When a former employee leaves your organization, you may need to access their OneDrive for incident response, legal holds, or data recovery. But when you try to open the site, you see an access denied error instead of the expected file list. This error occurs because the user account was deleted or disabled in Microsoft Entra ID, which removes the site-level permissions for all administrators. This article explains the exact cause of the access denied error and provides a step-by-step checklist for regaining access to a former employee’s OneDrive using the Microsoft 365 admin center, SharePoint Online Management Shell, and eDiscovery tools.
Key Takeaways: Regaining Access to a Deleted User’s OneDrive
- Microsoft 365 admin center > Users > Deleted users > Restore user: Restoring the user account within 30 days restores OneDrive permissions and site access for admins.
- SharePoint admin center > More features > User profiles > Manage user profiles: Use this path to find the deleted user’s profile and set a new site collection admin.
- Microsoft 365 admin center > Compliance > Content search: Run a content search against the former employee’s OneDrive URL to export files without needing site-level access.
Why Access Denied Appears for a Former Employee’s OneDrive
When a user account is deleted from Microsoft Entra ID, the corresponding OneDrive site enters a retention period. During this period, the site is not deleted, but the site-level permissions for that user are removed. Because the user no longer exists, SharePoint Online cannot resolve the user’s security principal. This breaks the default permission inheritance that grants site collection administrators access.
Even if you are a global admin or SharePoint admin, you do not automatically inherit access to a deleted user’s OneDrive. The site exists as an orphaned site collection with no active site collection admin. The only way to access it is to either restore the user account or explicitly grant yourself permissions through the SharePoint admin center or PowerShell.
The retention period for a deleted user’s OneDrive is 30 days by default. After that period, the site is permanently deleted and cannot be recovered. If you need access for incident response, you must act within this window. The checklist below covers both scenarios: user still in the deleted users list and user already purged beyond 30 days.
Checklist: Steps to Gain Access to a Former Employee’s OneDrive
Option 1: Restore the User Account Within 30 Days
If the user was deleted less than 30 days ago, the quickest method is to restore the user account. This re-establishes the security principal and automatically grants site collection admin access to global admins.
- Open the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in as a global admin.
- Navigate to Deleted users
  In the left navigation, select Users then Deleted users. A list of users deleted within the last 30 days appears.
- Select the former employee
  Click the user’s name to open the details pane.
- Restore the user
  Click Restore user. Confirm the action. The user account is re-created in an inactive state.
- Wait for replication
  Allow up to 30 minutes for the permission changes to propagate to SharePoint Online.
- Access the OneDrive
  Open https://yourtenant-my.sharepoint.com/personal/useralias_yourtenant_com in a browser. You should now have full access.
Option 2: Grant Yourself Site Collection Admin via SharePoint Admin Center
If restoring the user is not feasible because the account was purged or you need immediate access without reactivating the user, use the SharePoint admin center to add yourself as a site collection admin on the orphaned OneDrive site.
- Open the SharePoint admin center
  Go to https://admin.microsoft.com/SharePoint.
- Go to Active sites
  In the left menu, select Sites then Active sites. The former employee’s OneDrive appears as a site collection with the URL pattern https://yourtenant-my.sharepoint.com/personal/....
- Select the OneDrive site
  Click the checkbox next to the site name to select it.
- Open the Permissions panel
  In the toolbar, click Permissions.
- Add yourself as a site collection admin
  In the Site collection administrators section, click Add site collection admins. Enter your email address and click Save.
- Access the OneDrive
  Open the OneDrive URL. You now have full administrative access to the site.
Option 3: Use SharePoint Online Management Shell
For bulk operations or when the SharePoint admin center does not show the site, use PowerShell to add yourself as a site collection admin.
- Install the SharePoint Online Management Shell
  Open Windows PowerShell as administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. If prompted, choose Yes to install from PSGallery.
- Connect to SharePoint Online
  Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com and sign in as a global admin.
- Get the OneDrive site URL
  Run Get-SPOSite -IncludePersonalSite $true and locate the site with the former employee’s name in the URL.
- Add yourself as a site collection admin
  Run Set-SPOUser -Site "https://yourtenant-my.sharepoint.com/personal/alias_tenant_com" -LoginName "admin@yourtenant.com" -IsSiteCollectionAdmin $true.
- Verify access
  Open the OneDrive URL in a browser. You should now have full access.
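The Option 3 steps can be combined into one script that also records the grant and removes it when collection is finished, so the elevated right does not outlive the investigation. This is an added example, not part of the original article; the tenant URL, alias, responder account, and the `$LogPath` audit file are placeholders or assumptions, and the removal step is an addition to the procedure above.

```powershell
# Added example (not from the original article): time-boxed admin grant with an audit trail.
# All values are placeholders; $LogPath is a hypothetical local audit file.
$AdminUrl  = 'https://yourtenant-admin.sharepoint.com'
$UserAlias = 'alias_tenant_com'       # personal-site URL segment of the former employee
$Responder = 'admin@yourtenant.com'   # account that needs temporary access
$LogPath   = Join-Path $PWD 'onedrive-access-log.csv'

Connect-SPOService -Url $AdminUrl

# Locate the personal site; -Limit All lifts the default result cap.
$sites = @(Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.Url -like "*/personal/$UserAlias" })
if ($sites.Count -ne 1) {
    throw "Expected exactly one OneDrive site for '$UserAlias', found $($sites.Count)."
}
$site = $sites[0]

# A locked site can still deny access after the grant, so surface it first.
if ($site.LockState -ne 'Unlock') {
    Write-Warning "Lock state is '$($site.LockState)'; access may still be denied."
}

function Write-AccessLog([string]$Action) {
    # Append one row per action so the grant and its removal are both on record.
    [pscustomobject]@{
        TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
        Action    = $Action
        Site      = $site.Url
        Responder = $Responder
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

$granted = $false
try {
    Set-SPOUser -Site $site.Url -LoginName $Responder -IsSiteCollectionAdmin $true | Out-Null
    $granted = $true
    Write-AccessLog 'Granted site collection admin'
    Read-Host "Access granted on $($site.Url). Press Enter when collection is finished"
}
finally {
    # Only undo a grant that actually succeeded.
    if ($granted) {
        Set-SPOUser -Site $site.Url -LoginName $Responder -IsSiteCollectionAdmin $false | Out-Null
        Write-AccessLog 'Removed site collection admin'
    }
}
```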
If OneDrive Access Still Fails After These Steps
The OneDrive site shows a 404 or site not found error
This indicates the site was permanently deleted because the 30-day retention period expired. Use the Microsoft 365 compliance center to search for content that was backed up through retention policies or eDiscovery holds. If no backup exists, the data is lost. For future incidents, configure a default retention policy for all OneDrive sites to prevent permanent loss.
Access denied even after adding yourself as site collection admin
This can happen if the site has custom permission inheritance that removed the site collection admin group. Use the SharePoint Online Management Shell to reset permission inheritance. Run Set-SPOSite -Identity "site-url" -DenyAddAndCustomizePages $false and then re-add yourself as site collection admin. If the issue persists, the site may be locked by a compliance policy or litigation hold. Check the site’s lock state with Get-SPOSite -Identity "site-url" | Select LockState.
You need to export files for legal or incident response without granting full site access
Use the Microsoft 365 compliance center’s Content search tool. Go to Compliance > Content search and create a new search. In the locations step, choose Choose specific sites and paste the OneDrive URL. Run the search and export the results. This method does not require site-level permissions and exports files directly to a .pst or Microsoft 365 mailbox.
Methods to Access Former Employee OneDrive: Comparison
| Item | Restore User Account | Add Site Collection Admin | Content Search (eDiscovery) |
|---|---|---|---|
| Time required | 10 minutes plus replication wait | 5 minutes | 15 minutes |
| User account status | Must be in Deleted users list (under 30 days) | User can be deleted or purged | User can be deleted or purged |
| Permissions granted | Full site collection admin | Full site collection admin | Read-only export of files |
| Side effects | Re-activates user license if available | None | None |
| Best for | Quick full access when user was recently deleted | Immediate admin access without restoring user | Legal or incident response where full admin access is not required |
Now you have three reliable methods to regain access to a former employee’s OneDrive when you see access denied. Start with restoring the user if the account was deleted within 30 days. If not, use the SharePoint admin center or PowerShell to grant yourself site collection admin. For compliance-only scenarios, use Content search in the compliance center. Configure a default OneDrive retention policy of at least 30 days to ensure you always have a recovery window for incident response.