Outlook keeps asking for your password when the app cannot save, validate, or renew the credential token it needs to connect to your mail server. The cause is almost always a broken cached credential, a conflict with Modern Authentication, a corrupted Outlook profile, or a server-side policy such as multi-factor authentication that blocks basic sign-in.
The fix depends on your Outlook version, your account type, and the sign-in rules set by your email provider. A user on classic Outlook 2019 with an on-premises Exchange account will follow a different path than an IT admin troubleshooting a Microsoft 365 tenant after Conditional Access revokes a token. This guide walks through every version, every account type, and every known fix as of April 2026.
According to Microsoft’s 2025 Digital Defense Report, more than 400 million people use Outlook each month, and credential-prompt tickets remain one of the top five Tier-1 helpdesk issues across enterprise environments.
- 🔑 How to clear bad cached credentials from Windows Credential Manager and macOS Keychain
- 🛠️ How to rebuild a broken Outlook profile without losing mail
- 🔐 How Modern Authentication, MFA, and app passwords interact with Outlook
- 🧩 How to read the Autodiscover, OST, and registry clues that reveal the real cause
- 📋 How IT admins fix tenant-wide prompts tied to Conditional Access and token revocation
Why Outlook Keeps Asking for Your Password
Outlook prompts for a password whenever the client cannot present a valid authentication token to the mail server. The mail server can be Exchange Online, on-premises Exchange, IMAP, POP, or Outlook.com. Each server uses its own rules for how long a token lives, how the token is refreshed, and what happens when the token fails.
The prompt itself is a symptom, not the root cause. Behind it sits one of six problems: a stale cached credential, a disabled or misconfigured Modern Authentication setting, a corrupted Outlook profile, a broken Autodiscover lookup, an MFA or Conditional Access block, or a bug in the Outlook build you are running. Each problem has its own fix, and applying the wrong fix wastes time.
The Authentication Handshake in Plain English
When you open Outlook, the client contacts the mail server and asks, who are you and do you trust me? The server answers with a challenge, Outlook responds with a token, and the server either accepts the token or rejects it. If the server rejects the token, Outlook shows the password box.
Modern Authentication replaces the old Basic Authentication handshake with a token system based on OAuth 2.0. The token can be revoked, refreshed, or expired by the server without the user knowing. When a token breaks, the only signal the user sees is the password prompt.
The consequence of ignoring this handshake is simple. You type the password, the server still rejects the token, and the prompt returns in a loop. A common misconception is that the password itself is wrong. The password is almost never the problem.
The Six Root Causes
Every Outlook password loop maps to one of six causes. Cached credential corruption sits at the top of the list because Windows stores the credential in the Credential Manager vault, and that vault can hold a stale entry from a prior mailbox.
The second cause is a Modern Authentication mismatch. If the tenant requires Modern Auth but the client registry forces Basic Auth, the token exchange fails. The third cause is a corrupted Outlook profile, which stores server endpoints, OST paths, and account settings in a binary blob that can break during updates.
The fourth cause is Autodiscover failure, which sends Outlook to the wrong endpoint. The fifth is MFA or Conditional Access, which blocks a legacy client or an untrusted device. The sixth is a buggy Outlook build, and Microsoft has shipped three such bugs in the Current Channel between 2023 and 2026.
Quick Wins Before You Dig Deeper
Before you open the registry or rebuild a profile, run the five fast fixes below. These clear the most common credential cache problems and resolve roughly 60 percent of cases, based on public data from the Microsoft Tech Community support threads.
Start with the simplest step. Close Outlook fully, including any background process in Task Manager. Reopen Outlook and sign in one more time. If the prompt still loops, move to the next step.
Step 1: Clear Windows Credential Manager
Open the Control Panel, choose User Accounts, then Credential Manager, then Windows Credentials. Delete every entry that starts with MicrosoftOffice, MS.Outlook, or the name of your mail server. Close Outlook first, or the entries will rewrite themselves.
The consequence of skipping this step is that Outlook keeps reading the bad cached token and keeps failing. A real example: Maria, a paralegal at a small law firm, changed her Microsoft 365 password after a phishing scare. Outlook kept the old token in Credential Manager, and the prompt looped for three days until she cleared the vault.
A common misconception is that signing out of Windows clears the vault. It does not. The vault survives logoff, reboot, and even Outlook reinstalls.
Step 2: Restart in Safe Mode
Hold the Ctrl key while clicking the Outlook icon, then confirm Safe Mode. Safe Mode loads Outlook without add-ins, custom forms, or COM objects. If the prompt stops in Safe Mode, a rogue add-in is the cause.
