Clearing AIP client and PowerShell module token cache

The question on how to “log out” of the Azure Information Protection client or the corresponding Office add-in is one that seems to pop up often. The AIP team has actually published information on how to achieve this task in the following article. In a nutshell, in order to reset authentication for the client, you have to delete the TokenCache value under HKEY_CURRENT_USER\Software\Microsoft\MSIP as well as delete the TokenCache file under %localappdata%\Microsoft\MSIP.

In addition, the team has also started gathering feedback on the importance of support for multiple accounts, much like we’ve had for a while now with “pure” RMS in Office. Make sure to vote for the corresponding item on UserVoice and also leave your feedback there!

Now, the above doesn’t cover the AzureInformationProtection PowerShell module, which is another very useful tool. While the module allows for non-interactive mode, by using service principal credentials to execute any operations, it also can be used interactively. Once you provide credentials however, there is no way to actually log out or change the logged in user, and it will persist even across restarts, until the token has expired.

So, in case you want to log out of the module or change the logged in user, you have to again resort to manual actions. The steps are actually similar to the ones above regarding the AIP client, however both the registry key and the file are in different location. Anyway, without further ado, to remove the token and force the module to ask for credentials:

  • Start regedit
  • Navigate to the following key: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\pscmdlet
  • Locate the subkey corresponding to the currently used tenant (either compare the GUID or simply expand the subkeys to check the corresponding user Identity)
  • Once you’ve located the relevant key, delete it
  • Also delete the file storing the token from %LocalAppData%\Microsoft\MSIPC\pscmdlet\Auth (should not be necessary, but just in case)
  • Run any AIP related cmdlet, such as Get-RMSTemplate, and provide the new set of credentials.


The above steps are not really supported by Microsoft, so use at your own risk!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.