You can't sign in after you update to Office 2016 build 16.0.7967 or later on Windows 10

Applies to: Office 365 ProPlus

Overview


This article contains information about a new authentication framework for Microsoft Office 2016.

By default, Microsoft Office 365 ProPlus (2016 version) uses Azure Active Directory Authentication Library (ADAL) framework-based authentication. Starting in build 16.0.7967, Office uses Web Account Manager (WAM) for sign-in workflows on Windows builds that are later than 15000 (Windows 10, version 1703, build 15063.138).

Symptoms


You may experience one of the following symptoms after you update to Microsoft Office 2016 build 16.0.7967 or a later version on Windows 10.

Symptom 1

The Office sign-in workflow stops or shows no on-screen progress. The sign-in window shows a "Signing in" message or a blank authentication screen. 


This issue occurs because WAM blocks non-HTTPS traffic to guard against security threats, such as theft of user credentials. To verify that you are experiencing this issue, follow these steps:

  1. Open Event viewer.
  2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
  3. In the Operational logs, locate the following message:

To resolve this issue and secure user credentials, we recommend that you enable HTTPS on the Identity servers.

Symptom 2

When you try to open or save a document in Microsoft SharePoint Online, OneDrive for Business, or SharePoint, or you try to synchronize email messages or your calendar in Microsoft Outlook, you’re prompted for credentials. After you enter credentials, you’re prompted again. This issue may occur for the following reasons:

  • A device is disabled by the user, the Enterprise administrator, or a policy because of a security concern or by mistake. To verify that you are experiencing this issue, follow these steps:
    1. Open Event viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:
    To resolve this issue, we recommend that the Enterprise administrator enable the device in Active Directory or Azure Active Directory (Azure AD). For information about how to manage devices in Azure AD, see the Device management tasks section of the How to manage devices using the Azure portal topic on the Microsoft Docs website.
     
  • The Enterprise administrator or a policy deleted a device for a security reason or by mistake. To verify that you are experiencing this issue, follow these steps:

    1. Open Event viewer.
    2. Go to Applications and Services Logs > Microsoft > Windows > AAD.
    3. In the Operational logs, locate the following message:

    To resolve this issue, we recommend that you recover the device by using a rejoining procedure, as follows.

    • Hybrid Azure AD join

      Note This is safe to do.

      Run the Dsregcmd /leave command in an administrative Command Prompt window, and then lock or unlock the system.
    • Add Work Account (AAD registered)

      Note This is safe to do.

      Remove the work account in Settings > Accounts > Access work or school, and then restore the work account.
    • Azure AD join

      Note Back up your data first.

      Create a new local administrator. Disconnect from the domain (Settings > Accounts > Access work or school > Disconnect). Then, log in as the new local administrator, and reconnect to Azure AD.
    Note If nobody in the Enterprise deleted the device, please file a support ticket and provide an example of a device that is not recovered.
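
The verification steps above can also be run from PowerShell, together with a check of which of the three rejoin procedures matches the device. This is an added example, not part of the original article or Microsoft tooling; the function names are hypothetical, and it assumes the channel name Microsoft-Windows-AAD/Operational and the AzureAdJoined, DomainJoined and WorkplaceJoined fields printed by dsregcmd /status.

```powershell
# Added example (not Microsoft's script). Function names are hypothetical.
# Assumes the AAD operational channel is 'Microsoft-Windows-AAD/Operational'.

function Get-AadOperationalErrors {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        Level     = 2, 3                          # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when no event matches; treat that as "none".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-DeviceJoinType {
    # Parse the "Name : VALUE" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $aadJoined = $state['AzureAdJoined']   -eq 'YES'
    $domJoined = $state['DomainJoined']    -eq 'YES'
    $wpJoined  = $state['WorkplaceJoined'] -eq 'YES'

    # Map the local join state to the recovery procedures named in this article.
    if     ($aadJoined -and $domJoined) { 'Hybrid Azure AD join' }
    elseif ($aadJoined)                 { 'Azure AD join' }
    elseif ($wpJoined)                  { 'Add Work Account (AAD registered)' }
    else                                { 'Not joined or registered' }
}

# Review the first line of each recent error or warning, then the join type.
Get-AadOperationalErrors -Hours 24 | Format-Table -AutoSize -Wrap
"Join type: $(Get-DeviceJoinType)"
```

Run it in the affected user's session, because WorkplaceJoined is reported per user.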

     

Symptom 3

You have a non-persistent Virtual Desktop Infrastructure (VDI) environment that has a federated Identity Provider (IdP) that is configured for single sign-on (SSO). You do not expect to be prompted to activate or sign in because SSO is configured. However, you are prompted to sign in for each new session. Office ULS logs display the following error message:


Note Please open a support case if you experience this issue. We require more log entry reports to help isolate the issue.

Symptom 4

You receive a "You’ll need the Internet for this" message when you switch networks or your computer wakes up after a long suspension or sleep.

Note The issue occurs because network outages are not propagated correctly in different layers in Microsoft Office. (The dialog box may still appear and contain other error codes for other issues.)


To resolve this issue, we recommend that you update to Office 2016 build 16.0.9126.2259 or a later build.

More information


The following guidelines apply to this article:

  • On Windows 7, Windows 8, Windows 8.1, or Windows 10 builds that are earlier than 15000, ADAL authentication is the only option.
  • The Windows build should be later than 15000 (Windows 10, version 1703, build 15063.138, Generally Available). For more information, see Windows 10 release information.
  • This article applies whether you use Microsoft Federation or non-Microsoft Federation solutions.

For more information, see the following Knowledge Base article:

4347010 Error Code: 0x8004deb4 when signing in to OneDrive for Business