Disable add-ins one at a time from File > Options > Add-ins > COM Add-ins > Go. Re-enable them one by one until the prompt returns. The last one you turned on is the culprit.
Step 3: Update Outlook
Open File > Office Account > Update Options > Update Now. Microsoft released a fix for a known credential-loop bug in Version 2404 Build 17531.20120 in May 2024, and later builds include more fixes. Running an old build leaves you exposed to bugs Microsoft already patched.
A real example: David, an IT admin at a 200-person engineering firm, spent a week blaming Conditional Access before he noticed half his users were stuck on Build 17328. A single channel update resolved every ticket.
Step 4: Verify Your Password Elsewhere
Sign in to Outlook on the Web with the same account. If the web sign-in works, the password and the account are fine, and the problem lives inside the desktop client. If the web sign-in fails, the issue is your password, your MFA, or a tenant lock.
Step 5: Toggle the “Remember My Credentials” Checkbox
When the password prompt appears, type the password, check Remember my credentials, and click OK. If the checkbox is greyed out, a Group Policy is blocking credential storage. An admin must change the Disable Password Caching policy to allow caching.
Version-Specific Fixes
Each Outlook version handles credentials a little differently. The fix that works on classic Outlook 2019 does not always work on the New Outlook for Windows, and the Mac client uses the Keychain instead of Credential Manager.
Pick your version, then follow the matching steps. Mixing steps across versions often makes the loop worse because some registry keys exist only in older builds.
Classic Outlook 2016, 2019, 2021, and LTSC
Classic Outlook stores account data in an MAPI profile and reads credentials from Credential Manager. To rebuild a profile, open Control Panel > Mail > Show Profiles > Add, create a new profile, and set it as the default. Your OST rebuilds on first launch, and mail redownloads from the server.
A plain-English explanation: the old profile holds a broken pointer to the server, and the new profile asks Autodiscover for a fresh pointer. The consequence of skipping a profile rebuild is that every other fix sits on top of a corrupt foundation.
A real example: Jordan, a finance director at a retail chain, tried three password resets before a profile rebuild fixed the loop in under ten minutes. A common misconception is that rebuilding deletes your mail. It does not, because the mail lives on the server.
Microsoft 365 and Outlook for Microsoft 365
The Microsoft 365 client auto-updates and uses Modern Authentication by default. If the prompt loops, confirm Modern Auth is on at the tenant level in the Microsoft 365 admin center. Then confirm the client registry does not force Basic Auth.
The keys to check live under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity. Set EnableADAL to 1 and delete DisableADALatopWAMOverride if present. Close Outlook, then reopen. The consequence of leaving EnableADAL at 0 is that Outlook never tries Modern Auth, and Exchange Online rejects the Basic Auth attempt.
New Outlook for Windows
The New Outlook for Windows replaces the classic MAPI stack with a web-based shell. It does not use Credential Manager in the same way. To fix a prompt loop, remove the account from Settings > Accounts > Email accounts, then add it back.
If that fails, reset the app from Windows Settings > Apps > Installed apps > Outlook (new) > Advanced options > Reset. A real example: Priya, a marketing lead, switched to New Outlook during the 2026 rollout, and the prompt loop vanished once she reset the app after a Windows feature update.
Outlook on the Web
Outlook on the Web runs in the browser, and the prompt loop is almost always a cookie problem. Clear the cookies for outlook.office.com, login.microsoftonline.com, and login.live.com, then sign in again. The consequence of skipping cookie cleanup is that a stale session token keeps being presented and rejected.
If cookies are fine, test a different browser or an InPrivate window. If the private session works, a browser extension is blocking the token refresh. Ad blockers and privacy extensions are the most common culprits.
Outlook for Mac
Outlook for Mac stores credentials in the macOS Keychain. Open Keychain Access, search for Exchange, Office, or your server name, and delete every match. Close Outlook first, then reopen.
If the loop continues, remove the account from Outlook > Settings > Accounts, then add it again. A real example: Aiko, a graphic designer on a MacBook Pro, fixed a two-week prompt loop by deleting a stale ADAL keychain entry left behind by a prior Office install.
Outlook for iOS and Android
The mobile apps use a token stored in the app sandbox. To reset it, remove the account from Settings > Accounts, force-stop the app, then add the account back. Do not delete the app unless reset fails, because a delete also wipes local drafts.
