OneDrive Cannot Add Your Account on a Managed Device

When you try to sign in to OneDrive on a company-managed device, you may see an error message stating that OneDrive cannot add your account. This usually happens because the device is enrolled in Microsoft Intune or another mobile device management (MDM) service that enforces specific sync policies. The error can also appear if the device is domain-joined and group policies restrict account configuration. This article explains why the error occurs and provides the steps to resolve it.

Key Takeaways: OneDrive Account Blocked on Managed Devices

  • Microsoft 365 admin center > Settings > Org settings > OneDrive > Sync: Controls whether users can sync OneDrive files on managed devices.
  • Intune Configuration Profiles > Administrative Templates > OneDrive: Enforces settings like silent sign-in and sync restrictions that block manual account addition.
  • Windows Registry key HKLM\Software\Policies\Microsoft\OneDrive: Stores local group policy settings that can prevent OneDrive from adding a new account.

Why OneDrive Cannot Add Your Account on a Managed Device

A managed device is a computer that an organization controls through policies, security settings, and compliance rules. When a device is managed, the IT administrator can enforce restrictions on which Microsoft services the user can access and how they authenticate. OneDrive respects these restrictions. If the admin has disabled personal sync or set the device to allow only work or school accounts that are pre-approved, the standard sign-in flow will fail.

The most common technical cause is a group policy or Intune policy that sets the registry value DisablePersonalSync to 1. This value prevents users from adding a Microsoft account that is not part of the organization’s tenant. Another cause is the SilentAccountConfig policy, which forces OneDrive to sign in automatically with a specific account and blocks the user from adding a different account manually.

Additionally, if the device is configured with conditional access policies in Azure AD, the sign-in attempt may be blocked because the device does not meet compliance requirements. For example, the device might be missing required antivirus software, encryption, or a recent update.

Steps to Allow OneDrive Account Addition on a Managed Device

The following steps require administrative access to the device or to the Microsoft 365 admin center. If you are a standard user, contact your IT department to apply the changes.

Method 1: Check and Modify OneDrive Sync Settings in the Microsoft 365 Admin Center

  1. Sign in to the Microsoft 365 admin center
    Open a web browser and go to https://admin.microsoft.com. Sign in with a Global Admin or SharePoint Admin account.
  2. Navigate to Org settings
    In the left navigation menu, select Settings and then Org settings.
  3. Open the OneDrive settings page
    Scroll down and click on OneDrive. This opens the Sync settings panel.
  4. Allow sync on managed devices
    Under the Sync section, ensure the option Let users sync files from OneDrive on devices managed by your organization is set to On. If it is Off, toggle it to On and click Save.
  5. Verify the change
    Wait 10 to 15 minutes for the policy to propagate. Then ask the user to restart OneDrive and try adding the account again.

Method 2: Modify Intune Configuration Profiles for OneDrive

  1. Sign in to the Microsoft Intune admin center
    Go to https://endpoint.microsoft.com and sign in with an Intune Admin role.
  2. Go to Devices > Configuration profiles
    In the left menu, select Devices, then Configuration profiles.
  3. Edit the OneDrive policy
    Find the profile that contains OneDrive settings. It may be named something like Windows 10 OneDrive Policies. Click the profile name, then select Properties and click Edit next to Configuration settings.
  4. Disable the policy that blocks account addition
    In the list of settings, locate DisablePersonalSync. Set it to Not configured or Disabled. Also check SilentAccountConfig and set it to Not configured if it is currently enabled.
  5. Save and sync
    Click OK and then Save. The policy will apply to devices on their next check-in. To force a sync, on the device go to Settings > Accounts > Access work or school, select the MDM enrollment, and click Sync.

Method 3: Remove Conflicting Registry Keys Locally

This method is for devices that are not centrally managed but still show the error due to leftover local group policy settings. You need local administrator rights on the device.

  1. Open Registry Editor
    Press Windows + R, type regedit, and press Enter. Click Yes if prompted by User Account Control.
  2. Navigate to the OneDrive policy key
    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. If the OneDrive key does not exist, this method does not apply.
  3. Delete the DisablePersonalSync value
    In the right pane, right-click DisablePersonalSync and select Delete. Confirm the deletion. If the value SilentAccountConfig exists, delete it as well.
  4. Close Registry Editor and restart OneDrive
    Exit Registry Editor. Right-click the OneDrive icon in the system tray and select Quit OneDrive. Then launch OneDrive from the Start menu and try to add your account.
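
Before deleting anything in Method 3, it helps to see which of these values are actually set and whether the device is centrally managed, since managed policies are reapplied on the next sync or group policy refresh. The read-only PowerShell audit below is an added example, not part of the original article. The HKLM path and value names come from the article; the HKCU path and the management checks (Win32_ComputerSystem and dsregcmd output) are assumptions added here as heuristics.

```powershell
# Read-only audit of the OneDrive policy values named in the article. Changes nothing.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive',   # path given in the article
    'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'    # assumption: per-user equivalent, not in the article
)
$valueNames = 'DisablePersonalSync', 'SilentAccountConfig', 'DisableFileSync'

function Get-OneDrivePolicyValue {
    param([string[]]$Keys, [string[]]$Names)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent: nothing set here
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $Names) {
            if ($props.PSObject.Properties.Name -contains $name) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $props.$name }
            }
        }
    }
}

function Test-CentrallyManaged {
    # Heuristic only: domain membership plus what dsregcmd reports about join state and MDM.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $dsreg = & dsregcmd.exe /status 2>$null
    [pscustomobject]@{
        DomainJoined  = [bool]$domainJoined
        AzureAdJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
        MdmUrlPresent = [bool]($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*https?://')
    }
}

$found   = @(Get-OneDrivePolicyValue -Keys $policyKeys -Names $valueNames)
$managed = Test-CentrallyManaged

if ($found.Count -eq 0) {
    'No OneDrive policy values from the article are set on this device.'
} else {
    $found | Format-Table -AutoSize
}
$managed | Format-List

# A locally deleted value comes back if a domain GPO or MDM profile is the source.
if ($found.Count -gt 0 -and ($managed.DomainJoined -or $managed.MdmUrlPresent)) {
    Write-Warning 'Values are set and the device appears centrally managed. Change the policy at its source (Method 1 or 2) instead of deleting it locally.'
}
```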

If OneDrive Still Cannot Add the Account After the Main Fix

OneDrive Shows the Error 0x8004de40

Error 0x8004de40 often indicates a problem with the Windows Credential Manager. Open Credential Manager from the Control Panel. Under Windows Credentials, remove any entries that contain OneDrive or MicrosoftOffice. Then restart OneDrive and sign in again.

Account Addition Works on Some Devices But Not Others

This suggests that the policy is applied inconsistently. Check if the failing device is in a different Azure AD group or Intune device group. Verify that the device is compliant with conditional access policies. In the Azure AD admin center, go to Identity > Security > Conditional Access and review the policies that apply to the user and device.

OneDrive Prompts for Credentials but Never Completes Sign-In

This can happen if multi-factor authentication (MFA) is required but the device is not trusted. In the Microsoft 365 admin center, check the MFA settings for the user. Ensure the device is registered for MFA by going to Settings > Accounts > Access work or school and clicking Info to verify the device status.

Managed Device Policies vs Local Device Policies: Key Differences

| Item | Managed Device Policies | Local Device Policies |
|---|---|---|
| Source of policy | Intune, Group Policy from domain controller, or MDM | Local Group Policy Editor (gpedit.msc) or Registry Editor |
| Scope | Applies to all devices in a security group or organizational unit | Applies only to the single device where it is configured |
| Ease of change | Requires admin access to Microsoft 365 admin center or Intune | Requires local admin rights on the device |
| Persistence | Reapplies on every sync or group policy refresh | Persists until manually removed or overridden by a managed policy |
| Common OneDrive keys | DisablePersonalSync, SilentAccountConfig, DisableFileSync | Same keys but set via local registry |

Now you know how to identify and resolve the OneDrive account addition error on a managed device. Start by checking the Microsoft 365 admin center sync settings. If the issue persists, review Intune policies or local registry keys. To prevent future blocks, set a reminder to audit your organization’s OneDrive policies every quarter.
