When you share a regulated document from OneDrive for Business using an external sharing link, recipients may see an access denied error instead of the file. This error occurs because the sharing link configuration, tenant policies, or file-specific permissions block the external user. The document may be regulated by sensitivity labels, data loss prevention policies, or conditional access rules. This article explains the root causes of the access denied error for external sharing links and provides step-by-step fixes for administrators and document owners.
Key Takeaways: Fixing OneDrive External Sharing Link Access Denied Errors
- Microsoft 365 admin center > SharePoint > Policies > Sharing: Controls tenant-level external sharing settings including link types and expiration.
- OneDrive admin center > Sync > External sharing: Manages per-user external sharing permissions for OneDrive libraries.
- Microsoft Purview compliance portal > Data classification > Sensitivity labels: Configures encryption and user rights that can block external access.
Why External Sharing Links Show Access Denied for Regulated Documents
The access denied error occurs when the external sharing link cannot authenticate or authorize the recipient. This happens because of a conflict between the link type, the document’s sensitivity label, and the tenant’s sharing policies. Regulated documents often have encryption that restricts access to specific users or groups. Even when a sharing link is set to Anyone, the document’s encryption policy may still block external users.
Three main layers control external access: the tenant-level sharing policy, the site-level or OneDrive-level sharing settings, and the file-level permissions or label. If any of these layers denies external access, the user sees access denied. Additionally, conditional access policies that require managed devices or specific IP ranges can block external sharing links.
The Role of Sensitivity Labels in Blocking External Access
Sensitivity labels with encryption can restrict file access to users inside the organization. When a label is applied to a document, the link type becomes irrelevant if the encryption policy does not include external users. Labels can be configured to allow external access only when specific conditions are met, such as requiring the recipient to authenticate with a Microsoft account.
How Sharing Link Types Affect Access
OneDrive supports three external link types: Anyone links, People in your organization links, and Specific people links. Anyone links allow anonymous access but can be blocked by tenant policies or file encryption. People in your organization links require the recipient to have a Microsoft 365 account in the same tenant. Specific people links require the recipient to authenticate with a Microsoft account or work account. If the link type does not match the recipient’s authentication method, access is denied.
Steps to Diagnose and Fix Access Denied for External Sharing Links
Step 1: Verify the Tenant External Sharing Policy
- Open the SharePoint admin center
Go to Microsoft 365 admin center > SharePoint > Policies > Sharing. Under External sharing, confirm that the tenant allows sharing with authenticated external users or Anyone links depending on your needs. If the policy is set to Only people in your organization, external links cannot work. - Check the link default type
In the same Sharing page, under File and folder links, verify the default link type. If it is set to Internal, new links default to People in your organization. Change it to Anyone if anonymous sharing is required for regulated documents.
Step 2: Review the OneDrive Site External Sharing Settings
- Open OneDrive admin center
Go to Microsoft 365 admin center > OneDrive admin center > Sync > External sharing. Verify that the external sharing setting for the user’s OneDrive is not set to Only people in your organization. If it is, change it to Allow external sharing for authenticated external users or Allow external sharing for anyone. - Check per-site settings
In the SharePoint admin center, go to Active sites, select the user’s OneDrive site, and click Sharing. Confirm that the site-level setting matches the tenant policy. If the site is set to a more restrictive level than the tenant, external links will fail.
Step 3: Inspect the Document’s Sensitivity Label
- Open the document in OneDrive
Right-click the document and select Details. In the Information panel, look for a sensitivity label. If a label is present, click it to view the label settings. - Check encryption settings
In Microsoft Purview compliance portal, go to Information protection > Sensitivity labels. Find the label applied to the document and review its encryption settings. If encryption is configured with Let users assign permissions, the document owner may have restricted access to specific users or groups. If the label uses Do not allow external access, external sharing links will always fail. - Remove or reapply the label
If the label blocks external access, remove it from the document or replace it with a label that allows external sharing. To remove a label, right-click the file, select Details, and clear the label selection. To reapply, select a label with appropriate encryption settings.
Step 4: Verify the Sharing Link Itself
- Generate a new link
In OneDrive, select the file and click Share. Choose the link type that matches your scenario: Anyone for anonymous access, People in your organization for internal users, or Specific people for named external users. Click Apply and then Copy link. - Test the link in an incognito browser
Open a private browsing window and paste the link. Sign in if prompted. If access is still denied, note the exact error message. Common messages include Access denied, You don’t have permission, or This link is no longer valid. - Check link expiration and password settings
If the link has an expiration date or requires a password, the recipient must meet those conditions. In the Share dialog, confirm the expiration date and password settings. Resend the link with updated settings if needed.
Step 5: Review Conditional Access Policies
- Open Microsoft Entra admin center
Go to Microsoft Entra admin center > Protection > Conditional Access > Policies. Look for policies that target SharePoint Online or OneDrive. Policies that require compliant devices, managed apps, or specific IP ranges can block external sharing links. - Check the policy effect
Select each policy and review the Assignments and Access controls. If a policy blocks access from unmanaged devices, external users on personal devices will be denied. Create an exclusion for external users if needed.
If External Sharing Links Still Fail After the Main Fix
OneDrive Shows Access Denied for Anyone Links Even When Tenant Allows It
This usually happens because the file has a sensitivity label with encryption that does not include anonymous access. Even when the link type is Anyone, the encryption policy overrides the link. Remove the sensitivity label or apply a label that allows external sharing. If the label is mandatory, configure the label to allow external access by setting encryption to Assign permissions now and adding a group that includes external users.
External User Receives a Blank Page or Download Button Is Missing
This occurs when the file is a regulated document protected by Azure Information Protection. The external user must have a Microsoft account or work account to view the file. If the user tries to access the link anonymously, they see a blank page. Instruct the user to sign in with their Microsoft account. If they do not have one, create a link type that does not require authentication, such as Anyone, and remove the sensitivity label.
Sharing Link Works for Some External Users but Not Others
This indicates that the link type is Specific people and the denied user was not added to the link. The document owner must add the denied user’s email address to the link. In OneDrive, select the file, click Share, and under Specific people, add the user’s email. Re-send the link. Also verify that the user’s domain is not blocked by the tenant’s domain allowlist or blocklist in SharePoint admin center > Policies > Sharing > Advanced settings.
External Sharing Link Types vs Sensitivity Label Encryption: Key Differences
| Item | Anyone Link | Specific People Link | Sensitivity Label Encryption |
|---|---|---|---|
| Authentication required | None | Microsoft account or work account | Depends on label configuration (user or group) |
| Encryption override | Label encryption can block anonymous access | Label encryption can restrict to specific users | Always applied regardless of link type |
| Expiration and password | Configurable in link settings | Configurable in link settings | Not configurable in link settings |
| Best for regulated docs | Not recommended if label encryption is required | Works if label includes external recipients | Required for compliance with data protection policies |
Now you can diagnose and fix access denied errors for external sharing links on regulated documents in OneDrive for Business. Start by verifying the tenant and site sharing policies, then inspect the document’s sensitivity label. If the error persists, review conditional access policies and regenerate the link with the correct type. For ongoing compliance, use sensitivity labels with encryption that explicitly allows external users.