OneDrive for Business 0x8004de40 sign-in error troubleshooting for Conditional Access changes: keeps returning

The OneDrive sync client repeatedly shows error code 0x8004de40 during sign-in, even after you enter your credentials. This error indicates that the authentication token has been rejected, often because of a recent change to your organization’s Conditional Access policies. The client cannot refresh the token silently, so it fails every time you try to connect.

Common triggers include enabling multi-factor authentication, changing session timeout rules, or restricting device compliance requirements in the Microsoft Entra admin center. Once the policy update takes effect, existing tokens become invalid, and the sync client does not automatically request a new token in the correct way.

This article explains why the 0x8004de40 error reappears after Conditional Access changes and provides a set of troubleshooting steps to resolve it permanently.

Key Takeaways: Fix the 0x8004de40 Error After Conditional Access Policy Changes

  • Sign out of OneDrive and clear stored credentials from Credential Manager: Removes the invalid token that the sync client keeps retrying.
  • Run the Microsoft Support and Recovery Assistant (SaRA) for OneDrive: Automatically resets the authentication state and repairs broken registry keys.
  • Re-add the work or school account in Windows Settings > Access work or school: Forces a fresh device registration and token issuance compliant with your current Conditional Access policies.

Why the 0x8004de40 Error Occurs After Conditional Access Changes

Error 0x8004de40 is a token rejection error. The OneDrive sync client stores an authentication token issued by Microsoft Entra ID. When your IT admin modifies a Conditional Access policy — for example, requiring multi-factor authentication on every session or blocking non-compliant devices — the existing token no longer satisfies the new conditions. The sync client attempts to use the old token, receives a 0x8004de40 response, and does not automatically trigger a full reauthentication flow.

The error persists because Windows Credential Manager caches the rejected token. Each time OneDrive starts, it retrieves the same invalid token, fails, and shows the error again. The sync client also stores a local authentication state in its own settings database, which can become out of sync with the server-side token policy. Clearing both caches is required to force a fresh authentication cycle.

Another contributing factor is the device registration status. Conditional Access policies often check whether the device is joined to Microsoft Entra ID or marked as compliant. If the device registration token is stale or missing, the authentication request is blocked before it reaches OneDrive. Reconnecting the work or school account in Windows Settings renews this device-level token.

Steps to Resolve the 0x8004de40 Error That Keeps Returning

Perform these steps in the order listed. Do not skip any step, as each one removes a different layer of cached authentication data.

  1. Sign out of OneDrive completely
    Right-click the OneDrive cloud icon in the system tray and select Help & Settings > Sign out. If the icon is missing, open OneDrive from the Start menu, click the gear icon, and choose Sign out. Confirm that you want to unlink this PC.
  2. Clear stored credentials from Credential Manager
    Open Control Panel, go to User Accounts > Credential Manager. Select Windows Credentials. Scroll to the Generic Credentials section. Locate any entry that contains “OneDrive Cached Credential” or “MicrosoftOffice16_Data:ADAL:”. Click the arrow to expand each entry, then click Remove. Confirm the removal for every entry that references OneDrive, Office, or Microsoft ADAL tokens.
  3. Reset OneDrive sync by running the SaRA tool
    Download the Microsoft Support and Recovery Assistant from the Microsoft 365 admin center or directly from https://aka.ms/SaRA. Open the tool, select OneDrive for Business, then choose the scenario “I’m having problems with OneDrive sync.” Follow the on-screen prompts. SaRA will reset the sync client’s internal authentication state and repair any corrupted registry keys related to token storage.
  4. Disconnect and reconnect the work or school account in Windows Settings
    Open Settings > Accounts > Access work or school. Select your organization’s account and click Disconnect. Confirm the action. Wait 30 seconds, then click Connect and sign in with your work credentials. This step forces a fresh device registration and a new token that complies with the current Conditional Access policies.
  5. Restart OneDrive and sign in again
    Press Ctrl+Shift+Escape to open Task Manager. Find Microsoft OneDrive in the list, right-click it, and select End task. Open OneDrive from the Start menu. When prompted, sign in with your work or school account. Complete any multi-factor authentication challenge that appears. Verify that the sync icon in the system tray shows a solid cloud or a green check mark.
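The following PowerShell script is an added example for this article (not code from Microsoft or from the original page) that automates steps 2 and 5 of the procedure above: it enumerates the stored credentials with cmdkey, removes the entries whose names match the two patterns the article names, and then restarts the sync client. It assumes the "Target:" line layout that cmdkey /list prints and the two common OneDrive install paths; both are assumptions, so run it first with -WhatIf to review what would be removed.

```powershell
# Added example: clears cached OneDrive / Office ADAL credentials (step 2)
# and restarts the sync client (step 5). Run in the affected user's session.
# Assumption: cmdkey /list prints one "Target: <name>" line per credential.
$patterns = @('OneDrive Cached Credential', 'MicrosoftOffice16_Data:ADAL:')

function Get-OneDriveCredentialTargets {
    # Return the target names of stored credentials that match the article's patterns.
    $targets = @()
    foreach ($line in (& cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            foreach ($p in $patterns) {
                if ($target -like "*$p*") { $targets += $target; break }
            }
        }
    }
    return $targets
}

function Remove-OneDriveCredentials {
    param([switch]$WhatIf)
    $targets = Get-OneDriveCredentialTargets
    if (-not $targets) {
        Write-Host 'No cached OneDrive/Office ADAL credentials found.'
        return
    }
    foreach ($t in $targets) {
        if ($WhatIf) {
            Write-Host "Would remove: $t"
        } else {
            # Assumption: cmdkey accepts the full target name exactly as /list printed it.
            & cmdkey.exe "/delete:$t" | Out-Null
            Write-Host "Removed: $t"
        }
    }
}

function Restart-OneDriveClient {
    # Step 5: end the running sync client and relaunch it so it signs in afresh.
    Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force
    # Assumption: per-user install first, then the machine-wide install location.
    $candidates = @(
        (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'),
        (Join-Path $env:ProgramFiles 'Microsoft OneDrive\OneDrive.exe')
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($exe) {
        Start-Process $exe
    } else {
        Write-Warning 'OneDrive.exe not found; start OneDrive from the Start menu.'
    }
}

# Usage: review first, then apply and restart the client.
Remove-OneDriveCredentials -WhatIf
# Remove-OneDriveCredentials
# Restart-OneDriveClient
```

Removing the Office ADAL entries has the side effect the comparison table below notes: Office apps that share the same token are signed out as well, so expect a sign-in prompt in Word or Outlook afterwards.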

If OneDrive Still Shows Error 0x8004de40

OneDrive prompts for credentials but fails immediately

This usually means a Conditional Access policy requires a specific authentication method, such as the Microsoft Authenticator app or a FIDO2 security key. Open a web browser, go to https://myapps.microsoft.com, and sign in with your work account. Complete any additional verification steps that appear. After the browser session succeeds, return to OneDrive and try signing in again. The browser-based authentication refreshes the token cache that OneDrive uses.

Error 0x8004de40 appears only on one device

If other devices in your organization work correctly, the problem is likely a stale device registration on the affected machine. Open Settings > Accounts > Access work or school. If the account shows a status of “Connected” but the error persists, click Info and look for a “Device sync required” message. Click Sync to force a device compliance check. If the sync fails, disconnect and reconnect the account as described in step 4 of the main fix.

Conditional Access policy was recently changed but error still returns after sign-out

Some Conditional Access policies apply only to new authentication requests, not to existing sessions. Even after signing out of OneDrive, the Windows token broker may retain a cached primary refresh token. To force a full token refresh, run the following command in an elevated Command Prompt: dsregcmd /leave. This removes the device from Microsoft Entra ID. Restart the computer, then open Settings > Accounts > Access work or school and click Connect to rejoin the device. After rejoining, sign in to OneDrive again.
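Before removing the device with dsregcmd /leave, it is worth confirming that a primary refresh token really is still cached, and capturing the state so it can be compared after the rejoin. The script below is an added example written for this article (not Microsoft's own tooling); it parses the output of dsregcmd /status, which is a real command, and reads the AzureAdJoined, AzureAdPrt and AzureAdPrtUpdateTime fields that dsregcmd prints. The "Name : Value" line layout it relies on is an assumption about the output format.

```powershell
# Added example: inspect device registration and PRT state via dsregcmd /status.
# Assumption: dsregcmd prints each field as "Name : Value" on its own line.

function Get-DeviceRegistrationState {
    # Collect every "Name : Value" pair from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtCached {
    # Report whether the device is Entra-joined and whether a PRT is cached,
    # with the next action from the article's troubleshooting flow.
    param([hashtable]$State = (Get-DeviceRegistrationState))
    $joined = ($State['AzureAdJoined'] -eq 'YES')
    $prt    = ($State['AzureAdPrt']    -eq 'YES')

    if (-not $joined) {
        $next = 'Device is not joined: Settings > Accounts > Access work or school > Connect.'
    } elseif ($prt) {
        $next = 'A PRT is still cached; signing out of OneDrive alone will not discard it. ' +
                'If the error persists, rejoin the device (dsregcmd /leave, restart, Connect).'
    } else {
        $next = 'No PRT cached; the next sign-in will request a fresh token.'
    }

    [pscustomobject]@{
        AzureAdJoined  = $joined
        PrtCached      = $prt
        PrtUpdateTime  = $State['AzureAdPrtUpdateTime']
        NextStep       = $next
    }
}

# Usage: record the state before the rejoin, then run again afterwards and
# compare PrtUpdateTime; a newer timestamp confirms a freshly issued token.
$before = Test-PrtCached
$before | Format-List
```

Run the check from the signed-in user's session, since the PRT is issued per user; running it from a different account reports that account's token state, not the one OneDrive is using.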

OneDrive Sign-In Methods: Manual Credential Clear vs SaRA Reset vs Device Rejoin

Manual Credential Clear
  • Scope: Removes stored tokens in Credential Manager only
  • User interaction: Requires manual removal of each credential entry
  • Effect on other apps: May sign out Office apps that share the same token
  • Best for: Quick retry after a single policy change
  • Time to complete: 2 minutes

SaRA Reset
  • Scope: Resets OneDrive sync state, registry, and token cache
  • User interaction: Guided tool with automatic detection of issues
  • Effect on other apps: Affects only OneDrive and related Office sync components
  • Best for: Recurring errors that survive a manual clear
  • Time to complete: 10 minutes

Device Rejoin
  • Scope: Removes and re-registers the device in Microsoft Entra ID
  • User interaction: Requires admin rights and a system restart
  • Effect on other apps: Signs out all apps that use the device registration
  • Best for: Errors that persist after both manual and SaRA resets
  • Time to complete: 15 minutes including reboot

Error 0x8004de40 caused by Conditional Access changes is resolved once you clear the token cache, reset the sync client, and re-register the device. If the error returns after a future policy update, repeat only the Credential Manager and SaRA steps; a full device rejoin is rarely needed twice. To prevent recurrence, ask your IT admin to apply a grace period of 7 days when rolling out new Conditional Access policies so existing tokens are not invalidated immediately.
