When a contractor’s employment ends, you remove their Microsoft 365 user account or disable their access. After that step, any external sharing links that the contractor created or owned will display an access denied error when clicked by recipients. This happens because the link’s owner account no longer exists or is disabled, breaking the sharing permission chain. This article explains why the access denied error occurs, how to recover or replace the broken links, and what to do if external recipients still cannot open shared files after the contractor is offboarded.
Key Takeaways: Contractor Offboarding and Broken OneDrive Sharing Links
- OneDrive admin center > Sharing > External sharing: Controls tenant-wide sharing policies that determine whether external links work after an owner is removed.
- Microsoft 365 admin center > Users > Active users > Delete user: Deleting a user account permanently breaks all sharing links owned by that user.
- OneDrive admin center > User profiles > Restore deleted OneDrive: Restores a deleted user’s OneDrive for up to 30 days, which can temporarily re-enable broken links for data recovery.
Why OneDrive External Sharing Links Show Access Denied After Contractor Offboarding
When a contractor creates an external sharing link in OneDrive, the link is tied to that user’s identity and permissions. OneDrive checks the link owner’s account status every time a recipient clicks the link. If the contractor’s account is disabled or deleted, the permission check fails because the owner no longer exists in Microsoft Entra ID. The result is an access denied error for anyone who tries to open the file using that link.
This behavior is by design. Microsoft 365 treats deleted or disabled accounts as invalid security principals. The system cannot verify whether the link was valid at the time of creation because the owner is gone. As a result, all links owned by that user become unreachable, regardless of the sharing permission level set originally.
What Happens to Different Link Types
The exact behavior depends on the link type:
- Anyone links: These links do not require authentication, but they still depend on the owner account for permission evaluation. After the owner is removed, the link breaks and shows access denied.
- People in your organization links: These links require the recipient to sign in with a Microsoft 365 account in the same tenant. After the owner is removed, the link breaks because the tenant no longer has a valid owner to authorize the request.
- Specific people links: These links are tied to individual recipients. After the owner is removed, the link breaks because the permission grant cannot be validated.
Steps to Fix Access Denied Errors on OneDrive External Sharing Links After Contractor Offboarding
The main fix is to replace the broken links by having a new owner share the same files with the original recipients. Follow these steps in order.
- Identify all files shared by the offboarded contractor
Sign in to the Microsoft 365 admin center as a global admin or SharePoint admin. Go to Users > Active users and select the deleted contractor’s account. If the account is already deleted, go to Deleted users and select the account. Click OneDrive in the left navigation. This shows a list of files the user had shared externally. Note the file names and paths. If the account is permanently deleted, use the Microsoft 365 audit log to find sharing activity for that user. - Restore the contractor’s OneDrive temporarily
In the Microsoft 365 admin center, go to Users > Deleted users and restore the contractor’s account if it was deleted within the last 30 days. Alternatively, a SharePoint admin can restore the OneDrive site directly: go to the SharePoint admin center, select Sites > Deleted sites, find the contractor’s OneDrive site, and click Restore. This brings back the files and the sharing links for up to 30 days from deletion. - Copy or move the files to a new location
After restoring the OneDrive, sign in as the restored contractor or as a global admin with access. Navigate to the shared files. Select all files that had external sharing links and choose Copy to or Move to. Move them to a shared location such as a SharePoint document library or a different OneDrive folder owned by an active employee. This preserves the files in a location where a new owner can share them. - Create new external sharing links from the new location
Have the new owner (an active employee) share each file with the original external recipients. Use the same sharing level that the contractor used: Anyone, People in your organization, or Specific people. Send the new links to the recipients via email. Ask recipients to update their bookmarks. - Notify external recipients of the new links
Send an email to all external recipients who were using the old links. Include the new links and a brief explanation that the previous owner is no longer with the company. Provide a deadline by which the old links will stop working permanently.
If OneDrive Still Shows Access Denied After Following the Main Fix
External sharing is blocked at the tenant level
If your organization has disabled external sharing for OneDrive, no new external links can be created. Go to the Microsoft 365 admin center, then Settings > Org settings > Security & privacy > Sharing. Check the external sharing policy for OneDrive. If it is set to Only people in your organization, you must change it to Allow external sharing for specific domains or Anyone to create new links for external recipients.
The contractor’s OneDrive was permanently deleted
If the contractor’s account was permanently deleted more than 30 days ago, the OneDrive site cannot be restored. In this case, you cannot recover the original files through OneDrive. Check if the files were backed up elsewhere, such as in Microsoft 365 retention policies, eDiscovery cases, or a third-party backup solution. If no backup exists, you must ask the external recipients whether they saved local copies of the files.
External recipients cannot sign in with a Microsoft account
For Specific people links, the recipient must sign in with a Microsoft account or a Microsoft 365 work or school account. If the recipient uses a different email provider, the link will fail. In this case, use an Anyone link instead, but be aware that Anyone links do not require authentication and may pose a security risk. Review your organization’s data loss prevention policies before using Anyone links.
OneDrive External Sharing Link Types After Owner Removal: Key Differences
| Item | Anyone links | Specific people links |
|---|---|---|
| Authentication required | No | Yes, Microsoft account or work/school account |
| Link breaks after owner deleted | Yes | Yes |
| Can be recreated by new owner | Yes | Yes, but must specify recipients again |
| Security risk | Higher — anyone with the link can access | Lower — only specified recipients can access |
| Best for contractor offboarding | Not recommended for sensitive data | Recommended if recipients have Microsoft accounts |
Now you can identify why OneDrive external sharing links break after contractor offboarding and restore access by recreating links from an active owner. Before offboarding any contractor, plan to transfer ownership of shared files to an active employee. Use the Microsoft 365 admin center to restore a deleted OneDrive within 30 days as a safety net. For long-term access, move shared files to a SharePoint document library where sharing links are owned by the site collection administrator rather than an individual user.