You're seeing "We couldn't sign you in" with error codes CAA20003, CAA20002, or CAA2000B in Outlook, Teams, or other Office apps. This is a Microsoft 365 authentication failure, often due to a disabled service in Azure or a corrupted local client cache.
The Fix
Start with the most common solutions. Work through these in order.
1. Check for a Service Incident
Sign in to the Microsoft 365 admin center, go to Health > Service health, and check for active incidents related to Exchange Online or Microsoft Entra ID. If Microsoft has reported an incident, wait for resolution and restart your clients.
2. Enable the Disabled Service Principal (Global Admin Required)
This is the official fix for many CAA2000B errors. The service principal for "Microsoft Information Protection" can become disabled.
1. Go to the Azure portal.
2. Navigate to Microsoft Entra ID > Enterprise applications.
3. Search using the resource ID: 40775b29-2688-46b6-a3b5-b256bd04df9f.
4. Select the application, go to Properties, and set Enabled for users to sign-in? to Yes. Save.
You can also use PowerShell (Microsoft Graph module):
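# Sign in with a scope that permits updating service principals
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Look up the service principal by its application ID
$sp = Get-MgServicePrincipal -Filter "appId eq '40775b29-2688-46b6-a3b5-b256bd04df9f'"
# Re-enable sign-in for the service principal
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$true
After enabling, restart the Office application.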
If That Doesn't Work:
3. Clear the Outlook RoamCache and Create a New Profile
Close all Office apps first.
1. Open File Explorer and paste this path: %localappdata%\Microsoft\Outlook\
2. Rename or delete the RoamCache folder.
3. Open the Windows Control Panel, go to Mail (Microsoft Outlook), and click Show Profiles.
4. Create a new profile, add the affected account, and set it as the default.
If That Doesn't Work:
4. Repair Office and Clear App Caches
For a broad client repair:
1. Go to Windows Settings > Apps > Apps & features.
2. Find your Microsoft 365 installation, select it, and click Modify.
3. Choose Online Repair.
For Teams specifically, close Teams and clear its cache via PowerShell:
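# Stop any running Teams process so its cache files are not locked
Stop-Process -Name "Teams" -Force -ErrorAction SilentlyContinue
# Delete the cached data under the Teams roaming profile folder
Remove-Item -Recurse -Force "$env:APPDATA\Microsoft\Teams\*" -ErrorAction SilentlyContinue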
If That Doesn't Work:
5. Check TLS and System Time
Ensure the client can negotiate a modern TLS connection.
1. Open Internet Options > Advanced tab.
2. Under Security, ensure TLS 1.2 (and TLS 1.3 if present) is checked. Uncheck TLS 1.0 and 1.1.
3. Right-click the system clock and select Adjust date/time. Verify that Set time automatically is on and that the displayed time is correct.
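A scripted equivalent of the TLS and clock checks in step 5, as an added example that is not part of the original article. It assumes login.microsoftonline.com as the sign-in endpoint to test and a 300-second skew tolerance; neither value comes from this page, and the function name is hypothetical.

```powershell
# Added example: checks that this machine can complete a TLS 1.2 handshake with the
# sign-in endpoint and compares the local clock with the server's Date header.
function Test-SignInTlsAndClock {
    param(
        [string]$HostName = 'login.microsoftonline.com',  # assumed endpoint, not from the page
        [int]$MaxSkewSeconds = 300                         # assumed tolerance, adjust to your policy
    )
    $result = [ordered]@{
        Host = $HostName; Tls12 = $false; Protocol = $null
        ClockSkewSeconds = $null; ClockOk = $null; Error = $null
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # Offer TLS 1.2 only: the handshake throws if it cannot be negotiated.
        # Certificate validation uses the default system policy.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Tls12    = $true
        $result.Protocol = $ssl.SslProtocol.ToString()

        # Send a HEAD request on the same connection and read the response headers.
        $request = "HEAD / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $reader = [System.IO.StreamReader]::new($ssl, [System.Text.Encoding]::ASCII)
        while ($null -ne ($line = $reader.ReadLine()) -and $line -ne '') {
            if ($line -match '^Date:\s*(.+)$') {
                # The Date header is RFC 1123 text in GMT; parse it as UTC.
                $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
                $server = [datetime]::ParseExact($Matches[1].Trim(), 'r',
                    [cultureinfo]::InvariantCulture, $styles)
                $skew = ([datetime]::UtcNow - $server).TotalSeconds
                $result.ClockSkewSeconds = [math]::Round($skew)
                $result.ClockOk = [math]::Abs($skew) -le $MaxSkewSeconds
            }
        }
    }
    catch   { $result.Error = $_.Exception.GetBaseException().Message }
    finally { $tcp.Close() }
    [pscustomobject]$result
}

Test-SignInTlsAndClock | Format-List
```

If Tls12 is False, the Error field holds the handshake or connection failure; a large ClockSkewSeconds value means the local clock needs correcting before retrying sign-in.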
Verify
Authentication should now succeed. In Outlook, send a test email. In Teams, check for presence updates. For admins, check the sign-in logs in the Microsoft Entra admin center for the user to confirm a successful login.