Office and some other “modern auth” apps can store MFA-equivalent tokens in the TPM to minimise the number of “tap the thing on the phone” prompts during single sign on.

I discovered this when I recovered a dead laptop’s disk image to a VM and the sudden absence of a TPM killed all of my cached Office credentials.