When users sign into Outlook or other Microsoft 365 apps, they may see "Something went wrong. [4usqa]" followed by "We couldn't sign you in. If this error persists, contact your system administrator and provide the error code CAA2000B." This error can also include AADSTS500014 with "The service principal for the resource is disabled."
The Fix
The service principal (enterprise application) required for authentication is disabled in Entra ID. Re-enable it.
Via Entra Admin Center:
1. Sign in to the Microsoft Entra admin center.
2. Navigate to Enterprise applications.
3. Change the "Application type" filter to "All applications" to show disabled apps.
4. Search for the App ID from the error (commonly 40775b29-2688-46b6-a3b5-b256bd04df9f for Microsoft Information Protection API).
5. Open the application and go to Properties.
6. Set "Enabled for users to sign in?" to Yes.
7. Click Save.
8. Wait 5 minutes, then have users restart Outlook and sign in again.
Via PowerShell (Microsoft Graph):
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All"
# Find the disabled service principal
$sp = Get-MgServicePrincipal -Filter "appId eq '40775b29-2688-46b6-a3b5-b256bd04df9f'"
# Re-enable it
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{accountEnabled = $true}
If the error persists:
Check Microsoft 365 Service Health in the admin center under Health > Service health. If there is an active incident affecting Exchange or authentication, wait for Microsoft to resolve it.
If the error persists:
Review Conditional Access policies that might block the application:
1. In the Entra admin center, go to Security > Conditional Access.
2. Review policies for blocks affecting the app or users.
3. Exclude the app or adjust the policy scope as needed.
If the error persists:
Clear the local credential cache and token data on the affected client:
1. Close Outlook completely.
2. Open Credential Manager (Control Panel > Credential Manager).
3. Remove all credentials under Windows Credentials for MicrosoftOffice16_Data:ADAL and similar Office 365 entries.
4. Delete or rename the folder: %localappdata%\Microsoft\Office\16.0\TokenCache.
5. Restart Outlook and sign in again.
If the error persists:
Verify the system time is synchronized:
# In an elevated PowerShell window
w32tm /resync
Or via the GUI: Settings > Time & language > Date & time > Sync now.
If the error persists:
Repair the Office installation:
1. Go to Settings > Apps > Microsoft 365 Apps > Modify.
2. Select Quick Repair first.
3. If Quick Repair fails, run Online Repair.
4. Restart the machine.
Find all disabled service principals:
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"
Get-MgServicePrincipal -Filter "accountEnabled eq false" -All
Verify
After re-enabling the service principal, users should be able to sign into Outlook without the CAA2000B error. In the Microsoft 365 admin center, under Users > Active users, verify the affected user can sign in. Have the user sign out completely, close all Office apps, and sign back in to test.
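The PowerShell fix above, extended with two checks before re-enabling: whether the service principal exists in the tenant at all, and what the directory audit log recorded about recent changes to it. This is an added example, not part of the original article; the AuditLog.Read.All scope, the confirmation prompt and the output column names are assumptions of this example.

```powershell
# Added example. Assumes the Microsoft.Graph module is installed as in the steps above.
# AuditLog.Read.All is an extra scope, needed only for the audit lookup.
Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All","AuditLog.Read.All"

$appId = '40775b29-2688-46b6-a3b5-b256bd04df9f'   # App ID shown in the error
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"

if (-not $sp) {
    # Nothing to re-enable: this tenant has no service principal for that App ID.
    Write-Warning "No service principal with appId $appId exists in this tenant."
}
elseif ($sp.AccountEnabled) {
    Write-Output "$($sp.DisplayName) is already enabled; continue with the other checks."
}
else {
    # Recent directory audit events that targeted this object: when, what, by whom,
    # and which properties changed. Older events may be past the log retention period.
    Get-MgAuditLogDirectoryAudit -All -Filter "targetResources/any(t: t/id eq '$($sp.Id)')" |
        Sort-Object ActivityDateTime -Descending |
        Select-Object ActivityDateTime, ActivityDisplayName,
            @{ n = 'Actor'; e = {
                if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                else { $_.InitiatedBy.App.DisplayName }
            } },
            @{ n = 'Changed'; e = { $_.TargetResources.ModifiedProperties.DisplayName -join ', ' } } |
        Format-Table -AutoSize -Wrap | Out-Host

    # Stop here if the change was deliberate; otherwise confirm and re-enable.
    if ((Read-Host "Re-enable $($sp.DisplayName)? (y/n)") -eq 'y') {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{ accountEnabled = $true }
        # Read the object back to confirm that the change was applied.
        $after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
        Write-Output "accountEnabled is now $($after.AccountEnabled)"
    }
}
```

If the audit table shows that an administrator or an automated process disabled the application on purpose, resolve that with its owner before re-enabling it.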