When preparing for an audit, you need to verify that external sharing links in OneDrive for Business work correctly. A common problem is that these links open with an “Access Denied” error even when the sharing settings appear correct. This issue usually occurs because the link’s permission level, the recipient’s authentication method, and the tenant-wide sharing policies do not line up. This article explains the root causes of access denied errors on external sharing links and provides step-by-step troubleshooting to resolve them before your audit.
Key Takeaways: External Sharing Link Access Denied Fixes for Auditors
- Microsoft 365 admin center > SharePoint > Sharing: Controls tenant-level external sharing policies that override individual OneDrive settings.
- OneDrive sync client > Settings > Account > Manage storage: Verifies the user account is not blocked or expired, which can cause link failures.
- Azure AD > External Identities > External collaboration settings: Manages guest user access expiration and domain allow/block lists affecting link recipients.
Why External Sharing Links Return Access Denied
An external sharing link in OneDrive for Business can fail with “Access Denied” for several technical reasons. The most common cause is that the link type does not match the recipient’s authentication method. For example, a link set to “People in your organization” will deny access to anyone outside the tenant. Another frequent cause is the tenant-level external sharing policy in the SharePoint admin center, which can block all external sharing even if the individual OneDrive folder settings allow it. Additionally, if the recipient’s account is a guest user that has been expired or removed from Azure Active Directory, the link will fail. Finally, the link may have been created with a specific expiration date or password requirement that the recipient cannot meet.
During audit preparation, you must test each link type under the exact conditions that external auditors will use. This means testing with a non-tenant account, from a different network, and with browser privacy mode enabled to avoid cached credentials. The steps below cover all these scenarios.
Steps to Diagnose and Fix Access Denied on External Sharing Links
- Verify the link type in OneDrive
Open OneDrive in your browser. Right-click the file or folder that has the external link. Select Share and then Manage access. Check the link type shown under the link entry. If the link type is “People in your organization” or “People with existing access,” it will not work for external users. Change the link type to “Anyone” or “Specific people” and set the permission level to View or Edit as needed. Click Apply to save.
- Check tenant-level external sharing policy
Go to the Microsoft 365 admin center. Navigate to Settings > Org settings > SharePoint. Under Sharing, view the external sharing setting for OneDrive. The setting must be set to Anyone or New and existing guests for external links to work. If it is set to Only people in your organization, external links will always fail. Change the setting to the appropriate level and click Save.
- Check the link’s expiration and password settings
In the same Manage access panel, click the link entry. Look for Expiration date and Password required settings. If the link has expired, it will show Access Denied. If a password is required, the recipient must enter it correctly. For audit testing, remove the password requirement and set the expiration date to at least 30 days in the future. Click Apply.
- Test the link from a private browser window
Open a private or incognito browser window. Paste the external sharing link into the address bar. If you are prompted to sign in, use a personal Microsoft account or a guest account that has been invited to the tenant. If you see Access Denied, note the exact error message. Common messages include “This link is expired,” “Your organization’s policy does not allow you to share this item,” or “You need permission to access this item.” Each message points to a different root cause.
- Verify guest user status in Azure Active Directory
Go to the Azure Active Directory admin center. Select Users > All users. Filter by User type and select Guest. Find the recipient’s guest account. Check the Account enabled status. If it is No, the account is blocked. Also check Last sign-in to see if the account has been inactive. If the account is disabled, enable it and ask the guest to sign in again. If the guest user does not exist, the link will always fail until you invite them.
- Check domain allow and block lists
In Azure Active Directory, go to External Identities > External collaboration settings. Under Collaboration restrictions, check if the recipient’s email domain is on the Deny list. If it is, remove it. If the domain is not on the Allow list and the tenant uses an allow list, add the domain. Click Save.
- Use the SharePoint Sharing Report for audit proof
Go to the SharePoint admin center. Under Reports > Sharing, generate a sharing report for the specific file or folder. This report shows who the link was shared with, the link type, expiration date, and whether the link was accessed. Export this report as a CSV file for your audit documentation. Compare the report data with the link settings you verified in step 1.
If External Sharing Links Still Fail After the Main Fix
The link works for internal users but fails for external users
This indicates the link type is set to “People in your organization” or “People with existing access.” Change the link type to “Anyone” or “Specific people” and share it again. Also verify the tenant-level policy allows sharing with anyone.
The link works for one external user but not another
Check if the failing user’s domain is blocked in Azure AD external collaboration settings. Also verify the failing user’s guest account is enabled and has not expired. If the link requires sign-in, the user must use the same email address that was invited.
The link shows “This link is expired” even though no expiration was set
OneDrive for Business has a default link expiration policy that can be set at the tenant level. Go to the SharePoint admin center > Policies > Sharing. Under Choose expiration and permissions options for sharing links, check the default expiration for anyone links. If a default is set, you must create new links that override it, or change the tenant default to a longer period.
The link asks for a password but no password was set
The tenant may have a policy that requires a password for all external sharing links. Go to the SharePoint admin center > Policies > Sharing. Under Choose expiration and permissions options for sharing links, uncheck Require a password for all external sharing links. After changing this setting, create a new link and test it.
External Link Types and Their Audit Implications
| Item | Anyone Link | Specific People Link |
|---|---|---|
| Description | Anyone with the link can access the item without signing in | Only invited users with a Microsoft account or guest account can access the item after signing in |
| Authentication required | No authentication needed | User must sign in with an account that matches the invited email |
| Audit trail detail | Shows only that the link was accessed, not who accessed it | Shows the specific user account that accessed the item |
| Tenant policy dependency | Requires tenant policy set to Anyone | Requires tenant policy set to New and existing guests or Anyone |
| Best for audit | Only when anonymous access is acceptable and detailed user tracking is not needed | Preferred for audit because each access is tied to a specific user identity |
For audit preparation, use Specific People links whenever possible. They provide a clear audit trail showing exactly who accessed each file and when. Anyone links do not track individual user identities, which can make audit reports incomplete.
After completing the steps above, you can test and fix external sharing links that show Access Denied. For your next audit run, generate the SharePoint Sharing Report for each shared file to document the link configuration and access history. As an advanced tip, use the Set-SPOSite PowerShell cmdlet with its -SharingCapability parameter to bulk-check and update sharing policies across all OneDrive sites in your tenant, which saves time during large-scale audit preparation.
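
A read-only version of the bulk check, as an added example that is not part of the original article: it compares each OneDrive site's SharingCapability with the tenant-level settings and reports the effective (most restrictive) value, which is the one that decides whether an external link returns Access Denied. It assumes the SharePoint Online Management Shell module and a SharePoint admin role; the admin URL and the output file name are placeholders.

```powershell
# Added example: audit the external sharing capability of every OneDrive site.
# Read-only: uses Get-* cmdlets only and changes no settings.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant name
Connect-SPOService -Url $AdminUrl

# SharingCapability values ranked from most to least restrictive.
$rank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

# Tenant ceiling: the stricter of the SharePoint-wide and OneDrive-wide settings.
$tenant    = Get-SPOTenant
$tenantCap = @("$($tenant.SharingCapability)", "$($tenant.OneDriveSharingCapability)") |
    Sort-Object { $rank[$_] } | Select-Object -First 1

# Enumerate personal (OneDrive) sites only.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($s in $sites) {
    # Re-read each site by identity so all of its properties are populated.
    $site    = Get-SPOSite -Identity $s.Url
    $siteCap = "$($site.SharingCapability)"
    # A site can never be more permissive than the tenant.
    $effective = if ($rank[$siteCap] -lt $rank[$tenantCap]) { $siteCap } else { $tenantCap }
    [pscustomobject]@{
        Url                  = $site.Url
        Owner                = $site.Owner
        SiteSharing          = $siteCap
        TenantSharing        = $tenantCap
        EffectiveSharing     = $effective
        AnyoneLinksWork      = ($rank[$effective] -ge 3)
        ExternalLinksBlocked = ($rank[$effective] -eq 0)
    }
}

# Keep the full result as audit evidence, then list the sites that block external links.
$report | Export-Csv -Path .\onedrive-sharing-audit.csv -NoTypeInformation
$report | Where-Object ExternalLinksBlocked | Format-Table Url, Owner, SiteSharing
```

Review the exported CSV before changing any site with Set-SPOSite, since raising SharingCapability on a site has no effect while the tenant-level setting is stricter.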