Error 0x8004def7 appears when OneDrive for Business fails to sync files, often accompanied by a message that sync is blocked or cannot start. This error typically occurs because the user account lacks proper authentication or the device is not correctly joined to the organization’s network. In many cases, the root cause is a cached credential conflict or an Azure AD registration issue. This article explains why error 0x8004def7 occurs and provides step-by-step fixes to restore OneDrive sync.
Key Takeaways: Fixing Error 0x8004def7 in OneDrive for Business
- Windows Credential Manager > Windows Credentials > OneDrive Cached Credentials: Remove stale tokens that cause authentication failure.
- Settings > Accounts > Access Work or School > Disconnect: Re-register the device with Azure AD to refresh the identity token.
- OneDrive Settings > Account > Unlink This PC: Reset the local sync relationship without deleting files.
Why Error 0x8004def7 Occurs in OneDrive for Business
Error 0x8004def7 is a Windows authentication error that blocks OneDrive from connecting to the Microsoft 365 cloud. The error code maps to a failure in the Web Account Manager (WAM), which handles modern authentication tokens. When the cached token expires or becomes corrupt, OneDrive cannot verify the user’s identity against Azure Active Directory. This problem is more common on devices that are not Azure AD joined or hybrid joined. It also appears after a password change, a tenant migration, or when the user account has been removed from the organization’s allowed sync list. The sync client receives a 401 Unauthorized response from the server and displays error 0x8004def7 instead of syncing.
Common Triggers for the Authentication Failure
The error can be triggered by any of these conditions:
- Stale credentials stored in Windows Credential Manager from a previous sign-in session.
- The device is not registered with Azure AD, or the registration is out of sync.
- The user account has been disabled in Microsoft 365 admin center or is blocked from syncing.
- A third-party security application interferes with the WAM authentication pipeline.
Step-by-Step Fix for Error 0x8004def7
Follow these steps in order. Test sync after each step. If the error persists, proceed to the next step.
- Clear Stored Credentials in Windows Credential Manager
Press the Windows key and type credential manager. Open Credential Manager. Select Windows Credentials. Scroll to the Generic Credentials section. Look for any entry that contains OneDrive, MicrosoftOffice, or Microsoft.AAD. Click the arrow to expand each entry, then select Remove. Confirm the removal. Close Credential Manager. Restart OneDrive by right-clicking the OneDrive cloud icon in the system tray and selecting Close OneDrive, then launch it again from the Start menu.
- Disconnect and Reconnect Work or School Account
Open Windows Settings by pressing Windows key + I. Go to Accounts > Access Work or School. Select your organization account and click Disconnect. Confirm the action. Restart your computer. After the restart, open Settings again, go to Accounts > Access Work or School, and click Connect. Sign in with your Microsoft 365 work or school credentials. This re-registers the device with Azure AD.
- Unlink and Relink OneDrive on This PC
Right-click the OneDrive cloud icon in the system tray. Select Settings. Go to the Account tab. Click Unlink this PC. Confirm the unlinking. OneDrive will close and reopen. Sign in again with your work or school account. Select the folders you want to sync and click Start Sync. This resets the sync relationship without deleting any local files.
- Reset OneDrive Sync Client Using Command Line
Press Windows key + R to open the Run dialog. Type %localappdata%\Microsoft\OneDrive\onedrive.exe /reset and press Enter. A command window will flash briefly. Wait for OneDrive to restart automatically. If it does not restart, type %localappdata%\Microsoft\OneDrive\onedrive.exe in the Run dialog and press Enter. This clears the sync cache and reinitializes the client.
- Verify Azure AD Device Registration Status
Open a Command Prompt as administrator. Type dsregcmd /status and press Enter. Look for the line AzureAdJoined. It should show YES. If it shows NO, the device is not joined. In that case, go to Settings > Accounts > Access Work or School and click Connect to join the device. Also check DomainJoined if your organization uses hybrid join. A value of NO indicates the device is not connected to the on-premises domain.
- Check Microsoft 365 Admin Center Sync Restrictions
If you are a global admin or have appropriate permissions, sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Settings > Org settings > OneDrive. Under Sync, ensure Allow syncing only on PCs joined to specific domains is either disabled or includes your device. If this setting is enabled and your device is not listed, sync will be blocked. Adjust the setting or add your device to the allowed list.
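The Credential Manager check and the dsregcmd /status check from the steps above can be run as read-only triage before anything is removed or re-registered. The following PowerShell is an added example, not part of the original article: the function names are hypothetical, the sample output and account names are constructed, and the cmdkey filter assumes English-language output labels.

```powershell
# Added example, not the article's code: read-only triage, nothing is deleted.
function ConvertFrom-DsregStatus {
    # Collect "Key : Value" lines from dsregcmd /status; banner lines are skipped.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinState {
    # Classify the device from the two fields the article tells you to inspect.
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined'] -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom)           { return 'Domain joined only (no Azure AD registration)' }
    return 'Not joined'
}

function Select-SyncCredentialTarget {
    # Keep only cmdkey targets matching the names listed in the credential step.
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match '^\s*Target:.*(OneDrive|MicrosoftOffice|Microsoft\.AAD)' } |
        ForEach-Object { ($_ -replace '^\s*Target:\s*', '').Trim() }
}

# Constructed sample output so the functions can be tried on any machine.
$sampleDsreg = @'
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
'@ -split "`r?`n"
$sampleCmdkey = @'
    Target: MicrosoftOffice16_Data:SSPI:user@example.com
    Type: Generic
    Target: LegacyGeneric:target=git:https://example.com
    Target: OneDrive Cached Credential
'@ -split "`r?`n"

Get-JoinState (ConvertFrom-DsregStatus $sampleDsreg)
Select-SyncCredentialTarget $sampleCmdkey
# On a real device, pass live output instead:
#   Get-JoinState (ConvertFrom-DsregStatus (dsregcmd /status))
#   Select-SyncCredentialTarget (cmdkey /list)
```

Recording the matching credential targets and the join state before making changes gives a baseline to compare against if the error returns.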
If OneDrive Still Shows Error 0x8004def7 After the Main Fix
Some environments require additional steps to fully resolve the authentication failure. The following sections cover specific scenarios that persist after the standard fix.
OneDrive Sync Fails After a Password Change
When you change your Microsoft 365 password, cached tokens become invalid. OneDrive may show error 0x8004def7 until the token is refreshed. To force a refresh, open OneDrive Settings > Account and click Sign out. Sign back in with your new password. If the error remains, complete the credential removal step from the main fix above, then sign in again.
Third-Party Security Software Blocks WAM Authentication
Some antivirus or endpoint protection products interfere with the Web Account Manager. Temporarily disable the security software and test OneDrive sync. If sync works, add OneDrive.exe and the WAM process to the software’s exclusion list. The WAM process is typically located at C:\Windows\System32\TokenBroker\tbauth.dll. Contact your security vendor for specific exclusion instructions.
OneDrive Sync Blocked by Group Policy
If your organization uses Group Policy to restrict OneDrive sync, error 0x8004def7 may appear even after fixing credentials. Check the local Group Policy by running gpedit.msc and navigating to Computer Configuration > Administrative Templates > Windows Components > OneDrive. Ensure the policy Prevent the usage of OneDrive for file storage is set to Not Configured or Disabled. On a managed device, contact your IT administrator to adjust the policy.
Error 0x8004def7 vs Other OneDrive Sync Errors: Key Differences
| Item | Error 0x8004def7 | Error 0x8007016a |
|---|---|---|
| Description | Authentication failure due to invalid or missing Azure AD token | Cloud file provider not running or stopped |
| Root cause | Stale credentials, device not joined, or WAM corruption | OneDrive service stopped or Files On-Demand disabled |
| Primary fix | Clear credential manager and rejoin Azure AD | Restart OneDrive service or reinstall the sync client |
| User impact | Sync completely blocked; user cannot sign in | Files show placeholder icons; sync partially works |
Error 0x8004def7 is specific to authentication. Other errors like 0x8007016a indicate the sync engine itself is not running. The table above helps you distinguish between the two so you apply the correct fix.
After clearing cached credentials and re-registering the device with Azure AD, OneDrive sync should resume. If the error persists, verify that your account is active in the Microsoft 365 admin center and that no security software is blocking WAM. As an advanced step, you can run dsregcmd /leave in an elevated Command Prompt followed by dsregcmd /join to force a full device re-registration. This command removes the device from Azure AD and re-joins it, which often resolves stubborn authentication errors.