The 0x8004de40 sign-in error prevents remote workers from connecting OneDrive to Microsoft 365. The error appears as a pop-up or a red banner that says something went wrong during sign-in. This article explains the root causes tied to token expiration, Conditional Access policies, and network proxy configurations. You will get a step-by-step admin checklist to resolve the error permanently across your remote workforce.
Key Takeaways: 0x8004de40 Sign-In Error Fix for Remote Workers
- Microsoft Entra admin center > Protection > Conditional Access > Policies: Identify the policies that apply to the Office 365 or Office 365 SharePoint Online cloud app (the OneDrive sync client authenticates to SharePoint Online; there is no separate "OneDrive" cloud app) and confirm in the sign-in logs that one of them is blocking token refresh before you add any exclusion.
- Token lifetime policies (Microsoft Graph PowerShell, not the portal): Check that no custom policy sets the access token lifetime below the 60 to 90 minute default. A short lifetime does not prompt by itself, but every refresh is re-evaluated against Conditional Access and has to cross the network, so it makes other problems surface faster.
- Proxy and VPN: Allowlist the Microsoft 365 endpoints OneDrive uses, exempt them from TLS inspection, and confirm TLS 1.2 is enabled on the client. This is the usual cause when the error appears only while the VPN is connected.
Why Error 0x8004de40 Persists for Remote Workers
Error 0x8004de40 is a token-based authentication failure. When a remote worker signs in to OneDrive, the client obtains an access token and a refresh token from Microsoft Entra ID (formerly Azure AD) and later uses the refresh token to renew access silently. When that renewal is rejected, or the request never reaches the identity service, OneDrive shows the sign-in error. The most common triggers are:
- Conditional Access policies: Policies that require a compliant device, a specific network location, or multi-factor authentication are re-evaluated on every token refresh, so a remote worker who moves to a network outside the named location, or whose device drops out of compliance, is blocked at the next refresh rather than at the original sign-in.
- Token lifetime settings: A custom policy that shortens the access token lifetime makes the client refresh more often. Each refresh is another chance to be blocked by policy or by the network, so a short lifetime turns an intermittent problem into a frequent one.
- Proxy or VPN interference: Corporate proxies that block the Microsoft 365 endpoints, or that perform TLS inspection with a certificate the device does not trust, cause the token request to fail before it reaches Microsoft Entra ID. Disabling TLS 1.2 on the client has the same effect, because the service no longer accepts TLS 1.0 or 1.1.
- Corrupted credential cache: Windows Credential Manager holds stale cached credentials for OneDrive and Office that are reused instead of the new sign-in.
Remote workers are especially affected because they connect from non-corporate networks, use personal devices, or have intermittent VPN connections. The error reappears because the root cause — a policy or configuration on the tenant side — is not addressed by simply re-signing in.
Admin Checklist to Permanently Fix 0x8004de40
Use the checklist below in order. Each step targets a specific cause of the error. Verify each setting in the Microsoft Entra admin center (entra.microsoft.com) or, for token lifetime policies, with Microsoft Graph PowerShell.
Step 1: Review Conditional Access Policies for OneDrive
- Sign in to the Microsoft 365 admin center: Go to admin.microsoft.com and select Identity under Admin centers. This opens the Microsoft Entra admin center (entra.microsoft.com).
- Navigate to Conditional Access: Select Protection > Conditional Access > Policies.
- Locate policies that cover OneDrive: Open each policy whose Target resources (formerly Cloud apps or actions) include All cloud apps, Office 365, or Office 365 SharePoint Online. The OneDrive sync client authenticates to SharePoint Online, so any of those targets applies to it.
- Confirm the block before changing anything: In Monitoring > Sign-in logs, filter on the affected user, open a failed OneDrive sign-in, and read the Conditional Access tab; it names the policy that failed and the condition that was not met.
- Narrow the policy rather than disabling it: Either exclude a pilot group of remote users from the device compliance or named location condition, or create a second policy that targets Office 365 SharePoint Online and grants access with multi-factor authentication only. Excluding the app outright lets unmanaged devices sync corporate data, so treat an exclusion as temporary and record who approved it.
- Test with a remote worker: Ask the user to sign out of OneDrive, remove the entries with "OneDrive" in the name under Control Panel > Credential Manager > Windows Credentials, and sign in again.
Step 2: Verify Token Lifetime Policies
- Do not look in App registrations: The OneDrive sync client is a Microsoft first-party application, so it has no app registration in your tenant, and the Token configuration blade only manages optional claims, not lifetimes. Token lifetime policies are not exposed in the portal at all.
- List token lifetime policies with Microsoft Graph PowerShell: Connect with Connect-MgGraph and the Policy.Read.All scope, then run Get-MgPolicyTokenLifetimePolicy. Each policy's Definition is a JSON document whose AccessTokenLifetime value (for example 00:10:00) is the lifetime as hours:minutes:seconds.
- Check the range and the assignment: The configurable range is 10 minutes to 1 day; with no policy, Microsoft 365 access tokens last 60 to 90 minutes. A policy only affects OneDrive if it is assigned to the relevant service principal or marked as the organization default.
- Remove or relax short policies: Delete any policy that sets AccessTokenLifetime below 60 minutes (Remove-MgPolicyTokenLifetimePolicy) or unassign it from the service principal. Keep in mind that a short access token lifetime causes silent refreshes, not prompts; if prompts persist after this step, the refresh itself is being blocked, which points back to Step 1 or forward to Step 3.
Step 3: Configure Network Proxy and VPN Settings
- Allowlist the Microsoft 365 endpoints: Work with the network team to allow, at minimum, login.microsoftonline.com and its subdomains, graph.microsoft.com, oneclient.sfx.ms, onedrive.com, and your tenant's SharePoint hosts (tenant.sharepoint.com and tenant-my.sharepoint.com). Use the published Microsoft 365 URL and IP address ranges list as the authoritative source, not this short list.
- Exempt those hosts from TLS inspection: An intercepting proxy replaces the server certificate with one signed by the corporate CA. Managed devices that trust that CA may tolerate it, but personal devices do not, and the token request then fails at the TLS handshake. Put the identity and OneDrive hosts on the proxy's inspection bypass list.
- Require TLS 1.2 on the client: Microsoft 365 no longer accepts TLS 1.0 or 1.1, so a hardening baseline that disables TLS 1.2 client-side in Schannel or in Internet Options > Advanced produces this error on every connection.
- Configure VPN split tunneling: Route the Optimize-category Microsoft 365 traffic, which includes the SharePoint and OneDrive hosts, directly to the internet instead of through the corporate network. This removes both the latency and the inspection point that the VPN path adds.
- Test by bypassing the proxy: Temporarily disconnect the VPN or bypass the proxy on one remote device. If the error stops, the proxy or VPN path is the cause; re-enable it and refine the allowlist and inspection exemptions until the error stays away with the VPN connected.
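The following script is an added example for this step, not code from the original article or from Microsoft. It reproduces what a network engineer would check by hand on an affected device: which proxy each Microsoft 365 URL is routed through, whether the request succeeds, which CA issued the certificate the client actually saw (a corporate CA means TLS inspection), and whether TLS 1.2 is enabled for Schannel and Internet Options. It assumes Windows PowerShell 5.1 (ServicePoint.Certificate is a .NET Framework feature), uses a placeholder tenant host, and treats the endpoint list and the issuer match as a minimal heuristic rather than the authoritative Microsoft 365 URL list.

```powershell
# Added example, not from the original article. Run in Windows PowerShell 5.1 in the
# affected user's own session so the same system proxy settings apply.
param(
    # Placeholder: replace with your tenant's OneDrive host, e.g. contoso-my.sharepoint.com
    [string]$TenantMyHost = 'contoso-my.sharepoint.com'
)

# Minimal subset of the published Microsoft 365 URL list (assumption: enough for a first check)
$endpoints = @(
    'https://login.microsoftonline.com/common/.well-known/openid-configuration',
    'https://graph.microsoft.com/v1.0/$metadata',
    'https://oneclient.sfx.ms/',
    "https://$TenantMyHost/"
)

# The test itself asks for TLS 1.2, so a failure reflects the platform or the path, not .NET defaults
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
$sysProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

function Test-Tls12Enabled {
    # Schannel client switch, honoured by WinHTTP-based clients
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $schannelOk = $true
    if (Test-Path $key) {
        $v = Get-ItemProperty $key
        if ($v.Enabled -eq 0 -or $v.DisabledByDefault -eq 1) { $schannelOk = $false }
    }
    # Internet Options > Advanced switch (WinINet): bitmask 0x80 TLS1.0, 0x200 TLS1.1, 0x800 TLS1.2
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $wininetOk = $true
    if ($null -ne $inet.SecureProtocols) { $wininetOk = [bool]($inet.SecureProtocols -band 0x800) }
    [pscustomobject]@{ SchannelTls12 = $schannelOk; WinInetTls12 = $wininetOk }
}

function Test-M365Endpoint {
    param([string]$Url)
    $uri = [uri]$Url
    $proxyUri = $sysProxy.GetProxy($uri)
    $via = if ($proxyUri.AbsoluteUri -ne $uri.AbsoluteUri) { $proxyUri.AbsoluteUri } else { 'direct' }
    $req = [System.Net.WebRequest]::Create($uri)
    $req.Proxy = $sysProxy
    $req.Timeout = 10000
    $status = $null; $err = $null
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # A WebException that carries a response means TLS succeeded and the server answered
        # (401/403 are fine for this check); anything else is a DNS, TCP, proxy or TLS trust failure.
        if ($ex -is [System.Net.WebException] -and $ex.Response) { $status = [int]$ex.Response.StatusCode }
        else { $err = $ex.Message }
    }
    # ServicePoint.Certificate is the certificate the client actually saw through the tunnel.
    # Heuristic: Microsoft 365 hosts present Microsoft- or DigiCert-issued certificates, so any
    # other issuer means something in the path re-signed it (TLS inspection).
    $issuer = $null; $inspected = $null
    if ($req.ServicePoint.Certificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
        $issuer = $cert.Issuer
        $inspected = -not ($issuer -match 'DigiCert|Microsoft')
    }
    [pscustomobject]@{
        Host = $uri.Host; Proxy = $via; HttpStatus = $status
        Issuer = $issuer; TlsInspected = $inspected; Error = $err
    }
}

Test-Tls12Enabled | Format-List
$endpoints | ForEach-Object { Test-M365Endpoint $_ } | Format-Table -AutoSize
```

Run it once with the VPN connected and once without; a row whose Issuer changes to the corporate CA, or whose Error appears only on the VPN run, identifies the host that needs an inspection exemption or an allowlist entry.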
Step 4: Clear Credential Cache on Remote Devices
- Open Credential Manager: On the remote device, press Windows + R, type control, press Enter, then select Credential Manager > Windows Credentials.
- Remove the cached OneDrive credentials: Expand and remove the entries whose names contain OneDrive or MicrosoftOffice, confirming each deletion. Only remove the Microsoft.AAD.BrokerPlugin entries if that did not help: they belong to the Web Account Manager broker that Office and Teams share, so removing them signs those apps out of the work account as well.
- Restart OneDrive: Right-click the OneDrive icon in the system tray and select Close OneDrive (Quit OneDrive on newer builds). Open OneDrive from the Start menu and sign in with the work account.
Step 5: Reset OneDrive Sync Connection
- Run the OneDrive reset command: Press Windows + R, type %localappdata%\Microsoft\OneDrive\onedrive.exe /reset, and press Enter. If Windows reports that it cannot find the file, the client is installed per machine; use C:\Program Files\Microsoft OneDrive\onedrive.exe /reset or C:\Program Files (x86)\Microsoft OneDrive\onedrive.exe /reset instead. The reset re-creates the sync relationship without deleting local files; a console window may flash briefly and the tray icon disappears while the client restarts.
- Re-launch OneDrive: If the tray icon has not reappeared after a couple of minutes, press Windows + R, type the same onedrive.exe path without /reset, and press Enter. The setup screen appears.
- Sign in and verify sync: Sign in with the user's work account and choose the folders to sync. Confirm that the error does not return after the two triggers from earlier: a sleep/wake cycle and a VPN reconnect.
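Steps 4 and 5 are the part most admins end up repeating on many devices, so here is an added example that automates both (it is not code from the original article or from Microsoft). It removes the matching Credential Manager entries, locates onedrive.exe in the documented per-user and per-machine install paths, runs /reset, and relaunches the client only if it has not come back on its own. It assumes the cmdkey /list output format shown in the comments, must run in the affected user's session (Credential Manager and %LOCALAPPDATA% are per-user), and leaves the Microsoft.AAD.BrokerPlugin entries alone unless -IncludeBroker is given, for the reason stated in Step 4.

```powershell
# Added example, not from the original article. Run as the affected user, e.g. from an
# Intune remediation script in user context. Use -WhatIf to see what would be removed.
param(
    # Removing the Microsoft.AAD.BrokerPlugin entries signs Office and Teams out as well
    [switch]$IncludeBroker,
    [switch]$WhatIf
)

$patterns = @('OneDrive', 'MicrosoftOffice')
if ($IncludeBroker) { $patterns += 'Microsoft.AAD.BrokerPlugin' }

function Get-CachedCredentialTargets {
    # Assumption: cmdkey prints lines such as "    Target: LegacyGeneric:target=OneDrive Cached Credential";
    # cmdkey /delete wants only the part after "target=".
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(?:.*target=)?(.+?)\s*$') { $Matches[1] }
    }
}

function Remove-OneDriveCredentials {
    $targets = @(Get-CachedCredentialTargets | Where-Object {
        $t = $_
        ($patterns | Where-Object { $t -like "*$_*" }).Count -gt 0
    })
    foreach ($t in $targets) {
        if ($WhatIf) { Write-Host "Would remove: $t"; continue }
        & cmdkey "/delete:$t" | Out-Null
        Write-Host "Removed: $t"
    }
    return $targets
}

function Get-OneDriveExe {
    # The three documented install locations, checked in order
    $candidates = @(
        "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe",
        "$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe",
        "${env:ProgramFiles(x86)}\Microsoft OneDrive\OneDrive.exe"
    )
    foreach ($c in $candidates) { if (Test-Path $c) { return $c } }
    throw 'OneDrive.exe not found in any known install location'
}

function Reset-OneDriveClient {
    $exe = Get-OneDriveExe
    if ($WhatIf) { Write-Host "Would run: $exe /reset"; return }
    Get-Process OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force
    # /reset re-creates the sync relationships and keeps local files
    Start-Process -FilePath $exe -ArgumentList '/reset' -Wait
    # The client normally relaunches itself; only start it if it has not come back
    Start-Sleep -Seconds 30
    if (-not (Get-Process OneDrive -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath $exe
    }
}

Remove-OneDriveCredentials
Reset-OneDriveClient
```

The user still has to sign in once after the reset; the script only removes the stale state that makes that sign-in fail.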
If Error 0x8004de40 Still Appears After the Checklist
OneDrive error 0x8004de40 only on VPN-connected devices
The VPN is forcing all traffic through the corporate network, so OneDrive traffic passes the proxy, its TLS inspection, and any endpoint block that does not apply off-VPN. Configure VPN split tunneling as described in Step 3. If that is not possible, instruct remote workers to disconnect from the VPN, sign in to OneDrive, and then reconnect. If sign-in works that way, the VPN path is confirmed as the cause; fix the allowlist and inspection exemptions rather than repeating the workaround.
Error occurs after a recent Conditional Access policy update
A new policy that requires device compliance or a specific IP range can block token refresh for remote users. Review Monitoring > Sign-in logs in the Microsoft Entra admin center. Look for failed OneDrive sign-ins with error code 53003 (blocked by Conditional Access), 50097 (device authentication required), 53000 (device not compliant), or 53001 (device not domain joined); the Conditional Access tab of each entry names the policy that failed. Adjust that policy's scope as shown in Step 1.
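The sign-in log review in Step 1 and in this section is easiest to do for a whole remote workforce from Microsoft Graph PowerShell. The script below is an added example (not code from the original article or from Microsoft) that pulls recent OneDrive sign-in failures, maps the error codes listed above to their meaning, and reports which Conditional Access policy failed, whether the device was compliant, and from which IP address. It assumes the Microsoft Graph PowerShell SDK 2.x, an account holding AuditLog.Read.All and Directory.Read.All, and that the sync client's application display name in your tenant's logs contains "OneDrive" (a client-side filter you may need to adjust).

```powershell
# Added example, not from the original article. Requires Microsoft.Graph.Reports.
param(
    [int]$Days = 7,
    # Optional: narrow the server-side filter to one affected user
    [string]$UserPrincipalName
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Error codes discussed in the article; anything else falls back to the log's own failure reason
$caCodes = @{
    53003 = 'Blocked by Conditional Access'
    50097 = 'Device authentication required'
    53000 = 'Device not compliant'
    53001 = 'Device not domain joined'
}

$since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since"
if ($UserPrincipalName) { $filter += " and userPrincipalName eq '$UserPrincipalName'" }

# Assumption: the sync client's appDisplayName contains "OneDrive"; adjust after checking a log entry
$failures = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.Status.ErrorCode -ne 0 -and $_.AppDisplayName -like '*OneDrive*' }

$report = foreach ($s in $failures) {
    $code = [int]$s.Status.ErrorCode
    $cause = if ($caCodes.ContainsKey($code)) { $caCodes[$code] } else { $s.Status.FailureReason }
    # Only policies with result "failure" actually blocked this sign-in; report-only results are informational
    $failedPolicies = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } |
        ForEach-Object { $_.DisplayName }
    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        User         = $s.UserPrincipalName
        App          = $s.AppDisplayName
        ErrorCode    = $code
        Cause        = $cause
        CAStatus     = $s.ConditionalAccessStatus
        FailedPolicy = ($failedPolicies -join '; ')
        Compliant    = $s.DeviceDetail.IsCompliant
        TrustType    = $s.DeviceDetail.TrustType
        IPAddress    = $s.IpAddress
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Which policy is responsible for most OneDrive blocks? That is the one to re-scope in Step 1.
$report | Where-Object { $_.FailedPolicy } |
    Group-Object FailedPolicy | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A row with ErrorCode 53000 and Compliant false on a personal device is the unmanaged-device case in the next section; a row with CAStatus success and a non-zero code that is not in the table points at the network path (Step 3) rather than at policy.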
Error appears on personal devices but not on company-managed devices
Conditional Access policies that require a Microsoft Entra hybrid joined (formerly Hybrid Azure AD joined) or compliant device prevent OneDrive from signing in on personal devices. If syncing corporate files to unmanaged disks is acceptable, create a separate policy for the Office 365 SharePoint Online cloud app that grants access with multi-factor authentication only, without device requirements. If it is not, keep the block in place for the sync client and give unmanaged devices browser-only access through the unmanaged devices policy in the SharePoint admin center (Policies > Access control), so the error on personal devices becomes expected behaviour rather than a fault.
Conditional Access Policy Settings vs Token Lifetime Policy: Admin Comparison
| Item | Conditional Access Policy | Token Lifetime Policy |
|---|---|---|
| Purpose | Controls who can access OneDrive based on location, device, or risk | Sets how long an access token remains valid before requiring reauthentication |
| Effect on error 0x8004de40 | Blocks the token refresh when the user, device, or location no longer meets the policy conditions | Shortens the interval between refreshes; does not prompt by itself, but each refresh is re-evaluated by Conditional Access and must cross the network |
| Configuration location | Microsoft Entra admin center > Protection > Conditional Access > Policies | Microsoft Graph API or Graph PowerShell (Get-MgPolicyTokenLifetimePolicy); not exposed in the portal |
| Recommended setting | Scope device-compliance and location conditions with a pilot exclusion group, or a separate MFA-only policy for Office 365 SharePoint Online, instead of excluding the app | Leave the default (60 to 90 minutes); if a custom policy is required, keep AccessTokenLifetime at 60 minutes or more |
Now you can work through each cause of the 0x8004de40 error for remote workers in order. Start with Conditional Access, confirming the block in the sign-in logs before you exclude anything, then move to token lifetime and network settings. For devices that still show the error, clear the credential cache and reset the sync client using the commands in Step 5. As an advanced tip, audit all token lifetime policies in the tenant with Get-MgPolicyTokenLifetimePolicy from Microsoft Graph PowerShell (Get-AzureADPolicy belongs to the deprecated AzureAD module) and remove any that set AccessTokenLifetime below 60 minutes.
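The audit mentioned in the closing tip, and the policy check in Step 2, look like this in Microsoft Graph PowerShell. This is an added example, not code from the original article or from Microsoft: it lists every token lifetime policy, parses the AccessTokenLifetime value out of the JSON definition, resolves which service principals each policy is assigned to, and flags anything under the threshold. It assumes the Microsoft Graph PowerShell SDK 2.x, the Policy.Read.All scope (Policy.ReadWrite.ApplicationConfiguration when removing), and that the assignment lookup cmdlet is named Get-MgPolicyTokenLifetimePolicyApplyTo; confirm that name against your installed module before relying on the AppliedTo column.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph.Identity.SignIns.
param(
    [int]$MinimumMinutes = 60,
    # Delete flagged policies after an interactive confirmation
    [switch]$Remove
)

$scopes = if ($Remove) { 'Policy.ReadWrite.ApplicationConfiguration' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

function ConvertTo-Minutes {
    # Definitions use .NET TimeSpan text: "00:10:00" is ten minutes, "1.00:00:00" is one day
    param([string]$Span)
    [TimeSpan]::Parse($Span).TotalMinutes
}

$findings = foreach ($p in (Get-MgPolicyTokenLifetimePolicy -All)) {
    # Definition is an array of JSON strings such as
    # {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:10:00"}}
    foreach ($json in $p.Definition) {
        $def = ($json | ConvertFrom-Json).TokenLifetimePolicy
        if (-not $def.AccessTokenLifetime) { continue }
        $minutes = ConvertTo-Minutes $def.AccessTokenLifetime
        # Assumption: appliesTo returns generic directoryObjects, so displayName is in AdditionalProperties
        $appliedTo = Get-MgPolicyTokenLifetimePolicyApplyTo -TokenLifetimePolicyId $p.Id -ErrorAction SilentlyContinue |
            ForEach-Object { $_.AdditionalProperties['displayName'] }
        [pscustomobject]@{
            PolicyId           = $p.Id
            Name               = $p.DisplayName
            AccessTokenMinutes = $minutes
            OrgDefault         = $p.IsOrganizationDefault
            AppliedTo          = ($appliedTo -join '; ')
            TooShort           = ($minutes -lt $MinimumMinutes)
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object TooShort)) {
        # If Graph refuses because the policy is still assigned, remove the assignment
        # from the service principal first, then retry the delete.
        Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $f.PolicyId -Confirm
    }
}
```

A policy that is flagged TooShort but has an empty AppliedTo column and OrgDefault false is not in effect and cannot be the cause; remove it anyway to keep the tenant tidy, but keep looking at Step 1 and Step 3 for the real trigger.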