OneDrive Admin Checklist: external sharing links open as access denied for external guests

When an external guest clicks a sharing link from OneDrive and sees an access denied page instead of the file, the sharing workflow breaks. This symptom occurs when one or more tenant-level settings block the guest from reaching the shared content. The error can appear even if the link was created correctly by the internal user. This article walks through the complete admin checklist to identify and fix the setting that is causing the denial.

Key Takeaways: Restoring External Guest Access to OneDrive Links

  • Microsoft 365 admin center > Settings > Org settings > Sharing: Controls external sharing for SharePoint and OneDrive at the tenant level.
  • SharePoint admin center > Policies > Sharing: Sets sharing links default type, expiration, and permission level for external guests.
  • Azure AD > External Identities > External collaboration settings: Manages guest invite restrictions and domain allow or block lists.


Why External Guests See Access Denied on OneDrive Sharing Links

OneDrive sharing links rely on a chain of permissions. When an internal user shares a file with a guest, SharePoint Online generates a unique token embedded in the link. The guest must authenticate with a Microsoft account or a work or school account. If the tenant has restricted external sharing at any of three layers – tenant sharing settings, site-level sharing settings, or Azure AD external collaboration settings – the token validation fails and the guest sees access denied. Common root causes include the tenant being set to Only people in your organization, a domain allow list that does not include the guest’s email domain, or a sharing link created with the Specific people option to which the guest was not explicitly added.

Complete Admin Checklist for External Sharing Link Access Denied

Use the following checklist in order. Each step targets one potential block. Do not skip steps because a later setting can override an earlier one.

  1. Verify the tenant-level external sharing setting
    Go to the Microsoft 365 admin center. Select Settings > Org settings > Sharing. Under External sharing, confirm that the slider is set to Allow users to share with external users and use external links. If it is set to Only people in your organization, external guests will always see access denied. Change the slider and click Save.
  2. Check the OneDrive site-level sharing setting
    In the SharePoint admin center, go to Active sites and select the URL for the OneDrive site that contains the shared file. On the site details panel, click the Sharing tab. Under External sharing, confirm that the option is set to Anyone or New and existing external users. If it is set to Only people in your organization, change it to New and existing external users and click Save.
  3. Review sharing link default settings
    In the SharePoint admin center, select Policies > Sharing. Under File and folder links, verify that the default link type is not set to Only people in your organization. If it is, external guests will be denied even when the user manually selects a specific guest. Set the default to Anyone with the link or Specific people depending on your organization’s security needs. Also check the Expiration and Allow edit permission settings as needed.
  4. Check Azure AD external collaboration settings
    Go to the Azure Active Directory admin center. Select External Identities > External collaboration settings. Under Guest invite settings, ensure that Anyone in the organization can invite guest users including guests and non-admins is selected. If the setting is restricted to only admins, non-admin users cannot send invitations that will work. Also check the Collaboration restrictions section. If Allow invitations only to the specified domains is selected, the guest’s email domain must be in the allow list. If Deny invitations to the specified domains is selected, the guest’s domain must not be in the block list.
  5. Verify the guest user account status in Azure AD
    In the Azure AD admin center, go to Users > All users. Find the guest user by email address. Check that the account is not disabled and that the Sign-in status is Allowed. If the account is disabled or blocked, the guest will see access denied. Re-enable the account or re-invite the guest from the file sharing dialog in OneDrive.
  6. Check the sharing link itself
    Ask the internal user to recreate the sharing link. In OneDrive, right-click the file and select Share. In the sharing dialog, click the link settings gear icon. Confirm that the link type is Anyone with the link or Specific people. If Specific people is selected, verify that the guest’s email address is in the list. Click Apply and then Send. Test the new link.
  7. Examine SharePoint Online sharing policies for guest access
    In the SharePoint admin center, go to Policies > Sharing. Under External sharing, confirm that Allow external users to access content from people in your organization is checked. Also confirm that Allow external users to share content they have access to is set as desired. If the latter is unchecked, guests cannot reshare the link, but they should still be able to access the original link.
  8. Test with a different external email domain
    If the checklist does not reveal the block, test the link with a guest from a different domain, such as a personal Gmail or Outlook.com account. If that guest can access the file, the problem is specific to the original guest’s domain. Review the domain allow or block lists in Azure AD and the SharePoint sharing policies.
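
The settings behind steps 1, 2, 3, 5 and 8 can also be evaluated together from exported values, which makes the blocking layer visible in one pass. The PowerShell below is an added example, not part of the original article: the function name Test-GuestSharingPath and the sample objects are constructed, and the property names are assumed to match the output of Get-SPOTenant, Get-SPOSite and Get-MgUser.

```powershell
# Added example. Sample objects are constructed so the script runs offline;
# in a live session pass Get-SPOTenant, Get-SPOSite -Identity <OneDrive URL>,
# and Get-MgUser -UserId <id> -Property AccountEnabled instead.
function Test-GuestSharingPath {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] $Site,
        [Parameter(Mandatory)] $GuestUser,
        [Parameter(Mandatory)] [string] $GuestEmail
    )
    $domain   = ($GuestEmail -split '@')[-1].ToLowerInvariant()
    $findings = [System.Collections.Generic.List[string]]::new()

    # Steps 1-2: 'Disabled' is the API value for "Only people in your organization".
    if ($Tenant.SharingCapability -eq 'Disabled') { $findings.Add('Step 1: tenant external sharing is Disabled') }
    if ($Site.SharingCapability -eq 'Disabled')   { $findings.Add('Step 2: OneDrive site external sharing is Disabled') }

    # Step 3: 'Internal' means new links default to internal only.
    if ($Tenant.DefaultSharingLinkType -eq 'Internal') { $findings.Add('Step 3: new links default to internal only') }

    # Step 5: a disabled guest account is denied regardless of sharing settings.
    if ($GuestUser.AccountEnabled -eq $false) { $findings.Add('Step 5: guest account is disabled') }

    # Step 8: SharePoint stores its domain lists as one space-separated string.
    $toList  = { param($s) @("$s".ToLowerInvariant() -split '\s+' | Where-Object { $_ }) }
    $allowed = & $toList $Tenant.SharingAllowedDomainList
    $blocked = & $toList $Tenant.SharingBlockedDomainList
    switch ("$($Tenant.SharingDomainRestrictionMode)") {
        'AllowList' { if ($allowed -notcontains $domain) { $findings.Add("Step 8: $domain is not in the allow list") } }
        'BlockList' { if ($blocked -contains $domain)    { $findings.Add("Step 8: $domain is in the block list") } }
    }

    [pscustomobject]@{ Guest = $GuestEmail; Blocked = ($findings.Count -gt 0); Findings = $findings }
}

# Constructed sample: sharing is on at the tenant, off on the site, with an allow list.
$tenant = [pscustomobject]@{
    SharingCapability            = 'ExternalUserSharingOnly'
    DefaultSharingLinkType       = 'Direct'
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'partner.example supplier.example'
}
$site  = [pscustomobject]@{ SharingCapability = 'Disabled' }
$guest = [pscustomobject]@{ AccountEnabled = $true }

(Test-GuestSharingPath -Tenant $tenant -Site $site -GuestUser $guest -GuestEmail 'alex@vendor.example').Findings
```

The Azure AD collaboration restrictions from step 4 and the link recipients from step 6 are not covered here and still need to be checked as described above.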


If External Guests Still See Access Denied After the Checklist

If the problem persists, additional factors can block access. Check the following scenarios.

The guest account is from a domain that is blocked by Azure AD tenant restrictions

Azure AD tenant restrictions can block sign-ins from certain domains at the network level. This is a separate setting from the collaboration restrictions. Go to Azure AD > Conditional Access > Policies. Look for a policy that applies to external users and blocks access. If such a policy exists, the guest will see access denied regardless of sharing settings. Work with your security team to create an exception for the guest’s domain.

The file is in a OneDrive that has unique permissions

If the internal user has set unique permissions on the file or folder, those permissions can override the sharing link. Ask the user to check the file’s permissions by right-clicking the file in OneDrive, selecting Manage access, and verifying that the guest is listed. If the guest is not listed, add them directly. Then recreate the sharing link.

The guest is trying to access a link that has expired

If the tenant has a default link expiration policy set, the link may have expired. The guest will see access denied even if the link was valid at the time of creation. Ask the internal user to create a new link and ensure the expiration date is in the future. The user can also change the link to Never expire if the policy allows it.

| Setting | Location in Admin Center | Effect on External Guests |
|---|---|---|
| Tenant external sharing | Microsoft 365 admin center > Settings > Org settings > Sharing | If set to Only people in your organization, all external guests are denied |
| OneDrive site sharing | SharePoint admin center > Active sites > select site > Sharing tab | If set to Only people in your organization, guests cannot access that OneDrive |
| Default link type | SharePoint admin center > Policies > Sharing | If set to Only people in your organization, new links default to internal only |
| Azure AD guest invite settings | Azure AD > External Identities > External collaboration settings | Restricts who can invite guests and which domains are allowed or blocked |
| Guest account status | Azure AD > Users > select guest user | Disabled or blocked accounts show access denied |
| Sharing link type | OneDrive share dialog > link settings | Specific people link must include the guest’s email address |

After completing the checklist, external guests should be able to access shared links from OneDrive. Test the link with a private browser window or a different Microsoft account to confirm the fix. For ongoing management, consider setting up a review policy in the SharePoint admin center to audit sharing links and external user access on a regular schedule. If the issue returns, recheck the Azure AD collaboration restrictions first because those settings change less frequently and are often the root cause of intermittent failures.
