Some time ago, one of my customers had the problem that after his environment was migrated to the cloud (hybrid with Microsoft 365), some users had sporadic logon problems with Microsoft 365 services.

The phenomena can be described as follows:
Users can log on to Microsoft 365 Services via the browser without any problems (everything is ok).
SSO partially does not work
Users lose their logon in Office applications such as Word, Outlook or Teams.
Re-logon in the Office products has to be repeated several times
Re-logon does not always work directly (user gets an error message)

Some of the users have also received the following message during re-logon:

It was also interesting that only a handful of people were affected.

 

Solving the problem

I had done a deeper analysis of the possible synchronization problems on different levels. The customer had configured the Azure AD Connect as hash sync.
After a deeper look in the Event Viewer, I noticed that there was a problem with the Session Broker.

One of the solutions was to reload the Session Broker plugin for the affected clients. (This can be done with the following command):

if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown } Get-AppxPackage Microsoft.AAD.BrokerPlugin

However, this only really helped one user, and only temporarily. Therefore, I had to continue my analysis and was able to find the right solution.

The problem was the Anti Virus Client (in this case the product from Trendmicro). After I had carried out the following points, the problem was finally solved:

 

Go to SECURITY AGENTS > go to the specific group where the issue occurs

 

I. Under Real-Time Scan / Scheduled Scan / Manual Scan> click +Add

Add the following directories in the Folders tab:

C:\Users\*\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy*

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy*

Add the following directories in the Files tab:

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe

 

II. Add the following Under the Behavior Monitoring Approved List:

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe

C:\Users\*\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy*

 

III. Add the following files below for Trusted Program List:

Go to Policies> Policy Management> Global Security Agent Settings> Trusted Program List > Add+

C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe