OneDrive Shared Link Opens for Internal Users but Not Guests

You shared a OneDrive file or folder with an external user, but when that guest clicks the link, they see an access denied message or are blocked from opening the content. Internal users in your organization can access the same link without problems. This issue usually occurs because of a misconfiguration in your organization’s external sharing settings, a blocked guest domain, or a conditional access policy that restricts guest access. This article explains the specific settings that cause this behavior and provides step-by-step instructions to resolve it for both OneDrive and SharePoint.

Key Takeaways: Why Guests Cannot Open OneDrive Shared Links

  • Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing: Controls the external sharing level for OneDrive and SharePoint. If set to “Only people in your organization,” guests are denied access.
  • Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing > Let people add new guests: When disabled, users cannot share with guests who are not already in your directory.
  • Azure AD > External Identities > External collaboration settings: Contains domain allowlists and blocklists that can prevent guests from specific email domains from accepting invitations.

Why OneDrive Shared Links Block Guests

OneDrive sharing relies on two layers of permission: the organization-wide sharing policy and the per-user sharing policy. When a guest receives a shared link, their access is evaluated against both layers plus any Azure Active Directory conditional access policies. The most common cause is that the organization-level sharing setting is configured to allow sharing only with internal users. Even if a user creates a sharing link with the option “Specific people” and enters a guest email, the guest cannot authenticate if the tenant-level policy blocks external sharing.

A second common cause is that the guest’s email domain is blocked in the Azure AD external collaboration settings. For example, if your organization blocks all Gmail addresses, a guest with a Gmail address cannot accept the invitation regardless of the OneDrive sharing link type. A third cause is a conditional access policy that requires device compliance or multi-factor authentication for external users, and the guest cannot meet those requirements.

Steps to Allow Guests to Access OneDrive Shared Links

  1. Check the organization-level sharing setting
    Sign in to the Microsoft 365 admin center as a Global Administrator or SharePoint Administrator. Go to Settings > Org settings > SharePoint > Sharing. Under External sharing, select Anyone or New and existing guests. The option Only people in your organization blocks all guest access. Click Save.
  2. Verify the per-user sharing setting
    Still in the SharePoint admin center, scroll to OneDrive > Sharing. Ensure Allow external sharing is set to Anyone or New and existing guests. This setting overrides the organization-level setting for OneDrive users. Click Save.
  3. Enable guest invitations for users
    In the SharePoint admin center, under Sharing > External sharing, check the box Let people add new guests. When this is disabled, users can only share with guests already in the Azure AD directory. Click Save.
  4. Review Azure AD external collaboration settings
    Go to the Azure portal and navigate to Azure Active Directory > External Identities > External collaboration settings. Under Collaboration restrictions, choose Allow invitations to be sent to any domain or add the guest’s domain to the allowed list. If you have a domain blocklist, remove the guest’s domain from it. Click Save.
  5. Check conditional access policies
    In the Azure portal, go to Azure Active Directory > Security > Conditional Access. Review any policies that target External users or Guest users. If a policy requires device compliance or multi-factor authentication, guests may be unable to satisfy the requirement. Either exclude guests from the policy or adjust the grant controls. Click Save.
  6. Resend the sharing invitation
    After making changes, the guest must receive a new invitation. Go to OneDrive, locate the shared file or folder, click Share > Shared with, remove the guest, and then share again with the guest’s email address. This triggers a fresh invitation that respects the updated policies.

If Guests Still Cannot Access the Link

Guest receives “Access Denied” even after policy updates

If the guest still sees an access denied page, check whether the sharing link type is set to People in your organization. The link type is selected when the link is created. A link set to People in your organization works only for users who have a Microsoft 365 account in your tenant. To fix this, the user who created the link must change the link type to Specific people and enter the guest’s email address, or choose Anyone with the link if the organization allows it.

Guest cannot sign in with their Microsoft account

OneDrive shared links require the guest to authenticate with a Microsoft account or an Azure AD B2B guest account. If the guest uses a non-Microsoft email provider such as Gmail or Yahoo, they can sign in with that email address as a Microsoft account. If they already have a Microsoft account with a different email, they must sign in with the email address that received the invitation. To verify this, ask the guest to open the link in a private browser window and sign in using the exact email address where the invitation was sent.

OneDrive link works on desktop but not on mobile

This is often caused by a conditional access policy that applies to mobile device platforms. In the Azure portal, go to Conditional Access and find any policy that targets iOS or Android. If the policy blocks external users, either exclude guests or add the OneDrive mobile app as an exception. After the policy is updated, the guest must sign out and sign in again on the mobile device.

OneDrive External Sharing Settings: Organization vs Per-User vs Link Type

| Item | Organization-level setting | Per-user setting | Link type |
|---|---|---|---|
| Location | SharePoint admin center > Sharing | SharePoint admin center > OneDrive > Sharing | OneDrive web UI > Share > Link settings |
| Scope | All SharePoint and OneDrive sites | Only the user’s OneDrive | Individual file or folder |
| Options for guests | Anyone, New and existing guests, or Only people in your org | Anyone, New and existing guests, or Only people in your org | Anyone, People in your org, Specific people, or People with existing access |
| Override behavior | Base policy | Cannot be less restrictive than org level | Must be compatible with both org and per-user settings |

By checking all three layers, you can identify exactly where guest access is being blocked. The organization-level setting is the base policy and sets the limit: the per-user setting cannot exceed it, and the link type must be compatible with both.

After you update the organization-level setting to allow guests, the per-user setting automatically inherits the change, but existing links created with the People in your organization type remain restricted. Users must re-share the file with a link type that explicitly includes the guest email address.

If your organization uses a domain blocklist in Azure AD, the guest’s email domain must not appear on that list. Verify this in Azure AD > External Identities > External collaboration settings > Collaboration restrictions. Add the domain to the allowed list if necessary.
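
The layered evaluation described above, as an added PowerShell example that is not from the original article or from Microsoft: it takes the organization level, per-user level, link type, guest-invitation setting and domain restrictions as inputs and reports the first layer that would block a guest. `Test-GuestLinkAccess`, its parameters and the sample values are hypothetical; only the level names match the `SharingCapability` values that `Get-SPOTenant` reports.

```powershell
# Added example. Level names are the SharingCapability values that
# Get-SPOTenant reports; the function and all sample values are constructed.
$Rank = @{
    Disabled                        = 0  # Only people in your organization
    ExistingExternalUserSharingOnly = 1  # Existing guests
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}

function Test-GuestLinkAccess {
    param(
        [Parameter(Mandatory)][string]$OrgSharing,       # tenant SharingCapability
        [Parameter(Mandatory)][string]$OneDriveSharing,  # tenant OneDriveSharingCapability
        [Parameter(Mandatory)][ValidateSet('Anyone', 'PeopleInOrg', 'SpecificPeople')][string]$LinkType,
        [Parameter(Mandatory)][string]$GuestEmail,
        [bool]$GuestInDirectory = $false,
        [bool]$AllowNewGuests = $true,     # "Let people add new guests"
        [string[]]$BlockedDomains = @(),
        [string[]]$AllowedDomains = @()    # empty means no allowlist is in force
    )
    function Deny($Layer, $Why) { [pscustomobject]@{ Allowed = $false; Layer = $Layer; Reason = $Why } }
    foreach ($v in $OrgSharing, $OneDriveSharing) {
        if (-not $Rank.ContainsKey($v)) { throw "Unknown sharing level: $v" }
    }
    if ($Rank[$OrgSharing] -eq 0) { return Deny 'Organization' 'External sharing is off for the tenant' }
    # The per-user (OneDrive) level cannot be more permissive than the organization level.
    $effective = [Math]::Min($Rank[$OrgSharing], $Rank[$OneDriveSharing])
    if ($effective -eq 0) { return Deny 'Per-user' 'External sharing is off for OneDrive' }
    if ($LinkType -eq 'PeopleInOrg') { return Deny 'Link type' 'Link works only for tenant accounts' }
    if ($LinkType -eq 'Anyone') {
        if ($effective -lt 3) { return Deny 'Link type' 'Anyone links are not permitted at this level' }
        return [pscustomobject]@{ Allowed = $true; Layer = 'None'; Reason = 'Anyone link is permitted' }
    }
    if (-not $GuestInDirectory) {   # Specific people, guest still has to be invited
        if ($effective -lt 2 -or -not $AllowNewGuests) { return Deny 'Guest invitation' 'New guests cannot be added' }
        $domain = ($GuestEmail -split '@')[-1]
        if ($BlockedDomains -contains $domain) { return Deny 'Collaboration restrictions' "$domain is blocklisted" }
        if ($AllowedDomains.Count -gt 0 -and $AllowedDomains -notcontains $domain) { return Deny 'Collaboration restrictions' "$domain is not allowlisted" }
    }
    # Conditional Access (step 5) is evaluated at sign-in and is not modelled here.
    [pscustomobject]@{ Allowed = $true; Layer = 'None'; Reason = 'No modelled layer blocks this guest' }
}

# Constructed cases: OneDrive stricter than the tenant, then a blocklisted domain.
Test-GuestLinkAccess -OrgSharing ExternalUserSharingOnly -OneDriveSharing Disabled `
    -LinkType SpecificPeople -GuestEmail 'pat@partner.example'
Test-GuestLinkAccess -OrgSharing ExternalUserSharingOnly -OneDriveSharing ExternalUserSharingOnly `
    -LinkType SpecificPeople -GuestEmail 'pat@gmail.com' -BlockedDomains 'gmail.com'
```

The `Layer` field names the setting to revisit, and a guest who needs only named access passes with `ExternalUserSharingOnly` (New and existing guests) without the tenant being opened to Anyone links.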
