Fix issues with AppLocker CSP and O365 authentication

Most of us we are working from our homes these days. You can't protect the Devices with the Applocker . You need something more.

This is the Applocker CSP or Configuration Servicer Provider.

Configure Service Provider is used to specify which application allow or deny. The CSP can used by the Intune to define configuration in the Windows Devices.

When you have to work with the AppLocker CSP you have to remember that it has some major changes with the AppLocker on-premises.

The changes include Packages that blocked by default in the AppLocker CSP but not in AppLocker On-premises.

Today I would like to explain you what you need to allow in the AppLocker CSP and avoid  Office 365 authentication issues.

Let's start !!!


You have opened the Excel file and the Office asks you for the authentication.

Type your username and Click Next. Then it appears a new blank window without access to type your password.


You are wondered how can type my password to verify my user and open the Office?

The main reason when a blank box appears while you try to type the password for the Office 365 is because the Microsoft.AAD.BrokerPlugin does not work properly/

What is Microsoft.AAD.BrokerPlugin

It is a package that is use it by ADAL responsible for the authentication in O365.

If this package it's not installed ,it's corrupted or is missing you can't login to your Office.


In the Applocker CSP must allow the specific package because by default it's blocked.

So let's explain how can allow the package before break things in your environment.


We must create the Rule in the AppLocker on-premises as i have described in the article ........

Once the Rule is created, then we must import in the AppLocker CSP.

  • From a Server/Workstation that has the Microsoft.AAD.BrokerPlugin open the Group Policy Management Editor. 
  • If you don't have installed anywhere then setup the Group Policy Management Feature in the Server/Workstation
  • Create a new Group Policy.
  • Navigate to Computer Configuration -- Security Settings -- AppLocker.
  • Expanded and select Packages Αpp Rules.
  • Right click and select Create New Rule. Click Next.





  • Leave the Action Allow and select the Group that you want to apply the Rule.


  •  Leave the Use an installed package as  a reference.
  • Click Select. On the Search type aad and select  the Microsoft.AAD.Broker Package.


  • You can use the slider to select which properties define the rule. 


  • Use the Exception and allow you to exclude an app that probably included in the Rule.


  • You can change the name or leave it and click Next.


The rule has been created and now you must to export the rule and import in the Intune.

You can find all the available steps in How to implement AppLocker with the Intune to the paragraph #How to import AppLocker Rules to Intune.

You can send me an email at  or do your comments in Twitter or Facebook. I invite you to follow me on Twitter or Facebook. If you have any questions, send email to me at

Disqus Comments