If your tenant uses Intune app protection, your admin may need to reset the app protection token. End users cannot do this alone.
Account-Type Fixes
The account type sets the rules for how credentials work. Microsoft 365 accounts use OAuth tokens, on-premises Exchange uses NTLM or Kerberos, IMAP and POP use a stored password, and Outlook.com uses a consumer OAuth flow.
Each type has a unique failure pattern. A Microsoft 365 prompt loop usually points to Modern Auth or Conditional Access, while an IMAP loop almost always points to an app password or a server-side security block.
Microsoft 365 and Exchange Online
Confirm Modern Authentication is enabled at the tenant. Run the PowerShell command Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled after connecting with the Exchange Online PowerShell module. The value must be True.
Next, check Conditional Access. A policy that requires a compliant device or a trusted location will block an untrusted device and trigger a loop. Review the sign-in logs in the Entra admin center under Sign-in logs and filter by the user.
The consequence of ignoring Conditional Access is that the user blames Outlook when the tenant policy is doing exactly what it was designed to do. A common misconception is that disabling MFA for one user fixes the loop. It rarely does, because Conditional Access evaluates many signals beyond MFA.
On-Premises Exchange
On-premises Exchange uses NTLM by default and Kerberos in some enterprise setups. If the prompt loops, confirm the Authentication tab on the Outlook Anywhere settings. It should read Negotiate Authentication for most modern deployments.
Run the Test-OutlookConnectivity cmdlet from the Exchange Management Shell to verify the client access path. A failed test points to a Client Access server problem, not a client problem.
IMAP and POP Accounts
IMAP and POP accounts fail most often because the provider turned off Basic Authentication. Gmail, Yahoo, and many cPanel hosts now require OAuth or an app password. Generate an app password from the provider’s account security page, then paste it into Outlook in place of your real password.
A real example: Samuel, a consultant who uses a Gmail IMAP account in Outlook 2019, fixed a three-day prompt loop by creating a Google app password. A common misconception is that Outlook can renew the app password on its own. It cannot, because the app password is static.
Outlook.com and Hotmail
Outlook.com uses a consumer OAuth flow. If the loop happens, sign in at account.microsoft.com and look for a security alert that blocks the sign-in. Approve the sign-in in the Microsoft Authenticator app when prompted.
If the prompt still loops, remove the account from Outlook and add it back. The re-add step triggers a fresh OAuth consent screen, which creates a new token.
Three Real-World Scenarios
The tables below show the three scenarios that generate the most helpdesk tickets. Each row maps a trigger to the repair step that resolves it.
Scenario 1: Password Change After a Phishing Reset
| Trigger | Repair Step |
|---|---|
| User reset password in Microsoft 365 | Clear Credential Manager, then relaunch Outlook |
| Old token still cached in Windows vault | Delete every MicrosoftOffice entry |
| Outlook keeps presenting the old token | Sign in with the new password, check Remember me |
| Conditional Access requires re-consent | Approve the sign-in in Microsoft Authenticator |
Scenario 2: MFA Turned On for the First Time
| Trigger | Repair Step |
|---|---|
| Admin enabled MFA on the tenant | User must complete MFA registration at aka.ms/mfasetup |
| Old Outlook build does not support Modern Auth | Update to a current build |
| App password required for Outlook 2013 | Generate an app password and paste into the prompt |
| Conditional Access blocks legacy auth | Admin must allow Modern Auth for the client |
Scenario 3: Corrupt Profile After a Windows Update
| Trigger | Repair Step |
|---|---|
| Windows update broke the MAPI stack | Create a new Outlook profile |
| OST file damaged during the update | Let the new profile rebuild the OST |
| Autodiscover returned stale data | Clear the Autodiscover cache in %LocalAppData%\Microsoft\Outlook |
| Credential Manager holds a bad entry | Delete the entry and sign in again |
Advanced Fixes for Stubborn Cases
If the quick wins and the version-specific steps fail, you are in advanced territory. These steps touch the registry, the profile binary, and the tenant policy stack. Back up the registry before you edit it, and document every change.
Advanced fixes work best when you have an error code. Press Ctrl + Right-click on the Outlook icon in the system tray and choose Test E-mail AutoConfiguration. Uncheck Guessmart, leave the others, and run the test. The results show exactly where the handshake breaks.
Fix the Autodiscover Path
Autodiscover points Outlook to the right server. If DNS returns the wrong record, Outlook loops on the wrong endpoint. Run nslookup -type=SRV _autodiscover._tcp.yourdomain.com from a command prompt to confirm the record.
