This is apparently a continuing issue with Microsoft's Modern Authentication & in my numerous searches for a resolution I'm seeing similar complaints even back in 2018.
My environment is very similar to yours: RDS, onsite AD sync to Azure AD, FSLogix, Office 365 Office 2019 local install and licensed for each user who has Microsoft 365 Business Premium.
I've been experiencing these authentication issues with Office 365 Office 2019 products (authenticating once is enough for all Office products to work), as well as separate authentications for Microsoft Teams and separately for Microsoft Edge.
Note that their MS web access is not affected, such as logging in to Office.com
Note that we have the Office 365 reauthentication issue much less often on laptops, but it does happen, for which we have to run dsregcmd /debug /leave & dsregcmd /forcerecovery, and for laptops that fixes things nearly every time. I cannot believe this is a solution that Microsoft expects end users to run. It happens frequently enough that I finally made desktop icons on the laptops with these 2 commands in a batch script.
The frustrating part is that the "reauthenticate to O365 with each new logon to RDS" problem arises and remains for days, weeks, even months; and then goes away without reason and things are fine for days, weeks, usually months; and then comes back again even though nothing has changed in our environment, seemingly without any reason.
Recently, I've noticed that one of my users who is experiencing this "reauthenticate to O365 with each new logon to RDS" issue, upon a login to RDS and launching an Office product, gets the ! (exclamation) by her avatar, but I noticed that the avatar is an old picture of her, probably back from 2018, because we had new company photos taken after that. After she completes the Office (365) Modern Authentication sign-in, it then shows her more recent photo.
I've even deleted her FSLogix virtual drive and upon logon FSLogix created her a new profile VHDX (virtual drive file), but the exact same issue continues.
This leads me to the suspicion that this is a cloud-based issue. I suspect some of Microsoft's servers for AD (active directory) are not syncing with one another. This might explain why users can go for a few months without issues, and then a few weeks where they must sign in every day, and then the issue suddenly goes away again.
The typical errors we receive are:
* error “Trusted Platform Module has malfunctioned .. error code 80090030
* “Something went wrong. Your account was not set up on this device because device management could not be enabled. … error code: 8018001c … Server message: Unknown error code 0x8018001c” --- note that this 8018001c can usually be ignored in an RDS environment. If after the 1st authentication prompt you uncheck "allow my organization to manage my device" then you often will not get the 8018001c error.
* error “Something went wrong. Your computer’s Trusted Platform Module has malfunctioned. … error code 80090016. … Server message: Keyset does not exist”
* error caa50021 "number of retry attempts exceeds expectation".
* error “sorry, another account from your organization is already signed in on this computer.”
* error “an encrypted connection to your mail server is not available”
I've wasted tens of hours on this issue, trying a myriad of anecdotal fixes offered by our wonderful MS community (not much help from Microsoft, unfortunately). Sometimes the fix suggestions do instantly resolve an issue for a few weeks or months, but other times not. And then the next time the problem happens again for the user, I will try the exact same fix that I noted worked last time, but it doesn't work this time. Then, a weekend passes by and on Monday the user may even report things are back to normal again.
I've tried all the following:
* with user logged in run command line: dsregcmd /debug /leave & dsregcmd /forcerecovery --- this one usually works
* log in to RDS or laptop as another user and then authenticate to O365 as the problematic user account --- often this works! But then logging back in to RDS as the problem user and then authenticating to O365 as that problem user is still problematic.
* delete problematic user's FSLogix VHDX and let FSLogix create a new profile. --- this exact same O365 reauthentication issue continues. Note, however, if you have a user for whom the O365 gets stuck in a continual loop & won't let the application be used, then I've found this method worked once (apparently a bad or missing directory somewhere in user profile).
* Delete everything under these branches: "%localappdata%\Microsoft\OneAuth" and "%localappdata%\Microsoft\IdentityCache"
* powershell command: if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown } Get-AppxPackage Microsoft.AAD.BrokerPlugin
* as an administrator launch regedit and go to: HKEY_USERS\{user SID}\Software\Microsoft\Office\16.0\Common\Identity, then in the right pane right-click > New > DWORD (32-bit) > name: EnableADAL, value=1, and in HKEY_USERS\{user SID}\Software\Microsoft\Office\16.0\Common\Identity, “DisableADALatopWAMOverride”=dword:00000001 ---- some people say to toggle these back to 0, wait like an hour, try reauth which probably won't work, then change back to 1 and wait an hour and try reauth again; didn't work for me.
* in cloud Microsoft 365 Admin Center, enable and then enforce Multi-factor Authentication (MFA) for user, wait a few minutes, try end-user's reauthentication to Office products again, if fails, then toggle to Disabled the MFA , wait a few minutes, then try reauth to MS Office products again.
* Ensure all necessary user directories exist in his profile, especially the %TEMP% directory. I wrote a script to delve into the user's registry and recreate missing directories and also ensure he has full access to each. In this case it may be easiest to just copy his Desktop and My Documents, etc. files to a network drive, then log him off and rename his old FSLogix VHDX and have him log in again and let FSLogix create a new profile VHDX for him.
* clear the stored keys first then do dsregcmd -- for me, this one fixed error caa50021 "number of retry attempts exceeds expectation"
cmdkey.exe /delete:MicrosoftAccount:target=SSO_POP_Device
cmdkey.exe /delete:WindowsLive:target=virtualapp/didlogical
cmdkey.exe /delete:LegacyGeneric:target=teamsIv/teams
cmdkey.exe /delete:LegacyGeneric:target=teamsKey/teams
del /S /Q "%localappdata%\Microsoft\OneAuth"
rmdir /S /Q "%localappdata%\Microsoft\OneAuth"
del /S /Q "%localappdata%\Microsoft\IdentityCache"
rmdir /S /Q "%localappdata%\Microsoft\IdentityCache"
del /S /Q "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
rmdir /S /Q "%localappdata%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy"
del /S /Q "%localappdata%\Microsoft\Office\16.0\Licensing"
rmdir /S /Q "%localappdata%\Microsoft\Office\16.0\Licensing"
My users are so irritated. And I am sick of working after-hours to try to fix their accounts. I could almost hire a person full time to just go through these fix attempts for the staff.
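The clean-up steps listed in the post above (Credential Manager entries, OneAuth/IdentityCache/broker caches, Office licensing cache, broker plugin re-registration) can be run as one PowerShell script, with a dsregcmd /status snapshot before and after so you can see whether the user actually has a Primary Refresh Token (AzureAdPrt) instead of guessing. This is an added example, not code from the original post or from Microsoft. It assumes it is run inside the affected user's own session (the caches, registry hive and Credential Manager store are per-user), that the target names and paths are exactly the ones the post lists, and that the process names to stop are the standard Office/Teams executables; the -ResetRegistration switch is a hypothetical name that gates the post's dsregcmd /leave and /forcerecovery step, which changes device registration state and so is kept opt-in.

```powershell
# Added example: consolidate the post's manual Office 365 / Modern Auth clean-up.
# Run in the affected user's session. Nothing here is Microsoft-supplied tooling
# beyond the commands already listed in the post.
param(
    [switch]$ResetRegistration   # hypothetical switch: run dsregcmd /debug /leave and /forcerecovery
)

function Get-DeviceRegState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    # Header/separator lines (e.g. "| Device State |", "+----+") do not match and are skipped.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    return $state
}

function Show-TokenState {
    param([hashtable]$s)
    # Fields that matter for the "sign in again on every RDS logon" symptom:
    # join type plus whether a PRT exists and when it was last refreshed.
    foreach ($k in 'AzureAdJoined','DomainJoined','WorkplaceJoined','AzureAdPrt','AzureAdPrtUpdateTime') {
        '{0,-22} {1}' -f $k, $s[$k]
    }
}

function Clear-OfficeIdentityCache {
    # Apps that hold the token caches open; Remove-Item fails on locked files otherwise.
    Get-Process -Name WINWORD,EXCEL,POWERPNT,OUTLOOK,ONENOTE,Teams,ms-teams -ErrorAction SilentlyContinue |
        Stop-Process -Force

    # Credential Manager entries named in the post (cmdkey target names).
    foreach ($t in 'MicrosoftAccount:target=SSO_POP_Device',
                   'WindowsLive:target=virtualapp/didlogical',
                   'LegacyGeneric:target=teamsIv/teams',
                   'LegacyGeneric:target=teamsKey/teams') {
        cmdkey.exe /delete:$t | Out-Null
    }

    # Per-user token / identity / licensing caches named in the post.
    $paths = @(
        "$env:LOCALAPPDATA\Microsoft\OneAuth",
        "$env:LOCALAPPDATA\Microsoft\IdentityCache",
        "$env:LOCALAPPDATA\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy",
        "$env:LOCALAPPDATA\Microsoft\Office\16.0\Licensing"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Continue
        }
    }

    # The post also notes a missing %TEMP% breaks sign-in; make sure it exists.
    if (-not (Test-Path -LiteralPath $env:TEMP)) {
        New-Item -ItemType Directory -Path $env:TEMP -Force | Out-Null
    }

    # Re-register the AAD broker plugin if it is missing (same command as the post).
    if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
        Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" `
            -DisableDevelopmentMode -ForceApplicationShutdown
    }
}

'--- device registration before clean-up ---'
Show-TokenState (Get-DeviceRegState)

Clear-OfficeIdentityCache

if ($ResetRegistration) {
    # The post's "usually works" step. It alters the user's/device's Azure AD registration,
    # so compare the before/after AzureAdJoined and WorkplaceJoined values rather than assuming.
    dsregcmd /debug /leave
    dsregcmd /forcerecovery
}

'--- device registration after clean-up ---'
Show-TokenState (Get-DeviceRegState)
'Now launch an Office app and complete the sign-in prompt once.'
```

Run it plainly for the cache clean-up only, or with -ResetRegistration to include the dsregcmd step. Before the reset, a healthy hybrid setup shows AzureAdPrt : YES with a recent AzureAdPrtUpdateTime; if that field reads NO for a user who is being re-prompted daily, the problem is token acquisition rather than the Office cache, which helps decide whether deleting the FSLogix VHDX again is worth trying.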