OneDrive for Business 0x8004de40 sign-in error keeps returning for VPN users: Fix Guide

VPN users frequently encounter the OneDrive for Business sign-in error 0x8004de40, which prevents file sync and access to cloud files. This error occurs when the OneDrive client cannot validate your credentials through the VPN tunnel due to network restrictions or cached authentication tokens. The error message typically reads “Something went wrong” or “Sign in required” and reappears even after you enter your password. This article explains why VPN connections trigger this error and provides six tested methods to eliminate it permanently.

Key Takeaways: Fixing 0x8004de40 for VPN Users

  • VPN split tunneling configuration: Prevents OneDrive traffic from going through the VPN by routing Microsoft 365 domains through the local internet connection.
  • Windows Credential Manager > Windows Credentials > OneDrive Cached Credentials: Remove stale login tokens that cause authentication conflicts when switching between VPN and direct networks.
  • OneDrive Settings > Account > Unlink this PC: Resets the sync relationship and forces a fresh authentication handshake with Microsoft servers.


Why the 0x8004de40 Error Occurs Specifically on VPN Connections

The 0x8004de40 error is a Windows authentication failure that happens when the OneDrive client cannot establish a secure token exchange with Microsoft’s identity service. VPN connections introduce three specific problems that trigger this error.

VPN Tunnel Interference with Microsoft 365 Endpoints

Corporate VPNs route all internet traffic through a central gateway. This gateway may block or delay traffic to Microsoft 365 authentication servers such as login.microsoftonline.com and aadrm.com. When OneDrive attempts to refresh its sign-in token, the VPN tunnel either drops the request or a caching proxy on the path answers with a response whose certificate does not match the one the client expects. The client then displays error 0x8004de40.

Stale Credential Cache from Previous Network Profiles

OneDrive stores your sign-in token in Windows Credential Manager. When you connect through a VPN, the token may be associated with a different network profile than your direct internet connection. If the token expires or becomes misaligned with the VPN’s DNS suffix, OneDrive cannot validate it and forces a new sign-in that also fails.

Azure AD Conditional Access Policies

Many organizations enforce Conditional Access policies that require device compliance checks or multi-factor authentication from trusted IP ranges. If your VPN exit point falls outside the allowed IP range or the VPN does not forward device compliance data correctly, Azure AD rejects the token request and returns error 0x8004de40 to the OneDrive client.

Methods to Resolve the 0x8004de40 Sign-In Error for VPN Users

Apply these methods in the order listed. Test OneDrive sign-in after each method before proceeding to the next.

Method 1: Configure VPN Split Tunneling for Microsoft 365

  1. Open your VPN client settings
    Locate the split tunneling or route configuration section. This is usually under Advanced Settings or Network Settings in your VPN software.
  2. Add Microsoft 365 domains to the split tunnel exclusion list
    Add these domains so they bypass the VPN tunnel: login.microsoftonline.com, aadrm.com, onedrive.live.com, and your tenant-specific SharePoint domain such as yourcompany.sharepoint.com. Also include files.1drv.com and all subdomains.
  3. Apply the changes and reconnect the VPN
    Disconnect the VPN, then reconnect. Open OneDrive and attempt to sign in again.
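
To confirm that the exclusions from step 2 took effect, the following added example (not part of the original article) asks Windows which interface it would use to reach each listed host while the VPN is connected. The function name and the VPN adapter alias 'YourVPN' are assumptions; substitute the alias shown by Get-NetIPInterface and add your tenant's SharePoint host name.

```powershell
# Added example, not from the original article.
# Reports the interface Windows selects for each Microsoft 365 host in Method 1.
function Get-M365RoutePath {
    param(
        # Assumption: alias of the VPN adapter as listed by Get-NetIPInterface.
        [Parameter(Mandatory)][string]$VpnInterfaceAlias,
        # Hosts named in the article; append your tenant's SharePoint host name.
        [string[]]$HostName = @('login.microsoftonline.com', 'aadrm.com',
                                'onedrive.live.com', 'files.1drv.com')
    )
    foreach ($h in $HostName) {
        $ips = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress -Unique
        if (-not $ips) {
            [pscustomobject]@{ Host = $h; IPAddress = $null; InterfaceAlias = $null
                               NextHop = $null; ViaVpn = $null; Note = 'DNS resolution failed' }
            continue
        }
        foreach ($ip in $ips) {
            # Find-NetRoute returns a source-address object and a route object;
            # only the route object carries DestinationPrefix.
            $route = Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue |
                Where-Object { $_.PSObject.Properties['DestinationPrefix'] } |
                Select-Object -First 1
            [pscustomobject]@{
                Host           = $h
                IPAddress      = $ip
                InterfaceAlias = $route.InterfaceAlias
                NextHop        = $route.NextHop
                ViaVpn         = ($route.InterfaceAlias -eq $VpnInterfaceAlias)
                Note           = if ($route) { $route.DestinationPrefix } else { 'no route found' }
            }
        }
    }
}

# Run with the VPN connected. If the split tunnel exclusions are active,
# ViaVpn is False for every row.
Get-M365RoutePath -VpnInterfaceAlias 'YourVPN' | Format-Table -AutoSize
```

A row with ViaVpn set to True means that address is still routed into the tunnel, so the exclusion for that host is not being applied.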

Method 2: Clear OneDrive Cached Credentials in Windows Credential Manager

  1. Open Windows Credential Manager
    Press the Windows key, type Credential Manager, and select the app from the search results.
  2. Switch to Windows Credentials
    Click the Windows Credentials tab.
  3. Locate OneDrive-related entries
    Scroll through the list and find entries that contain OneDrive, MicrosoftOffice, or Microsoft.AAD.BrokerPlugin. Entries often start with Microsoft.OneDrive or Microsoft.Office.OneDrive.
  4. Remove each entry
    Click the arrow to expand each entry, then click Remove. Confirm the deletion when prompted.
  5. Restart OneDrive
    Close OneDrive from the system tray, reopen it, and sign in with your work or school account.

Method 3: Unlink and Relink Your OneDrive Account

  1. Open OneDrive settings
    Right-click the OneDrive cloud icon in the system tray and select Settings.
  2. Go to the Account tab
    Click the Account tab.
  3. Click Unlink this PC
    Click Unlink this PC and confirm the action. OneDrive will stop syncing and close.
  4. Reopen OneDrive and sign in
    Open OneDrive from the Start menu. Enter your work or school credentials. The client will rebuild the sync relationship with a fresh token.

Method 4: Reset OneDrive Sync Engine

  1. Press Windows + R to open the Run dialog
    Type %localappdata%\Microsoft\OneDrive\onedrive.exe /reset and press Enter.
  2. Wait for the reset to complete
    A command prompt window appears briefly. OneDrive will close and restart automatically after a few seconds.
  3. Sign in again
    If OneDrive does not reopen automatically, launch it from the Start menu. Enter your credentials.

Method 5: Verify Azure AD Conditional Access Exclusions

  1. Contact your Microsoft 365 administrator
    Explain that VPN users receive error 0x8004de40 during OneDrive sign-in.
  2. Request a Conditional Access policy review
    Ask the admin to check if there is a policy that requires trusted IPs or compliant devices. The admin can add the VPN exit IP range to the trusted IP list or create an exclusion for the OneDrive desktop client.
  3. Test after policy changes
    Once the admin makes changes, disconnect and reconnect the VPN, then sign in to OneDrive.

Method 6: Reinstall the OneDrive Sync Client

  1. Uninstall OneDrive
    Go to Settings > Apps > Installed apps, locate Microsoft OneDrive, click the three dots, and select Uninstall.
  2. Download the latest OneDrive client
    Go to https://www.microsoft.com/en-us/microsoft-365/onedrive/download and download the OneDrive installer.
  3. Run the installer and sign in
    Run the installer, wait for the installation to finish, then sign in with your work or school account while connected to the VPN.


If OneDrive Still Shows the 0x8004de40 Error After These Fixes

OneDrive sync pauses every few minutes on VPN

This symptom indicates that the VPN is dropping the OneDrive connection intermittently. Configure your VPN client to use UDP instead of TCP if the option is available. UDP reduces latency for authentication traffic. If UDP is not available, increase the VPN keepalive interval to 30 seconds in the VPN advanced settings.

The error appears only when connecting from home Wi-Fi through VPN

Home networks often use carrier-grade NAT or ISP proxies that interfere with VPN traffic. Connect your computer directly to the modem with an Ethernet cable. Disable IPv6 on the VPN adapter in Windows Network and Sharing Center > Change adapter settings > right-click VPN adapter > Properties > uncheck Internet Protocol Version 6.

Multiple users on the same VPN report the same error

This points to a VPN gateway configuration issue. The VPN administrator must ensure that the gateway allows TLS 1.2 and TLS 1.3 traffic to Microsoft 365 endpoints. The gateway should also bypass SSL inspection for traffic to login.microsoftonline.com because SSL inspection can break the certificate chain that OneDrive uses for authentication.
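
A gateway that inspects TLS presents a certificate issued by its own CA, so the issuer seen through the VPN differs from the issuer seen on a direct connection. The following added example (not part of the original article) performs a TLS 1.2 handshake with the sign-in endpoint using normal certificate validation and reports what the client received; the function name and the choice to pin the handshake to TLS 1.2 are assumptions made for the example.

```powershell
# Added example, not from the original article.
# Handshakes with each host and reports the negotiated protocol and the
# certificate issuer, using the system trust store (no validation bypass).
function Test-M365TlsPath {
    param(
        [string[]]$HostName = @('login.microsoftonline.com'),
        [int]$TimeoutMs = 5000
    )
    foreach ($h in $HostName) {
        $r = [ordered]@{ Host = $h; Connected = $false; Protocol = $null
                         Subject = $null; Issuer = $null; Thumbprint = $null; Error = $null }
        $ssl = $null
        $tcp = [System.Net.Sockets.TcpClient]::new()
        try {
            if (-not $tcp.ConnectAsync($h, 443).Wait($TimeoutMs)) {
                throw "TCP connect to ${h}:443 timed out"
            }
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
            # Assumption: request TLS 1.2 explicitly so the result does not depend
            # on the .NET default; revocation checking is off to isolate the chain test.
            $ssl.AuthenticateAsClient($h, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            $r.Connected  = $true
            $r.Protocol   = $ssl.SslProtocol
            $r.Subject    = $cert.Subject
            $r.Issuer     = $cert.Issuer
            $r.Thumbprint = $cert.Thumbprint
        }
        catch {
            # Timeouts, resets and untrusted-chain failures all land here.
            $r.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Dispose()
        }
        [pscustomobject]$r
    }
}

# Run once on the VPN and once on a direct connection, then compare Issuer.
Test-M365TlsPath | Format-List
```

An Issuer that names your organization's own CA on the VPN run, or an Error reporting an untrusted certificate, indicates the gateway is intercepting the connection rather than passing it through.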

VPN Split Tunneling vs Full Tunnel: Impact on OneDrive Sign-In

| Item | VPN Split Tunneling | Full Tunnel |
|---|---|---|
| Microsoft 365 traffic routing | Routes OneDrive and Microsoft 365 traffic directly through the local internet | Routes all traffic including OneDrive through the VPN gateway |
| Authentication reliability | High: no interference with token exchange | Low: VPN gateway may block or alter authentication packets |
| Network latency for file sync | Low: files travel directly from Microsoft servers to your device | High: files travel through the VPN gateway before reaching your device |
| Conditional Access compliance | Device may appear as coming from your local IP, potentially triggering Conditional Access policies | Device appears as coming from the VPN exit IP, which is easier to whitelist in Conditional Access |
| Best for | Users who need fast file sync and have Conditional Access policies that allow direct internet access | Organizations that require all traffic to be inspected and logged at the VPN gateway |

The 0x8004de40 error for VPN users is now resolved by applying split tunneling, clearing credential caches, or unlinking the account. After completing the fix, test OneDrive by opening a file from File Explorer and saving a new document to verify sync works in both directions. As an advanced tip, set up a persistent VPN route for the specific Microsoft 365 IP range using the PowerShell command Add-VpnConnectionRoute -ConnectionName "YourVPN" -DestinationPrefix 13.107.6.0/24 to ensure OneDrive traffic always bypasses the VPN tunnel even after network changes.
