When a former employee’s OneDrive shows access denied for a contractor who needs to clean up files, the standard site collection admin or delegated access methods often fail. This happens because OneDrive site permissions are tied to the user’s identity in Azure AD, and after account deletion or license removal, the site enters a restricted state. Microsoft 365 admins must use specific admin tools—not direct sharing—to regain access for cleanup. This article explains the root cause and provides a step-by-step checklist to resolve access denied errors for contractors.
Key Takeaways: Restoring Contractor Access to a Former Employee’s OneDrive
- Microsoft 365 admin center > Users > Active users > Former employee account: If the user account still exists but is disabled, reassign a license and reset the password to restore site access for the contractor.
- SharePoint Admin Center > Sites > Active sites > Former employee OneDrive URL: Add the contractor as a site collection admin to bypass permission errors directly.
- Microsoft 365 admin center > Setup > Data migration > OneDrive migration: Use the OneDrive Migration tool to transfer files to the contractor’s OneDrive when direct access is blocked.
Why OneDrive Shows Access Denied for Contractors After Employee Departure
When a user leaves the organization, Microsoft 365 removes or disables their license after a retention period. The OneDrive site itself remains for 30 to 93 days depending on the tenant’s retention policy, but the site’s permission model relies on the user’s Azure AD identity. Once the account is disabled or deleted, the site owner (the former employee) no longer exists as an active security principal. Contractors who were previously granted access via sharing links or direct permissions see access denied because SharePoint evaluates the site’s owner status first. The site does not automatically transfer ownership to a manager or admin. Without explicit admin intervention, the contractor cannot browse, download, or delete files.
The Role of the OneDrive Site Owner
Every OneDrive site has a single site owner—the original user. When that user’s account is soft-deleted, the site owner field becomes empty or points to a deleted object. SharePoint Online treats this as an orphaned site. Standard permission inheritance breaks, and any user who is not a site collection admin receives access denied. Only global admins or SharePoint admins can add new administrators to orphaned OneDrive sites using the SharePoint Admin Center or PowerShell.
Why Contractor Access Fails Specifically
Contractors are external users or guest accounts in Azure AD. Even if the contractor was previously added as a member of the site, the orphaned site state prevents any new permission evaluation. The access denied error appears because SharePoint cannot validate the site owner’s identity, so it defaults to denying all non-admin requests. This is a security measure to prevent unauthorized data access after an employee leaves.
Checklist: Steps to Grant a Contractor Access to a Former Employee’s OneDrive
Follow these steps in order. If the former employee’s account is already deleted, skip to step 3.
1. Check if the former employee account still exists in Azure AD
   Go to the Microsoft 365 admin center > Users > Deleted users. If the account is listed, restore it within 30 days of deletion. Select the user and choose Restore user. This re-establishes the OneDrive site owner identity.
2. Reassign a OneDrive license to the restored account
   If the restored user has no license, go to Users > Active users, select the user, then Licenses and apps. Assign a OneDrive for Business license. Wait up to 24 hours for the site to become active again.
3. Locate the former employee’s OneDrive URL
   In the SharePoint Admin Center, go to Sites > Active sites. Search for the user’s name or email. The URL follows the pattern https://[tenant]-my.sharepoint.com/personal/[user]_[domain]_com. Copy this URL.
4. Add the contractor as a site collection admin
   In the SharePoint Admin Center, select the OneDrive site, then click Permissions in the command bar. Under Site collection administrators, click Add site collection admin. Enter the contractor’s email address. Click Save. The contractor now has full admin access to the site.
5. Have the contractor access the OneDrive directly
   Provide the contractor with the OneDrive URL. They should sign in with their Microsoft 365 account. They can now browse, download, copy, or delete files as needed.
6. Transfer files to the contractor’s OneDrive if needed
   To move files permanently, use the OneDrive Migration tool in the Microsoft 365 admin center. Go to Setup > Data migration > OneDrive migration. Select the source site (former employee OneDrive) and the destination (contractor’s OneDrive). Start the migration. This is faster than downloading and re-uploading.
7. Remove the contractor’s admin access after cleanup
   After the contractor finishes, return to the SharePoint Admin Center, select the site, click Permissions, and remove the contractor from the site collection administrators list. This prevents ongoing access to sensitive data.
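Steps 3, 4 and 7 of the checklist can also be run from the SharePoint Online Management Shell, which makes it easier to record the grant and confirm the later removal. The script below is an added example, not part of the original article; the tenant name, accounts and log path are placeholders, and it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin sign-in.

```powershell
# Added example: time-boxed site collection admin grant for OneDrive cleanup.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin sign-in.
# Every value in this block is a placeholder, not a value from the article.
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$MySiteHost = 'https://contoso-my.sharepoint.com'
$FormerUpn  = 'former.employee@contoso.com'
$Contractor = 'contractor@contoso.com'   # must be an account in this tenant
$LogPath    = '.\onedrive-cleanup-grants.csv'
$Action     = 'Grant'                    # run with 'Grant' first, 'Revoke' after cleanup

function Get-OneDriveUrl {
    param([string]$HostUrl, [string]$Upn)
    # Checklist pattern /personal/[user]_[domain]_com: non-alphanumerics become underscores
    $segment = $Upn.ToLower() -replace '[^a-z0-9]', '_'
    return "$HostUrl/personal/$segment"
}

function Set-CleanupAdmin {
    param([string]$Site, [string]$User, [bool]$Enabled, [string]$Log)
    $result = Set-SPOUser -Site $Site -LoginName $User `
        -IsSiteCollectionAdmin $Enabled -ErrorAction Stop
    # Check the state the service reports instead of assuming the call succeeded
    if ($result.IsSiteAdmin -ne $Enabled) {
        throw "Site admin flag for $User on $Site is $($result.IsSiteAdmin), expected $Enabled"
    }
    # Append an audit record so every grant can be matched to a later revoke
    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        Site    = $Site
        User    = $User
        IsAdmin = $Enabled
        SetBy   = $env:USERNAME
    } | Export-Csv -Path $Log -Append -NoTypeInformation
}

Connect-SPOService -Url $AdminUrl
$SiteUrl = Get-OneDriveUrl -HostUrl $MySiteHost -Upn $FormerUpn

# Stop if the site is gone (past retention) before touching permissions
$site = Get-SPOSite -Identity $SiteUrl -ErrorAction Stop
"{0} owner={1} lock={2}" -f $site.Url, $site.Owner, $site.LockState

switch ($Action) {
    'Grant'  { Set-CleanupAdmin -Site $SiteUrl -User $Contractor -Enabled $true  -Log $LogPath }
    'Revoke' { Set-CleanupAdmin -Site $SiteUrl -User $Contractor -Enabled $false -Log $LogPath }
    default  { throw "Unknown action '$Action'" }
}
```

In the CSV, a row with IsAdmin set to True and no later False row for the same site and user marks access that still has to be removed.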
If the Account Is Permanently Deleted or Past the Retention Period
When the former employee’s account is permanently deleted or the retention period has expired, the OneDrive site is also deleted. In this case, access is irrecoverable. Ensure you have a backup policy in place. Use the Microsoft 365 compliance center > Data lifecycle management > Retention policies to set a minimum retention period for OneDrive files. For future departures, configure OneDrive retention to 365 days in the SharePoint Admin Center > Settings > OneDrive.
Common Issues During Contractor Cleanup
Contractor Receives Access Denied After Being Added as Site Collection Admin
This typically happens when the contractor is a guest user in a different tenant. SharePoint does not support cross-tenant site collection admin access. The contractor must have an account in the same tenant as the former employee. If the contractor is external, you must first add them as a guest in Azure AD: Microsoft Entra admin center > Users > New user > Invite external user. After they accept the invitation, add them as a site collection admin.
The Former Employee’s OneDrive Does Not Appear in Active Sites
If the OneDrive site is not listed, it may be in the Recycle bin of the SharePoint Admin Center. Go to Sites > Deleted sites. If the site is there, restore it. If it is not in the recycle bin, it has been permanently deleted.
Contractor Cannot See Files Even with Admin Access
Some files may have unique permissions that block even site collection admins. As a site collection admin, the contractor can override permissions. They should navigate to the file, click the three dots, select Manage access, and then Advanced permissions settings. From there, they can break inheritance or add themselves directly.
OneDrive Access Methods for Contractor Cleanup: Comparison
| Item | Site Collection Admin via SharePoint Admin Center | OneDrive Migration Tool |
|---|---|---|
| Description | Grants full admin access to the contractor temporarily | Transfers files from the former employee’s OneDrive to the contractor’s OneDrive |
| Best for | Reviewing, organizing, or deleting files in place | Moving all files to a new location for long-term retention |
| Requires | Contractor account in same tenant; site must be active | Both source and destination OneDrive sites must be active |
| Time to complete | 5 minutes | Minutes to hours depending on file volume |
| Post-cleanup access | Must manually remove admin rights | No further access needed; files are moved |
You can now restore a contractor’s access to a former employee’s OneDrive using the SharePoint Admin Center or the OneDrive Migration tool. Always remove admin permissions after cleanup to maintain security. For ongoing protection, configure a OneDrive retention policy of at least 365 days in the SharePoint Admin Center under Settings > OneDrive. This ensures you have enough time to recover files before the site is deleted.