OneDrive for Business 0x8004de40 sign-in error keeps returning for device replacement: Fix Guide

When you replace your computer and sign in to OneDrive for Business, you may see error code 0x8004de40. This error prevents the sync client from connecting to your work files. The error occurs because the old device credentials remain cached in the Microsoft 365 authentication system. This article explains why the error returns after a device swap and provides a complete set of fixes to remove stale credentials and restore sync.

Key Takeaways: Fixing the 0x8004de40 Sign-In Error on a New Device

  • Windows Credential Manager > Windows Credentials > OneDrive Cached Credentials: Removing old tokens forces a fresh authentication handshake with Microsoft 365.
  • OneDrive Settings > Account > Unlink This PC: Unlinking breaks the association between the old device and the user account in the cloud.
  • Microsoft 365 Admin Center > User > Block Sign-In + Sign Out Everywhere: An admin can revoke all sessions and cached tokens for the affected user account.

Why Error 0x8004de40 Occurs After a Device Replacement

Error 0x8004de40 is an authentication failure code. It means OneDrive could not validate your credentials with the Microsoft 365 token service. On a new device, the sync client tries to reuse a cached token from the previous machine. The Microsoft identity platform detects a mismatch between the device ID stored in the token and the new device ID. It rejects the request and returns 0x8004de40.

The device ID mismatch happens because OneDrive registers each computer as a device in Azure AD during the initial sign-in. When you sign in on a replacement computer, the old device registration is still active. The authentication system sees the new device as unauthorized until the old registration is removed or the token is refreshed from scratch.

Another common cause is a leftover credential entry in Windows Credential Manager. The old computer stored a Microsoft Office 16 token or a OneDrive token. That token contains the device ID of the old machine. On the new device, Windows still presents this stale token to the Microsoft 365 sign-in endpoint, triggering the error.

Steps to Clear Stale Credentials and Fix the Sign-In Error

The following steps remove cached credentials, unlink the old device, and force a fresh authentication. Perform them in the order shown. You need local administrator rights on the new computer.

  1. Close OneDrive and Exit the Process
    Right-click the OneDrive cloud icon in the system tray and select Exit. Open Task Manager with Ctrl+Shift+Escape. Confirm no OneDrive.exe process is running under the Processes tab. If one remains, select it and click End Task.
  2. Delete OneDrive Credentials from Windows Credential Manager
    Open Control Panel and go to User Accounts > Credential Manager > Windows Credentials. Scroll to the Generic Credentials section. Look for entries that start with MicrosoftOffice16_Data:ADAL: or OneDrive Cached Credential. Click the arrow to expand each entry, then click Remove. Confirm the deletion. Also remove any entry containing your work email address.
  3. Clear the Microsoft 365 Authentication Cache
    Press Windows+R, type %localappdata%\Microsoft\OneAuth and press Enter. Delete all files and folders inside the OneAuth folder. Next, press Windows+R again, type %localappdata%\Microsoft\IdentityCache, press Enter, and delete everything in that folder as well. These folders store cached tokens used by Office and OneDrive.
  4. Unlink the Current OneDrive Sync Client
    Open OneDrive. If it opens with the sign-in screen, close it. If it is already signed in, click the OneDrive icon in the system tray, select Help & Settings > Settings. Go to the Account tab and click Unlink This PC. Confirm the action. This command tells OneDrive to remove the device registration from the cloud.
  5. Restart the Computer
    Restart Windows to clear any remaining cached data in memory and to reset the authentication pipeline.
  6. Sign In to OneDrive Again
    After the restart, open OneDrive from the Start menu. Enter your work email address and click Sign In. When prompted, select Work or school account. Complete the multi-factor authentication challenge if your organization requires it. OneDrive should now sync without error 0x8004de40.
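Steps 1 to 3 above can also be scripted. The following PowerShell is an added example, not part of the original guide; the parameter names -WorkEmail and -Apply are hypothetical, and the address is a placeholder. Run it in the affected user's own session, because Credential Manager entries and %localappdata% are per user.

```powershell
# Added example: steps 1-3 as a script. Reports only; pass -Apply to delete.
param(
    [string]$WorkEmail = 'user@example.com',  # placeholder: the affected work address
    [switch]$Apply
)
$verb = if ($Apply) { 'removed' } else { 'would remove' }

# Step 1: stop the sync client so it does not hold the cache files open.
$proc = Get-Process -Name OneDrive -ErrorAction SilentlyContinue
if ($proc -and $Apply) { $proc | Stop-Process -Force }

# Step 2: Credential Manager entries the article names.
# Assumes English cmdkey output, where each entry has a "Target: <name>" line.
$patterns = @('MicrosoftOffice16_Data:ADAL:', 'OneDrive Cached Credential', $WorkEmail) |
    Where-Object { $_ }                       # drop an empty -WorkEmail
$targets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        $name = $Matches[1]
        if ($patterns | Where-Object { $name -like "*$_*" }) { $name }
    }
}
foreach ($t in $targets) {
    if ($Apply) { cmdkey "/delete:$t" | Out-Null }
    Write-Output "${verb}: credential $t"
}

# Step 3: empty the OneAuth and IdentityCache folders, keeping the folders themselves.
foreach ($dir in 'OneAuth', 'IdentityCache') {
    $path = Join-Path $env:LOCALAPPDATA "Microsoft\$dir"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $items = @(Get-ChildItem -LiteralPath $path -Force)
    if ($Apply) { $items | Remove-Item -Recurse -Force }
    Write-Output "${verb}: $($items.Count) item(s) under $path"
}
```

Review the report-only output first, then rerun with -Apply and continue with steps 4 to 6.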

If the Error Persists: Additional Admin Actions

The error still shows after clearing credentials on the new device

If the error returns, the old device registration still has an active session in Azure AD. Ask your Microsoft 365 administrator to perform these steps in the Microsoft 365 admin center:

  1. Go to the Microsoft 365 admin center
    Navigate to Users > Active users. Find the affected user account and click the name.
  2. Block sign-in for the user
    Under the Account tab, click Block sign-in. Select Block the user from signing in and click Save. This action invalidates all active sessions and tokens immediately.
  3. Sign out the user everywhere
    Still in the user properties, click Sign out everywhere. This revokes all refresh tokens and forces the user to reauthenticate on the next sign-in attempt.
  4. Unblock sign-in
    After 30 seconds, return to the Account tab and click Block sign-in again. Select Allow the user to sign in and click Save.
  5. Have the user sign in to OneDrive again
    The user must now sign in on the new device. The old device registration is no longer cached, and the new device will be registered properly.
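The same block, revoke and unblock sequence can be run with Microsoft Graph PowerShell. This is an added example, not part of the original guide; it assumes the Microsoft.Graph module is installed, that the admin can consent to User.ReadWrite.All, and that the Graph cmdlets shown correspond to the admin center buttons. The UPN is a placeholder.

```powershell
# Added example: Graph PowerShell form of admin steps 2-4.
$ErrorActionPreference = 'Stop'
$upn = 'user@example.com'   # placeholder UPN of the affected user

Connect-MgGraph -Scopes 'User.ReadWrite.All'
try {
    Update-MgUser -UserId $upn -AccountEnabled:$false      # step 2: block sign-in
    Revoke-MgUserSignInSession -UserId $upn | Out-Null     # step 3: sign out everywhere
    Start-Sleep -Seconds 30                                # step 4: the wait the guide gives
}
finally {
    # Always re-enable, so a failure above does not leave the account blocked.
    Update-MgUser -UserId $upn -AccountEnabled:$true
}

# Confirm the account ended up enabled before asking the user to sign in again.
$state = Get-MgUser -UserId $upn -Property userPrincipalName, accountEnabled
'{0} accountEnabled={1}' -f $state.UserPrincipalName, $state.AccountEnabled
Disconnect-MgGraph | Out-Null
```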

Related Failure Patterns and Their Fixes

OneDrive shows error 0x8004de40 after password change

A password change without signing out of OneDrive can trigger the same error. The cached token becomes invalid. The fix is the same as the main steps above: remove credentials from Windows Credential Manager and the OneAuth folder, then sign in again with the new password.

Error 0x8004de40 appears on a device that was never replaced

This can happen if the user account was recently migrated to a new tenant domain or if Azure AD Conditional Access policies changed. The token issued to the old tenant domain is no longer valid. Run the credential removal steps and sign in again. If the error persists, ask the admin to check the user’s Azure AD device registration and remove any stale entries.

OneDrive remains stuck on Signing In after the fix

If OneDrive shows a spinning loop on the sign-in screen, the authentication process may be blocked by a proxy or firewall. Verify that the following URLs are allowed through your corporate network:

  • login.microsoftonline.com and all subdomains
  • account.live.com and all subdomains
  • syncengine.onedrive.com and all subdomains
  • onedrive.live.com and all subdomains

If your organization uses a web proxy, configure Windows to bypass the proxy for these endpoints or add them to the proxy exception list in Internet Options.
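To see how the new computer currently treats these four hosts, the following added PowerShell example (not part of the original guide) reports, for each one, whether the Windows system proxy applies and whether a direct TCP connection to port 443 succeeds. The variable names are illustrative.

```powershell
# Added example: proxy and reachability check for the hosts listed above.
$endpoints = 'login.microsoftonline.com', 'account.live.com',
             'syncengine.onedrive.com', 'onedrive.live.com'

# The proxy configuration Windows applies to this user (Internet Options / WinINET).
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()

$results = foreach ($name in $endpoints) {
    $uri      = [Uri]"https://$name/"
    $bypassed = $proxy.IsBypassed($uri)
    # Test-NetConnection connects directly, not through the proxy. On a network
    # that only allows outbound traffic via the proxy, Tcp443 = False is expected
    # for hosts that are not bypassed.
    $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint = $name
        Route    = if ($bypassed) { 'direct' } else { $proxy.GetProxy($uri).Authority }
        Tcp443   = $tcp.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize
```

A host that shows a proxy address under Route is still going through the proxy, so it has not been picked up by the exception list.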

Device-Based Tokens vs User-Based Tokens: Key Differences

| Item | Device-Based Token | User-Based Token |
|---|---|---|
| Scope | Bound to a specific device ID registered in Azure AD | Bound to the user principal name and independent of device |
| Lifetime | Renewed every 90 days; invalidated when device is unlinked or removed from Azure AD | Renewed every 14 days; invalidated by password change or admin revoke |
| Error 0x8004de40 trigger | Device ID mismatch between token and new computer | Token expiration or stale refresh token after password change |
| Removal method | Unlink OneDrive + remove Windows Credential Manager entries | Admin block sign-in + sign out everywhere, or user clears OneAuth cache |

The device-based token is the primary cause of error 0x8004de40 during a device replacement. The user-based token can contribute if it was cached from a previous sign-in session. Clearing both types ensures the new device registers a fresh device-based token.

You can now resolve error 0x8004de40 by clearing stale credentials, unlinking OneDrive, and if needed, having an admin revoke all sessions. After the fix, verify that the sync client shows a green checkmark and that files sync correctly. As an advanced tip, use the OneDrive sync health report in the Microsoft 365 admin center to confirm that the new device ID appears under the user’s registered devices.
