OneDrive for Business external sharing links open as access denied for finance teams: Fix Guide

Finance teams in your organization share OneDrive files with external auditors, tax advisors, and vendors. When those external recipients click the sharing link, they see an access denied error instead of the file. This problem typically occurs because the external sharing link type or permissions are restricted by a tenant-wide sharing policy, a site-level sharing setting, or a conditional access policy that blocks external users. This guide explains the three most common causes and provides the exact steps to resolve each one so finance teams can share files successfully with external partners.

Key Takeaways: Fixing Access Denied for External OneDrive Links

  • Microsoft 365 admin center > Settings > Org settings > SharePoint > Sharing: Controls the tenant-wide external sharing level — set to "Anyone" or "New and existing guests" to allow link access.
  • OneDrive admin center > Sharing > External sharing: Per-user sharing level that overrides the tenant setting for specific users such as finance team members.
  • Azure AD > Conditional Access > All policies: Blocks external user sign-in if a policy requires MFA from trusted IPs — exclude the external user scope or set session controls to allow guest access.

Why External Recipients See Access Denied on OneDrive Links

When a finance team member creates a sharing link in OneDrive, the link contains an access token that the recipient must redeem. The token fails during redemption if any of the following conditions are true:

  • The tenant-level external sharing setting is set to "Only people in your organization." This blocks all external link access regardless of the link type.
  • The per-user sharing setting for the finance user is more restrictive than the tenant setting.
  • Conditional Access policies in Azure Active Directory require the external user to meet security conditions they cannot satisfy, such as being on a trusted corporate network or using managed devices.

The access denied error appears immediately after the recipient clicks the link. The recipient does not see a sign-in prompt or a request for a verification code. This behavior distinguishes a policy block from an authentication failure.

Steps to Fix OneDrive External Sharing Access Denied for Finance Teams

Follow the steps in the order listed below. After each change, ask the external recipient to try the link again. If the link still fails, move to the next step.

Step 1: Check and Adjust the Tenant-Level External Sharing Setting

  1. Sign in to the Microsoft 365 admin center
    Go to https://admin.microsoft.com. Use an account with Global Admin or SharePoint Admin role.
  2. Open the SharePoint admin center
    In the left navigation, click Show all and then select SharePoint.
  3. Navigate to the sharing settings
    In the SharePoint admin center, click Policies > Sharing.
  4. Review the external sharing level for OneDrive
    Under External sharing, locate the OneDrive section. The current setting is displayed. For finance teams that share with external auditors and vendors, select Anyone if the files are non-confidential. For confidential files, select New and existing guests. The "Anyone" option creates links that do not require sign-in. The "New and existing guests" option requires the recipient to authenticate with a Microsoft account or a work account.
  5. Save the change
    Click Save. Allow up to 30 minutes for the change to propagate.

Step 2: Verify the Per-User External Sharing Setting for Finance Team Members

  1. Open the OneDrive admin center
    Go to https://admin.onedrive.com and sign in with a SharePoint Admin or Global Admin account.
  2. Select the user
    In the left navigation, click User settings. In the Users list, find the finance team member who created the link. Click the user’s display name.
  3. Check the external sharing setting
    In the user details pane, scroll to External sharing. The value must match or be less restrictive than the tenant setting. If it shows "Only people in your organization," change it to Anyone or New and existing guests to match the tenant setting.
  4. Save the change
    Click Save at the bottom of the pane.

Step 3: Review and Modify Conditional Access Policies That Block External Users

  1. Sign in to the Azure portal
    Go to https://portal.azure.com with a Global Admin, Security Admin, or Conditional Access Admin account.
  2. Open Conditional Access
    In the left navigation, click Azure Active Directory > Security > Conditional Access.
  3. Review each policy
    Click Policies and examine each policy in the list. Look for policies that have All users or Guest or external users in the Users and groups assignment and that require conditions external users cannot meet, such as Require MFA from trusted IPs or Require compliant device.
  4. Edit the policy to exclude external users
    Click the policy name. Under Assignments > Users and groups, select Exclude. Choose Guest or external users. Click Select and then Save.
  5. Alternatively, create a session control policy for external users
    If you want to keep the block for internal users, create a new policy that applies only to Guest or external users and uses session controls such as Use app-enforced restrictions instead of blocking access.
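
The three layers checked in Steps 1 to 3 can also be read in one pass from PowerShell, which shows which layer is the most restrictive before any setting is changed. This is an added example, not part of the original guide: the tenant and OneDrive URLs are placeholders, it assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules are installed, and it reads the per-user setting from the user's OneDrive site.

```powershell
# Added example (read-only): reports the three policy layers from Steps 1-3.
# Assumed: SharePoint Online Management Shell and Microsoft Graph PowerShell are installed.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
$OneDriveUrl = 'https://contoso-my.sharepoint.com/personal/finance_user_contoso_com'  # placeholder

# SharingCapability values ranked from most to least restrictive.
$Rank = @{
    Disabled                        = 0   # "Only people in your organization"
    ExistingExternalUserSharingOnly = 1   # "Existing guests"
    ExternalUserSharingOnly         = 2   # "New and existing guests"
    ExternalUserAndGuestSharing     = 3   # "Anyone"
}

# Steps 1 and 2: tenant-wide levels and the finance user's own OneDrive site.
Connect-SPOService -Url $AdminUrl
$tenant = Get-SPOTenant
$site   = Get-SPOSite -Identity $OneDriveUrl

$layers = @(
    [pscustomobject]@{ Layer = 'Tenant (SharePoint)'; Level = [string]$tenant.SharingCapability }
    [pscustomobject]@{ Layer = 'Tenant (OneDrive)';   Level = [string]$tenant.OneDriveSharingCapability }
    [pscustomobject]@{ Layer = 'User OneDrive site';  Level = [string]$site.SharingCapability }
)
$layers | Format-Table -AutoSize | Out-String

# The lowest-ranked layer is the one that decides whether an external link can be redeemed.
$tightest = $layers | Sort-Object { $Rank[$_.Level] } | Select-Object -First 1
"Most restrictive layer: $($tightest.Layer) = $($tightest.Level)"

# Step 3: enabled Conditional Access policies that apply to guests and do not exclude them.
# Grant controls such as mfa, compliantDevice or block mark the policies to review.
Connect-MgGraph -Scopes 'Policy.Read.All'
Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $u = $_.Conditions.Users
    $targetsGuests  = ($u.IncludeUsers -contains 'All') -or
                      ($u.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                      $u.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes
    $excludesGuests = ($u.ExcludeUsers -contains 'GuestsOrExternalUsers') -or
                      $u.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes
    $_.State -eq 'enabled' -and $targetsGuests -and -not $excludesGuests
} | Select-Object DisplayName,
    @{ Name = 'GrantControls'; Expression = { $_.GrantControls.BuiltInControls -join ', ' } }
```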

If OneDrive External Sharing Links Still Show Access Denied

The link was created before the policy change

Sharing links created before a policy change carry the permissions that were valid at creation time. The finance user must delete the old link and create a new one. Instruct the user to go to the file in OneDrive, click Share, choose the link type, and send the new link to the external recipient.

The recipient is in a domain that is blocked by domain restrictions

In the SharePoint admin center under Policies > Sharing, check Limit external sharing by domain. If the recipient’s email domain is in the blocked list, the link will fail. Add the domain to the allowed list or remove it from the blocked list.

The file is marked as sensitive by a sensitivity label

If the finance team uses Microsoft Purview Information Protection sensitivity labels, a label may have encryption that blocks external access. Open the file’s properties in OneDrive and check the Sensitivity column. If a label with encryption is applied, the finance user must either remove the label or use a label that permits external sharing. This action requires the appropriate rights to change labels.

OneDrive Sharing Link Types vs External Access Requirements

| Item | Anyone link | People in your organization link |
|---|---|---|
| External access | Allowed — no sign-in required | Blocked — external users cannot redeem |
| Authentication | None | Requires Microsoft 365 work or school account |
| Best for finance | Non-confidential files shared with vendors | Internal-only files |
| Expiration | Can be set in link settings | Can be set in link settings |
| Policy override | Blocked if tenant sharing level is "Only people in your organization" | Blocked if tenant sharing level is "Only people in your organization" |

Finance teams should use Anyone links only for files that do not contain confidential data. For files with sensitive financial data, use Specific people links and add the external recipient as a guest user in Azure AD. This approach gives you audit logging and the ability to revoke access per user.

You can now identify and fix the three most common policy causes of access denied errors on external OneDrive links. Start with the tenant-level sharing setting in the SharePoint admin center, then check the per-user setting for the finance team member. If the link still fails, review Conditional Access policies in Azure AD. For ongoing management, create a standard operating procedure for finance teams that includes a checklist of sharing settings to verify before sending links to external recipients.
