When a department transfer occurs, the former employee’s OneDrive for Business often becomes inaccessible to the new owner, displaying an “Access Denied” error. This problem typically arises because the site permissions and site collection administration are not automatically updated when a user’s department changes in Azure Active Directory. This guide explains the root cause of this permission breakdown and provides the exact steps to restore access using the SharePoint Admin Center and PowerShell.
Key Takeaways: Restoring OneDrive Access After a Department Transfer
- SharePoint Admin Center > Active Sites > Site Address > Permissions: Manually add the new owner as a site collection administrator to override the Access Denied error.
- PowerShell cmdlet Set-SPOUser -IsSiteCollectionAdmin $true: Assigns site collection admin rights to a user without needing the SharePoint Admin Center UI.
- Microsoft 365 admin center > Users > Active Users > Licenses and Apps: Verify the user has an active OneDrive license before attempting any permission changes.
Why Access Denied Occurs After a Department Transfer
OneDrive for Business sites are secured by site-level permissions that are not automatically recalculated when a user’s department attribute changes in Azure AD. When an IT admin transfers a user from Department A to Department B, the OneDrive site that was originally provisioned for the user remains tied to the original user’s identity and its permission set. The new manager or IT staff member who needs to access that site receives an Access Denied error because they were never explicitly granted permission to the site.
The root cause is a permission inheritance break. OneDrive sites inherit permissions from the site collection level, not from Azure AD group membership based on department. Even if the user is added to a security group that has access to the site, the OneDrive site’s unique permissions may not include that group. Additionally, if the original user is deleted or disabled, the site can become orphaned, making it impossible to access through normal navigation.
Another common cause is the OneDrive site being placed on hold for eDiscovery or legal purposes. When a site is on hold, permission changes can be blocked, and existing permissions may be locked. The Access Denied error then appears for any user who is not already a site collection administrator.
Steps to Fix Access Denied After a Department Transfer
Follow these steps in order. The first method uses the SharePoint Admin Center, which is the most accessible approach for most IT admins. The second method uses PowerShell for bulk or automated scenarios.
Method 1: Grant Access via SharePoint Admin Center
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with an account that has Global Admin or SharePoint Admin role. - Navigate to the SharePoint Admin Center
In the left navigation, select Admin centers and then SharePoint. Alternatively, go directly to admin.microsoft.com/SharePoint. - Open the Active Sites page
In the left menu of the SharePoint Admin Center, select Active sites. This lists all site collections, including OneDrive sites. - Locate the former employee’s OneDrive site
In the search box, type the former employee’s name or email address. The site URL follows the patternhttps://yourtenant-my.sharepoint.com/personal/firstname_lastname_tenantdomain. - Open the site’s permission panel
Select the site row to highlight it, then click Permissions in the toolbar above the list. A panel opens showing current administrators and members. - Add the new owner as a site collection administrator
In the Permissions panel, click Add people. In the dialog, type the email address of the user who needs access (the new manager or IT admin). Select the permission level Site collection administrator from the dropdown. Click Add. - Verify access
Ask the new owner to sign out of OneDrive, then sign in again and navigate tohttps://yourtenant-my.sharepoint.com/personal/firstname_lastname_tenantdomain. They should now have full access to the site content.
Method 2: Grant Access Using PowerShell
This method is faster when you need to grant access to multiple users or automate the process. You need the SharePoint Online Management Shell installed.
- Open SharePoint Online Management Shell
Run Windows PowerShell as an administrator and executeConnect-SPOService -Url https://yourtenant-admin.sharepoint.com. Sign in with a Global Admin or SharePoint Admin account. - Identify the OneDrive site URL
RunGet-SPOSite -IncludePersonalSite $true -Filter "Url -like '/personal/username'"to find the exact site URL. Replaceusernamewith the former employee’s email prefix. - Set the new owner as site collection admin
ExecuteSet-SPOUser -Site. Replace-LoginName -IsSiteCollectionAdmin $true - Confirm the permission change
RunGet-SPOUser -Site. Verify that the IsSiteCollectionAdmin property shows-LoginName True. - Test access
As in Method 1, ask the new owner to sign out and sign in again, then navigate to the OneDrive site URL directly.
If OneDrive Still Shows Access Denied After Adding the New Owner
The former employee’s account is deleted or disabled
If the former employee’s Azure AD account is deleted, the OneDrive site becomes orphaned. You cannot add a new owner through the normal Permissions panel because the site’s owner field is empty or points to a deleted user. In this case, use the SharePoint Admin Center’s Access requests feature or run the PowerShell cmdlet Set-SPOSite -Identity to reassign the site owner. After the owner is reassigned, the new owner can then add additional administrators.
The site is on a litigation hold or eDiscovery hold
When a site is on hold, permission changes are blocked. To check, go to the SharePoint Admin Center > Active sites > select the site > Policies tab. If a hold is applied, you must remove the hold before changing permissions. To remove a hold, go to Microsoft Purview compliance portal > eDiscovery > Holds and delete the hold policy that includes this site. After the hold is removed, repeat the steps in Method 1.
The new owner does not have an active OneDrive license
A user must have a valid OneDrive for Business license to access any OneDrive site, even as a site collection administrator. In the Microsoft 365 admin center, go to Users > Active users, select the new owner’s account, and verify that the OneDrive for Business license is assigned under the Licenses and apps tab. If the license is missing, assign one and wait 15 minutes before testing access again.
SharePoint Admin Center vs PowerShell: Key Differences for Permission Management
| Item | SharePoint Admin Center | PowerShell (SharePoint Online Management Shell) |
|---|---|---|
| Access method | Web browser UI | Command-line interface |
| Best for | Single user permission changes | Bulk or automated permission assignments |
| Requires admin role | Global Admin or SharePoint Admin | Global Admin or SharePoint Admin |
| Can reassign site owner | Yes, via Permissions panel if owner exists | Yes, using Set-SPOSite -Owner |
| Works on orphaned sites | Limited; may need PowerShell for owner reassignment | Yes, with Set-SPOSite -Owner |
| Can check hold status | Yes, under Policies tab | Yes, using Get-SPOSite -Identity |
After completing the steps in this guide, the new owner should have full access to the former employee’s OneDrive for Business site. If the Access Denied error persists, verify the user’s license assignment and check for any site-level holds. As an advanced tip, consider using the SharePoint Admin Center’s Access requests feature to let users request access to an orphaned site, which can be approved by the Global Admin without needing to reassign the owner immediately.