External sharing links for OneDrive files open as access denied for legal review teams. This error occurs when the link recipient is outside your organization and OneDrive’s sharing policy blocks guest access. The link itself may be valid, but the user sees a permission error page instead of the document.
This problem typically stems from one of three root causes: tenant-level sharing restrictions, site-level sharing settings that override the tenant policy, or a missing guest user account in Azure Active Directory. Legal reviewers often need to access files without signing in, so anonymous links are the preferred method. However, many organizations disable anonymous links for security reasons, which creates this access denied error.
This article explains how to diagnose and fix the access denied error for external sharing links in OneDrive. You will learn where to check tenant and site sharing settings, how to enable anonymous links for legal reviews, and what to do when reviewers still cannot open the file. A checklist at the end helps you verify all settings in the correct order.
Key Takeaways: Diagnosing Access Denied on OneDrive External Sharing Links
- Microsoft 365 admin center > SharePoint > Policies > Sharing: Controls the tenant-wide external sharing policy. Set to “Anyone” to allow anonymous links for legal reviews.
- OneDrive admin center > Sharing: Sets the default link type and expiration for OneDrive sites. Override this per site if needed.
- SharePoint admin center > Active sites > site > Settings: Site-level sharing settings can block anonymous access even when the tenant allows it.
Why External Sharing Links Show Access Denied for Legal Reviewers
When a legal reviewer clicks a OneDrive sharing link and sees access denied, the cause is almost always a sharing policy restriction. OneDrive uses three layers of sharing settings that must all permit the link type. If any layer blocks anonymous access, the link fails.
The three layers are:
- Tenant-level sharing policy: Set in the SharePoint admin center. This is the master switch. Options are: Anyone, New and existing guests, Existing guests, and Only people in your organization.
- Site-level sharing policy: Set per OneDrive site in the SharePoint admin center. This can be more restrictive than the tenant policy but cannot be less restrictive.
- Link-level permissions: Set when the link is created. The link type can be Anyone, People in your organization, People with existing access, or Specific people.
For legal reviews, the link must be an “Anyone” link. This type does not require the recipient to sign in. If the tenant or site policy blocks “Anyone” links, the reviewer sees access denied. Even if the link type is set to “Specific people,” the reviewer must have a guest account in Azure AD. Legal teams often do not have guest accounts, so that link type also fails.
Anonymous Links vs Guest Access
Anonymous links do not require authentication. The recipient clicks the link and views the file directly. Guest access requires the recipient to sign in with a Microsoft account or a work account that is invited as a guest. Legal reviewers are rarely set up as guests because their access is temporary. Therefore, the correct solution is to use anonymous links for legal reviews.
If your organization blocks anonymous links for security reasons, you can create a separate sharing policy for a specific OneDrive site used only for legal reviews. This keeps the tenant policy restrictive while allowing anonymous access for that one site.
Checklist: Step-by-Step Fix for Access Denied on External Sharing Links
Follow these steps in order. Each step addresses one of the three layers. After each change, test the link again before moving to the next step.
- Check the tenant-level sharing policy
Go to the Microsoft 365 admin center. Select SharePoint from the left navigation. In the SharePoint admin center, select Policies then Sharing. Under External sharing, look at the slider for OneDrive. If it is set to anything other than Anyone, anonymous links are blocked. Change it to Anyone if your security policy allows it. If you cannot change it, proceed to the next step to use a site-level override. - Check the site-level sharing policy for the specific OneDrive site
In the SharePoint admin center, select Active sites. Find the OneDrive site that contains the file. The site URL looks likehttps://yourtenant-my.sharepoint.com/personal/username. Select the site, then select Settings. Scroll to External sharing. The default is New and existing guests. Change it to Anyone if the tenant policy allows it. If the tenant policy is Anyone, this setting can also be Anyone. - Recreate the sharing link with the Anyone link type
Go to the OneDrive site where the file is stored. Select the file and choose Share. In the sharing dialog, select the link type dropdown. Choose Anyone with the link. Set an expiration date if your policy requires it. Copy the new link and send it to the legal reviewer. Test the link in a private browser window to confirm it works. - If the reviewer still sees access denied, check the file permissions
Open the file in OneDrive. Select Manage access. If the file has unique permissions that override the site sharing settings, you may need to remove those permissions. Select Advanced settings to see inherited permissions. If the file is in a folder with unique permissions, reset inheritance by selecting Delete unique permissions. This restores the site-level sharing settings. - If all settings are correct but the link still fails, check the Azure AD guest invite settings
Go to the Azure portal. Select Azure Active Directory then External Identities then External collaboration settings. Ensure Guest invite settings is set to Anyone in the organization can invite guest users including guests and non-admins. If this is set to No one in the organization can invite guest users including admins, then even admins cannot create guest accounts. This setting does not affect anonymous links, but if you are using Specific people links, it blocks the invite.
If OneDrive Still Blocks External Sharing Links After the Main Fix
Some issues persist even after you correct the tenant and site policies. The following scenarios cover the most common edge cases.
OneDrive Shows Access Denied for a Link That Worked Yesterday
This usually means the link expired. Check the link expiration date. In OneDrive, select the file and choose Manage access. Find the link and look at its expiration. If it expired, create a new link with a longer expiration. Also check if the file was moved or renamed. If the file is in a different location, the old link breaks.
The Legal Reviewer Is Already a Guest but Still Gets Access Denied
If the reviewer is a guest user in your tenant, the link type must be set to Specific people and include the guest email address. If the link is an Anyone link, it should work without signing in. However, if the guest account is disabled or blocked, the link may fail. Check the guest account status in Azure Active Directory. Go to Azure AD > Users, find the guest user, and ensure the account is enabled.
OneDrive File Is in a Shared Library with Custom Permissions
If the file is in a document library that has custom permissions, the library settings override the site sharing settings. Go to the library settings, select Permissions for this document library, and check if inheritance is broken. If it is, reset inheritance by selecting Delete unique permissions. Then apply the site-level sharing policy.
Anonymous Links vs Guest Access for Legal Reviews: Key Differences
| Item | Anonymous Link (Anyone) | Guest Access (Specific People) |
|---|---|---|
| Authentication required | No | Yes — sign-in with Microsoft or work account |
| Link expiration | Optional — set expiration date | No expiration, but guest account can be disabled |
| User setup | No setup needed | Guest account must be created in Azure AD |
| File access logging | Anonymous — no user identity | Logged per guest user |
| Security risk | Higher — anyone with link can access | Lower — only invited users can access |
| Best for legal reviews | Short-term, ad-hoc reviews | Ongoing reviews with known reviewers |
Anonymous links are the simplest method for legal reviews because they require no user setup. Guest access provides better audit trails but requires Azure AD guest accounts. Choose anonymous links when the review team is small and the documents are low-risk. Choose guest access when the review involves sensitive data that requires tracking who viewed each file.
After applying the fixes in this checklist, legal reviewers should be able to open OneDrive sharing links without seeing access denied. Always test the link in a private browser window to confirm it works from an external perspective. For ongoing legal reviews, consider creating a dedicated OneDrive site with the sharing policy set to Anyone and a short link expiration. This keeps the rest of your tenant secure while allowing temporary external access.