If you have encountered Error 0xCAA20004, you have essentially reached the “waiting room” of the authentication process. This code indicates that your login request was successful, but the server is now waiting for a specific condition to be met—usually a missing approval from a Conditional Access policy or a stuck Multi-Factor Authentication (MFA) prompt.
Unlike a standard password error, this is a gatekeeping issue. The server knows who you are, but it hasn’t been “convinced” yet that your current session is secure.
Step 1: Check for Ghost MFA Prompts
The most common cause for this error is a “silent” MFA request. Your phone might not have buzzed, but the server is refusing to proceed until you acknowledge the notification.
- Open the Microsoft Authenticator app (or whichever MFA method your company uses) manually on your mobile device.
- Refresh the app or check the “Activity” log to see if there is a pending request that didn’t trigger a push notification.
- If you use SMS codes, ensure your mobile signal is strong and check for delayed texts.
Step 2: Re-Authenticate via “Access Work or School”
Because 0xCAA20004 is often tied to device compliance (making sure your laptop meets company security standards), refreshing your device’s registration with Entra ID can clear the block.
- Go to Windows Settings > Accounts > Access work or school.
- Select your account and click Info.
- Click the Sync button to ensure your device’s security status is up to date with the server.
- If the “Sync” fails, you may need to Disconnect and Reconnect the account to trigger a fresh approval flow.
Step 3: Clear the BrokerPlugin Cache
The “BrokerPlugin” is the Windows component that manages these approvals. If it caches a “pending” state, it might stay stuck there even after you’ve approved the login on your phone.
- Close Teams completely.
- Open File Explorer and navigate to:
%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Cache
- Delete the files in this folder (this will not delete your account, just the temporary “handshake” data).
- Restart Teams and try the login again.
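The Step 3 cleanup as a PowerShell function, added here as an example and not taken from Microsoft or the original page. The Teams process names (Teams, ms-teams) are assumptions; the function stops if either is still running and supports -WhatIf so the deletions can be previewed first.

```powershell
# Added example: clears the token broker cache folder named in Step 3.
# Run as the affected user in a normal (non-elevated) PowerShell session.
function Clear-BrokerPluginCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: process names for classic Teams and new Teams.
        [string[]]$TeamsProcessName = @('Teams', 'ms-teams')
    )

    # Same folder as in Step 3, resolved for the current user.
    $cachePath = Join-Path $env:LOCALAPPDATA `
        'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Cache'

    if (-not (Test-Path -LiteralPath $cachePath -PathType Container)) {
        Write-Warning "Cache folder not found: $cachePath"
        return
    }

    # Step 3 requires Teams to be fully closed; stop here rather than kill it.
    $running = Get-Process -Name $TeamsProcessName -ErrorAction SilentlyContinue
    if ($running) {
        $names = ($running.ProcessName | Sort-Object -Unique) -join ', '
        Write-Warning "Close Teams first (still running: $names)."
        return
    }

    $removed = 0
    $failed  = @()
    foreach ($file in Get-ChildItem -LiteralPath $cachePath -File -Force) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete cached token file')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                $removed++
            } catch {
                # Files locked by another process are reported, not forced.
                $failed += $file.Name
            }
        }
    }

    # Summary object so the result can be logged or inspected.
    [pscustomobject]@{
        CachePath = $cachePath
        Removed   = $removed
        Failed    = $failed
    }
}

# Preview what would be deleted; drop -WhatIf to perform the cleanup.
Clear-BrokerPluginCache -WhatIf
```

Any file names listed under Failed were locked by another process; sign out and back in to Windows, then run the function again before restarting Teams.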
Step 4: Verify Device Compliance
If your organization uses Microsoft Intune, this error may appear if your computer is flagged as “Non-Compliant”—perhaps due to an outdated Windows update or a disabled firewall.
- Open the Company Portal app on your PC (if installed).
- Check the Devices tab to see if your computer has a red “X” or a warning.
- Follow the prompts to fix compliance issues (like installing a pending update), then click Check Compliance.