When an HR team member tries to open a former employee's OneDrive to retrieve files during a handover, they often see an access denied error. This happens because the former employee's account is disabled or deleted, and the default sharing permissions expire or are removed. Microsoft 365 does not automatically grant access to HR or IT admins for a disabled user's OneDrive. This article explains the root cause of the access denied error and provides a step-by-step checklist to restore access for HR handover.
Key Takeaways: Restoring OneDrive Access for Former Employee Handover
- Microsoft 365 admin center > Users > Active users > Select user > OneDrive tab: Grants direct access to a former employee's OneDrive for up to 30 days after account deletion.
- SharePoint admin center > User profiles > Manage user profiles > Find user > Manage site collection owners: Adds HR as a site collection owner for long-term access to the OneDrive site.
- PowerShell cmdlet Set-SPOUser -IsSiteCollectionAdmin $true: Adds a user as a site collection admin to a former employee's OneDrive site, bypassing the access denied error.
Why Access Denied Appears for a Former Employee's OneDrive
When a user leaves an organization, the HR or IT team typically disables or deletes their Microsoft 365 account. Once the account is disabled, the user's OneDrive site remains but its permissions change. The former employee loses access, and no other user automatically gains access unless explicitly granted. The access denied error appears because the HR staff member's account is not listed in the OneDrive site permissions.
Microsoft 365 retains a disabled user's OneDrive files for 30 days after account deletion by default. During this period, a global admin or SharePoint admin can restore access. After 30 days, the OneDrive site is deleted and files are moved to the recycle bin, where they remain for another 93 days. Without admin intervention, HR cannot access the files needed for a handover.
The Role of Site Collection Ownership
Each OneDrive site is a site collection with one primary site collection administrator: the original user. When that user is disabled, the site collection has no active admin. To grant access, an admin must add a new site collection owner or grant explicit permissions to the HR team member. This is not done automatically by Microsoft 365.
Steps to Grant OneDrive Access to HR for Handover
Use the following checklist to restore access. Perform these steps within 30 days of account deletion for best results.
- Verify the former employee's account status
Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Users > Deleted users. Confirm the former employee's account is listed. If the account is still active but disabled, go to Users > Active users, select the user, and check the account status. - Open the former employee's OneDrive from the admin center
In the Microsoft 365 admin center, go to Users > Active users. Select the former employee's name. In the user details panel, click the OneDrive tab. Click Create link to files or Access files. This opens the OneDrive site in a new browser tab. If you see an access denied error here, proceed to the next step. - Grant site collection admin access using SharePoint admin center
Open the SharePoint admin center at admin.microsoft.com/SharePoint. In the left menu, expand Policies and select User profiles. Under People, click Manage user profiles. Search for the former employee's display name or user principal name. Select the profile, then click Manage site collection owners. In the dialog, add the HR staff member's email address as a site collection owner. Click OK. The HR user can now access the OneDrive site directly. - Alternatively, use PowerShell to add site collection admin
Open Windows PowerShell as an administrator. Install the SharePoint Online Management Shell if not already installed:Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Connect to SharePoint Online:Connect-SPOService -Url https://[tenant]-admin.sharepoint.com. Replace [tenant] with your tenant name. Run:Set-SPOUser -Site https://[tenant]-my.sharepoint.com/personal/[user_upn] -LoginName [hr_email] -IsSiteCollectionAdmin $true. Replace [user_upn] with the former employee's user principal name (for example, john.doe_contoso.com). The HR user can now access the OneDrive site. - Grant explicit folder permissions if needed
If the HR user only needs specific folders, do not grant site collection admin access. Instead, open the former employee's OneDrive site in a browser. Click Documents or navigate to the folder. Select the folder, click the ellipsis (three dots), then choose Manage access. Click Add people, enter the HR user's email, and set the permission level to Can edit or Can view. Click Grant access. - Notify HR of the access method
Send the HR user the direct URL to the former employee's OneDrive site. The URL format is: https://[tenant]-my.sharepoint.com/personal/[user_upn]. Replace [tenant] with your tenant name and [user_upn] with the former employee's user principal name with underscores replacing dots. For example, https://contoso-my.sharepoint.com/personal/john_doe_contoso_com.
If OneDrive Access Still Fails After the Main Fix
HR user still sees access denied after adding site collection owner
This usually happens when the former employee's OneDrive site is in a different region or the site URL is incorrect. Verify the site URL by going to the Microsoft 365 admin center, selecting the user, and clicking the OneDrive tab. Copy the exact URL shown. Use that URL when granting permissions. Also confirm the HR user is not a guest user in the tenant — guest accounts cannot become site collection owners on OneDrive sites.
Former employee's OneDrive site is not accessible because it was deleted
If more than 30 days have passed since account deletion, the OneDrive site may be in the first-stage recycle bin. A global admin can restore it. Go to the SharePoint admin center, select Recycle bin, find the site by the former employee's name, select it, and click Restore. After restoration, follow the steps above to grant access. Sites deleted more than 93 days ago are permanently removed and cannot be restored.
HR user needs to copy or move files to another location
After access is granted, the HR user can select files and folders, click the ellipsis, and choose Copy to or Move to. Select a destination such as a shared SharePoint library or another user's OneDrive. This avoids downloading and re-uploading large file sets.
Admin Center vs PowerShell: Key Differences for Granting OneDrive Access
| Item | Microsoft 365 Admin Center | PowerShell (SharePoint Online Module) |
|---|---|---|
| Access method | User profile > Manage site collection owners | Set-SPOUser -IsSiteCollectionAdmin $true |
| Time required | 2-3 minutes per user | 30 seconds per user after script setup |
| Bulk operation | Not supported — one user at a time | Supported with a CSV loop |
| Permission level granted | Site collection owner (full control) | Site collection admin (same as owner) |
| Requires global admin role | Yes | Yes |
| Audit log entry | Yes — tracked as admin action | Yes — tracked as PowerShell action |
Use the admin center for one-off requests. Use PowerShell when you need to grant access to multiple former employee OneDrive sites at once. Both methods work only while the OneDrive site exists and the tenant has an active SharePoint Online subscription.
You can now grant HR access to a former employee's OneDrive using either the admin center or PowerShell. After access is granted, the HR user can browse, copy, or move files as needed. To prevent future access denied errors, consider setting up a retention policy for OneDrive sites of departed employees. A retention policy preserves the site for up to 365 days after account deletion, giving HR more time to complete the handover.