Help desk teams often see the 0x8004de40 sign-in error in OneDrive after a user attempts to connect their work or school account. The error appears as a pop-up that says “Something went wrong” or “Your credentials are invalid,” even when the password was just reset. This error occurs because OneDrive cannot verify the user’s identity with Microsoft 365, usually due to a broken token cache, an expired web session, or a misconfigured conditional access policy. This article provides a checklist-style guide for IT administrators to diagnose and resolve the 0x8004de40 error across multiple machines without relying on end-user guesswork.
Key Takeaways: Diagnosing 0x8004de40 with Admin Tools
- OneDrive Settings > Account > Unlink this PC: Forces a fresh token acquisition and clears cached credentials tied to the error.
- Credential Manager > Windows Credentials > Generic Credentials: Delete all entries containing “MicrosoftOffice16” and “OneDrive C2C” to remove stale tokens.
- Azure AD admin center > Conditional Access > Policies: Review and adjust device compliance or session timeout policies that block OneDrive token refresh.
Why the 0x8004de40 Error Occurs in OneDrive
The 0x8004de40 error is a token validation failure. When a user signs in to OneDrive, the client requests an access token from Azure Active Directory. If Azure AD rejects the token because it is expired, malformed, or associated with a blocked session, OneDrive returns error code 0x8004de40. This is not a network connectivity issue or a file corruption problem. The root cause is almost always on the authentication side.
Common triggers include password changes that invalidate existing tokens, conditional access policies that require multi-factor authentication or device compliance, and cached credentials that reference an old user principal name. Help desk teams should treat this error as a sign that the local credential cache and the Azure AD token store are out of sync. Resolving it requires clearing both the local cache and re-establishing a fresh authentication flow.
Admin Checklist to Fix 0x8004de40 on User Machines
Use the following steps in order. Each step addresses a specific layer of the authentication stack. Do not skip steps unless you have confirmed the earlier step did not apply.
- Unlink and re-link the OneDrive account
Open OneDrive settings by right-clicking the cloud icon in the system tray and selecting Settings. Go to the Account tab and click Unlink this PC. Confirm the action. Restart OneDrive. When prompted, sign in again with the user’s work or school account. This clears the local token cache and triggers a fresh authentication request to Azure AD.
- Delete stale credentials from Windows Credential Manager
Open Control Panel and go to User Accounts > Credential Manager. Click Windows Credentials. Scroll to the Generic Credentials section. Delete all entries that contain “MicrosoftOffice16”, “OneDrive C2C”, or “Microsoft”. Do not delete credentials that reference network shares or VPNs. After deletion, restart File Explorer or log off and back on. OneDrive will prompt for sign-in again.
- Clear the Office activation cache
Press Win+R, type %localappdata%\Microsoft\Office\16.0\Licensing, and press Enter. Delete all folders inside the Licensing directory. This removes cached Office license tokens that can interfere with OneDrive authentication. Open any Office app like Word. It will reactivate. Then restart OneDrive.
- Run the Microsoft Support and Recovery Assistant
Download and run the Microsoft Support and Recovery Assistant tool from the Microsoft 365 admin center. Select the OneDrive for Business scenario. The tool automates credential clearing, registry fix scanning, and service status checks. It generates a log file that you can review to confirm what it changed.
- Reset OneDrive if the error persists
Open a command prompt as administrator. Run %localappdata%\Microsoft\OneDrive\onedrive.exe /reset. Wait for OneDrive to restart automatically. If it does not restart, run %localappdata%\Microsoft\OneDrive\onedrive.exe from the same prompt. This performs a deeper reset of the sync engine and removes all cached configuration files.
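The credential-clearing step from the checklist, scripted as an added example (not from the original article or from Microsoft). It assumes English-language cmdkey output and must run in the affected user's own session, because cmdkey only sees the vault of the account that invokes it; the function name is hypothetical, and the default patterns leave out the broad “Microsoft” match so unrelated entries are not swept up.

```powershell
# Added example: delete only the stale Office/OneDrive generic credentials named in the checklist.
# Assumptions: cmdkey prints English "Target:" / "Type:" labels; the script runs as the affected user.
function Remove-StaleOfficeCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Substrings taken from the checklist; pass your own list to widen or narrow the match
        [string[]]$Pattern = @('MicrosoftOffice16', 'OneDrive C2C')
    )

    $target = $null
    foreach ($line in (cmdkey.exe /list)) {
        # Each stored entry is listed as a "Target:" line followed by a "Type:" line
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            continue
        }
        if ($line -match '^\s*Type:\s*(.+?)\s*$' -and $target) {
            $type    = $Matches[1]
            $current = $target
            $target  = $null

            # Leave domain, network-share and VPN style entries untouched
            if ($type -ne 'Generic') { continue }

            $hit = $Pattern | Where-Object { $current -like "*$_*" } | Select-Object -First 1
            if (-not $hit) { continue }

            if ($PSCmdlet.ShouldProcess($current, 'Delete stored credential')) {
                cmdkey.exe "/delete:$current" | Out-Null
                # Emit a record so the help desk has an audit trail of what was removed
                [pscustomobject]@{
                    Target    = $current
                    MatchedOn = $hit
                    Removed   = ($LASTEXITCODE -eq 0)
                }
            }
        }
    }
}

# Dry run first: shows what would be deleted without changing the vault
Remove-StaleOfficeCredential -WhatIf
```

Review the -WhatIf output before running the function without the switch.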
If OneDrive Still Shows 0x8004de40 After the Main Fix
When the error returns after following the checklist, the problem is likely on the Azure AD tenant side. The following sub-sections cover the most common server-side causes and their fixes.
Conditional access policy blocks token refresh
Sign in to the Azure AD admin center. Go to Security > Conditional Access > Policies. Look for any policy that applies to the user’s group and targets the Office 365 or OneDrive cloud app. Check if the policy requires device compliance, multi-factor authentication, or a session sign-in frequency shorter than the default. If the policy requires device compliance, ensure the user’s machine is enrolled in Microsoft Intune or is domain-joined and compliant. If the policy enforces a session timeout of less than 60 minutes, the token may expire before OneDrive refreshes it. Adjust the session control settings to allow up to 8 hours for OneDrive sync clients.
Azure AD device registration is missing or stale
Open a command prompt on the user machine as administrator. Run dsregcmd /status. Check the AzureAdJoined field. If it says NO, the machine is not registered in Azure AD. Run dsregcmd /join to register it. If the field says YES but the error persists, run dsregcmd /leave followed by a restart and then dsregcmd /join again. This re-registers the device and generates a fresh device certificate that OneDrive uses for authentication.
Federated identity or password hash sync mismatch
If your tenant uses Active Directory Federation Services or password hash synchronization, the user’s password may not have synced to Azure AD yet. Open the Microsoft 365 admin center and go to Users > Active users. Select the affected user and check the sign-in status. If it shows a sync error, ask the user to wait 10 minutes and try again. For federated environments, verify that the ADFS server can resolve the user’s UPN and that the relying party trust for Microsoft 365 is intact. Run Get-ADFSRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" on the ADFS server to confirm the status.
OneDrive 0x8004de40 vs Other Sign-in Errors: Quick Reference
| Item | 0x8004de40 | 0x8004de4a |
|---|---|---|
| Description | Token validation failure due to expired or malformed credential cache | Account not licensed for OneDrive or tenant policy blocks sync |
| Primary fix | Clear local credential cache and re-authenticate | Assign a OneDrive license in Microsoft 365 admin center |
| Admin tool needed | Credential Manager, Azure AD Conditional Access, dsregcmd | Microsoft 365 admin center > Users > Licenses and apps |
| User impact | OneDrive cannot sync; red X on cloud icon | OneDrive does not start or shows “Account not configured” |
| Recurrence after fix | Unlikely if token cache cleared and conditional access policy adjusted | Does not recur once license is assigned |
The table above compares the two most common OneDrive sign-in error codes that help desk teams encounter. Use the Primary fix row to decide which troubleshooting path to take first. If the error code is 0x8004de40, always start with local credential clearing before checking tenant policies.
After completing the checklist, help desk teams can reduce repeat tickets for the 0x8004de40 error by creating a PowerShell script that runs the credential clearing and device re-registration steps remotely. Use the Invoke-Command cmdlet with the script to apply the fix to multiple machines in one session. This eliminates the need for end-user interaction and ensures consistent results across the organization.
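A read-only triage of the dsregcmd /status check described earlier, run across machines with Invoke-Command, so that only devices reporting a problem are re-registered; this is an added example, not the article's own script. The computer names are placeholders and PowerShell remoting is assumed to be enabled on the targets.

```powershell
# Added example: collect device registration state from several machines before changing anything.
# Assumptions: WinRM/PowerShell remoting is enabled; the computer names below are placeholders.
$computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')

$probe = {
    # dsregcmd prints "Name : Value" lines; collect them into a lookup table
    $fields = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    # Return only device-level fields; user-level SSO fields would describe the admin, not the user
    [pscustomobject]@{
        AzureAdJoined = $fields['AzureAdJoined']
        DomainJoined  = $fields['DomainJoined']
        TenantName    = $fields['TenantName']
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe `
    -ErrorAction SilentlyContinue -ErrorVariable failed

# Machines reporting AzureAdJoined = NO are the candidates for dsregcmd /join
$results |
    Select-Object PSComputerName, AzureAdJoined, DomainJoined, TenantName |
    Sort-Object AzureAdJoined |
    Format-Table -AutoSize

# Unreachable machines need a manual check rather than a blind re-join
$failed | ForEach-Object {
    Write-Warning "No result from $($_.TargetObject): $($_.Exception.Message)"
}
```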