OneDrive Admin Checklist: 0x8004de40 sign-in error keeps returning for managed devices

Managed devices in your organization repeatedly show OneDrive sign-in error 0x8004de40. Users cannot connect to their OneDrive account even after re-entering credentials. This error indicates a broken authentication token, a blocked service endpoint, or a misconfigured Conditional Access policy. This article covers the root causes of the 0x8004de40 error on managed devices and provides a systematic checklist to resolve it across your tenant.

Key Takeaways: OneDrive Admin Checklist for Error 0x8004de40

  • Microsoft 365 admin center > Settings > Org settings > OneDrive > Sync: Controls tenant-wide sync restrictions and Known Folder Move settings that can block authentication.
  • Azure AD > Conditional Access > Policies: Device compliance, MFA, and session controls can revoke OneDrive tokens and cause persistent 0x8004de40.
  • OneDrive > Settings > Account > Unlink this PC: Clears cached credentials and forces a fresh token acquisition on the client side.

Why Error 0x8004de40 Persists on Managed Devices

Error 0x8004de40 is a sign-in failure: OneDrive cannot obtain or refresh an authentication token from the Microsoft identity platform. On managed devices, this usually comes down to one of these root causes:

Stale or revoked tokens. When a user changes their password, when an admin revokes sessions, or when a Conditional Access policy updates, the cached token on the device becomes invalid. OneDrive retries with the old token and gets error 0x8004de40.

Blocked authentication endpoints. Managed devices connected to a corporate network may have firewall rules or proxy settings that block login.microsoftonline.com, login.live.com, or other Microsoft identity endpoints. OneDrive cannot reach the token service and returns the error.

Conditional Access policy enforcement. A policy that requires device compliance, MFA, or approved client apps can interrupt the OneDrive token flow. If the device is not compliant or the policy is not met, the token request is denied and error 0x8004de40 appears.

Admin Checklist to Resolve 0x8004de40 on Managed Devices

Use this checklist in the order shown. Each step targets a specific layer of the authentication chain. Stop and test after each fix.

  1. Clear cached credentials on the affected device
    On the user machine, open Credential Manager. Go to Windows Credentials. Remove all entries under Generic Credentials that contain MicrosoftOffice or OneDrive. Then restart OneDrive. This forces the client to request a fresh token.
  2. Unlink and relink OneDrive
    Right-click the OneDrive cloud icon in the system tray. Select Settings > Account > Unlink this PC. Confirm the unlinking. Wait 30 seconds. Sign in again with the user’s work or school account. This clears the local sign-in cache and triggers a new authentication flow.
  3. Verify network access to Microsoft identity endpoints
    Check that the device can reach login.microsoftonline.com, login.live.com, aadcdn.msauth.net, and graph.microsoft.com. Use a browser on the same device to navigate to https://login.microsoftonline.com. If the page does not load, review firewall rules, proxy exclusions, and DNS resolution for these domains and all subdomains.
  4. Review Conditional Access policies in Azure AD
    Sign in to the Azure portal. Go to Azure Active Directory > Security > Conditional Access. Review all policies that apply to the user or device group. Look for policies that require device compliance, MFA, or approved client apps. If a policy blocks OneDrive, either exclude the user group temporarily or ensure the device meets the policy requirements.
  5. Check OneDrive sync admin settings
    In the Microsoft 365 admin center, go to Settings > Org settings > OneDrive > Sync. Verify that sync is allowed for the user. If sync is restricted by file type or by device platform, error 0x8004de40 can appear during the sign-in attempt. Enable sync for the affected users.
  6. Reset OneDrive sync app on the device
    Open Command Prompt as administrator. Run the command: %localappdata%\Microsoft\OneDrive\onedrive.exe /reset. Wait for the process to complete. Run %localappdata%\Microsoft\OneDrive\onedrive.exe to restart OneDrive. This clears all local state and forces a full re-authentication.
  7. Verify device registration and compliance
    If the device is Azure AD joined or hybrid joined, confirm it is registered. In Azure AD > Devices, locate the device. Check the compliance status. If the device is non-compliant, run the Company Portal app or use the Settings > Accounts > Access work or school page to re-register. A non-compliant device will be blocked by Conditional Access policies.
  8. Test with a different user account
    Sign in to OneDrive on the same device with a different user who has a valid Microsoft 365 license. If that user signs in successfully, the issue is tied to the original user account. Reset the user’s password or revoke their sessions in Azure AD > Users > Sign-ins > Revoke sessions.
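The following PowerShell script is an added diagnostic for steps 1 and 3 of the checklist; it is not part of the original article. It assumes the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Server 2012 and later) and the built-in cmdkey tool are available, and the function names are my own. Run it as the affected user (not elevated, so cmdkey shows that user's credential store); it is read-only and changes nothing.

```powershell
# Added diagnostic (not from the original article): checks the identity and
# Graph endpoints from step 3 for DNS resolution and TCP 443 reachability,
# and lists the Credential Manager entries step 1 says to remove.

$Endpoints = @(
    'login.microsoftonline.com',
    'login.live.com',
    'aadcdn.msauth.net',
    'graph.microsoft.com'
)

function Test-OneDriveAuthEndpoints {
    param([string[]]$Hosts = $Endpoints)
    foreach ($h in $Hosts) {
        # A DNS-level block (proxy PAC, DNS filtering) shows up here first.
        $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        # Raw TCP connect to 443. Test-NetConnection ignores the system proxy,
        # so "browser works, this fails" points at a proxy-only egress path.
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $ok  = [bool]$dns -and $tcp.TcpTestSucceeded
        [pscustomobject]@{
            Host        = $h
            DnsResolved = [bool]$dns
            Tcp443Open  = $tcp.TcpTestSucceeded
            Verdict     = if ($ok) { 'OK' } else { 'BLOCKED - review firewall, proxy and DNS' }
        }
    }
}

function Get-StaleOneDriveCredentials {
    # cmdkey /list prints one "Target: <name>" line per stored credential;
    # keep the Office/OneDrive ones that step 1 of the checklist removes.
    cmdkey /list |
        Where-Object { $_ -match '^\s*Target:' } |
        ForEach-Object { ($_ -replace '^\s*Target:\s*', '').Trim() } |
        Where-Object { $_ -match 'MicrosoftOffice|OneDrive' }
}

Test-OneDriveAuthEndpoints | Format-Table -AutoSize
'Credential Manager entries to remove (step 1):'
Get-StaleOneDriveCredentials
```

Any host reported as BLOCKED is the one to take to the firewall or proxy team before touching Conditional Access; the credential list tells you what a Credential Manager cleanup will actually remove.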

If the Error Returns After the Main Checklist

OneDrive error 0x8004de40 appears only on corporate Wi-Fi

The corporate network likely blocks authentication endpoints. Add the Microsoft 365 URLs and IP ranges to the firewall allowlist. Use the Microsoft 365 Network Connectivity Test tool to identify blocked endpoints. After unblocking, clear the DNS cache on the device with ipconfig /flushdns and retry.

Error appears after a password reset or MFA prompt

The token was revoked, but OneDrive is still using the cached one. Run the OneDrive reset command from step 6 of the checklist. Then have the user sign in again. If MFA is required, ensure the user completes the MFA prompt within the sign-in flow. If MFA is triggered but the user cannot see it, adjust the Conditional Access session control to allow MFA on trusted devices.

Error persists after unlinking and clearing credentials

Third-party security software or a VPN client may interfere with token acquisition. Temporarily disable antivirus real-time protection or the VPN client. If the error disappears, add OneDrive and the Microsoft identity endpoints to the security software's exception list. Re-enable the security software.

OneDrive Authentication Methods: Token Refresh vs Full Sign-In

| Item | Token Refresh | Full Sign-In |
|---|---|---|
| Description | OneDrive uses a cached refresh token to silently obtain a new access token | User enters credentials manually or via a web sign-in prompt |
| When used | Every 60-90 minutes during normal sync operation | After device unlink, credential clear, or token revocation |
| Trigger for 0x8004de40 | Refresh token is expired, revoked, or blocked by policy | Authentication endpoint unreachable or policy blocks the request |
| Admin fix | Revoke user sessions in Azure AD or reset OneDrive | Unblock endpoints, adjust Conditional Access, or re-register device |

Understanding this difference helps you choose the correct fix. If the error appears during a token refresh, the solution is often on the admin side. If it appears during a full sign-in, the solution is often on the network or device side.

You now have a structured checklist to resolve error 0x8004de40 on managed devices. Start with clearing cached credentials and unlinking OneDrive on one test device. Then verify network access and Conditional Access policies. For persistent cases, review device compliance and third-party software interference. As a next step, enable audit logging in Azure AD to track future token failures and identify affected users before they report the issue.