New employees at your organization try to sign in to OneDrive for Business and see error code 0x8004de40. The error message says the sign-in failed, and clicking Try Again returns the same error. This error usually means OneDrive cannot connect to the Microsoft 365 authentication service because of a cached credential conflict, a network proxy issue, or an incorrect tenant URL. This article explains the root cause of the 0x8004de40 error and provides step-by-step fixes that work for new hires who have never successfully signed in before.
Key Takeaways: Fixing the 0x8004de40 Sign-In Error for New Employees
- Windows Credential Manager > Windows Credentials > Generic Credentials: Remove all entries containing “OneDrive Cached Credential” to clear stale tokens that block fresh authentication.
- OneDrive Settings > Account > Unlink this PC: Disconnects the current broken sync relationship, forcing a clean sign-in flow on next launch.
- Run this command in Command Prompt (Admin): %localappdata%\Microsoft\OneDrive\onedrive.exe /reset (resets OneDrive without deleting local files).
Why Error 0x8004de40 Appears for New Employees
Error 0x8004de40 is an authentication failure that occurs during the OAuth token exchange between OneDrive and Microsoft 365. For new employees, the most common cause is a cached credential from a previous sign-in attempt that used an incorrect username, a personal Microsoft account, or an expired token. When OneDrive finds this stale credential in Windows Credential Manager, it tries to reuse it instead of requesting a fresh token from the organization’s Azure AD tenant. The server rejects the old token, and the error appears.
Another frequent cause is a network proxy or firewall that blocks the authentication endpoints. New employee laptops often inherit proxy settings from a corporate image that may not allow connections to login.microsoftonline.com or onedrive.live.com. If the proxy requires authentication, OneDrive may fail silently and return the 0x8004de40 error.
A third cause is a misconfigured tenant discovery URL. When a new employee’s device has previously joined a different Microsoft 365 tenant or used a personal account, the stored tenant ID conflicts with the current organization’s domain. OneDrive cannot resolve which tenant to authenticate against, and the sign-in fails.
Steps to Clear Stale Credentials and Reset OneDrive Authentication
Perform these steps in order. Do not skip any step. Each step removes a different layer of cached data that causes the error to return.
- Close OneDrive completely
Right-click the OneDrive cloud icon in the system tray and select Close OneDrive. If the icon does not appear, open Task Manager, find Microsoft OneDrive in the Processes list, select it, and click End Task.
- Remove cached credentials from Windows Credential Manager
Press Windows key + R, type control, and press Enter. Click User Accounts, then Credential Manager. Select Windows Credentials. Scroll to the Generic Credentials section. Look for entries that contain OneDrive Cached Credential or MicrosoftOffice16_Data:ADAL: followed by a GUID. Click the arrow to expand each entry, then click Remove. Confirm the deletion. Remove all entries that reference OneDrive, Office, or Microsoft ADAL tokens.
- Unlink the current PC from OneDrive
Open File Explorer and navigate to %localappdata%\Microsoft\OneDrive. Double-click OneDrive.exe to relaunch OneDrive. When the setup window appears, click Sign in. Enter the new employee’s work email address. If OneDrive prompts with “This account is already signed in on this PC,” click Unlink this PC. Then proceed with the fresh sign-in.
- Reset OneDrive using the command-line tool
Press Windows key + R, type cmd, then press Ctrl + Shift + Enter to open Command Prompt as Administrator. Type the following command and press Enter:
%localappdata%\Microsoft\OneDrive\onedrive.exe /reset
Wait for the command to finish. You will see no confirmation message. The OneDrive process stops automatically. After 30 seconds, launch OneDrive again from the Start menu. The setup window appears. Sign in with the new employee’s work email address.
- Verify proxy and firewall settings
Open Command Prompt as Administrator and run:
netsh winhttp show proxy
If a proxy server is listed, note its address. Open Internet Explorer or Edge, go to Settings > Network & Internet > Proxy. Under Manual proxy setup, ensure the proxy address matches the one from the command. If the proxy requires authentication, add the new employee’s domain credentials in the proxy settings. Test connectivity by opening a browser and navigating to https://login.microsoftonline.com. If the page loads, the proxy is not blocking authentication.
- Clear the Office 365 activation cache
Open Command Prompt as Administrator. Type cd %programfiles%\Microsoft Office\Office16 and press Enter. Then type ospp.vbs /dstatus and press Enter. Note the last five characters of the product key shown. Then type cscript ospp.vbs /unpkey:XXXXX, replacing XXXXX with the last five characters. Press Enter. This clears the Office activation token, which is sometimes shared with OneDrive authentication. Reopen OneDrive and sign in.
- Perform a clean reinstall of OneDrive
Open Settings > Apps > Installed apps. Find Microsoft OneDrive, click the three dots, and select Uninstall. Restart the computer. Download the latest OneDrive sync client from https://www.microsoft.com/en-us/microsoft-365/onedrive/download. Run the installer and sign in with the new employee’s work email address.
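Before deleting anything, it helps to record what is actually present on the machine. The following PowerShell script is an added example, not part of the original article: it is read-only and reports the credential entries, proxy settings, and endpoint reachability that the steps above check by hand. The function names are illustrative; the credential patterns and host names are the ones this article lists.

```powershell
# Read-only pre-flight for the steps above: nothing is deleted or changed.
# Patterns and host names are the ones this article names.
$credPatterns = 'OneDrive Cached Credential', 'MicrosoftOffice16_Data:ADAL:'
$endpoints    = 'login.microsoftonline.com', 'onedrive.live.com'

function Get-StaleCredentialTargets {
    # cmdkey /list prints one "Target: ..." line per stored credential and never
    # shows secrets. The label is localized, so match on the value, not the label.
    cmdkey /list |
        Where-Object { $line = $_; $credPatterns | Where-Object { $line -like "*$_*" } } |
        ForEach-Object { ($_ -replace '^\s*[^:]+:\s*', '').Trim() }
}

function Test-AuthEndpoint([string]$HostName) {
    # Goes through the user's proxy settings, like the browser test in the proxy step.
    try {
        $null = Invoke-WebRequest -Uri "https://$HostName" -UseBasicParsing -TimeoutSec 15
        'reachable'
    } catch {
        # Any HTTP status at all means the request got past the proxy or firewall.
        if ($_.Exception.Response) { 'reachable (HTTP error status)' }
        else { "blocked: $($_.Exception.Message)" }
    }
}

# Per-user proxy (Settings > Network & Internet > Proxy) lives under this key.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

[pscustomobject]@{
    StaleCredentials = @(Get-StaleCredentialTargets)
    WinHttpProxy     = (netsh winhttp show proxy | Out-String).Trim()
    UserProxyEnabled = [bool]$inet.ProxyEnable
    UserProxyServer  = $inet.ProxyServer
    Endpoints        = $endpoints | ForEach-Object { "$_ : $(Test-AuthEndpoint $_)" }
} | Format-List
```

Run it as the affected user rather than as an administrator account, because Credential Manager entries and the HKCU proxy settings are per-user.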
If the Error Returns After the Main Fix
OneDrive shows 0x8004de40 immediately after signing in
If the error appears right after a successful sign-in, the tenant discovery URL is incorrect. Open Registry Editor by pressing Windows key + R, typing regedit, and pressing Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1. Look for a string value named TenantId. Right-click it and select Modify. Replace the value with the tenant ID provided by your IT administrator. If the key does not exist, create a new String value named TenantId and set its value to the correct tenant GUID. Close Registry Editor and restart OneDrive.
Error 0x8004de40 appears on a domain-joined computer
Domain-joined computers often have Group Policy settings that override OneDrive authentication behavior. Open Command Prompt as Administrator and run gpresult /h gpresult.html. Open the generated HTML file and look for policies under Administrative Templates > Microsoft OneDrive. Check if the policy Silently sign in users to the OneDrive sync client with their Windows credentials is enabled. If it is enabled and the new employee’s Windows credentials do not match the Microsoft 365 account, disable the policy temporarily by contacting IT. After the policy is removed, restart OneDrive and sign in manually.
Error persists after reinstalling Office 365
A full Office 365 reinstall does not remove all authentication artifacts. Run the Microsoft Support and Recovery Assistant (SaRA) from https://aka.ms/SaRA. Select Office then I’m having trouble signing in to Office. Follow the on-screen prompts. SaRA detects and removes leftover token caches that manual steps miss. After SaRA completes, restart OneDrive and sign in.
Authentication Methods: Manual Sign-In vs Silent Sign-In for New Employees
| Item | Manual Sign-In | Silent Sign-In with Windows Credentials |
|---|---|---|
| Description | User types email and password or uses MFA prompt | OneDrive uses the Windows domain credentials to authenticate against Azure AD without user input |
| When error 0x8004de40 occurs | Usually due to cached credential conflict or wrong tenant ID | Usually due to mismatched Windows account and Microsoft 365 UPN or disabled Group Policy setting |
| Best for new employees | Works immediately after clearing credentials | Requires IT to pre-configure the tenant ID and enable the silent sign-in policy |
| Requires network access to | login.microsoftonline.com, onedrive.live.com | Same endpoints plus the organization’s AD FS server if used |
| Credential storage | OAuth token stored in Windows Credential Manager | Token derived from Kerberos or NTLM ticket, stored in LSA |
Next Steps for IT Administrators
After clearing the cached credentials and resetting OneDrive, new employees can sign in without the 0x8004de40 error. If the error returns after a system reboot, check the Windows Credential Manager again for entries that were recreated by another Microsoft 365 application. You can also pre-configure the tenant ID in the registry before the new employee logs in for the first time by deploying a Group Policy preference that sets HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1\TenantId to the correct GUID. This prevents the tenant discovery conflict entirely.
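The registry change described above can be scripted with validation so that a mistyped GUID is never written. This PowerShell function is an added example, not part of the original article: the function name is illustrative, the all-zero tenant GUID is a placeholder, and the key and value name are the ones this article gives.

```powershell
function Set-OneDriveTenantId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        # Key and value name as given in this article.
        [string]$Path = 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1'
    )
    # Refuse anything that does not parse as a GUID.
    $want = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$want)) {
        throw "Not a GUID, refusing to write: $TenantId"
    }

    $current = (Get-ItemProperty -Path $Path -Name TenantId -ErrorAction SilentlyContinue).TenantId

    # Compare as GUIDs so case and surrounding braces do not cause a false mismatch.
    $have = [guid]::Empty
    $state = if ($null -eq $current) { 'Missing' }
        elseif (-not [guid]::TryParse([string]$current, [ref]$have)) { 'Malformed' }
        elseif ($have -eq $want) { 'Match' }
        else { 'Mismatch' }

    if ($state -ne 'Match' -and
        $PSCmdlet.ShouldProcess("$Path\TenantId", "set to $want (was: $state)")) {
        if (-not (Test-Path $Path)) { $null = New-Item -Path $Path -Force }
        Set-ItemProperty -Path $Path -Name TenantId -Value $want.ToString() -Type String
    }

    # Return the previous value so the change can be logged or reverted.
    [pscustomobject]@{ Path = $Path; Previous = $current; State = $state }
}

# Placeholder GUID: replace with the tenant ID supplied by your IT administrator.
# -WhatIf reports what would change without writing; remove it to apply.
Set-OneDriveTenantId -TenantId '00000000-0000-0000-0000-000000000000' -WhatIf
```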