Microsoft still pointing to old tenant after migration
After a Microsoft tenant-to-tenant migration, a user's PC may still be using cached data that points to the old Microsoft tenant. To clear the cache and sign the user into the new tenant after a migration, follow these steps.
- Settings > Accounts > Access work or school account
Remove all accounts listed here. If the user had already signed into the new tenant account successfully and it appears here, go ahead and remove it as well. It will be added back later.
- Settings > Accounts > Email & accounts
Remove all accounts listed here. If the user had already signed into the new tenant account successfully and it appears here, go ahead and remove it as well. It will be added back later.
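After removing the accounts above, open Credential Manager.
In Credential Manager, navigate to Windows Credentials and remove all credentials except any mapped drives and/or RDP credentials.
Once the credentials have been cleared, open PowerShell as Administrator and run the following script to clear the Microsoft cache. The script works on the current profile ($env:LOCALAPPDATA, $env:APPDATA and HKCU), so if the elevation prompt is answered with a different admin account, it clears that account's caches instead of the user's.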
```powershell
<#
Fix-AADStaleTenant.ps1
Purpose: Flush old-tenant tokens/caches so Windows & Office sign-in look at the new tenant.
Note: Removes cached tokens and app caches and runs dsregcmd /leave. Users will need to sign in again.
#>

#--- Helper functions ---
function Remove-PathSafe {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Remove the contents first, then the folder itself; locked files are skipped
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    # The errors above are suppressed, so report based on what is actually left
    if (Test-Path -LiteralPath $Path) { Write-Host "Not fully cleared (in use): $Path" }
    else { Write-Host "Cleared: $Path" }
}

function Remove-RegKeySafe {
    param([string]$Key)
    try {
        if (Test-Path $Key) {
            # -ErrorAction Stop turns failures into terminating errors so the catch block runs
            Remove-Item $Key -Recurse -Force -ErrorAction Stop
            Write-Host "Deleted registry key: $Key"
        }
    } catch { Write-Host "Skipped registry key (locked): $Key" }
}

#--- Kill common Microsoft apps that hold locks ---
# Names as reported by Get-Process (no .exe extension); PowerPoint runs as POWERPNT
$procs = 'OneDrive','ms-teams','Teams','Outlook','Winword','Excel','POWERPNT','lync','msteams','Acrobat'
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $procs -contains $_.Name
} | Stop-Process -Force -ErrorAction SilentlyContinue

#--- Unregister device from current AAD/workplace (ignore errors if not joined) ---
# On an Azure AD-joined (non-hybrid) device this removes the join, so confirm a
# local administrator account exists before rebooting.
try { & dsregcmd /leave | Out-Null } catch {}

#--- Clear Web Account Manager / AAD Broker caches ---
$tokenPaths = @(
    "$env:LOCALAPPDATA\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker",
    "$env:LOCALAPPDATA\Microsoft\TokenBroker\Cache",
    "$env:LOCALAPPDATA\Microsoft\OneAuth",                 # includes MSAL/OneAuth tokens
    "$env:LOCALAPPDATA\Microsoft\Office\16.0\Licensing",   # Office 365 licensing cache
    "$env:LOCALAPPDATA\Microsoft\Office\16.0\IdentityCache"
)
$tokenPaths | ForEach-Object { Remove-PathSafe $_ }

#--- Clear Office connected services identities (registry) ---
$regKeys = @(
    'HKCU:\Software\Microsoft\Office\16.0\Common\Identity',
    'HKCU:\Software\Microsoft\IdentityCRL',
    'HKCU:\Software\Microsoft\OneAuth',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\AAD'
)
$regKeys | ForEach-Object { Remove-RegKeySafe $_ }

#--- Teams cache (classic & new) ---
$teamsPaths = @(
    "$env:APPDATA\Microsoft\Teams\Application Cache\Cache",
    "$env:APPDATA\Microsoft\Teams\blob_storage",
    "$env:APPDATA\Microsoft\Teams\Cache",
    "$env:APPDATA\Microsoft\Teams\databases",
    "$env:APPDATA\Microsoft\Teams\GPUCache",
    "$env:APPDATA\Microsoft\Teams\IndexedDB",
    "$env:APPDATA\Microsoft\Teams\Local Storage",
    "$env:APPDATA\Microsoft\Teams\tmp",
    "$env:LOCALAPPDATA\Packages\MSTeams_8wekyb3d8bbwe\LocalCache"   # new Teams (Store)
)
$teamsPaths | ForEach-Object { Remove-PathSafe $_ }

#--- OneDrive Business settings (forces fresh sign-in) ---
$odPaths = @(
    "$env:LOCALAPPDATA\Microsoft\OneDrive\settings\Business1",
    "$env:LOCALAPPDATA\Microsoft\OneDrive\settings\Business2",
    "$env:LOCALAPPDATA\Microsoft\OneDrive\settings\Business3",
    "$env:LOCALAPPDATA\Microsoft\OneDrive\settings\Business4"
)
$odPaths | ForEach-Object { Remove-PathSafe $_ }

#--- Optional: clear legacy WebCache that can pin MS login cookies (safe to skip) ---
# Note: This can fail if Explorer has a lock; it is optional and not required in most cases.
$webCache = "$env:LOCALAPPDATA\Microsoft\Windows\WebCache"
Remove-PathSafe $webCache

Write-Host "`nDone. Reboot now. After reboot:"
Write-Host "1) Use an InPrivate/Edge window for the first sign-in or clear site data for login.microsoftonline.com."
Write-Host "2) Go to Settings > Accounts > Access work or school > Connect, and sign in with the NEW tenant UPN."
Write-Host "   Or run: dsregcmd /forcerecovery to trigger the join flow."
Write-Host "3) Verify with: dsregcmd /status (AzureAdJoined/WorkplaceJoined and TenantId should reflect the new tenant)."
```
After running this PowerShell script, reboot the PC and attempt Microsoft logins again.
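The check in step 3 of the script's closing message (dsregcmd /status should show the new tenant) can be scripted. The following is an added example, not part of the original script; the function name Test-TenantState, the sample output and both GUIDs are constructed placeholders, and it treats every key ending in TenantId as a tenant reference.

```powershell
# Added example, not part of Fix-AADStaleTenant.ps1. Function name and GUIDs are placeholders.
function Test-TenantState {
    param(
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        # Defaults to live output; pass captured text to check a saved report instead
        [string[]]$StatusText = (& dsregcmd /status)
    )
    $flags = @{}
    $tenantIds = @()
    foreach ($line in ($StatusText -split "`r?`n")) {
        # Data lines look like "   Key : Value"; banner lines start with + or |
        if ($line -notmatch '^\s*(?<k>[A-Za-z]\w*)\s*:\s*(?<v>\S.*?)\s*$') { continue }
        $key, $value = $Matches['k'], $Matches['v']
        if ($key -match 'TenantId$') { $tenantIds += $value }
        elseif ($key -in 'AzureAdJoined','WorkplaceJoined') { $flags[$key] = ($value -eq 'YES') }
    }
    # Any tenant ID other than the expected one means a binding to the old tenant survived
    $stale = @($tenantIds | Where-Object { $_ -ne $ExpectedTenantId } | Select-Object -Unique)
    [pscustomobject]@{
        AzureAdJoined   = [bool]$flags['AzureAdJoined']
        WorkplaceJoined = [bool]$flags['WorkplaceJoined']
        TenantIds       = @($tenantIds | Select-Object -Unique)
        StaleTenantIds  = $stale
        # Pass only if joined or registered, a tenant is reported, and none is the old one
        OnNewTenant     = ($flags['AzureAdJoined'] -or $flags['WorkplaceJoined']) -and
                          $tenantIds.Count -gt 0 -and $stale.Count -eq 0
    }
}

# Constructed sample of a machine still bound to the old tenant (GUIDs are made up)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  TenantId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@
$result = Test-TenantState -ExpectedTenantId '11111111-1111-1111-1111-111111111111' -StatusText $sample
$result | Format-List
if (-not $result.OnNewTenant) { Write-Warning "Still bound to: $($result.StaleTenantIds -join ', ')" }
```

On a migrated PC, omit -StatusText so the function reads live dsregcmd /status output, and pass the new tenant's real ID as -ExpectedTenantId.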