When a user resets their Microsoft 365 password and connects through a VPN, OneDrive may fail to sign in with error code 0x8004de40. This error indicates that OneDrive cannot refresh its authentication tokens because the VPN is blocking traffic to the Microsoft identity platform endpoints. The error often appears immediately after a password change, even if the VPN was working before the reset. This article explains the root cause, provides a step-by-step checklist for administrators to resolve the issue, and lists related failure patterns to watch for.
Key Takeaways: Fixing 0x8004de40 After Password Reset on VPN
- VPN split tunneling configuration: Route login.microsoftonline.com and graph.microsoft.com outside the VPN tunnel to allow token refresh.
- Windows Credential Manager > Windows Credentials > OneDrive Cached Credentials: Remove stale tokens after password reset to force a fresh authentication request.
- OneDrive Settings > Account > Unlink This PC: Forces a full re-authentication and re-creates the credential cache.
Why 0x8004de40 Occurs After a Password Reset on VPN
Error 0x8004de40 is a token refresh failure. When a user changes their Microsoft 365 password, OneDrive must request a new access token from the Microsoft identity platform. The VPN connection intercepts that request if the VPN policy routes all traffic through the corporate gateway. Many VPNs block or degrade traffic to non-corporate endpoints, including login.microsoftonline.com and graph.microsoft.com. The token refresh times out, and OneDrive shows the sign-in error.
The error is not caused by an incorrect password. The password reset itself succeeds. The failure happens because OneDrive still holds a cached token that is now invalid after the password change, and the VPN prevents OneDrive from contacting the authentication server to get a new token.
The Role of Cached Credentials
Windows stores OneDrive authentication tokens in Credential Manager under Windows Credentials. When a user changes their password, the existing token becomes invalid. OneDrive tries to refresh it automatically. If the VPN blocks the refresh endpoint, the refresh fails with 0x8004de40. The cached credential is not cleared automatically in this scenario, so the error persists until the credential is removed or the VPN configuration is adjusted.
VPN Traffic Routing
Most corporate VPNs use a force-tunnel configuration where all internet traffic goes through the VPN gateway. This setup can break Microsoft 365 authentication because the gateway may not route traffic to Microsoft endpoints correctly. Split tunneling, which routes Microsoft 365 traffic outside the VPN, prevents this issue. After a password reset, the need for a fresh token makes the routing problem visible immediately.
Checklist for Administrators to Resolve 0x8004de40
Step 1: Remove Stored OneDrive Credentials
- Open Credential Manager
On the affected user’s Windows device, open Control Panel and select Credential Manager. Switch to Windows Credentials.
- Locate OneDrive entries
Look for entries that contain “OneDrive Cached Credential” or “MicrosoftOffice16_Data:ADAL:”. These are the tokens that need to be removed.
- Remove each entry
Click the arrow to expand the entry, then select Remove. Confirm the deletion. Repeat for all OneDrive-related credentials.
- Restart OneDrive
Close OneDrive from the system tray. Open File Explorer and navigate to %localappdata%\Microsoft\OneDrive\OneDrive.exe. Run the executable. OneDrive will prompt for sign-in.
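The same cleanup can be scripted for a helpdesk run. This is an added example, not code from the original article; it assumes the two credential name patterns listed above and that it runs in the affected user's own session, because cmdkey only sees that user's vault.

```powershell
# Added example (not from the original article): remove stale OneDrive tokens
# from Windows Credential Manager (Step 1) and restart OneDrive.
$Patterns = @('OneDrive Cached Credential', 'MicrosoftOffice16_Data:ADAL:')
$DryRun   = $false   # set to $true to list matching entries without deleting them

# cmdkey /list prints one "Target: <name>" line per stored credential.
$targets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
}

# Build one regex from the patterns so each target is tested once.
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$stale = @($targets | Where-Object { $_ -match $regex })

if ($stale.Count -eq 0) {
    Write-Host 'No OneDrive credentials found; nothing to remove.'
}

foreach ($target in $stale) {
    if ($DryRun) { Write-Host "Would remove: $target"; continue }
    # Pass the target exactly as cmdkey listed it (e.g. LegacyGeneric:target=...).
    cmdkey /delete:"$target" | Out-Null
    Write-Host "Removed: $target"
}

if (-not $DryRun) {
    # Restart OneDrive so it prompts for a fresh sign-in instead of reusing the cache.
    Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force
    $exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
    if (Test-Path $exe) { Start-Process -FilePath $exe }
    else { Write-Warning "OneDrive.exe not found at $exe" }
}
```

Run it once with `$DryRun = $true` to confirm only OneDrive entries match before deleting anything.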
Step 2: Configure VPN Split Tunneling
- Identify Microsoft 365 endpoints
Microsoft publishes a list of URLs and IP ranges for Microsoft 365. The critical endpoints for authentication are login.microsoftonline.com, graph.microsoft.com, and outlook.office365.com. Include all subdomains of these domains.
- Edit VPN policy
In your VPN management console, create a split tunneling rule that routes traffic to the identified Microsoft 365 endpoints outside the VPN tunnel. The exact steps depend on your VPN provider. For Windows VPN, use the Set-VpnConnection PowerShell cmdlet with the -SplitTunneling parameter.
- Test the configuration
After applying the policy, ask the user to disconnect and reconnect the VPN. Then sign in to OneDrive. The token refresh should now complete without error.
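For the built-in Windows VPN client, the change looks like the following. This is an added example, not from the original article. Note that the Windows client cannot route by host name: enabling split tunneling sends only the prefixes added with Add-VpnConnectionRoute through the tunnel, so the Microsoft 365 endpoints reach the internet directly by default. The connection name and corporate prefixes are placeholders.

```powershell
# Added example (not from the original article): switch a Windows VPN profile
# from force tunnel to split tunnel and keep corporate networks inside it.
$Connection   = 'Corp VPN'                       # placeholder profile name
$CorpPrefixes = @('10.0.0.0/8', '172.16.0.0/12') # placeholders; use your own ranges

$vpn = Get-VpnConnection -Name $Connection -ErrorAction Stop
Write-Host "Before: SplitTunneling=$($vpn.SplitTunneling)"

# Force tunnel -> split tunnel. Traffic not matched by an explicit route
# (including login.microsoftonline.com) now bypasses the VPN gateway.
Set-VpnConnection -Name $Connection -SplitTunneling $true -PassThru | Out-Null

# Add the corporate prefixes so internal resources still traverse the tunnel.
foreach ($prefix in $CorpPrefixes) {
    $existing = Get-VpnConnectionRoute -ConnectionName $Connection -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $Connection -DestinationPrefix $prefix
        Write-Host "Added route: $prefix"
    }
}

# Read the profile back for the change record; the user must reconnect
# before the new routing takes effect.
$vpn = Get-VpnConnection -Name $Connection
[pscustomobject]@{
    Name           = $vpn.Name
    SplitTunneling = $vpn.SplitTunneling
    TunnelRoutes   = (Get-VpnConnectionRoute -ConnectionName $Connection).DestinationPrefix -join ', '
} | Format-List
```

Profiles deployed for all users need `-AllUserConnection` on each of these cmdlets and an elevated session.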
Step 3: Unlink and Re-link OneDrive
- Unlink OneDrive
Right-click the OneDrive cloud icon in the system tray. Select Settings. Go to the Account tab and click Unlink This PC. Confirm the action.
- Clear remaining cached data
Open File Explorer and delete the contents of %localappdata%\Microsoft\OneDrive\settings. This removes any leftover configuration files.
- Re-link OneDrive
Open OneDrive again. Sign in with the user’s new password. OneDrive will create fresh credentials and sync should start normally.
Step 4: Verify Network Connectivity to Microsoft Endpoints
- Test endpoint reachability
From the user’s device while connected to VPN, open a command prompt and run: nslookup login.microsoftonline.com. A successful response shows an IP address. If the lookup fails or times out, the VPN is blocking DNS resolution.
- Check firewall rules
Ensure that outbound HTTPS traffic to Microsoft 365 endpoints is allowed. The VPN firewall may block ports 443 or 80 for traffic that does not match corporate IP ranges.
- Test without VPN
Have the user disconnect the VPN temporarily and try signing in to OneDrive. If the error disappears, the VPN configuration is the root cause.
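The three checks above can be run together while the VPN is connected. This is an added example, not from the original article: for each endpoint it records whether DNS resolves, which interface Windows would use to reach the resolved address (so you can see whether it is being force-tunnelled), and whether TCP 443 answers. The VPN interface alias is an assumption.

```powershell
# Added example (not from the original article): verify reachability of the
# Microsoft 365 authentication endpoints from a VPN-connected device.
$Endpoints         = @('login.microsoftonline.com', 'graph.microsoft.com', 'outlook.office365.com')
$VpnInterfaceAlias = 'Corp VPN'   # assumption: alias of the VPN adapter on this device

$results = foreach ($name in $Endpoints) {
    # DNS: a failure here matches the nslookup symptom described above.
    $dns = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $dns) {
        [pscustomobject]@{ Endpoint=$name; Resolved=$false; IPAddress=$null;
                           Interface=$null; ViaVpn=$null; Tcp443=$false }
        continue
    }
    # Routing: Find-NetRoute returns the source address and the matching route;
    # only the route object carries DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $dns.IPAddress |
             Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    # Transport: does HTTPS actually get through on the chosen path?
    $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint  = $name
        Resolved  = $true
        IPAddress = $dns.IPAddress
        Interface = $route.InterfaceAlias
        ViaVpn    = ($route.InterfaceAlias -eq $VpnInterfaceAlias)
        Tcp443    = $tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) {
    Write-Warning ("No HTTPS path to: " + ($blocked.Endpoint -join ', ') + ". Check VPN routing and firewall rules.")
}
```

An endpoint that resolves, shows `ViaVpn = True` and fails `Tcp443` is the signature of the force-tunnel problem; the same endpoint passing with the VPN disconnected confirms it.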
If OneDrive Still Shows 0x8004de40 After the Main Fix
OneDrive Shows Error Immediately After Password Reset, Even Without VPN
If the error occurs without a VPN connection, the issue is likely a corrupted credential cache or a time mismatch. Check that the system clock is synchronized with an internet time server. Open Settings > Time & Language > Date & Time and enable Set time automatically. Then remove the OneDrive credentials from Credential Manager as described in Step 1.
OneDrive Shows Error on Multiple Devices After a Single Password Reset
This pattern indicates that the user changed their password and then tried to sign in on multiple devices before the token cache cleared. On each device, remove the OneDrive credentials and unlink the account. The user must sign in fresh on each device. There is no tenant-wide setting that clears all tokens at once.
OneDrive Shows Error Only When Using a Specific VPN Profile
If the error appears with one VPN profile but not another, compare the split tunneling settings between the profiles. The problematic profile likely uses force-tunnel routing. Duplicate the working profile’s split tunneling rules to the broken profile, or switch the user to the working profile.
VPN Split Tunneling vs Force Tunnel for OneDrive Authentication
| Item | Split Tunneling | Force Tunnel |
|---|---|---|
| Traffic routing | Microsoft 365 traffic goes directly to the internet | All traffic goes through the VPN gateway |
| Token refresh after password reset | Works without error | Fails with 0x8004de40 if endpoints are blocked |
| VPN security risk | Slightly higher because some traffic bypasses the gateway | Lower because all traffic is inspected |
| Administrator effort | Requires endpoint list maintenance | No endpoint configuration needed |
| OneDrive sync performance | Faster because traffic avoids VPN latency | Slower due to additional routing hop |
After following the checklist, the user should be able to sign in to OneDrive without error 0x8004de40. The key actions are clearing the stale credential cache and configuring split tunneling for Microsoft 365 endpoints. For ongoing management, monitor the Microsoft 365 endpoint list for changes and update your VPN policy quarterly. As an advanced tip, use the Get-VpnConnection PowerShell cmdlet to audit all VPN profiles for split tunneling settings across your organization.