The consequence of a bad Autodiscover record is that Outlook asks Office 365 for a Gmail account, or the reverse. A real example: Chen, a small business owner with a mixed GoDaddy and Microsoft 365 setup, fixed a months-long loop by removing a leftover GoDaddy Autodiscover CNAME.
A common misconception is that you can skip Autodiscover by typing the server name. You can in some versions, but Outlook re-runs Autodiscover on every restart and will overwrite your manual setting.
Registry Keys That Force Modern Auth
Three registry values control Modern Auth on classic Outlook. Set them under HKCU\Software\Microsoft\Office\16.0\Common\Identity:
- EnableADAL set to 1 turns on Modern Auth
- Version set to 1 pairs with EnableADAL
- DisableADALatopWAMOverride deleted or set to 0 lets WAM take over
Close Outlook, make the changes, then reopen. WAM, short for Web Account Manager, is the Windows broker that handles tokens on Windows 10 and 11.
Repair the OST File
A bad OST file can cause Outlook to reconnect in a loop and prompt on each reconnect. Close Outlook, then run the SCANPST.EXE tool on the OST path shown in File > Account Settings > Data Files.
If SCANPST reports errors, rename the OST to .old and let Outlook rebuild it on launch. The consequence of running SCANPST on an open OST is a corrupted repair, which makes the loop worse.
Fix Conditional Access Prompts
Open the Entra admin center and review Conditional Access > Policies. Look for policies that target the user and require a compliant device, a trusted location, or a specific client app. A policy that sets Client apps > Mobile apps and desktop clients often blocks older Outlook builds.
The consequence of a mismatched policy is a loop that every single user on that policy will hit. A real example: the IT team at a mid-size consulting firm locked out 40 users overnight with a Conditional Access update that required Intune compliance on every device, including personal laptops.
Clear the Token Cache
Modern Auth tokens cache in two places. The first is %LocalAppData%\Microsoft\IdentityCache. The second is %LocalAppData%\Microsoft\OneAuth. Close Outlook and every Office app, then delete both folders. Sign in fresh on the next Outlook launch.
Deleting these folders does not delete mail, contacts, or settings. It only deletes the token cache, which Outlook rebuilds on sign-in.
Mistakes to Avoid
Every password-loop ticket includes one or more of the mistakes below. Each mistake has a direct negative outcome, and each outcome costs time.
- Resetting the password five times in a row, which locks the account and triggers a smart lockout block
- Reinstalling Outlook before clearing Credential Manager, which leaves the bad cached token in place and repeats the loop
- Editing registry keys without a backup, which can break other Office apps and force a full repair
- Disabling MFA for a single user, which violates tenant security policy and rarely fixes the real cause
- Deleting the OST while Outlook is open, which corrupts the file and forces a full mailbox resync
- Ignoring the Outlook build number, which masks a bug Microsoft already patched
- Blaming the user, which delays the ticket and misses a server-side or policy-side cause
- Skipping the Outlook on the Web test, which wastes hours on a desktop client issue that is really a password issue
- Approving random MFA prompts, which creates a push fatigue security risk and does not fix the loop
- Forcing Basic Auth with a registry key, which will stop working because Microsoft retired Basic Auth in Exchange Online
Do’s and Don’ts
The short list below keeps you on the right path. Each entry explains why it matters.
Do’s:
– Clear Credential Manager first, because a bad cached token is the top cause
– Test Outlook on the Web, because it isolates the problem fast
– Update Outlook, because Microsoft patches credential bugs in every channel
– Back up the registry before edits, because one wrong key can break Office
– Check Conditional Access logs when you manage the tenant, because policy blocks do not show up in Outlook
Don’ts:
– Do not keep resetting the password, because a smart lockout will follow
– Do not reinstall Outlook first, because it leaves the cache in place
– Do not disable MFA as a first step, because it weakens security and rarely helps
– Do not ignore the Outlook build number, because a known bug may be the cause
– Do not skip the Autodiscover test, because a stale DNS record sends Outlook to the wrong server
Pros and Cons of Modern Authentication
Modern Authentication is the framework that replaces the old password-every-time model. It brings real benefits and a few trade-offs.
