When a former employee leaves your organization, their OneDrive for Business site is automatically locked and access is restricted. During an incident response, your IT security team may see an access denied error when trying to open the former employee’s OneDrive files. This happens because the retention policy and site lock prevent direct access through the user’s account. This article explains the root cause of the access denied error and provides step-by-step methods to regain access for forensic analysis or eDiscovery.
Key Takeaways: Regain Access to a Former Employee’s OneDrive for Incident Response
- Microsoft 365 admin center > User management > Active users: Use this to find the former employee’s account and verify its licensing status before attempting access.
- SharePoint admin center > Access policies > Manage site access: Grant yourself or your incident response team direct site collection admin rights to the former employee’s OneDrive.
- Microsoft Purview compliance portal > eDiscovery (Standard): Add the former employee as a data source and place a hold or search their OneDrive without needing direct user access.
Why Access Denied Occurs on a Former Employee’s OneDrive
When an employee is terminated or leaves the organization, the Microsoft 365 tenant administrator typically removes the user’s license and deletes or disables the account. OneDrive for Business is tied to the user’s Azure AD identity. Once the user account is disabled or the license is removed, the OneDrive site enters a locked state. The site URL remains, but the user’s permissions are revoked. Any attempt to access the site using the former employee’s credentials or through a direct link results in an access denied message.
Microsoft automatically applies a retention policy to deleted OneDrive sites. By default, a deleted user’s OneDrive is retained for 30 days after the account is deleted. During this period, the site exists but is inaccessible to the original user and to anyone who does not have explicit site collection admin rights. The access denied error is the correct behavior enforced by the SharePoint permission model and the user lifecycle policy. Incident response teams must use alternative methods, not the original user’s credentials, to access the data.
Steps to Regain Access to a Former Employee’s OneDrive for Incident Response
Use one of the following methods depending on your role and the tools available. All methods require at least SharePoint admin or Global admin privileges in Microsoft 365.
Method 1: Grant Yourself Site Collection Admin via SharePoint Admin Center
- Find the former employee’s OneDrive URL
  Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to User management > Active users. Locate the former employee’s account. If the account is deleted, use the Deleted users tab. Copy the user principal name (UPN), for example user@contoso.com. The OneDrive URL is https://contoso-my.sharepoint.com/personal/user_contoso_com.
- Open the SharePoint admin center
  In the admin center, go to Admin centers > SharePoint. In the SharePoint admin center left menu, select Access policies then Manage site access.
- Add yourself as a site collection admin
  In the Manage site access panel, enter the former employee’s OneDrive URL. Select Add a site collection admin. Enter your own UPN or the UPN of an incident response team member. Click Save. Wait up to 15 minutes for the permission to propagate.
- Access the OneDrive site
  Open a new browser window and navigate to the former employee’s OneDrive URL. You should now see the site content without the access denied error. Use the Documents library to browse, download, or export files.
Method 2: Use eDiscovery (Standard) in Microsoft Purview
- Open the Microsoft Purview compliance portal
  Go to compliance.microsoft.com and sign in with a Global admin or eDiscovery Manager role. In the left navigation, select eDiscovery > Standard.
- Create a new eDiscovery case
  Click Create a case. Give the case a name like “Incident Response – Former Employee OneDrive”. Add a description and click Save.
- Add the former employee as a data source
  Open the case you just created. Select the Sources tab and click Add source > Add data sources. Choose Exchange and OneDrive. Enter the former employee’s UPN. Click Add then Done.
- Place a hold or search
  Select the Holds tab and click Create hold to preserve the data. Alternatively, select the Searches tab and click New search. Configure search criteria such as keywords, date ranges, or file types. Run the search. Review the results in the Results tab. Export files as needed.
Method 3: Restore the Former Employee’s OneDrive via PowerShell
- Install and connect to SharePoint Online Management Shell
  Open Windows PowerShell as an administrator. Run `Install-Module -Name Microsoft.Online.SharePoint.PowerShell`. Then run `Connect-SPOService -Url https://contoso-admin.sharepoint.com` and sign in with a Global admin account.
- Restore the deleted OneDrive site
  Run the command `Restore-SPODeletedSite -Identity https://contoso-my.sharepoint.com/personal/user_contoso_com`. Replace the URL with the former employee’s OneDrive URL. This command restores the site and makes it accessible to site collection admins.
- Grant yourself admin rights
  Run `Set-SPOUser -Site https://contoso-my.sharepoint.com/personal/user_contoso_com -LoginName admin@contoso.com -IsSiteCollectionAdmin $true`. Replace the URL and login name with your own.
- Access the restored site
  Navigate to the OneDrive URL in a browser. You now have full access to the content for incident response.
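The following script is an added example, not part of the original article, that automates Method 3 end to end (restore if needed, grant a responder site collection admin rights) and includes the cleanup step described at the end of the article. It goes one step beyond the text by also handling a site that still exists but carries a NoAccess lock (using Get-SPOSite and Set-SPOSite). It assumes the SharePoint Online Management Shell module is installed; the tenant name, UPNs and the derived site URL are constructed placeholders.

```powershell
Import-Module Microsoft.Online.SharePoint.PowerShell

# Placeholder values (constructed for this example); replace with your own.
$TenantName    = "contoso"
$FormerUserUpn = "user@contoso.com"
$ResponderUpn  = "admin@contoso.com"

function Get-OneDriveUrlFromUpn {
    # Personal site URL convention: "@" and "." in the UPN become "_",
    # e.g. user@contoso.com -> https://contoso-my.sharepoint.com/personal/user_contoso_com
    param([string]$Upn, [string]$Tenant)
    $segment = $Upn -replace '[@.]', '_'
    return "https://${Tenant}-my.sharepoint.com/personal/$segment"
}

function Grant-ResponderOneDriveAccess {
    param([string]$SiteUrl, [string]$Responder)
    # Case 1: the account was deleted and the site sits in the deleted-site
    # collection (still inside the retention window) -> restore it first.
    $deleted = Get-SPODeletedSite -Identity $SiteUrl -ErrorAction SilentlyContinue
    if ($deleted) {
        Write-Host "Restoring $SiteUrl ($($deleted.DaysRemaining) retention days left)"
        Restore-SPODeletedSite -Identity $SiteUrl
    }
    # Case 2: the site exists but carries a lock; a NoAccess lock blocks even
    # site collection admins, so lift it for the duration of the collection.
    $site = Get-SPOSite -Identity $SiteUrl
    if ($site.LockState -eq 'NoAccess') {
        Write-Host "Site is locked (NoAccess); unlocking for collection"
        Set-SPOSite -Identity $SiteUrl -LockState Unlock
    }
    Set-SPOUser -Site $SiteUrl -LoginName $Responder -IsSiteCollectionAdmin $true | Out-Null
    Write-Host "Granted site collection admin on $SiteUrl to $Responder"
}

function Revoke-ResponderOneDriveAccess {
    # Cleanup step from the end of the article: remove the temporary rights.
    param([string]$SiteUrl, [string]$Responder)
    Set-SPOUser -Site $SiteUrl -LoginName $Responder -IsSiteCollectionAdmin $false | Out-Null
    Write-Host "Revoked site collection admin on $SiteUrl from $Responder"
}

Connect-SPOService -Url "https://${TenantName}-admin.sharepoint.com"
$oneDriveUrl = Get-OneDriveUrlFromUpn -Upn $FormerUserUpn -Tenant $TenantName
Grant-ResponderOneDriveAccess -SiteUrl $oneDriveUrl -Responder $ResponderUpn
# ... collect the evidence, then:
# Revoke-ResponderOneDriveAccess -SiteUrl $oneDriveUrl -Responder $ResponderUpn
```

If the site was unlocked for the collection, restore its previous lock state with Set-SPOSite -LockState after revoking the admin rights so the site is left as the user lifecycle policy expects.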
If Access Denied Still Appears After the Main Fix
OneDrive URL returns 404 or Site Not Found
If the former employee’s OneDrive URL returns a 404 error instead of access denied, the site may have been permanently deleted or the 30-day retention period has expired. Check the Deleted users list in the Microsoft 365 admin center. If the user is no longer listed, the site cannot be restored. Use eDiscovery only if the data was preserved via a retention policy or legal hold before deletion.
You cannot add yourself as a site collection admin
If the Manage site access panel in SharePoint admin center does not show the option to add a site collection admin, you may not have SharePoint admin privileges. Request a Global admin to assign you the SharePoint admin role. Alternatively, the site may be in a read-only locked state. Use eDiscovery as a workaround because it does not require direct site admin rights.
eDiscovery search returns no results
If an eDiscovery search returns zero results, the former employee’s OneDrive may not have been indexed. This commonly happens if the user was deleted within the last 24 hours. Wait 24 hours and rerun the search. Also verify that the data source was added correctly and that the user’s UPN is typed exactly as it appears in Azure AD.
Direct Admin Access vs eDiscovery: Key Differences for Incident Response
| Item | Direct Admin Access via SharePoint Admin Center | eDiscovery (Standard) in Microsoft Purview |
|---|---|---|
| Required role | SharePoint admin or Global admin | eDiscovery Manager or Global admin |
| Permission granted | Site collection admin on the OneDrive site | Read-only access to search and export data |
| Data visibility | Full access to all files and folders in the site | Only files matching search criteria |
| Retention impact | Does not place a hold; data can be modified | Can place a hold to preserve data |
| Use case | Immediate full access for forensic collection | Targeted search with legal preservation |
| Time to grant access | Up to 15 minutes for permission propagation | Immediate after case creation |
Both methods are valid for incident response. Use direct admin access when you need the entire file inventory. Use eDiscovery when you need to search specific keywords or dates and preserve the data as evidence.
After completing the incident response, revoke any temporary site collection admin rights you granted. Go to SharePoint admin center > Access policies > Manage site access, enter the OneDrive URL, and remove yourself from the site collection admin list. This prevents unauthorized future access and maintains compliance with data governance policies.