After your organization updates or resets Multi-Factor Authentication settings, OneDrive for Business may stop signing in correctly. You might see repeated password prompts, error 0x8004de40, or a message that your credentials are no longer valid. This happens because the cached authentication token stored by OneDrive is tied to the old MFA configuration and becomes invalid after the change. This article explains how to clear the invalid token, re-authenticate with the new MFA method, and prevent the sign-in error from returning.
Key Takeaways: Fixing OneDrive Sign-In After MFA Changes
- Windows Credential Manager > Windows Credentials: Remove the legacy OneDrive cached credentials that still reference the old MFA token.
- OneDrive Settings > Account > Unlink this PC: Forces OneDrive to discard the current authentication session and request a fresh token.
- Microsoft 365 admin center > User > MFA re-registration: Confirm the user has completed the new MFA enrollment before attempting to sign in again.
Why OneDrive Sign-In Fails After MFA Changes
OneDrive for Business uses OAuth 2.0 tokens to authenticate with Microsoft 365. When your administrator modifies MFA policies — for example, changing the authentication app, adding a phone number, or resetting a user’s MFA registration — the existing token cached on your computer becomes invalid. OneDrive does not automatically detect this change. It keeps trying to use the old token, which the server rejects.
The result is a loop where OneDrive prompts for credentials, you enter them, but the sign-in fails again. The problem is not with your password. It is the cached token that is tied to an MFA method no longer active. Clearing the token and creating a new authentication session resolves the issue.
Common Error Codes Related to This Problem
Users may see error 0x8004de40, 0x8004de44, or a generic message that the account needs to be re-authenticated. These codes all indicate a token or credential mismatch caused by an MFA change.
Steps to Restore OneDrive Sign-In After MFA Modifications
Follow these steps in order. Do not skip the credential removal step — simply unlinking OneDrive without clearing credentials often leaves the old token behind.
- Open Windows Credential Manager
Press the Windows key, type Credential Manager, and select the app. Click Windows Credentials. Scroll to the Generic Credentials section. Look for entries that contain OneDrive or MicrosoftOffice16. Click the arrow next to each entry, then click Remove. Confirm the removal.
- Unlink OneDrive from the PC
Right-click the OneDrive cloud icon in the system tray. Select Settings. Go to the Account tab. Click Unlink this PC. Confirm when prompted. This tells OneDrive to discard its current authentication session.
- Restart the OneDrive Process
Press Ctrl + Shift + Esc to open Task Manager. Find Microsoft OneDrive in the list. Right-click it and select End task. Then press the Windows key, type OneDrive, and press Enter to relaunch the app.
- Sign In with the New MFA Method
When OneDrive starts, it will show the sign-in window. Enter your work or school email address. On the password page, enter your password. Complete the MFA challenge using the method now required by your organization — for example, approve a push notification from the Microsoft Authenticator app, enter a code from an SMS, or use a hardware token.
- Verify Sync Status
After signing in, open File Explorer and navigate to your OneDrive folder. Confirm that files are syncing. The cloud icon in the system tray should show a solid blue cloud or a spinning circle indicating active sync.
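The credential removal and OneDrive restart steps above can also be scripted for help-desk use. The following PowerShell is an added example, not part of the original article or any Microsoft tooling: it parses `cmdkey /list` output for the entry names the article mentions and removes them with `cmdkey /delete`. The function names, the constructed sample output, and the per-user OneDrive.exe path are assumptions; Unlink this PC is still done in OneDrive Settings.

```powershell
# Entry names taken from the article; adjust if your tenant uses others.
$Patterns = 'OneDrive', 'MicrosoftOffice16', 'Microsoft.AAD.BrokerPlugin'

function Get-StaleCredentialTarget {
    param(
        # Lines as printed by `cmdkey /list`. The "Target:" label is the
        # English one; localized Windows builds print a translated label.
        [string[]]$CmdkeyOutput = (cmdkey /list),
        [string[]]$Pattern = $Patterns
    )
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            foreach ($p in $Pattern) {
                if ($target -like "*$p*") { $target; break }
            }
        }
    }
}

function Remove-StaleCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)][string]$Target)
    process {
        # -WhatIf previews the deletion without touching Credential Manager.
        if ($PSCmdlet.ShouldProcess($Target, 'cmdkey /delete')) {
            & cmdkey "/delete:$Target" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not remove $Target" }
        }
    }
}

# Constructed sample of `cmdkey /list` output, used for an offline dry run.
$sample = @(
    'Currently stored credentials:'
    '    Target: LegacyGeneric:target=OneDrive Cached Credential'
    '    Type: Generic'
    '    Target: LegacyGeneric:target=MicrosoftOffice16_Data:SSPI:user@contoso.example'
    '    Type: Generic'
    '    Target: LegacyGeneric:target=git:https://github.example'
    '    Type: Generic'
)
Get-StaleCredentialTarget -CmdkeyOutput $sample | Remove-StaleCredential -WhatIf

# On the affected PC, in the user's own session:
#   Get-StaleCredentialTarget | Remove-StaleCredential
#   Stop-Process -Name OneDrive -ErrorAction SilentlyContinue
#   Start-Process "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"  # assumed install path
```

Run it as the affected user rather than from an elevated admin session, because Credential Manager entries are stored per user profile.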
If OneDrive Still Has Issues After the Main Fix
If the sign-in error persists, one of the following scenarios is likely the cause. Check each one.
OneDrive Shows Error 0x8004de40 After Re-authentication
This error indicates that the credential removal in Step 1 did not fully clear the old token. Open Credential Manager again and search for any remaining entries containing OneDrive, MicrosoftOffice, or Microsoft.AAD.BrokerPlugin. Remove all of them. Then restart your computer and repeat the sign-in process.
MFA Registration Is Incomplete
Your administrator may have changed the MFA policy but you have not completed the new registration. Open a web browser, go to https://aka.ms/mfasetup, and sign in with your work account. Follow the prompts to register the new MFA method. After successful registration, try signing into OneDrive again.
OneDrive Keeps Prompting for Password Even After Fix
This usually means that the Office credential cache is still active. Open Control Panel, go to User Accounts > Credential Manager. Under Windows Credentials, remove any entry that starts with MicrosoftOffice16_Data. Then restart OneDrive.
OneDrive Sign-In Methods: Cached Token vs Fresh Authentication
| Item | Cached Token (Old) | Fresh Authentication (New) |
|---|---|---|
| Description | Stored OAuth token from the previous MFA method | New token obtained after completing the current MFA challenge |
| How it is created | Generated during the first successful sign-in | Generated after clearing credentials and re-entering password + MFA |
| Validity after MFA change | Invalid — server rejects it | Valid — matches current MFA policy |
| Location stored | Windows Credential Manager and OneDrive internal cache | Windows Credential Manager and OneDrive internal cache |
| How to switch | Remove via Credential Manager and unlink OneDrive | Sign in again and complete new MFA challenge |
Understanding the difference between a cached token and a fresh authentication token helps you diagnose future sign-in failures. When MFA changes occur, always start by removing the old cached token instead of repeatedly trying to sign in with the same invalid credentials.
After completing the steps in this article, OneDrive should sign in successfully using the new MFA method. If the problem reappears after a future MFA update, repeat the credential removal and unlinking process. For administrators, consider using the Revoke-AzureADUserAllRefreshToken PowerShell cmdlet to invalidate all tokens for a user after an MFA reset, which prevents the cached token issue from occurring on multiple devices.