When a contractor tries to access a former employee’s OneDrive for Business to clean up or transfer files, they often see an Access Denied error. This happens because the former employee’s account is disabled or deleted, which also disables sharing links and direct permissions. Permissions do not automatically transfer to IT staff or cleanup contractors. This guide explains why the error occurs and provides the exact steps to grant temporary access so a contractor can clean up the former employee’s OneDrive.
Key Takeaways: Granting Contractor Access to a Former Employee’s OneDrive
- Microsoft 365 admin center > Users > Active users: Restore or temporarily unblock the former employee’s account to re-enable OneDrive access.
- OneDrive admin center > User > Files tab > Give admin access: Assign the contractor as a secondary site collection admin for that specific OneDrive.
- OneDrive admin center > User > Files tab > Transfer files: Move files directly to another user’s OneDrive without needing the contractor to have full access.
Why Access Denied Appears for a Contractor Accessing a Former Employee’s OneDrive
Microsoft 365 ties OneDrive access directly to the user account. When an employee leaves the organization, the IT team typically disables or deletes the user account in the Microsoft 365 admin center. Disabling the account immediately revokes all access to the user’s OneDrive, including direct permissions, sharing links, and delegated access. The OneDrive site itself remains in a retention period, but no one can access it unless an administrator explicitly grants permission. Contractors who are not SharePoint admins or global admins by default cannot bypass this restriction. The root cause is that the former employee’s identity is no longer valid, so Microsoft 365 blocks all authentication attempts to that OneDrive.
Steps to Grant a Contractor Access to a Former Employee’s OneDrive
Follow these steps in order. You need to be a Global Admin or SharePoint Admin in Microsoft 365 to perform these actions.
- Restore or unblock the former employee’s account
Go to the Microsoft 365 admin center at admin.microsoft.com. Select Users > Active users. Find the former employee. If the account is deleted, select Deleted users, choose the user, and click Restore user. If the account is blocked, select the user, go to the Account tab, and under Sign-in status set it to Allowed. Click Save changes. - Reset the user’s password temporarily
In the same user profile, select the Account tab and click Reset password. Set a temporary password. Do not share this password with the contractor yet. This step re-enables the user object for authentication. - Open the OneDrive admin center
In the admin center, go to Admin centers > OneDrive. Alternatively, go directly to admin.onedrive.com. - Find the former employee’s OneDrive
In the OneDrive admin center, select Users. Search for the former employee’s name or email address. Click on the user to open their details. - Select the Files tab and give admin access
In the user’s details, click the Files tab. Click Give admin access. In the panel that opens, enter the contractor’s email address. Choose the permission level Site collection admin. Click Add and then Close. - Have the contractor access the OneDrive
The contractor can now open a web browser, go to onedrive.com, and sign in with their own work account. They can then navigate directly to the former employee’s OneDrive URL. The URL format ishttps://yourtenant-my.sharepoint.com/personal/formeremployee_domain_com. Replace the placeholder with the actual user principal name. - Remove the contractor’s access after cleanup
Return to the OneDrive admin center, select the same user, go to the Files tab, click Manage access, and remove the contractor. Then block the former employee’s account again or delete it as per your policy.
If the Contractor Still Cannot Access the OneDrive
The OneDrive site is in a deleted state
If the former employee’s account was deleted more than 30 days ago, the OneDrive site may be permanently deleted. In the OneDrive admin center, check under Deleted users. If the site is listed, you can restore it within 93 days of deletion. Select the user, choose Restore, and then assign admin access as described above.
The contractor is not a SharePoint admin
The Give admin access feature in the OneDrive admin center only works if the contractor has a valid Microsoft 365 license and is an active user. If the contractor is external, you must invite them as a guest in Azure AD first. Go to the Microsoft 365 admin center, select Users > Guest users, and click Add guest user. After the guest accepts the invitation, you can assign them admin access to the OneDrive.
Access denied when using the direct URL
If the contractor receives Access Denied even after being added as a site collection admin, clear the browser cache or use an InPrivate window. Also confirm the URL is correct. The easiest way to get the correct URL is from the OneDrive admin center: in the user’s details, the Files tab shows a direct link under OneDrive URL.
Transfer Files Instead of Granting Full Access: Alternative Method
If the goal is only to move files and not to give the contractor browsing or editing access, use the built-in transfer feature. In the OneDrive admin center, select the former employee, go to the Files tab, and click Transfer files. Enter the email address of the target user who should receive the files. All OneDrive contents transfer to that user’s OneDrive root. The contractor does not need any access to the original OneDrive. This method is faster and more secure than granting temporary admin rights.
| Item | Grant Admin Access | Transfer Files |
|---|---|---|
| Description | Gives a specific user full control over the former employee’s OneDrive | Moves all files to another user’s OneDrive |
| When to use | Contractor needs to review, organize, or delete files selectively | Only need to preserve files without review |
| Contractor license needed | Yes, active Microsoft 365 user or guest | No contractor access needed |
| Time to complete | Immediate after assignment | Up to 24 hours for large transfers |
Both methods require the former employee’s account to be either active or recently deleted within the retention window. Always verify that the contractor or target user has a valid OneDrive license before starting.
You can now grant a contractor access to a former employee’s OneDrive by restoring the user account and assigning site collection admin rights from the OneDrive admin center. If full access is not needed, use the transfer files feature to move data directly. As an advanced tip, create a PowerShell script using the Set-SPOSiteAdmin cmdlet to automate granting temporary access for bulk cleanup scenarios.