When an external guest clicks a OneDrive for Business sharing link, they may see an access denied page instead of the file or folder. This prevents collaboration with clients, partners, or vendors who need temporary access to specific content. The problem occurs when sharing settings, link permissions, or guest authentication requirements block the user. This article explains the root causes and provides step-by-step fixes for administrators and end users.
Key Takeaways: Fixing External Sharing Access Denied in OneDrive
- Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing: Controls tenant-wide external sharing policy and link expiration defaults.
- OneDrive admin center > Sharing: Per-site external sharing settings override tenant defaults for individual user OneDrive libraries.
- Sharing link > Link settings > Specific people: Requires guests to sign in with a Microsoft account or be added as guests in Azure AD.
Why External Guests See Access Denied on OneDrive Sharing Links
The access denied error occurs because the guest does not meet one or more authentication or authorization requirements enforced by the sharing link or the tenant configuration. OneDrive for Business sharing links can be configured to require sign-in, restrict access to specific people, or block anonymous access entirely at the tenant level. If the link was created with the Specific people option, the guest must be added as an external user in Azure Active Directory and sign in with a Microsoft account or work account. If the link uses Anyone with the link but the tenant blocks anonymous sharing, guests see access denied. Additionally, if the guest account is expired, blocked, or removed from Azure AD, the link will not grant access.
Tenant-Level Sharing Restrictions
Microsoft 365 administrators can set external sharing policies that apply to all SharePoint and OneDrive sites. These policies can block sharing with new external users, restrict sharing to authenticated guests only, or set link expiration and password requirements. If the tenant policy is set to Only people in your organization or Existing guests, new external users cannot access shared content even if the link type is Anyone.
Link Permission Scope
The person who created the sharing link chose a permission scope: Anyone, People in your organization, Specific people, or People with existing access. If the link was set to Specific people and the guest was not individually added, the guest will receive access denied. If the link was set to People in your organization, external guests cannot use the link at all.
Steps to Fix Access Denied for External Guests on OneDrive Links
Method 1: Check Tenant External Sharing Policy
- Sign in to the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in as a Global or SharePoint administrator. - Navigate to SharePoint settings
Select Settings > Org settings > SharePoint. - Open the external sharing policy
Click External sharing. Verify the tenant-level sharing setting is not set to Only people in your organization. For external guests to access links, the setting must be Anyone or New and existing guests. - Save changes if needed
If you changed the setting, click Save. Wait up to 24 hours for the change to propagate.
Method 2: Verify OneDrive Site Sharing Settings
- Go to the OneDrive admin center
Navigate to https://admin.onedrive.com and sign in as a SharePoint or Global administrator. - Select Sharing in the left menu
Click Sharing under the OneDrive settings section. - Check the external sharing option
Ensure External sharing is set to Anyone or New and existing guests. If it is set to Only people in your organization, change it to a less restrictive option. - Review link expiration and password requirements
If Anyone links must expire in this many days is enabled, the link may have expired. If Anyone links must be password-protected is enabled, the link creator must set a password and share it separately.
Method 3: Recreate the Sharing Link with Correct Permissions
- Open OneDrive in a browser
Go to https://onedrive.live.com and sign in with the account that owns the file or folder. - Locate the shared item
Navigate to the file or folder that is showing access denied for the guest. - Open the Share dialog
Right-click the item and select Share. Alternatively, click the item and select Share from the toolbar. - Select the correct link type
Click Anyone with the link for anonymous access. If you require sign-in, select Specific people and type the guest email address in the field. Click Apply. - Copy and send the new link
Click Copy and send the link to the guest. If you chose Anyone, no sign-in is required. If you chose Specific people, the guest must sign in with a Microsoft account that matches the email you entered.
Method 4: Add the Guest to Azure AD as an External User
- Sign in to the Azure portal
Go to https://portal.azure.com and sign in as a Global administrator or User administrator. - Navigate to Azure Active Directory
Select Azure Active Directory from the left menu. - Open External Identities
Click External Identities > All users. - Add a new guest user
Click New guest user. Enter the guest email address and a display name. Optionally include a welcome message. Click Invite. - Wait for the guest to accept the invitation
The guest receives an email with an invitation link. They must accept the invitation before they can access the shared content. After acceptance, the guest appears in the Azure AD user list with a User type of Guest.
If External Guests Still Get Access Denied After the Main Fix
The guest account is blocked or expired
An external guest account can be blocked by an administrator or automatically expire after 30 days of inactivity if the tenant has a guest access review policy. To check, go to Azure Active Directory > Users and search for the guest. Verify the Block sign-in setting is No. If the account is blocked, unblock it and ask the guest to sign in again.
The link was created with a different account than the file owner
If a user shared a file from their OneDrive but the file resides in a shared library or a folder that is shared separately, the link may point to the parent folder permissions instead of the file. Ask the file owner to verify they are sharing the correct file. If the file is in a shared library, the library owner must grant the guest access at the library level.
The guest is using the wrong Microsoft account
When a guest signs in to access a Specific people link, they must use the exact email address that was entered in the Share dialog. If they have multiple Microsoft accounts, they may accidentally sign in with the wrong one. Ask the guest to sign out, clear browser cache, and sign in with the email address that received the invitation.
Anyone Link vs Specific People Link: Key Differences for External Guests
| Item | Anyone with the link | Specific people |
|---|---|---|
| Guest sign-in required | No | Yes, with a Microsoft account or work account |
| Azure AD guest account needed | No | Yes, the guest must be invited and accept |
| Tenant policy must allow | Anyone sharing enabled at tenant and site level | New and existing guests or Anyone |
| Link expiration | Optional, set by tenant admin | No expiration by default |
| Password protection | Optional, set by tenant admin or link creator | Not available |
If your external guests are blocked, first check the tenant and site sharing policies. Then verify the link type and recreate it if necessary. Add the guest to Azure AD when using Specific people links. These steps resolve the majority of access denied errors for external guests in OneDrive for Business.