I set up a new user’s machine with a temporary password and logged into the Windows 10 Work or School account (in addition to AD). When the user changed her password, DirSync synced it to Azure AD, but Outlook would not accept the password when setting up the Outlook profile for the first time (password dialog kept coming up and not letting us proceed).
I checked the Event Log under Applications and Services Log > Microsoft > AAD > Operational. Check for errors with even ID 1098, similar to this:
Error: 0xCAA20003 Authorization grant failed for this assertion.
Description: AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on ‘2019-04-12T22:05:16.5783198Z’ and the TokensValidFrom date for this user is ‘2019-04-15T13:47:47.0000000Z’.
I had set her machine up on Friday evening 4/12. What was happening? Outlook must have been sending the Work or School account with the old/temporary password, not the new password the user was entering.
Don’t disable the device like it says below. Re-add the account first (instructions at the bottom of this page) and see if that works.
I went to Manage work or school account page in Windows 10 Settings, clicked on the account, then clicked Manage: On the web page that opens, I clicked Disable device and then Yes on the next pop up that appears.
Then on the same Manage work or school account settings screen, I had her re-add the account with her new password (since there is no Delete/Remove button). The “hold on while we apply the policy” screen was still spinning when I left, but she was finally able to log into Outlook with her new password.
Moral of the story – don’t add the work or school account unless you really need it.