When an external guest clicks a sharing link to a file or folder in OneDrive for Business, they see an access denied page instead of the content. This error usually occurs because of incorrect sharing link permissions, tenant-level external sharing restrictions, or expired link settings. This article explains the root causes of the access denied error and provides step-by-step troubleshooting steps to resolve it.
Key Takeaways: Fixing Access Denied for External Guests on OneDrive Sharing Links
- Sharing link type (Anyone vs Specific people): Only links set to “Anyone” allow anonymous access; “Specific people” links require the guest to sign in with a Microsoft account or organization account.
- Microsoft 365 admin center > Settings > Org settings > Sharing > OneDrive: Controls tenant-wide external sharing permissions, domain allowlists and blocklists, and link expiration defaults.
- OneDrive sync client > Settings > Account > Manage storage: Verifies that the file or folder exists and is synced to the cloud, not just a local placeholder.
Why External Guests See Access Denied on OneDrive Sharing Links
The access denied error occurs when the external guest does not meet the conditions required by the sharing link or the tenant-level sharing policy. OneDrive sharing links have three permission levels: Anyone, People in your organization, and Specific people. An “Anyone” link does not require the recipient to sign in. A “Specific people” link requires the recipient to authenticate with a Microsoft account or an Azure AD guest account. If the link was created with the “Specific people” option but the guest does not have a matching account, or if the guest’s account is blocked by a domain rule, access is denied.
Tenant-wide settings in the Microsoft 365 admin center can also block external sharing entirely or restrict it to specific domains. Additionally, the sharing link may have expired, or the file may have been moved or deleted after the link was created. Understanding these factors is necessary to diagnose and fix the error.
Step-by-Step Troubleshooting for Access Denied on External Sharing Links
Method 1: Verify the Sharing Link Type and Permissions
The most common cause is using a link that requires sign-in when the guest cannot sign in. Check the link settings in OneDrive.
- Open the file or folder in OneDrive on the web
Go to onedrive.com and sign in with your work or school account. Locate the item that is shared. - Click the Share button
In the toolbar at the top, click the Share icon. The Share dialog opens. - Review the current link settings
Click the gear icon next to the link to open Link settings. Check the permission type: Anyone, People in your organization, or Specific people. - If the link is set to Specific people, change it to Anyone
Select “Anyone” to allow anonymous access. Click Apply. Copy the new link and send it to the guest.
Method 2: Check Tenant-Level External Sharing Settings
Your organization may have turned off external sharing or restricted it to certain domains. Verify in the Microsoft 365 admin center.
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with your administrator account. - Go to Settings > Org settings > Sharing
In the left navigation, expand Settings and select Org settings. Then click the Sharing tab. - Select OneDrive
Under the Sharing section, click OneDrive. The OneDrive sharing settings page opens. - Verify the external sharing level
Check that the external sharing option is set to “Anyone” or “New and existing guests” depending on your policy. If it is set to “Only people in your organization,” change it to allow external sharing. - Check domain allowlists and blocklists
Scroll down to Advanced settings for external sharing. If a domain allowlist is enabled, the guest’s email domain must be on the list. Add the domain if needed.
Method 3: Verify the Guest Account Exists and Is Active
If the link requires sign-in, the guest must have an Azure AD guest account that is not blocked.
- Sign in to the Azure portal
Go to portal.azure.com and sign in with your administrator account. - Go to Azure Active Directory > Users
In the left navigation, select Azure Active Directory, then Users. - Search for the guest user
Type the guest’s email address in the search box. If the user appears, check the User type column. It should say “Guest.” If the user does not appear, the guest has not been invited as a guest. The sharing link alone does not create a guest account. - Check the guest account status
Click the user name. In the user profile, check that Sign-in is allowed. If it is blocked, click Edit and set Sign-in to Allowed.
Method 4: Check Link Expiration and File Location
Sharing links can have expiration dates, and the file may have been moved or deleted.
- Open the file or folder in OneDrive on the web
Go to onedrive.com and sign in. - Click the Share button
Click the Share icon for the item. - Click the gear icon next to the link
In Link settings, check the Expiration date field. If a date is set, the link will stop working after that date. Remove the expiration or set a future date. - Verify the file or folder still exists
Navigate to the original location of the item. If it has been moved or deleted, the link will show access denied. Restore the item from the Recycle bin if needed.
If External Guests Still See Access Denied
The Guest Is Using a Personal Email and the Link Requires a Work or School Account
When a sharing link is set to “Specific people” and the guest uses a personal email like gmail.com or outlook.com, they must sign in with a Microsoft account. If the guest does not have a Microsoft account, they cannot access the file. The fix is to change the link to “Anyone” or invite the guest using their work email if they have one.
The Guest Receives a Blank Page or Infinite Redirect Loop
This usually indicates a browser cache or cookie issue. Ask the guest to clear their browser cache and cookies, or try opening the link in a private browsing window. If the problem persists, the guest may be blocked by a conditional access policy that requires device compliance or multi-factor authentication.
The Link Works for One Guest but Not for Another
If the link is set to “Specific people” and only certain recipients are listed, other guests will see access denied. The sender must add each guest individually in the Share dialog. Alternatively, use an “Anyone” link to allow all recipients without listing them.
Sharing Link Types vs Guest Access Requirements
| Item | Anyone link | Specific people link |
|---|---|---|
| Sign-in required | No | Yes |
| Guest account needed | No | Yes, Azure AD guest or Microsoft account |
| Link expiration | Can be set | Can be set |
| Domain restrictions apply | Yes, tenant-level blocklist applies | Yes, tenant-level blocklist applies |
| File moved or deleted | Link breaks | Link breaks |
When an external guest sees access denied, the first check should be the link type. An Anyone link bypasses most authentication requirements. A Specific people link requires the guest to sign in with an account that has been granted access. If the tenant policy blocks external sharing to certain domains, the link will fail regardless of the link type.
Now you can diagnose and fix access denied errors for external guests on OneDrive sharing links. Start by checking the link type and the tenant-level sharing settings. If the issue persists, verify the guest account status and link expiration. For ongoing management, consider setting a default link type of Anyone with an expiration date to avoid repeated access denied complaints.