When a legal or compliance team attempts to access a former employee’s OneDrive for Business for litigation or eDiscovery purposes, they often encounter an Access Denied error. This occurs because the user account is disabled, deleted, or has its license removed, which automatically revokes all access permissions including site collection administrator rights. This guide explains the root cause of this access block and provides the exact steps to regain access through the Microsoft 365 admin center and SharePoint Admin Center without relying on the former employee’s credentials.
The solution involves temporarily restoring the user or reassigning site collection ownership using PowerShell or the SharePoint Admin Center. You will learn how to use the Microsoft 365 admin center to restore a deleted user, how to add yourself or another admin as a site collection owner via SharePoint Admin Center, and how to handle scenarios where the user was permanently deleted. This article also covers common pitfalls such as retention holds and legal hold conflicts that can further complicate access.
Key Takeaways: Accessing a Former Employee’s OneDrive for Legal Review
- Microsoft 365 admin center > Users > Deleted users > Restore: Restores a deleted user account and its OneDrive site within 30 days of deletion.
- SharePoint Admin Center > Sites > Active sites > Permissions: Adds a new site collection admin to the former employee’s OneDrive site without restoring the user.
- SharePoint Online Management Shell > Set-SPOUser -IsSiteCollectionAdmin $true: PowerShell command to grant site collection admin access to a user on a specific OneDrive site.
Why Access Denied Appears for a Former Employee’s OneDrive
When an employee leaves an organization, the IT admin typically disables the user account, removes the Microsoft 365 license, or deletes the user entirely. Each of these actions directly affects access to the user’s OneDrive for Business. The OneDrive site is a SharePoint site collection owned by that user. When the user account is disabled, all permissions tied to that account are invalidated. When the license is removed, the user cannot sign in, but the site remains. When the user is deleted, the site enters a retention period where no one has explicit access unless configured otherwise.
The Access Denied error occurs because the current admin attempting legal review is not listed as a site collection administrator for that specific OneDrive site. Global admins do not automatically have access to every user’s OneDrive. They must be explicitly added as a site collection admin or the user account must be restored to regain inherited permissions. Additionally, if the user was placed on litigation hold before deletion, the OneDrive content is preserved but access is still blocked until an admin is granted permissions.
Methods to Regain Access to a Former Employee’s OneDrive
There are three primary methods to regain access. Choose the method based on whether the user was deleted or disabled, and whether you need to preserve the existing site structure for legal hold.
Method 1: Restore the Deleted User in the Microsoft 365 Admin Center
This method works if the user was deleted within the last 30 days. Restoring the user reactivates the account and automatically restores access to the OneDrive site for the original user. You can then access the site or delegate access.
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with a Global Admin account.
- Navigate to Deleted users
In the left navigation, select Users then Deleted users.
- Find the former employee
Locate the user in the list. If the list is long, use the search box to type the user’s name or email address.
- Restore the user
Select the user and click Restore user. Confirm the restore action. The user account becomes active again, and the OneDrive site becomes accessible to that user.
- Add yourself as a site collection admin
After restoration, go to the SharePoint Admin Center at admin.microsoft.com/SharePoint. Under Sites > Active sites, find the user’s OneDrive site (usually named with the user’s email). Select the site, then click Permissions. Add your account as a site collection admin.
Method 2: Add an Admin Directly in SharePoint Admin Center
Use this method when the user account is disabled but not deleted, or when the user was deleted more than 30 days ago. This method does not require restoring the user account.
- Open SharePoint Admin Center
Sign in to admin.microsoft.com/SharePoint with a Global Admin or SharePoint Admin account.
- Locate the OneDrive site
Go to Sites > Active sites. Use the search bar to find the user’s OneDrive site. The site URL typically follows the pattern `https://[tenant]-my.sharepoint.com/personal/[user_email_domain]`.
- Open site permissions
Select the site from the list, then click Permissions in the toolbar.
- Add a new site collection admin
In the Permissions panel, click Add site collection admin. Enter your email address or the email of the legal review team member. Click Save.
- Access the OneDrive site
Open the OneDrive site URL in a browser. You should now have full access to all files and folders.
Method 3: Use SharePoint Online Management Shell (PowerShell)
PowerShell is the fastest method when you need to grant access to multiple users or when the SharePoint Admin Center interface is slow. This method requires the SharePoint Online Management Shell module.
- Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator. Run `Install-Module -Name Microsoft.Online.SharePoint.PowerShell` and confirm the installation.
- Connect to SharePoint Online
Run `Connect-SPOService -Url https://[tenant]-admin.sharepoint.com`. Replace `[tenant]` with your tenant name. Sign in with a Global Admin or SharePoint Admin account.
- Get the OneDrive site URL
Run `Get-SPOSite -IncludePersonalSite $true | Where-Object {$_.Owner -eq "formeremployee@domain.com"}` to find the exact site URL. Replace the email address with the former employee’s email.
- Grant site collection admin access
Run `Set-SPOUser -Site https://[tenant]-my.sharepoint.com/personal/formeremployee_domain_com -LoginName admin@domain.com -IsSiteCollectionAdmin $true`. Replace the site URL with the one from step 3 and the login name with your admin email.
- Verify access
Open the OneDrive site URL in a browser and confirm you can view and download files as needed.
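The following script is an added example, not part of the original procedure. It extends the single-site commands above to several former employees, writes every grant to a CSV log, and can remove the reviewer's admin right once the review ends. The tenant name, all email addresses and the log path are placeholders, and the function names are hypothetical.

```powershell
# Added example: logged, reversible site collection admin grants for legal review.
# Tenant name, addresses and log path below are placeholders (assumptions).
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$Reviewer   = 'legal.reviewer@contoso.com'
$Custodians = @('former1@contoso.com', 'former2@contoso.com')
$LogPath    = '.\onedrive-legal-access-log.csv'

Connect-SPOService -Url $AdminUrl

# -Limit All matters: Get-SPOSite returns only the first 200 sites by default,
# so an unfiltered lookup can silently miss the OneDrive you need.
$personalSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

function Write-AccessLog {
    param($Custodian, $SiteUrl, $Action, $Result)
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Operator     = $env:USERNAME
        Reviewer     = $Reviewer
        Custodian    = $Custodian
        SiteUrl      = $SiteUrl
        Action       = $Action
        Result       = $Result
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

function Set-ReviewerAccess {
    param([bool]$Grant)
    $action = if ($Grant) { 'Grant' } else { 'Revoke' }
    foreach ($custodian in $Custodians) {
        $site = $personalSites | Where-Object { $_.Owner -eq $custodian } |
            Select-Object -First 1
        if (-not $site) {
            # Not in Active sites: check Deleted sites before assuming it is gone.
            Write-AccessLog $custodian '' $action 'SiteNotFound'
            continue
        }
        try {
            Set-SPOUser -Site $site.Url -LoginName $Reviewer `
                -IsSiteCollectionAdmin $Grant -ErrorAction Stop | Out-Null
            Write-AccessLog $custodian $site.Url $action "OK (LockState=$($site.LockState))"
        } catch {
            Write-AccessLog $custodian $site.Url $action "Failed: $($_.Exception.Message)"
        }
    }
}

Set-ReviewerAccess -Grant $true      # run at the start of the review
# Set-ReviewerAccess -Grant $false   # run when the review is complete
```

Running the revoke call at the end keeps the reviewer's elevated access limited to the review period, and the CSV records who was granted access to which site and when.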
If OneDrive Access Still Fails After Granting Permissions
Even after adding yourself as a site collection admin, you might still encounter Access Denied or other errors. The following issues are the most common.
OneDrive site is in a deleted state and not visible in Active sites
If the user was deleted more than 30 days ago, the OneDrive site moves to the Deleted sites list in SharePoint Admin Center. You cannot access it directly. To recover it, go to Sites > Deleted sites, select the site, and click Restore. After restoration, follow Method 2 to add yourself as an admin.
Retention hold or legal hold prevents file access
If the former employee was placed on a litigation hold or retention policy, the files are preserved but the site might be in a read-only state. You can still access the site as a site collection admin. If you see an error about the site being locked, go to the SharePoint Admin Center, select the site, and click Settings. Under Site closure and deletion, check if the site is locked. Unlock it by removing the lock if you have sufficient permissions.
Permission changes take time to propagate
After adding a site collection admin, it can take up to 15 minutes for the permission change to replicate across all SharePoint servers. Wait 15 minutes and then try accessing the site again. Clear your browser cache or use an InPrivate/Incognito window to rule out cached credentials.
SharePoint Admin Center vs PowerShell: Key Differences for Access Recovery
| Item | SharePoint Admin Center | PowerShell (SharePoint Online Management Shell) |
|---|---|---|
| Access method | Web browser interface | Command-line scripting |
| Time to grant admin | 2-5 minutes | 1-2 minutes after connecting |
| Bulk operations | Not supported; must add users one by one | Supported; can loop through multiple users |
| Requires module installation | No | Yes; requires SharePoint Online Management Shell |
| Can restore deleted sites | Yes; from Deleted sites list | Yes; using Restore-SPODeletedSite |
| Best for | Single user access grant | Multiple sites or automated scripts |
Now you can access any former employee’s OneDrive by restoring the user account or adding yourself as a site collection admin through the SharePoint Admin Center. For ongoing legal review, consider using Microsoft Purview eDiscovery (Premium) to search and export content from OneDrive and other locations without manually granting site-level permissions. This tool preserves audit trails and prevents accidental modification of evidence. As an advanced tip, configure a default OneDrive retention policy for all former employees so that their sites remain accessible to admins for 90 days after account deletion without needing to restore the user.