The OneDrive sync client error 0x8004de40 appears when you try to sign in to OneDrive for Business but the authentication process stops before completion. This error occurs most frequently after your IT team updates a Conditional Access policy in Microsoft Entra ID. The sync client retains an outdated token that the new policy rejects, causing the sign-in to fail repeatedly.
This article explains why the 0x8004de40 error returns even after you close and reopen OneDrive. You will learn how to clear the stale credential cache, re-authenticate with your organization’s updated policy, and prevent the error from recurring. The steps cover both manual token reset and the use of the Microsoft Support and Recovery Assistant for Microsoft 365.
Key Takeaways: Fixing OneDrive 0x8004de40 After Conditional Access Updates
- Windows Credential Manager > Windows Credentials > OneDrive Cached Credentials: Removing these expired tokens forces a fresh authentication that respects the new Conditional Access policy.
- OneDrive Settings > Account > Unlink this PC: Unlinking and relinking your account clears the client-side token cache and triggers a new device registration.
- Microsoft Support and Recovery Assistant (SaRA) > OneDrive for Business > Sign-in issues: This automated tool detects stale tokens and performs the credential reset without manual registry edits.
Why the 0x8004de40 Error Returns After Conditional Access Changes
The 0x8004de40 error is an authentication failure code that indicates the OneDrive sync client cannot obtain a valid token from Microsoft Entra ID. When your IT administrator modifies a Conditional Access policy — for example, requiring multifactor authentication on a new device platform or blocking legacy authentication — the OneDrive client must present a token that satisfies the new requirements. The client stores the previous token in the Windows Credential Manager and in its own local cache. Because the old token does not meet the updated policy conditions, Microsoft Entra ID rejects it and returns the 0x8004de40 error.
The error persists because OneDrive automatically retries the same failed token instead of requesting a new one. Simply restarting OneDrive or signing out and back in through the system tray menu does not remove the cached token. The client continues to present the rejected credential until you manually delete the stored token entries. The same behavior occurs if you have multiple Microsoft 365 accounts on the same device — each account stores its own token, and any account affected by the policy change will exhibit the error.
Steps to Clear the Cached Credentials and Re-authenticate OneDrive
Follow these steps in order. Do not skip the credential removal step, as it is the only action that eliminates the root cause. You do not need administrator rights on the computer to perform these steps, but you must know your Microsoft 365 sign-in credentials.
- Close OneDrive completely
Right-click the OneDrive cloud icon in the system tray notification area. Select Settings. On the Account tab, click Unlink this PC. Confirm the unlink prompt. After unlinking, right-click the OneDrive icon again and select Quit OneDrive. Verify that no OneDrive process is running by opening Task Manager (Ctrl+Shift+Escape) and checking the Processes tab for Microsoft OneDrive.
- Delete cached credentials from Windows Credential Manager
Press the Windows key and type credential manager. Select Credential Manager from the search results. Click Windows Credentials. Scroll to the Generic Credentials section. Look for any entry that includes OneDrive, MicrosoftOffice16, Microsoft.AAD.BrokerPlugin, or Microsoft.ADAL. Click the arrow to expand each entry and select Remove. Confirm the removal. Remove all entries that contain these keywords. Do not remove entries that belong to other applications unless you are certain they are related to OneDrive.
- Clear the browser token cache for your Microsoft 365 account
Open your default web browser. Navigate to https://login.microsoftonline.com. If you are already signed in, click your profile picture in the top-right corner and select Sign out. Close all browser windows. Open a new browser window and go to https://login.microsoftonline.com/logout. This URL clears any remaining session tokens for your Microsoft 365 tenant.
- Restart the computer
Restarting ensures that any cached token data held in memory is discarded. After the restart, do not open any browser or OneDrive yet.
- Sign in to OneDrive with your work or school account
Press the Windows key and type OneDrive. Open the OneDrive desktop app. Enter your work or school email address and click Sign in. Complete the authentication flow. If your organization requires multifactor authentication or a Conditional Access grant control, complete those prompts. OneDrive will now request a new token that satisfies the current policy.
- Verify that the error is resolved
After sign-in completes, check the OneDrive system tray icon. It should show a solid blue cloud or a green check mark. Open File Explorer and navigate to your OneDrive folder. Right-click a file and select View online to confirm that the web connection works. If the 0x8004de40 error returns, proceed to the next section for additional fixes.
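The process check and the credential-removal step above can also be scripted for helpdesk use. The following PowerShell is an added example, not part of the original article or any Microsoft tool. It assumes English-language cmdkey /list output and that the sync client's process is named OneDrive, and it only lists matching entries unless run with -Remove.

```powershell
# Added example, not Microsoft's tooling. Save as a .ps1 file and run as the affected user.
# Assumption: English-language `cmdkey /list` output, where each entry has a "Target:" line.
param(
    [switch]$Remove   # without -Remove the script only reports what it would delete
)

# Keywords from the credential-removal step of this article.
$keywords = 'OneDrive', 'MicrosoftOffice16', 'Microsoft.AAD.BrokerPlugin', 'Microsoft.ADAL'
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-StaleTarget {
    # Return the target name of every stored credential that contains a keyword.
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            if ($target -match $pattern) { $target }   # case-insensitive by default
        }
    }
}

# The sync client must be fully closed first, as the first step requires.
if (Get-Process -Name OneDrive -ErrorAction SilentlyContinue) {
    Write-Warning 'OneDrive is still running. Quit it from the system tray, then run this again.'
    return
}

$stale = @(Get-StaleTarget)
if ($stale.Count -eq 0) {
    Write-Output 'No matching cached credentials found.'
    return
}

foreach ($target in $stale) {
    if ($Remove) {
        cmdkey "/delete:$target" | Out-Null
    } else {
        Write-Output "Would remove: $target"
    }
}

if ($Remove) {
    # Re-read the store rather than trusting cmdkey's message text.
    $left = @(Get-StaleTarget)
    Write-Output ("Removed {0} of {1} entries." -f ($stale.Count - $left.Count), $stale.Count)
    $left | ForEach-Object { Write-Warning "Still present: $_" }
}
```

Review the dry-run list before using -Remove, since the keyword match also catches Office entries that belong to other accounts on the same device.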
If OneDrive Still Shows the 0x8004de40 Error After the Main Fix
OneDrive Keeps Reusing the Old Token from a Secondary Account
If you have multiple Microsoft 365 work or school accounts linked to OneDrive on the same computer, you must remove cached credentials for each account. Repeat step 2 from the main fix and look for credential entries that contain the user principal name (UPN) of the secondary account. If you cannot identify which account owns a credential entry, remove all entries that contain OneDrive or MicrosoftOffice16. After removal, restart the computer and sign in to each account one at a time through OneDrive Settings > Account > Add an account.
The Error Appears Only When Opening Specific Office Files from OneDrive
This symptom indicates that the Office desktop apps are using a separate token cache that was not cleared. Open Control Panel > User Accounts > Credential Manager > Windows Credentials. Remove any entry that begins with MicrosoftOffice followed by a number, such as MicrosoftOffice16_Data:ADAL:…. After removal, close all Office apps, reopen them, and navigate to File > Account > Sign out under your work or school account. Sign in again and retry opening the file.
OneDrive Fails to Sync After the Error Is Resolved
If the sign-in succeeds but files do not sync, the Conditional Access policy might block the sync client from accessing SharePoint. Contact your IT administrator and ask them to verify that the OneDrive sync client is not blocked by a device compliance policy or an app protection policy. The admin can check the sign-in logs in the Microsoft Entra admin center under Identity > Monitoring & health > Sign-in logs. Look for the failed sign-in event with error code 0x8004de40 and review the Conditional Access policy details.
Manual Token Reset vs Microsoft Support and Recovery Assistant: Key Differences
| Item | Manual Token Reset | Microsoft Support and Recovery Assistant (SaRA) |
|---|---|---|
| Description | User deletes credential entries from Windows Credential Manager and unlinks OneDrive | Automated tool that detects stale tokens, removes them, and reconfigures OneDrive sign-in |
| Administrator rights required | No | No, but some advanced scans require local admin |
| Time to complete | 5 to 10 minutes | 2 to 5 minutes |
| Scope of cleanup | Windows Credential Manager and OneDrive cache only | Windows Credential Manager, registry entries, and Office token cache |
| Best for | Users who want full control over which credentials are removed | Users who prefer a guided, automated process and have limited technical experience |
The 0x8004de40 error is caused by a mismatch between the token your OneDrive client holds and the updated Conditional Access requirements in your tenant. By removing the stale credentials from Windows Credential Manager and unlinking and relinking your account, you force a fresh authentication that satisfies the new policy. If the error persists after the manual fix, run the Microsoft Support and Recovery Assistant with the OneDrive for Business sign-in scenario. After the fix is complete, check the OneDrive sync status once per week to confirm that no new policy changes have broken the authentication. As an advanced tip, ask your IT administrator to review the Conditional Access policy session settings — setting the sign-in frequency to 24 hours can reduce the chance of stale tokens causing repeated errors.