Pros:
– Supports MFA, which cuts account takeover risk, per the CISA MFA guidance
– Uses short-lived tokens, which reduce the value of a stolen credential
– Works with Conditional Access, which enforces device and location rules
– Eliminates stored passwords in Outlook, which removes one attack surface
– Enables single sign-on across Office apps, which improves the user flow
Cons:
– Requires a supported Outlook build, which forces upgrade cycles
– Breaks when registry keys force Basic Auth, which creates support tickets
– Depends on Entra ID availability, which adds a cloud dependency
– Can trigger confusing prompts during token refresh, which frustrates users
– Requires admin setup of Conditional Access, which adds policy complexity
Step-by-Step: Rebuilding an Outlook Profile
A profile rebuild is the single most effective advanced fix. Follow each step in order, and do not skip the backup step.
- Close Outlook and confirm OUTLOOK.EXE is gone from Task Manager
- Copy the existing OST from %LocalAppData%\Microsoft\Outlook to a safe folder
- Open Control Panel > Mail and click Show Profiles
- Click Add, name the new profile, and enter the account email
- Let Autodiscover find the server and accept the defaults
- Set the new profile as the default under Always use this profile
- Open Outlook, sign in when prompted, and let the OST rebuild
- Confirm mail arrives, then delete the old profile from the same panel
Each step has a consequence if skipped. Skipping the Task Manager check locks the profile file. Skipping the OST backup leaves you without a rollback if the rebuild fails. Skipping the default-profile step means Outlook keeps loading the old profile.
Key Entities to Know
Several companies, tools, and concepts shape the credential prompt landscape. Knowing each one speeds up your troubleshooting.
Microsoft Entra ID is the identity service behind Microsoft 365. It issues tokens, stores MFA settings, and enforces Conditional Access. Every Outlook prompt tied to Microsoft 365 runs through Entra ID.
Exchange Online is the mailbox service. It checks the token, serves the mail, and logs the sign-in. Autodiscover is the lookup service that tells Outlook where the mailbox lives. Windows Credential Manager is the local vault that stores the cached credential.
Microsoft Authenticator is the app that approves MFA prompts. The Office Deployment Tool is the admin tool for installing and updating classic Outlook. Intune is the device management service that enforces app protection and compliance.
A Court Ruling Worth Knowing
In 2023, a federal court in the SolarWinds SEC case highlighted how credential security failures can become a regulatory issue. While the case focused on SolarWinds, the ruling put every public company on notice that weak authentication, including reliance on Basic Auth, can lead to shareholder lawsuits and SEC enforcement.
The practical takeaway for Outlook admins is simple. Do not re-enable Basic Auth to silence a prompt loop. The fix is short-term and the risk is long-term. Microsoft formally removed Basic Auth for most protocols in Exchange Online, and workarounds will not survive audit.
FAQs
Does changing my password fix Outlook asking for my password?
No. A password change only helps if the real password is wrong. The loop almost always comes from a cached token, a profile issue, or a policy block, not a bad password.
Can I disable MFA to stop the prompt loop?
No. Disabling MFA weakens security and rarely fixes the cause. Conditional Access, token cache, and profile problems trigger loops even with MFA off.
Will reinstalling Outlook solve the password prompt?
No. A reinstall does not clear Credential Manager, the registry keys, or the OST. The bad cache survives the reinstall and the loop returns.
Do I need an app password for Gmail in Outlook?
Yes. Gmail requires an app password or OAuth for IMAP access in Outlook. Generate the app password from your Google account security page.
Is the New Outlook for Windows affected by the same bugs as classic Outlook?
No. New Outlook uses a different stack and a different credential store. It has its own bugs, but the classic MAPI bugs do not apply.
Can a Windows update cause Outlook to prompt for a password?
Yes. Feature updates can damage the MAPI profile and the OST file. A profile rebuild usually clears the loop.
Should I delete my OST file to fix the prompt?
Yes. A corrupt OST can cause the loop. Back it up first, then let Outlook rebuild it on the next launch.
Does clearing the browser cache help Outlook on the Web?
Yes. A stale cookie is the most common cause of an Outlook on the Web prompt loop. Clear cookies for the sign-in domains.
Will editing the registry void my Microsoft support?
No. Microsoft publishes the registry keys for Modern Auth. Back up the registry first, follow the published guidance, and you remain supported.
Can Conditional Access cause an Outlook prompt loop for one user?
Yes. A policy that targets a group, a location, or a device state can block one user while sparing others. Check the sign-in logs to confirm.
Is it safe to delete entries in Credential Manager?
Yes. Outlook rewrites the entries on next sign-in. Deleting them does not remove your mail or your account.
Does running SCANPST on an OST file work the same as on a PST?
Yes. SCANPST repairs both file types. Close Outlook first, point SCANPST at the file, and let it run.