When a contractor leaves your organization, you often need to transfer their files or retain access for a short period. However, after you disable their account or remove their license, shared links to files in their OneDrive may start showing an access denied error for external recipients. This happens because the sharing link relies on the original owner’s identity and account state. This article explains why the access denied error occurs during contractor offboarding and provides a step-by-step checklist to prevent or fix it. You will learn the exact admin settings to check, how to transfer OneDrive ownership, and how to re-share files so external links continue working.
Key Takeaways: OneDrive Admin Checklist for Contractor Offboarding
- Microsoft 365 admin center > Users > Active users > Select user > Block sign-in: Blocking sign-in immediately breaks all existing sharing links from that user.
- OneDrive admin center > User > Access > Transfer files: Transfers all files to another user so sharing links based on the new owner remain valid.
- SharePoint admin center > Sharing > External sharing: Tenant-level setting must allow sharing with external users for links to work after transfer.
Why External Sharing Links Show Access Denied After Contractor Offboarding
When a user creates an external sharing link in OneDrive, the link is tied to that user’s identity and permissions. The link contains a token that references the original owner. If the owner’s account is disabled, deleted, or has its license removed, the token becomes invalid. The external recipient then receives an access denied error because the system can no longer verify the link’s validity.
Additionally, if you remove the contractor from Azure Active Directory or block their sign-in, all sharing links associated with that user stop working immediately. This is by design for security, but it can cause disruption if you intended to keep files accessible for a transition period.
The most common offboarding actions that trigger this issue are:
- Blocking sign-in for the contractor’s account
- Removing the Microsoft 365 license assigned to the contractor
- Deleting the contractor’s user object from Azure AD
- Changing the contractor’s password without notifying the system
Each of these actions invalidates the existing sharing links. The only way to restore access is to transfer ownership of the files and re-share them from a new owner account.
Admin Checklist to Prevent Access Denied on External Sharing Links
Use the following ordered checklist before you disable or delete a contractor’s account. This ensures external recipients retain access to shared files.
- Identify all external sharing links from the contractor’s OneDrive
Go to the Microsoft 365 admin center > Users > Active users. Select the contractor’s account, then click OneDrive. Under Access, click View sharing links. This lists all external links created by this user. Note the file paths and recipients. - Transfer OneDrive files to another user
In the same OneDrive section, click Transfer files. Enter the email address of the user who will take over the files. Choose whether to notify the new owner. Click Start transfer. The transfer process can take from a few minutes to several hours depending on file volume. - Re-share the transferred files with external recipients
After the transfer completes, the new owner can re-share the files. Log in as the new owner, navigate to the transferred files, and create new sharing links. Send these new links to the original external recipients. The old links will no longer work. - Verify tenant-level external sharing settings
Go to SharePoint admin center > Policies > Sharing. Under External sharing, ensure that the setting for OneDrive is set to Anyone or New and existing guests depending on your security requirements. If set to Only people in your organization, external links will never work. - Block sign-in only after confirming links are re-created
Only block the contractor’s sign-in after you have transferred files and the new owner has re-shared all necessary links. This prevents any window where external recipients lose access. - Remove the license last
If you must remove the license, do so after all file transfers and re-sharing are complete. Removing the license reduces the OneDrive storage quota to 1 GB, which may cause files to become inaccessible if the quota is exceeded.
If External Sharing Links Already Show Access Denied
If the contractor’s account is already blocked or deleted, follow these steps to restore access for external recipients.
- Restore the contractor’s user account
In the Microsoft 365 admin center > Users > Deleted users, find the contractor’s account. Select it and click Restore user. This brings back the user object and their OneDrive data. The account will be in a disabled state. - Re-enable sign-in temporarily
Go to Active users, select the restored contractor account, and click Unblock sign-in. This makes the account active again so sharing links can be accessed. - Transfer files to another user
Follow the transfer steps from the checklist above. After the transfer, the new owner can re-share the files. - Delete the restored contractor account
Once the transfer is complete and new links are distributed, you can delete the contractor account again. This time, do so only after confirming all external recipients have received new links.
OneDrive Shows a Red X on Shared Office Files After Offboarding
If external recipients see a red X icon on shared Office files, the link may be broken because the owner’s account is disabled. The fix is the same: restore the account, transfer files, and re-share. The red X indicates that the file’s sharing token is no longer valid.
External Recipient Receives a Blank Page or Error Page
A blank page or a generic error page when clicking an external link usually means the link points to a file in a OneDrive whose owner is deleted. The only resolution is for the admin to restore the owner account and transfer the files. External recipients cannot access files from a deleted user.
Before vs After Offboarding: Comparison of External Link Behavior
| Item | Before Account Modification | After Account Blocked or Deleted |
|---|---|---|
| External sharing link status | Works for all recipients | Access denied for all recipients |
| Link owner identity | Contractor account active | Contractor account disabled or deleted |
| File accessibility | Full read or edit access | No access |
| Admin recovery method | Not needed | Restore user account, transfer files, re-share |
| Time to restore access | Immediate | 30 minutes to 2 hours depending on transfer size |
This table shows that the critical difference is the account state of the link owner. Keeping the account active until files are transferred is the only way to avoid access denied errors.
Conclusion
You can now prevent access denied errors on external sharing links by following a specific offboarding order: transfer files first, re-share from the new owner, then block sign-in and remove the license. If links are already broken, restore the contractor account, transfer the files, and re-share before deleting the account again. Use the OneDrive admin center’s transfer files feature to move all data to a new owner in one step. As an advanced tip, consider using a PowerShell script with the Set-SPOTenant cmdlet to audit all external sharing links before offboarding any user.