-side identity component is not lining up the way the sign-in stack expects. Short version: the app can reach the sign-in flow, yet the flow cannot finish cleanly.
That is why the most useful split is this one: cloud account problem or local device problem. If the Teams web app signs in but the desktop client does not, the balance shifts toward cache, credentials, WAM, device registration, or Windows account state. If both web and desktop fail, start with account, tenant, compliance, or network checks.
A practical reading of this code: it is not a “reinstall first, hope later” error. It is a sign-in chain error. The fix usually comes from removing stale identity state in the right order.
| What You See | What It Usually Means | What to Do Next |
|---|---|---|
| Teams web works, desktop fails | Local cache, saved credential, WAM, or device state issue | Clear Teams cache, remove stale credentials, then inspect WAM and PRT |
| Teams, Outlook, and other Microsoft 365 apps all fail | Windows authentication layer is affected | Check WAM packages and browser sign-in path |
| Wrong tenant or old organization appears | Stale work or school account is still bound to Windows | Disconnect the old account and sign in again |
| Sign-in window closes, hangs, or flashes | Broker or WebView path is not finishing | Check WAM plug-ins and app repair/reset options |
| AzureAdPrt : NO | Primary Refresh Token is missing or not refreshing | Investigate device registration and PRT health first |
The Fastest Way to Narrow the Fault
- Try the Teams web app with the same account.
- Check whether Outlook, Word, or another Microsoft 365 app shows the same sign-in behavior.
- Look under Settings > Accounts > Access work or school for an old tenant, duplicate tenant, or a work account that should no longer be there.
- Run dsregcmd /status and inspect both the Device State and SSO State sections.
- Only after that, move to app reset or repair.
This order saves time. A full reinstall can still leave behind the same broken identity state, especially on Windows devices that hold stale tokens or a damaged account broker path.
Fix Order That Solves Most Cases
Use the sequence below and stop as soon as Teams signs in normally. That keeps the fix clean and avoids removing more state than necessary.
Sign Out Fully and Remove Stale Account State
If the device still holds an old employer, test tenant, or duplicate work account, Teams can keep pulling the wrong account context. In Windows, open Settings > Accounts > Access work or school, select the old or unwanted entry, and choose Disconnect. Microsoft documents that path directly in Windows account management. [✅Source-6]
Do this especially when Teams keeps offering the wrong organization, loops back to the same bad prompt, or signs in everywhere except on one Windows device. Often, stale account binding is the whole story. Quietly, but often.
Clear Teams Cache or Reset the App
Microsoft’s official cache paths are different for classic Teams and new Teams. For classic Teams on Windows, the cache path is %appdata%\Microsoft\Teams. For new Teams, Microsoft lists either the built-in Reset action in Windows or the local cache path %userprofile%\appdata\local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams. [✅Source-7]
That distinction matters. Many articles still mix the old cache path with the new client. If you clear the wrong location, the bad state stays in place and the next launch looks unchanged.
Classic Teams cache:
%appdata%\Microsoft\Teams
New Teams cache:
%userprofile%\appdata\local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeamsRemove Saved Windows Credentials
Windows stores saved sign-in items in Credential Manager. If Teams or a related Microsoft 365 component is reusing an old token target, stale credential, or mismatched account reference, the desktop client may never reach a clean sign-in. Open Credential Manager, review both Web Credentials and Windows Credentials, and remove outdated Microsoft 365 or organization entries that no longer match the account you should be using. [✅Source-8]
Be selective. Remove the stale items, not every credential on the machine. On managed devices, stay inside what your policy allows.
Check Device Join State and PRT Health
Run dsregcmd /status and look first at the Device State section. Microsoft shows that the output tells you whether the device is Microsoft Entra joined, domain joined, or Microsoft Entra hybrid joined. If that state is not what your organization expects, Teams sign-in can fail even when the username and password are correct. [✅Source-9]
Then read the SSO State section. Microsoft says that if AzureAdPrt is set to NO, the device could not acquire a Primary Refresh Token. It also says that if AzureAdPrtUpdateTime is more than four hours old, there is likely a refresh problem; locking and unlocking the device can force a refresh attempt. [✅Source-10]
dsregcmd /statusWhat to watch for: the wrong join type, DeviceAuthStatus not healthy, AzureAdPrt : NO, or a stale PRT update time. Any one of those can keep Teams from finishing sign-in.
