Users in your tenant see the 0x8004de40 sign-in error repeatedly, even though you have made changes to Conditional Access policies. This error indicates that OneDrive cannot refresh the user’s authentication token, usually because a Conditional Access policy blocks the token renewal flow. The error reappears because the policy change did not apply to the background token refresh request that OneDrive uses. This article provides a structured checklist for administrators to diagnose why the error persists and apply the correct fix.
Key Takeaways: 0x8004de40 error persists after Conditional Access changes
- Azure AD > Conditional Access > Policies: Verify that the policy includes the Office 365 Exchange Online cloud app, not just OneDrive, because the token refresh uses Exchange Online.
- Azure AD > Conditional Access > Grant > Require compliant device: Check that the policy does not block device code grant flow, which OneDrive uses for silent token refresh.
- OneDrive > Settings > Account > Reset: Clear the cached token on the client machine after updating the Conditional Access policy to force a fresh authentication.
Why the 0x8004de40 Error Returns After Conditional Access Changes
The 0x8004de40 error is a token refresh failure. OneDrive for Business uses a background process to silently refresh the user’s authentication token every hour. When a Conditional Access policy is modified, the new policy may block this silent refresh request. The error reappears because the user’s cached token remains valid until it expires, but the refresh request fails each time it tries to renew.
Two specific scenarios cause the error to persist:
Conditional Access policy targets the wrong cloud app
OneDrive’s token refresh request is sent to the Office 365 Exchange Online resource, not the OneDrive resource. If your Conditional Access policy targets only the OneDrive cloud app, the token refresh request bypasses the policy entirely. The policy never evaluates the request, and the refresh fails because the request lacks the required claims.
Device code grant flow is blocked
OneDrive uses the device code grant flow for silent token renewal. If a Conditional Access policy requires a compliant device or multi-factor authentication and the grant flow is not allowed, the token refresh request is denied. The error 0x8004de40 appears even though the user signed in successfully earlier.
Admin Checklist to Resolve 0x8004de40 Error
Follow this checklist in order. Test the fix after each step to identify the exact cause.
- Step 1: Identify the Conditional Access policy that applies to OneDrive
Sign in to the Azure portal at portal.azure.com. Go to Azure Active Directory > Security > Conditional Access > Policies. Look for any policy with a status of On or Report-only that includes the Office 365 Exchange Online cloud app or the All cloud apps option. Policies that target only OneDrive will not affect the token refresh flow.
- Step 2: Verify the cloud app assignment includes Exchange Online
Open the policy. Under Cloud apps or actions, check the Include tab. If the policy includes Select apps, confirm that Office 365 Exchange Online is listed. If it is missing, add it. If the policy uses All cloud apps, no change is needed here.
- Step 3: Check the Grant settings for device code grant flow
In the same policy, go to Grant. If the policy uses Require multi-factor authentication or Require device to be marked as compliant, the device code grant flow may be blocked. To confirm, go to Azure Active Directory > Conditional Access > Policy settings > Grant > For multiple controls. If Require all the selected controls is selected, the device code grant flow will fail. Change it to Require one of the selected controls only if your security requirements allow it. Alternatively, add a session control that allows device code grant.
- Step 4: Exclude the OneDrive desktop client from the policy
If you cannot change the Grant settings, add an exclusion. Go to the Cloud apps or actions > Exclude tab and add OneDrive Sync Engine as a client app. This exclusion allows the token refresh request from the OneDrive desktop client to bypass the Conditional Access policy while still protecting browser-based access.
- Step 5: Apply the policy changes and wait 30 minutes
Conditional Access policies take up to 30 minutes to propagate across Microsoft 365. Do not test immediately. Wait 30 minutes after saving the policy changes.
- Step 6: Clear the cached token on the affected client machine
On the user’s machine, open OneDrive. Go to OneDrive settings > Account. Click Unlink this PC. Confirm the unlinking. Restart OneDrive. Sign in again with the user’s work or school account. This forces a fresh authentication that uses the updated Conditional Access policy.
- Step 7: Test the fix
Open a file from OneDrive File Explorer. If the error does not appear, the fix is complete. If the error returns, proceed to the next section.
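The Step 2 and Step 3 checks can be run against policy JSON exported from Microsoft Graph (GET /identity/conditionalAccess/policies) instead of clicking through each policy in the portal. The script below is an added example, not part of this article or any Microsoft tooling; it assumes the well-known first-party app IDs for Office 365 Exchange Online and Office 365 SharePoint Online (OneDrive), and the three sample policies are constructed.

```python
# Well-known first-party application IDs as they appear in Graph CA policy JSON.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online (OneDrive)
ACTIVE_STATES = {"enabled", "enabledForReportingButNotEnforced"}   # portal: On / Report-only

# Constructed sample policies in the shape returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_POLICIES = [
    {"displayName": "OneDrive only - MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [SHAREPOINT_ONLINE_APP_ID],
                                     "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "All apps - MFA and compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Old policy (off)", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
]


def audit_policies(policies):
    """Return (policy name, finding) pairs for the two misconfigurations in the checklist."""
    findings = []
    for policy in policies:
        if policy.get("state") not in ACTIVE_STATES:
            continue                                   # Off policies never evaluate the refresh
        apps = policy.get("conditions", {}).get("applications", {})
        include = set(apps.get("includeApplications", []))
        grant = policy.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        # Step 2: the refresh is evaluated only if Exchange Online (or All cloud apps) is in scope.
        covers_refresh = "All" in include or EXCHANGE_ONLINE_APP_ID in include
        if SHAREPOINT_ONLINE_APP_ID in include and not covers_refresh:
            findings.append((policy["displayName"],
                             "scope: targets OneDrive only, token refresh to Exchange Online is not evaluated"))
        # Step 3: "Require all the selected controls" with more than one control blocks device code grant.
        if covers_refresh and grant.get("operator") == "AND" and len(controls) > 1:
            findings.append((policy["displayName"],
                             "grant: requires all selected controls, device code grant flow will fail"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```

Feed it the JSON array from the Graph call (for example via Invoke-MgGraphRequest or a Graph Explorer export) to list every On or Report-only policy that needs a Step 2 or Step 3 change.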
If the Error Still Appears After the Checklist
OneDrive shows 0x8004de40 error on only one machine
If the error persists on a single machine but not on others, the issue is likely a stale token cache or corrupted OneDrive state. Run the OneDrive sync reset command. Close OneDrive. Press Windows key + R, type %localappdata%\Microsoft\OneDrive\onedrive.exe /reset, and press Enter. Wait 60 seconds. Open OneDrive again and sign in.
0x8004de40 error occurs after a password change
When a user changes their password, the cached token becomes invalid. Conditional Access policies that require multi-factor authentication may still block the refresh if the device code grant flow is not allowed. Have the user unlink and relink OneDrive as described in Step 6. If the error returns within 24 hours, check the Azure AD sign-in logs for the token refresh request.
Sign-in logs show Token Issuance error
Go to Azure AD > Sign-ins > User sign-ins. Filter by the affected user and the Failure status. Look for error code AADSTS50076 or AADSTS53003. These codes indicate that the device code grant flow was blocked. Add the OneDrive Sync Engine exclusion as described in Step 4.
Conditional Access Policy Settings That Affect OneDrive Token Refresh
| Setting | Effect on OneDrive | Recommended Value |
|---|---|---|
| Cloud app assignment | Determines which apps the policy applies to | Include Office 365 Exchange Online or All cloud apps |
| Grant > Require MFA | Blocks device code grant flow if not allowed | Use Require one of the selected controls or exclude OneDrive Sync Engine |
| Grant > Require compliant device | Blocks token refresh from non-compliant devices | Exclude OneDrive Sync Engine client app |
| Client apps > Modern authentication clients | Controls which authentication flows are allowed | Ensure Device code flow is not explicitly blocked |
| Session controls > Use app enforced restrictions | Does not affect token refresh | No change needed |
The most common misconfiguration is targeting only the OneDrive cloud app. Always include Office 365 Exchange Online in the policy scope. The second most common issue is requiring all selected controls, which blocks the device code grant flow. Excluding the OneDrive Sync Engine client app resolves this without weakening security for browser access.
The checklist covers the root causes of the 0x8004de40 error returning after Conditional Access changes. You can now verify the cloud app assignment, adjust the Grant settings, and clear the cached token on the client machine. Next, review your Conditional Access policies for other client apps that use device code grant flow, such as Microsoft Teams. For a permanent setup, create a separate Conditional Access policy for the OneDrive Sync Engine client app with relaxed grant requirements while keeping strict policies for browser-based access.