OneDrive Admin Checklist: 0x8004de40 sign-in error keeps returning for device replacement

When you replace a user’s device and set up OneDrive, error 0x8004de40 appears during sign-in. The error message says the sign-in could not be completed, and it returns repeatedly even after clearing credentials. This error occurs because the device identity or authentication token cached in Windows Credential Manager conflicts with the Microsoft Entra ID device record. This article explains the root cause, provides a step-by-step checklist for administrators to resolve the error permanently, and covers related failures that may appear during device replacement.

Key Takeaways: Resolving OneDrive Error 0x8004de40 After Device Replacement

  • Microsoft Entra admin center > Devices > Device ID: Locate and delete the old device record tied to the replaced machine to break the stale authentication link.
  • Windows Credential Manager > Windows Credentials: Remove all cached entries containing MicrosoftOffice16_Data:ADAL or OneDrive Cached Credentials to clear corrupted tokens.
  • OneDrive Settings > Account > Unlink this PC: Unlink and re-link OneDrive on the new device to force a fresh token acquisition from Microsoft Entra ID.


Why Error 0x8004de40 Returns After Device Replacement

Error 0x8004de40 is a sign-in failure that originates from a mismatch between the device identity stored in Microsoft Entra ID and the device identity presented by the new computer. When a user replaces a device, the old hardware is decommissioned but its device registration remains in Microsoft Entra ID. OneDrive and Microsoft 365 apps rely on device-based Conditional Access policies and primary refresh tokens. If the old device record is not removed, the authentication service sees the new device as unauthorized because the token was issued to the old device ID.

The error persists because Windows Credential Manager on the new device may still hold cached tokens from a previous attempt, or the new device was inadvertently joined to Microsoft Entra ID with a duplicate name. In some cases, the user profile was migrated from the old device, carrying over corrupted token caches. The error returns each time OneDrive tries to refresh the token because the stale device record is still present in the tenant.

How Device Identity Affects OneDrive Authentication

Microsoft Entra ID maintains a list of devices that are registered or joined to the tenant. Each device has a unique Device ID. When a user signs in to OneDrive on a new device, OneDrive requests a Primary Refresh Token that is bound to that device. If the old device record still exists, the token request may be matched to the wrong device ID, causing the sign-in to fail with error 0x8004de40. This is especially common when the new device has the same hostname as the old device or when the user profile was restored from a backup.

Administrator Checklist to Permanently Fix Error 0x8004de40

Follow these steps in order. Each step targets a specific layer of the authentication chain. Skipping steps may leave stale records that cause the error to return.

  1. Delete the old device record from Microsoft Entra ID
    Go to the Microsoft Entra admin center at entra.microsoft.com. Select Identity > Devices > All devices. Locate the old device by hostname or User Principal Name. Select the device, click Delete, and confirm. This removes the stale device identity that conflicts with the new device.
  2. Clear Windows Credential Manager on the new device
    On the user’s new computer, open Control Panel > User Accounts > Credential Manager. Click Windows Credentials. Scroll to the Generic Credentials section. Remove all entries that contain MicrosoftOffice16_Data:ADAL or OneDrive Cached Credentials. Also remove any entry with the old device hostname. Restart the computer after clearing credentials.
  3. Unlink and re-link OneDrive on the new device
    Right-click the OneDrive cloud icon in the system tray. Select Settings > Account. Click Unlink this PC. Confirm the action. After unlinking, sign in again with the user’s work or school account. OneDrive will request a new token bound to the new device record.
  4. Verify Conditional Access policies that require compliant devices
    In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies. Review any policy that targets All cloud apps or Office 365 and requires device compliance. If the new device is not enrolled in Microsoft Intune or not marked compliant, the sign-in will fail. Ensure the new device is enrolled and marked compliant before the user attempts to sign in to OneDrive.
  5. Force a device re-registration if the new device was joined with a duplicate name
    If the new device has the same hostname as the old device, open an elevated PowerShell prompt and run dsregcmd /leave. Wait 30 seconds, then run dsregcmd /join. This re-registers the device with Microsoft Entra ID and generates a new Device ID. After the command completes, restart the computer and sign in to OneDrive again.
  6. Reset OneDrive sync if the error persists after sign-in
    Open a Run dialog with Win + R. Type %localappdata%\Microsoft\OneDrive\onedrive.exe /reset and press Enter. Wait for OneDrive to restart. This clears the local sync database without removing files. After reset, sign in again.
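
An audit-only way to check the first two checklist layers before changing anything, added here as an example and not part of the original article: it parses `dsregcmd /status` and `cmdkey /list` output and compares the local Device ID with the tenant's device records. The function names, hostname, Device IDs and credential targets are constructed samples, and the `Get-MgDevice` mention assumes the Microsoft Graph PowerShell module is installed.

```powershell
# Added example, audit-only: it reports what to clean up and deletes nothing.
function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Find-StaleDeviceRecord {
    # Tenant records with this hostname whose Device ID is not the local one.
    param([string]$HostName, [string]$LocalDeviceId, [object[]]$TenantDevices)
    $TenantDevices | Where-Object {
        $_.DisplayName -eq $HostName -and $_.DeviceId -ne $LocalDeviceId
    }
}

function Select-CachedTokenTarget {
    # Credential Manager targets from `cmdkey /list` that match the step 2 entries.
    param([string[]]$CmdkeyLines)
    $CmdkeyLines |
        Where-Object { $_ -match '^\s*Target:.*(MicrosoftOffice16_Data:ADAL|OneDrive Cached Credential)' } |
        ForEach-Object { ($_ -replace '^\s*Target:\s*', '').Trim() }
}

# Constructed sample inputs. On a real device use: dsregcmd /status, cmdkey /list,
# $env:COMPUTERNAME, and a device export from the Entra admin center or Get-MgDevice.
$dsreg = @(
    '             AzureAdJoined : YES'
    '                  DeviceId : 00000000-0000-4000-8000-00000000000b'
    '                AzureAdPrt : NO'
)
$tenant = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-EXAMPLE'; DeviceId = '00000000-0000-4000-8000-00000000000a'; ApproximateLastSignInDateTime = '2024-01-10' }
    [pscustomobject]@{ DisplayName = 'LAPTOP-EXAMPLE'; DeviceId = '00000000-0000-4000-8000-00000000000b'; ApproximateLastSignInDateTime = '2024-06-02' }
)
$cmdkey = @(
    '    Target: LegacyGeneric:target=MicrosoftOffice16_Data:ADAL:constructed-sample'
    '    Type: Generic'
    '    Target: LegacyGeneric:target=OneDrive Cached Credential'
    '    Target: Domain:target=fileserver.example'
)

$device = ConvertFrom-DsregStatus -Lines $dsreg
"Joined=$($device.AzureAdJoined)  PRT=$($device.AzureAdPrt)  DeviceId=$($device.DeviceId)"
'Stale device records to delete in Entra ID (step 1):'
Find-StaleDeviceRecord -HostName 'LAPTOP-EXAMPLE' -LocalDeviceId $device.DeviceId -TenantDevices $tenant
'Cached credential entries to remove (step 2):'
Select-CachedTokenTarget -CmdkeyLines $cmdkey
```

With the sample data, the record ending in `...0a` is reported as stale because it shares the hostname but not the local Device ID, and the two Office and OneDrive targets are listed while the file server credential is left alone.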


If OneDrive Error 0x8004de40 Still Returns After the Checklist

User sees error 0x8004de40 when signing into Office apps, not just OneDrive

The same stale device record affects all Microsoft 365 apps that use device-based authentication. Follow the checklist above, but also clear the Office activation state. Open any Office app, go to File > Account, and click Sign out under User Information. Close all Office apps, clear the Credential Manager entries again, and sign in from any Office app. This forces a full re-activation.

Error 0x8004de40 appears after a user profile migration

If the user profile was migrated from the old device using Windows Easy Transfer or a third-party tool, the Credential Manager vault may contain tokens tied to the old device. Delete the user’s profile on the new device and create a fresh profile. Then rejoin the device to Microsoft Entra ID using dsregcmd /leave and dsregcmd /join. This is the most thorough fix for migration scenarios.

Device shows as duplicate in Microsoft Entra ID after re-registration

If the new device appears twice in the All devices list, delete both entries. Run dsregcmd /leave on the device, restart, then run dsregcmd /join. The device will register with a single new Device ID. Then delete any remaining stale entries from the admin center.

Old Device Record vs New Device Record: Key Differences

| Item | Old Device Record (Stale) | New Device Record (Active) |
|---|---|---|
| Device ID | Assigned to the replaced hardware | Assigned to the current computer |
| Join type | Microsoft Entra joined or registered | Microsoft Entra joined or registered |
| Compliance status | Unknown or expired | Evaluated by Intune |
| Primary Refresh Token | Bound to old Device ID | Bound to new Device ID |
| OneDrive authentication | Fails with 0x8004de40 | Succeeds with fresh token |

After completing the checklist, the user can sign in to OneDrive on the replacement device without error 0x8004de40. The key action is deleting the old device record from Microsoft Entra ID before the user attempts to sign in. As an advanced step, enable automatic device cleanup in Microsoft Entra ID using the Devices > Device Settings blade to set a stale device grace period of 30 days. This prevents similar errors during future device replacements.
