When you share a regulated document from OneDrive using an external sharing link, recipients may see an access denied error instead of the file. This usually happens because the sharing link settings, the document sensitivity label, or the tenant sharing policy blocks external access. The error can occur even when the link appears correctly configured. This article provides a checklist for OneDrive administrators to diagnose and fix external sharing links that return access denied for regulated documents.
Key Takeaways: OneDrive External Sharing Access Denied Checklist
- Microsoft 365 admin center > SharePoint > Policies > Sharing: Controls tenant-wide external sharing settings, including allowed domains and link expiration.
- Microsoft Purview compliance portal > Information protection > Label policies: Sensitivity labels can enforce encryption and restrict access to specific users or groups, overriding sharing links.
- OneDrive sync app > Settings > Account > Pick folders: Local sync status does not affect external sharing — the issue is always server-side policy or label enforcement.
Why External Sharing Links Show Access Denied for Regulated Documents
External sharing links fail with access denied when the document has a sensitivity label that applies encryption or restricts access to specific users. Microsoft Purview Information Protection labels can enforce rights management that overrides the sharing link permission. For example, a label set to “Do Not Forward” or “Encrypt-Only” prevents anyone outside the organization from opening the file, even if the sharing link is set to “Anyone.”
Another common cause is the tenant-level external sharing policy. The SharePoint admin center controls whether external sharing is allowed for specific sites or the entire tenant. If the site where the document resides is set to “Only people in your organization,” external links will always fail. Additionally, domain allowlists or blocklists in the sharing policy can reject external users from certain email domains.
The link type itself matters. OneDrive generates specific link types: Anyone, People in your organization, People with existing access, and Specific people. An “Anyone” link does not require sign-in, but it may still be blocked by the sensitivity label. A “Specific people” link requires the recipient to sign in with a Microsoft account or work account. If the recipient does not have a matching account, access is denied. The access denied error is a security control, not a broken feature.
Checklist to Diagnose and Fix Access Denied on External Sharing Links
Follow these steps in order. Stop when you identify the cause and apply the fix.
- Check the document sensitivity label
In OneDrive or SharePoint, open the document properties. Look for the Sensitivity field. If a label appears, click it to view the label settings. Labels with encryption block external access by default. To fix this, either remove the label or apply a label that does not enforce encryption. Only users with the Information Protection Administrator role can modify label settings.
- Verify the tenant external sharing setting
Go to the Microsoft 365 admin center > SharePoint > Policies > Sharing. Under External sharing, confirm the policy is set to “Anyone” or “New and existing guests.” If set to “Only people in your organization,” external links will fail. Change the setting to “Anyone” if your organization allows open sharing. Wait up to 24 hours for the change to propagate.
- Review the site-level sharing setting
In the SharePoint admin center, go to Active sites and select the site containing the document. Click Settings > Sharing. Ensure the external sharing setting matches the tenant policy. A site can be more restrictive but not less. For example, if the tenant allows “Anyone” but the site is set to “Only people in your organization,” external links will fail. Change the site setting to “Anyone” or “New and existing guests.”
- Check the link type and expiration
In OneDrive, right-click the file and select Share. Click Link settings. Verify the link type. If the link is set to “Specific people,” the recipient must sign in with a Microsoft account or work account. If the recipient cannot sign in, create a new link with the “Anyone” option. Also check the expiration date. If the link has expired, create a new one.
- Examine domain allowlists and blocklists
In the SharePoint admin center > Policies > Sharing, scroll to Advanced settings for external sharing. Check the Limit external sharing by domain section. If the recipient’s email domain is blocked or not in the allowed list, access is denied. Add the domain to the allowed list or remove it from the blocked list.
- Test with a different external account
Send the same link to an external email address from a different domain. If that recipient can access the file, the issue is specific to the original recipient’s account or domain. If the second recipient also gets access denied, the problem is with the document label or tenant policy.
- Review Microsoft Purview conditional access policies
Go to Microsoft Entra admin center > Protection > Conditional Access. Check for policies that block external user access to SharePoint or OneDrive. If a policy requires device compliance or multifactor authentication for external users, the recipient may be blocked. Adjust the policy to exclude the affected users or grant access with appropriate controls.
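The tenant, site and domain checks from the checklist can be evaluated together, as in this added PowerShell example (not part of the original article and not Microsoft's code). It reads the SharingCapability and SharingDomainRestrictionMode properties that Get-SPOTenant and Get-SPOSite return; the function name Test-ExternalSharingPath, the sample objects and the example domains are constructed for illustration.

```powershell
# Added example: the objects below are constructed stand-ins for Get-SPOTenant / Get-SPOSite output.
# Against a live tenant (after Connect-SPOService) use instead:
#   $tenant = Get-SPOTenant ; $site = Get-SPOSite -Identity <site URL>
$tenant = [pscustomobject]@{
    SharingCapability            = 'ExternalUserAndGuestSharing'   # "Anyone"
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'partner.example vendor.example'
    SharingBlockedDomainList     = ''
}
$site = [pscustomobject]@{
    SharingCapability            = 'Disabled'   # "Only people in your organization"
    SharingDomainRestrictionMode = 'None'
    SharingAllowedDomainList     = ''
    SharingBlockedDomainList     = ''
}

function Test-ExternalSharingPath {
    param($Tenant, $Site, [string]$RecipientAddress)

    # Ranked from most to least restrictive; the effective level is the lower of the two.
    $rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1
               ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
    $t = $rank["$($Tenant.SharingCapability)"]
    $s = $rank["$($Site.SharingCapability)"]
    $effective = [Math]::Min($t, $s)
    $findings = @()
    if ($t -eq 0) { $findings += 'Tenant: external sharing is disabled' }
    if ($s -eq 0) { $findings += 'Site: external sharing is disabled' }
    if ($effective -eq 1) { $findings += 'Only guests already in the directory can be invited' }

    # Domain restrictions can be set at tenant and at site scope; check both.
    $domain = ($RecipientAddress -split '@')[-1].ToLower()
    foreach ($scope in @{ Name = 'Tenant'; Cfg = $Tenant }, @{ Name = 'Site'; Cfg = $Site }) {
        $allow = "$($scope.Cfg.SharingAllowedDomainList)".ToLower() -split '[\s,]+' | Where-Object { $_ }
        $block = "$($scope.Cfg.SharingBlockedDomainList)".ToLower() -split '[\s,]+' | Where-Object { $_ }
        switch ("$($scope.Cfg.SharingDomainRestrictionMode)") {
            'AllowList' { if ($domain -notin $allow) { $findings += "$($scope.Name): $domain is not on the allow list" } }
            'BlockList' { if ($domain -in $block)    { $findings += "$($scope.Name): $domain is on the block list" } }
        }
    }
    [pscustomobject]@{
        Recipient        = $RecipientAddress
        EffectiveSharing = ($rank.GetEnumerator() | Where-Object Value -eq $effective).Key
        Findings         = $findings
    }
}

# Constructed recipient address.
Test-ExternalSharingPath -Tenant $tenant -Site $site -RecipientAddress 'user@other.example' | Format-List
```

An empty Findings list means the sharing policy is not the cause, which leaves the sensitivity label, link type and Conditional Access steps to check.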
If External Sharing Still Fails After the Checklist
Access denied for documents with custom permissions
A document with unique permissions that do not include the “Everyone except external users” group can block external sharing. In OneDrive, select the file and click Manage access. Add the recipient as a direct user with Read or Edit permission. Then resend the sharing link.
OneDrive sharing link shows access denied for encrypted email attachments
If the document was attached to an encrypted email using Microsoft 365 Message Encryption, the recipient may not have the required client to open the file. Instruct the recipient to open the attachment in a browser using the one-time passcode sent to their email. This is a separate issue from OneDrive sharing but produces the same error message.
External sharing link works for some users but not others
This indicates the link type is “Specific people” and the blocked user was not added to the link. In OneDrive, right-click the file > Share > Link settings > Specific people. Add the missing user’s email address. Alternatively, change the link type to “Anyone” to allow all external users without individual addition.
OneDrive Sharing Link Types vs Sensitivity Label Behavior
| Item | Anyone Link | Specific People Link |
|---|---|---|
| Authentication required | None | Microsoft account or work account sign-in |
| Blocked by sensitivity label encryption | Yes — label overrides link permission | Yes — label overrides link permission |
| Blocked by site-level sharing setting | Yes — site must allow external sharing | Yes — site must allow external sharing |
| Blocked by tenant domain policy | Yes — domain allowlist or blocklist applies | Yes — domain allowlist or blocklist applies |
| Recipient added to file permissions | Not required | Required — link fails if user not added |
The table shows that sensitivity label encryption blocks both link types. The only way to bypass label enforcement is to remove or change the label. Site-level and tenant policies also apply equally. The key difference is that Specific People links require the recipient to be explicitly added to the file permissions, while Anyone links do not.
You can now systematically check each setting that causes access denied errors for external sharing links. Start with the document sensitivity label, then verify tenant and site sharing settings, and finally review domain policies and conditional access rules. For documents that must remain regulated, consider using Microsoft Purview Data Loss Prevention policies to audit sharing activity instead of removing the label. As an advanced tip, use the SharePoint Online Management Shell to run Get-SPOSite -Identity