Repair Broken WAM Components
When the issue reaches beyond Teams and affects other Microsoft 365 apps, move your attention to Web Account Manager. Microsoft states that the WAM plug-ins used for sign-in and renewal are installed in the affected user’s profile, which is why one Windows profile can fail while another still works on the same device. Microsoft also gives check commands for Microsoft.AAD.BrokerPlugin and Microsoft.Windows.CloudExperienceHost. [✅Source-11]
Get-AppxPackage Microsoft.AAD.BrokerPlugin
Get-AppxPackage Microsoft.Windows.CloudExperienceHost
explorer.exe shell:appsFolder\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy!App
explorer.exe shell:appsFolder\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!AppIf the packages are missing or the account windows do not open, Microsoft also provides a way to re-register the broker package. For work accounts, the Microsoft Entra WAM plug-in can be repaired with PowerShell. [✅Source-12]
if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
}
Get-AppxPackage Microsoft.AAD.BrokerPluginOn a managed corporate device, check with IT before you change broker components yourself. Still, from a diagnosis angle, this step is gold. If WAM is broken, Teams is only the messenger.
Verify Network, Proxy, and Browser Sign-In Path
Microsoft recommends a clean network test: open https://login.microsoftonline.com in Edge. If that fails to redirect to your sign-in destination, the problem is more likely tied to network environment, firewall, proxy, or antivirus inspection than to Teams itself. Microsoft also points admins to the AAD > Operational log when tracing sign-in failures. [✅Source-13]
This test is worth doing early when users say, “The internet works, everything else loads, only Teams fails.” A filtered auth endpoint, HTTPS inspection, or a local security layer can produce that exact pattern.
Repair or Reset the Teams App
If the account state looks clean and the network path is fine, use Windows’ built-in Repair or Reset options for the app. Microsoft documents the path through Settings > Apps > Installed apps, then Advanced options, where available. Start with Repair. Use Reset when repair does not change the behavior. [✅Source-14]
Reinstalling can still help, but on this error it should come after account-state cleanup, not before it. Otherwise, the same stale sign-in state comes right back with a fresh executable.
Checks That Matter in Managed Work Devices
- Conditional Access or compliance rules: if the device must be compliant or joined in a specific way, the account can be valid while the device state still blocks sign-in.
- Shared PCs: profile-specific WAM damage can affect one user only. Test with another Windows profile if policy allows.
- Security tools: Microsoft notes that broken or tampered WAM plug-ins can come from security software behavior, and it even lists package and folder exclusions for affected environments.
On corporate machines, a missing or damaged broker plug-in is not always an app bug. Endpoint security, old filtering drivers, or tenant policy can sit behind the symptom. That is why the same user may sign in on the web or on another PC while one specific device keeps failing.
What Not to Do
Do not jump straight to registry hacks that disable WAM or force legacy sign-in behavior. Microsoft explicitly says that disabling ADAL or WAM is not a supported fix for Microsoft 365 sign-in issues, and it can put the client into an unsupported state. [✅Source-15]
Avoid these moves: random registry edits copied from forums, deleting every credential on a managed PC, removing device enrollment without checking policy, or reinstalling Teams five times in a row. None of those steps tells you where the fault really sits.
When to Hand the Issue to IT
If the device is company-managed, the cleanest escalation is a short evidence bundle. It helps the admin fix the real layer instead of repeating generic reinstall steps.
- The exact text: Microsoft Teams Error Code 0xCAA90057
- Whether Teams on the web works with the same account
- Whether Outlook or other Microsoft 365 apps also fail on the same Windows profile
- The key lines from dsregcmd /status: join state, DeviceAuthStatus, AzureAdPrt, and AzureAdPrtUpdateTime
- A note showing whether an old or duplicate work account appears under Access work or school
- The result of opening login.microsoftonline.com in Edge
That set of details usually tells IT whether they should fix account binding, device registration, WAM, or network inspection. Clear signal. Less guesswork.
FAQ
Does 0xCAA90057 always mean the password is wrong?
No. A wrong password can break sign-in, but this code more often behaves like a local sign-in state problem on Windows. Saved credentials, stale work accounts, missing PRT, or damaged WAM components are more common patterns.
If Teams works in the browser, should I reinstall the desktop app first?
No. Start with cache, credentials, account binding, and device state. Browser success usually means the account itself is still valid, so a blind reinstall is rarely the fastest fix.
What is the single most useful command for this error on work devices?
dsregcmd /status. It shows whether the device is joined the way your organization expects and whether the Primary Refresh Token is present and updating.
Can old company accounts cause this error even after leaving that organization?
Yes. A stale entry under Access work or school or a saved credential in Windows can keep calling the wrong tenant or the wrong cached account context.
Should I disable WAM if online fixes suggest it?
No. Microsoft does not support using WAM disablement as a fix for sign-in issues. Clean repair steps are safer and more reliable.
Is this error limited to Teams?
Not always. When the root cause sits in Windows authentication components, other Microsoft 365 apps can show similar sign-in failures on the same user profile.