OneDrive Sync, Permission, and Access Errors: All Fixes

Updated April 20, 2026

Why OneDrive Sync Errors Keep Happening

You open your laptop, click a file in your OneDrive folder, and nothing happens. Or worse, you get a cryptic browser message like DNS_PROBE_FINISHED_NXDOMAIN when you try to load OneDrive on the web, or a maddening pop-up that says "Can't open online-only file" even though your Wi-Fi bars are full. I've seen these OneDrive sync errors on dozens of machines across both home users and large enterprise environments, and the one thing they all have in common is that the error message itself tells you almost nothing useful.

OneDrive sync issues fall into a few distinct buckets, and understanding which bucket you're in is the fastest way to get back to work. Here's what's actually going on under the hood.

Subscription and DNS problems. The DNS_PROBE_FINISHED_NXDOMAIN error when accessing OneDrive or SharePoint is almost always one of two things: your Microsoft 365 subscription has lapsed (or been suspended), or your local machine's DNS cache is holding onto stale records that point nowhere. Both look identical from the browser's perspective: it simply can't resolve the address. Your computer isn't broken. The path to Microsoft's servers is just broken.

File availability conflicts. When OneDrive is set to "Files On-Demand," files you haven't opened recently exist only as placeholders on your hard drive. They're real files in the cloud, but locally they're just shortcuts. If a low-level component called the User Experience Virtualization Agent (UE-V) is running and hasn't been told to play nice with OneDrive's compatibility layer, Windows will refuse to open those placeholder files even when you're perfectly online. This is the root cause behind most "Can't open online-only file" errors and it's a surprisingly common OneDrive sync permission issue on managed enterprise devices.

Graph API and location-based policy conflicts. If your organization uses location-based conditional access policies in Microsoft Entra ID (formerly Azure AD), you may hit 401 Unauthorized errors when apps try to query OneDrive through the Microsoft Graph API. The reason isn't that the app lacks permissions; it's that the Graph API layer doesn't pass the user's IP address through to SharePoint, so SharePoint can't verify the user is inside the trusted network boundary. The result: access denied, even when the user is sitting right inside the office network. This is a known Microsoft platform limitation.

Sysprep deployment failures. In enterprise environments where IT deploys Windows images using SysPrep, OneDrive often breaks for users after they join the domain. This happens because OneDrive was installed into the sysprepped image in a way that ties it to the original profile, not the new user's profile. The fix requires both a reinstall for affected users and a corrected deployment process going forward.

I know how frustrating these OneDrive sync errors are, especially when they block access to files you need right now for a meeting or deadline. The good news is that every one of these issues has a documented resolution. Let's fix them.

The Quick Fix: Try This First

Before diving into registry edits and Group Policy, there's a fast triage sequence that resolves the majority of OneDrive sync errors and access failures in under five minutes. Work through this before anything else.

Step 1: Check your Microsoft 365 subscription status. Open a browser and go to portal.microsoft.com. Sign in and look at the top of the page. If your subscription has expired, Microsoft will display a prominent warning banner. An expired or suspended subscription is the single most common cause of the DNS_PROBE_FINISHED_NXDOMAIN error when accessing OneDrive. If you see a warning, reactivate your subscription first. Everything else depends on it.

Step 2: Flush your DNS cache. Even if your subscription is active, a stale DNS cache can keep your machine pointing at a dead address. This takes about 30 seconds to fix. Open Command Prompt as Administrator, run ipconfig /flushdns, then try accessing OneDrive again. This alone clears a surprising number of access error complaints.

Step 3: Restart the OneDrive sync client. Find the OneDrive cloud icon in your taskbar notification area. Right-click it and choose Close OneDrive. Wait 10 seconds, then reopen it from the Start menu. A full client restart clears temporary sync state that can cause OneDrive file sync errors to persist well past their actual cause.

Step 4: Sign out and sign back in. If the sync client shows a red X or a persistent "sync pending" state, click the OneDrive icon in the taskbar, select the gear/settings icon, go to Settings > Account > Unlink this PC, and then sign in again. This resets the local authentication token, which fixes a large class of OneDrive permission errors without touching any system settings.

If you've run through all four of these and the problem persists, you need the full step-by-step solutions below. The specific error you're seeing will tell you exactly which path to take.

Pro Tip
When you're chasing OneDrive sync errors on a domain-joined machine, always check the subscription status at the tenant level, not just your own account. A global admin's lapsed billing can cut off sync for every user in the organization simultaneously, and individual users will have no idea why.
1. Reactivate Your Microsoft 365 Subscription

If you're seeing the DNS_PROBE_FINISHED_NXDOMAIN error in your browser when trying to access OneDrive or SharePoint, the first thing to check, before touching any network settings, is whether your Microsoft 365 subscription is still active. An expired subscription causes this exact error because Microsoft stops resolving OneDrive service endpoints for accounts that are no longer in good standing. From the browser's perspective, the hostname simply doesn't exist anymore.

Here's how to check and reactivate:

  1. Open a browser window and go to https://portal.microsoft.com.
  2. Sign in with your Microsoft 365 account credentials.
  3. If your subscription has expired, you'll see an alert banner near the top of the Microsoft 365 admin center. For personal plans, this shows up on the Microsoft account dashboard.
  4. Navigate to Billing > Your products in the admin center (or Services & subscriptions on personal accounts).
  5. Find your Microsoft 365 plan and select Reactivate.
  6. Update your payment method if prompted and complete the reactivation flow.

Once reactivated, DNS propagation usually takes effect within 15–30 minutes. Don't try to access OneDrive immediately. Give it a few minutes, then also flush your DNS cache (covered in Step 2) to make sure your local machine isn't holding onto the old negative response.

If you're an end user and don't have admin access to the Microsoft 365 portal, this is the moment to call your IT department or global admin. They're the ones who can reactivate the subscription. What you should see after a successful reactivation: the DNS_PROBE_FINISHED_NXDOMAIN error disappears, and OneDrive loads normally in the browser.

2. Flush the DNS Cache to Clear Stale Records

Your operating system caches DNS lookups to make browsing faster. Normally that's great, but when something changes on Microsoft's end (a subscription reactivation, a server migration, a service outage that gets resolved), your machine may keep serving up the old, dead address from its local cache for hours. This is exactly why you can sometimes access OneDrive just fine from your phone on the same network while your laptop is still blocked.

Flushing the DNS cache is a safe, non-destructive operation that takes under a minute. Here's exactly how to do it:

  1. Click the Start button.
  2. Type cmd in the search box.
  3. Right-click Command Prompt in the results and select Run as administrator.
  4. In the Command Prompt window, type the following and press Enter:
ipconfig /flushdns

You should see: Windows IP Configuration. Successfully flushed the DNS Resolver Cache.

After that, close Command Prompt and try accessing OneDrive again in a fresh browser window. Don't just refresh the existing tab; a fresh window ensures you're not working from any cached page state.

If you're in a corporate environment where DNS is managed by internal servers, flushing the local cache may not be enough; the issue might be sitting at the corporate DNS server level. In that case, your network admin may need to clear the DNS cache on the internal resolver. For home users, flushing local DNS combined with restarting your home router (which also has its own DNS cache) solves the problem almost every time.

Success looks like: OneDrive or SharePoint loads normally in the browser. If you're still blocked after flushing DNS and your subscription is confirmed active, move on to the network and authentication fixes in Step 3.
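
To tell a stale local cache apart from a failing internal resolver or a name that no resolver returns, the following PowerShell sketch compares the three views. It is an added example, not part of the original guide; the host names (including the contoso tenant placeholder) and the public resolver address are assumptions to replace with your own.

```powershell
# Added example, not part of the original guide.
# ASSUMPTIONS: sample host names (replace "contoso" with your tenant) and a
# public resolver that your firewall allows you to query directly.
$hostNames      = @('onedrive.live.com', 'login.microsoftonline.com', 'contoso-my.sharepoint.com')
$publicResolver = '1.1.1.1'

function Resolve-Via {
    # Query one specific DNS server, which bypasses the local resolver cache.
    param([string]$Name, [string]$Server)
    try {
        $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $ips = @($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        if ($ips.Count -gt 0) { $ips -join ',' } else { $null }
    } catch {
        $null   # NXDOMAIN, timeout, or the query was blocked
    }
}

function Get-DnsVerdict {
    param([string]$Name)

    # Entries the local cache holds for this name; Status 0 means Success,
    # anything else is a cached negative or error answer.
    $cached   = @(Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue)
    $negative = @($cached | Where-Object { $_.Status -ne 0 })

    # First IPv4 resolver configured on this machine.
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Select-Object -First 1

    $fromConfigured = if ($configured) { Resolve-Via -Name $Name -Server $configured }
    $fromPublic     = Resolve-Via -Name $Name -Server $publicResolver

    $verdict = if ($fromConfigured -and $negative.Count -gt 0) {
        'Stale local cache: run Clear-DnsClientCache (same effect as ipconfig /flushdns)'
    } elseif ($fromConfigured) {
        'Configured resolver answers: DNS is not the problem'
    } elseif ($fromPublic) {
        'Configured resolver fails but public resolver answers: internal DNS issue'
    } else {
        'No resolver returns an address: check subscription status (Step 1)'
    }

    [pscustomobject]@{
        Name               = $Name
        CachedNegative     = $negative.Count
        ConfiguredResolver = $configured
        FromConfigured     = $fromConfigured
        FromPublic         = $fromPublic
        Verdict            = $verdict
    }
}

$hostNames | ForEach-Object { Get-DnsVerdict -Name $_ } | Format-List
```

If outbound DNS to public resolvers is blocked on your network, FromPublic will always be empty, so read the last two verdicts together.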

3. Fix "Can't Open Online-Only File" With a Registry Edit

This one is specific but common: you're connected to the internet, OneDrive looks synced, yet when you double-click a file that OneDrive has stored as a cloud-only placeholder, you get the error: "Can't open online-only file, Make sure you're connected to the internet, then try again." You are connected. OneDrive is lying to you.

The cause is a conflict between OneDrive's Files On-Demand feature and the User Experience Virtualization (UE-V) agent, a component that's common on enterprise-managed Windows 10/11 devices. UE-V intercepts file open operations and, under certain configurations, blocks the OneDrive sync client from downloading the placeholder file before handing it off to the application. The fix is a single registry value that tells UE-V to apply an Explorer compatibility shim.

Important: Back up your registry before making any edits. Open Registry Editor, go to File > Export, and save a backup to your desktop first.

  1. First, confirm you're on Windows 10 version 1809 or newer. Press Win + R, type winver, and press Enter. Check the version number.
  2. Press Win + R, type regedit, and press Enter to open Registry Editor.
  3. Navigate to this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration
  4. Right-click the Configuration key in the left panel.
  5. Select New > DWORD (32-bit) Value.
  6. Name the new value exactly: ApplyExplorerCompatFix
  7. Double-click the new value and set its data to 1.
  8. Click OK, close Registry Editor, and try opening the online-only file again.

You should now see the file download automatically from the cloud and open normally. If the UE-V key path doesn't exist in your registry, that actually means UE-V isn't installed on your machine. The culprit is something else, and you should move to the advanced troubleshooting section for alternative diagnostics.
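
The same procedure as a scripted change for managed devices: it checks the Windows build, refuses to create the key when UE-V is absent, exports a backup, and only then writes the value. This is an added example, not part of the original guide; the backup file name and location are assumptions.

```powershell
# Added example, not part of the original guide. Run in an elevated session.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\UEV\Agent\Configuration'   # path from the guide
$regPath   = 'HKLM\SOFTWARE\Microsoft\UEV\Agent\Configuration'    # same key, reg.exe syntax
$valueName = 'ApplyExplorerCompatFix'                              # value name from the guide
# ASSUMPTION: backup file name and location are illustrative.
$backup    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'UEV-Agent-Configuration-backup.reg'

function Set-UevExplorerCompatFix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Windows 10 version 1809 corresponds to build 17763.
    $build = [System.Environment]::OSVersion.Version.Build
    if ($build -lt 17763) {
        Write-Warning "Build $build is older than Windows 10 1809 (17763); the fix does not apply."
        return 'UnsupportedBuild'
    }

    # A missing key means UE-V is not installed. Do not create it: the value
    # would have no effect and the real cause lies elsewhere.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Warning "UE-V configuration key not found; UE-V is not installed."
        return 'UevNotInstalled'
    }

    $current = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 1) { return 'AlreadySet' }

    if ($PSCmdlet.ShouldProcess($keyPath, "Set $valueName = 1 (DWORD)")) {
        # Export the key before changing anything; stop if the backup fails.
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry export failed; no change was made." }

        New-ItemProperty -LiteralPath $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        return 'Set'
    }
    return 'Skipped'
}

# Dry run first; remove -WhatIf to apply the change.
Set-UevExplorerCompatFix -WhatIf
```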

4. Fix OneDrive After Sysprep Domain Join Breaks It

This is an IT admin problem, but it also affects end users who suddenly can't start or open OneDrive after their work laptop gets reimaged or after joining a new domain. The symptom: OneDrive simply doesn't launch. Nothing happens when you click it. Sometimes there's a brief loading icon and then silence.

The root cause is that the Windows image was sysprepped with OneDrive already installed and tied to the image's original user profile. When a new user logs in on a domain-joined machine built from that image, OneDrive's installation is essentially orphaned: it points to a profile that no longer exists in the normal sense.

For affected end users, here's the immediate fix:

  1. Sign in to the affected machine as the user who can't start OneDrive.
  2. Download the latest OneDrive installer directly from Microsoft's official download page.
  3. Run the installer; it will detect and replace the broken installation.
  4. After reinstall, launch OneDrive from the Start menu and sign in with your Microsoft 365 credentials.

For IT admins, the correct way to deploy OneDrive through Sysprep going forward:

Before running sysprep on the master image, do the following in this exact order:

  1. Uninstall OneDrive from the image first:
onedrivesetup.exe /uninstall
  2. Add a RunOnce registry key so OneDrive installs fresh for each new user on first login:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value name: OneDriveSetup
Value data: C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup
  3. Then run sysprep normally.

This ensures every new user who logs into a machine built from that image gets a clean, correctly configured OneDrive installation on their first login rather than inheriting a broken one from the original image profile.

5. Work Around the 401 Graph API Error With Conditional Access

If your organization has enabled location-based access policies in Microsoft Entra ID, a common security practice that restricts SharePoint and OneDrive access to approved IP ranges or physical locations, you may run into a frustrating scenario: applications that call the Microsoft Graph API to access OneDrive data return 401 Unauthorized errors, even when the user is physically sitting inside the office on the approved network.

This is a confirmed platform behavior. The Graph API doesn't forward the user's IP address to SharePoint, so SharePoint has no way to confirm the user is within the trusted boundary. Currently, the only apps that fully support location-based policies are Viva Engage and Exchange. Every other app, including many line-of-business applications that read or write OneDrive data, gets blocked regardless of the user's actual location.

The supported workaround is to configure Conditional Access policies in Microsoft Entra ID to handle this gap:

  1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Policies.
  3. Create a new policy or edit an existing one that targets the affected application.
  4. Under Conditions > Locations, configure named locations that represent your trusted IP ranges.
  5. Set the policy to grant access when the user is within a named location, rather than relying on the SharePoint-level location-based restriction for Graph API calls.
  6. Test with a pilot user before rolling out broadly.

This shifts the location trust decision from the SharePoint layer (where the Graph API can't pass IP info) to the Entra ID authentication layer (where it can). Microsoft is actively developing a proper solution to make Graph API calls location-aware natively, but until that ships, Conditional Access is the documented path forward. Check Microsoft Support for the latest status on this issue.

Advanced Troubleshooting

If you've worked through all five steps above and you're still dealing with OneDrive sync errors, access failures, or permission issues, it's time to dig into the lower layers. Here's what to check when the surface-level fixes don't stick.

Event Viewer: Find the Real Error Code

The OneDrive sync client logs detailed errors to Windows Event Viewer that never surface in the UI. Press Win + R, type eventvwr.msc, and expand Applications and Services Logs. Look for a OneDrive folder. Inside, you'll find event IDs that pinpoint exactly what's failing: authentication token expiry, network timeouts, file system permission denials, and more. This is the fastest way to distinguish a sync error caused by a network issue from one caused by a file permission conflict.

Group Policy: Managed Devices Acting Differently

On domain-joined machines, Group Policy can override OneDrive settings in ways that confuse even experienced users. If OneDrive sync is disabled, restricted to certain libraries, or blocked from using Files On-Demand, a policy is likely responsible. Run gpresult /h gpresult.html in an elevated Command Prompt to generate a full Group Policy results report. Open the HTML file and search for "OneDrive" to see exactly which policies are applied and from which Group Policy object they originate. Share this with your IT admin; it tells them precisely where the conflicting setting lives.

Network-Level Fixes: Proxy and Firewall Interference

Corporate proxy servers and firewalls are a surprisingly common cause of OneDrive sync errors and access denials that look nothing like network problems from the outside. OneDrive needs access to a specific set of Microsoft endpoints on ports 443 and 80. If your proxy is doing SSL inspection and hasn't been configured to exempt Microsoft's OneDrive endpoints, you'll see authentication failures and sync errors that look identical to permission problems. Check that the following domains are in your proxy's exclusion list:

*.onedrive.com
*.sharepoint.com
*.microsoft.com
login.microsoftonline.com
accounts.live.com

Your network admin can verify whether traffic to these endpoints is being intercepted or modified by running a packet capture while reproducing the error.
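
A quicker first check than a packet capture is to look at which certificate authority issued the certificate your machine actually receives from these endpoints. The PowerShell below is an added example, not part of the original guide. The concrete host names stand in for the wildcard entries, and the expected-issuer list is an assumption you should replace with what you observe on an uninspected network. It connects directly, so it reveals transparent inspection but not an explicit proxy that clients are configured to use.

```powershell
# Added example, not part of the original guide. Diagnostic only: the script
# completes a TLS handshake and sends no credentials or application data.
# ASSUMPTIONS: sample hosts, and a constructed list of issuer name fragments.
$targets         = @('login.microsoftonline.com', 'accounts.live.com', 'onedrive.live.com')
$expectedIssuers = @('Microsoft', 'DigiCert')

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever certificate is presented so that an inspection CA is
        # reported instead of aborting the handshake. Only acceptable here
        # because nothing is sent over the connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
            $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

function Test-TlsInspection {
    param([string[]]$HostNames)
    foreach ($name in $HostNames) {
        try {
            $cert  = Get-ServerCertificate -HostName $name
            $known = $false
            foreach ($fragment in $expectedIssuers) {
                if ($cert.Issuer -like "*$fragment*") { $known = $true }
            }
            [pscustomobject]@{
                HostName     = $name
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                # True when the chain validates against this machine's trust
                # store; a corporate inspection CA is usually trusted on
                # managed devices, so "trusted" does not mean "not inspected".
                ChainTrusted = $cert.Verify()
                Finding      = if ($known) { 'Issuer matches expected list' }
                               else        { 'Unexpected issuer: likely TLS inspection' }
            }
        } catch {
            [pscustomobject]@{
                HostName     = $name
                Issuer       = $null
                Thumbprint   = $null
                ChainTrusted = $false
                Finding      = "Connect or handshake failed: $($_.Exception.Message)"
            }
        }
    }
}

Test-TlsInspection -HostNames $targets | Format-List
```

Run it once from the affected machine and once from a network without inspection; differing issuers or thumbprints for the same host confirm that the proxy is re-signing the traffic.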

OneDrive Sync Client Version

Outdated sync clients are responsible for a category of OneDrive sync permission errors and file access failures that can't be fixed any other way. The client updates itself automatically by default, but on managed machines this auto-update is often disabled. Right-click the OneDrive icon in the taskbar, go to Settings > About, and check the version number. Compare it against the current production release listed in Microsoft's official release notes. If you're more than two major versions behind, an upgrade should be your next step.

Reset the OneDrive Sync Client

When the sync client itself is in a corrupted state (not the settings, not the files, just the running process), a full reset clears it. This doesn't delete your files; it just forces the client to re-sync everything from scratch. Run this command:

%localappdata%\Microsoft\OneDrive\onedrive.exe /reset

Wait 30 seconds, then launch OneDrive from the Start menu. Allow it to complete the initial sync check before assuming it didn't work.

When to Call Microsoft Support
If you've worked through every fix in this guide (reactivated your subscription, flushed DNS, applied the registry fix, corrected the Sysprep deployment, configured Conditional Access, reset the sync client, and verified Group Policy) and you're still hitting OneDrive sync errors or access failures, it's time to escalate. Reach out to Microsoft Support directly. Before you call, have these items ready: the specific error message and any error codes from Event Viewer, your Microsoft 365 tenant ID (found in the Entra admin center under Overview), whether affected machines are domain-joined, and a gpresult report. The more specific you can be, the faster support can triage it.

Prevention & Best Practices

The single best thing you can do to prevent OneDrive sync errors from interrupting your work is to treat OneDrive like any other critical business service: monitor it proactively rather than waiting for it to break. Most of the issues covered in this guide give warning signs before they become full failures.

Set up billing alerts for your Microsoft 365 subscription. The DNS_PROBE_FINISHED_NXDOMAIN error caused by an expired subscription is 100% preventable. In the Microsoft 365 admin center, go to Billing > Billing notifications and make sure at least two admins are receiving renewal reminder emails. Set a calendar reminder 30 days before the renewal date as a backup. A lapsed subscription is never a surprise; it's always a missed reminder.

Keep Windows up to date on all devices. Several OneDrive sync error fixes, including the registry solution for the "Can't open online-only file" problem, specifically require Windows 10 version 1809 or later. Running outdated Windows versions is one of the most common reasons fixes that should work simply don't. Enable Windows Update on all devices and don't delay feature updates indefinitely.

Standardize your OneDrive deployment process before imaging. If your organization uses SysPrep, make sure your IT team documents and follows the correct OneDrive deployment steps outlined in Step 4 of this guide. One bad image can break OneDrive for every machine built from it. Build a checklist that includes uninstalling OneDrive before running sysprep and adding the RunOnce registry entry. Test it on a VM before rolling it to production hardware.

Audit your Conditional Access and location-based policies quarterly. Location-based policies in Entra ID are powerful but fragile. As your organization's IP ranges change, as users work from new offices, or as new applications are onboarded, your existing policies can start blocking legitimate OneDrive access. A quarterly review of active Conditional Access policies, cross-referenced against which apps are calling the Graph API, catches problems before users start hitting 401 errors.

Watch the search visibility change for private OneDrive content. Microsoft has made a change to how private OneDrive content appears in Microsoft 365 Search. Previously, if you were granted Site Collection Administrator access to someone else's OneDrive through governance policies, that content would show in your search results. That behavior has changed: content that hasn't been explicitly shared with you will no longer appear. If users in your organization suddenly report that files they could previously find through search have "disappeared," this policy change is the likely explanation, not a sync error.

Quick Wins
  • Set Microsoft 365 billing renewal reminders 30 days in advance, in your calendar, not just email.
  • Add ipconfig /flushdns to your IT troubleshooting runbook as a first-response step for any OneDrive access complaint.
  • Test your Sysprep OneDrive deployment in a VM before applying it to any physical hardware in production.
  • Maintain a record of all named locations configured in Entra Conditional Access, and update it every time your office IP ranges change.

Frequently Asked Questions

Why does OneDrive show DNS_PROBE_FINISHED_NXDOMAIN even though my internet is working fine?

This error means your browser can't resolve the hostname for OneDrive or SharePoint: it's not getting a valid IP address back from DNS. There are two main reasons this happens specifically with OneDrive: your Microsoft 365 subscription has expired (Microsoft stops serving the DNS records for lapsed accounts), or your local DNS cache has a stale negative entry from a previous outage or failed lookup. Try flushing your DNS cache first with ipconfig /flushdns in an elevated Command Prompt. If that doesn't fix it, log in to the Microsoft 365 portal and check your subscription status. Both fixes take under five minutes.

How will I see the change to private OneDrive search results in Microsoft 365?

This change only affects a specific group of users: those who have been granted Site Collection Administrator access to another user's OneDrive through governance policies or ownership changes, not through a direct share. If you're in that group, you'll notice that some OneDrive content from other users no longer shows up in your Microsoft 365 search results, even though you technically have admin access to that site. This is intentional: Microsoft is aligning search results with what users perceive as private. Content that wasn't explicitly shared with you through standard Microsoft 365 sharing mechanisms simply won't appear in search anymore. Your own OneDrive content and content explicitly shared with you are completely unaffected.

Why do I get a 401 error when my app accesses OneDrive through Graph API, even though the user is on the trusted network?

This is a known platform limitation. The Microsoft Graph API doesn't pass the user's IP address along to SharePoint, so SharePoint's location-based access policy can't verify that the user is inside the trusted network boundary, and it fails closed with a 401 Unauthorized error. Microsoft is actively working on a fix, but for now the supported workaround is to configure Conditional Access in Microsoft Entra ID to handle location trust at the authentication layer instead of the SharePoint layer. This lets Entra ID verify the user's location before issuing the token, so SharePoint doesn't need to re-check it when the Graph API call arrives.

I'm getting "Can't open online-only file" but I'm definitely connected to the internet. What's wrong?

This is almost certainly a conflict between OneDrive's Files On-Demand feature and the User Experience Virtualization (UE-V) agent, which is common on enterprise-managed Windows 10 and 11 devices. The fix is a registry edit: navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration, create a new DWORD value named ApplyExplorerCompatFix, and set it to 1. Make sure you're running Windows 10 version 1809 or newer before trying this; older versions don't support the compatibility shim that this registry value enables. After adding the value, try opening the file again without restarting first.

OneDrive won't open after our IT team imaged my laptop. How do I get it working again?

This is a Sysprep deployment issue. When OneDrive is included in a Windows image and that image is sysprepped, OneDrive gets tied to the original image's user profile. When you log in as yourself on the domain-joined machine, OneDrive's installation doesn't know how to start for your profile. The fix is straightforward: download the latest OneDrive installer directly from Microsoft and reinstall it while logged in as yourself on the affected machine. The reinstall will detect and replace the broken deployment. After reinstalling, launch OneDrive from the Start menu and sign in with your Microsoft 365 work account; it should sync normally from that point on.

What OneDrive endpoints do I need to whitelist in my corporate firewall to stop sync errors?

OneDrive sync requires outbound HTTPS access on port 443 to several Microsoft service domains. At minimum, your firewall and proxy should allow traffic to *.onedrive.com, *.sharepoint.com, login.microsoftonline.com, accounts.live.com, and *.microsoft.com. If your proxy performs SSL inspection, make sure these domains are in the SSL bypass list; intercepting Microsoft's certificate chain causes OneDrive sync errors that look exactly like authentication or permission failures. Microsoft publishes the full, current list of required endpoints in the Microsoft 365 URL and IP address ranges documentation, which is worth bookmarking since it gets updated periodically.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.