When a former employee leaves your organization, their OneDrive for Business account is typically converted to a site collection and the license is removed. During an access review, reviewers often see an “access denied” message when trying to open that former employee’s OneDrive. This happens because the access review tool tries to access the OneDrive using the reviewer’s permissions, but the site collection may have unique permissions or the reviewer lacks direct access. This article explains why the access denied error occurs and provides a step-by-step fix to grant reviewers the necessary permissions so they can complete the review.
Key Takeaways: Fix Access Denied for Former Employee OneDrive in Access Reviews
- Microsoft 365 admin center > SharePoint admin center > Site collections: Locate the former employee’s OneDrive site collection and check its permission settings.
- Add reviewer as site collection administrator: The reviewer must be added explicitly to the site collection to bypass the access denied error.
- PowerShell command Set-SPOUser -Site -LoginName -IsSiteCollectionAdmin $true: Use this cmdlet to bulk-add reviewers to multiple former employee OneDrive sites at once.
Why Access Reviews Show Access Denied for Former Employee OneDrive
When an employee leaves your organization, their OneDrive site is converted to a site collection and the user account is disabled or deleted. The access review tool in Microsoft 365, such as Azure AD Access Reviews, attempts to access the OneDrive site to verify who still has access. However, the reviewer performing the review does not automatically have permission to view that site collection. The site collection may have unique permissions that were set when the employee was active, or the site collection may be locked after the account is disabled. Additionally, the access review tool itself uses the reviewer’s identity to browse the site, so if the reviewer is not a site collection administrator or a member of the site’s visitors group, the tool returns an access denied error.
The error is not a sign that the review is broken. It is a permission boundary. The reviewer needs to be granted at least read access to the site collection to complete the review. This is a deliberate security measure by Microsoft to prevent unauthorized access to data that might contain sensitive information about the former employee’s work.
Steps to Grant Reviewer Access to Former Employee OneDrive Sites
Follow these steps to resolve the access denied error for access reviews. You need SharePoint admin permissions or Global admin permissions to perform these actions.
- Identify the former employee’s OneDrive site collection URL
Go to the Microsoft 365 admin center at admin.microsoft.com. Select Users > Active users. Find the former employee’s account. If the account is deleted, use the Deleted users tab. Under the OneDrive column, click the link that says Create link to files or Open OneDrive. The URL will look like https://yourtenant-my.sharepoint.com/personal/username_domain_com.
- Open the SharePoint admin center
In the admin center, go to Admin centers > SharePoint. In the left navigation, select Site collections (or Active sites if using the new admin center).
- Locate the former employee’s OneDrive site
Search for the site URL you copied in step 1. Click the site name to open its properties.
- Add the reviewer as a site collection administrator
In the site properties panel, scroll to Site collection administrators. Click Edit. Enter the email address of the reviewer who needs to complete the access review. Click Save. This gives the reviewer full administrative access to the site, which is sufficient for the access review tool to read permissions.
- Confirm the access review can now proceed
Ask the reviewer to go back to the access review in the Azure AD admin portal. They should now be able to see the former employee’s OneDrive and complete the review without an access denied error.
Using PowerShell to Add Multiple Reviewers to Multiple Sites
If you have many former employees and need to add the same reviewer to all their OneDrive sites, use PowerShell. First, install the SharePoint Online Management Shell. Then run the following commands:
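- Connect to SharePoint Online
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
- Get a list of all OneDrive sites
Get-SPOSite -IncludePersonalSite $true -Limit All -Template "SPSPERS#10" | Select-Object Url
This lists every personal site collection (OneDrive site) in the tenant, including those of active users. Personal sites are left out of Get-SPOSite output unless -IncludePersonalSite $true is set, and -Limit All lifts the default cap on the number of sites returned.
- Add the reviewer to each site
Get-SPOSite -IncludePersonalSite $true -Limit All -Template "SPSPERS#10" | ForEach-Object { Set-SPOUser -Site $_.Url -LoginName "reviewer@yourtenant.com" -IsSiteCollectionAdmin $true }
Replace reviewer@yourtenant.com with the reviewer’s email.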
If Access Reviews Still Show Access Denied After Adding the Reviewer
Reviewer is still seeing access denied for a specific file or folder
The site collection administrator permission gives access to the entire site. If the reviewer sees access denied on a specific item, it means that item has unique permissions that block even site collection administrators. This is rare because site collection administrators normally bypass all permission settings. Check if the item is in a sub-site with broken inheritance. In that case, add the reviewer directly to that sub-site as an administrator.
Access review is trying to access a deleted user’s OneDrive that no longer exists
When a user is deleted and their OneDrive is not retained, the site collection is removed after 93 days. If the access review is referencing a site that no longer exists, the review will always show an error. You must remove that user from the access review scope. Go to Azure AD > Identity Governance > Access Reviews, edit the review, and exclude the deleted user’s account.
Reviewer is in a different tenant or is an external guest
External reviewers cannot access internal OneDrive site collections unless they are added as external users in SharePoint. For access reviews, it is best to use internal reviewers. If you must use an external reviewer, add them as an external user in the SharePoint site collection and assign them the appropriate permission level.
Site Collection Administrator vs Access Review Permission Levels
| Item | Site Collection Administrator | Access Review Required Permission |
|---|---|---|
| Description | Full control over the entire site collection, including permissions, content, and settings | Read access to the site collection to enumerate users and their permissions |
| Permission level | Full Control | Read or higher |
| Effect on access review | Reviewer can see all users and their permissions | Reviewer can see users and permissions but cannot modify the site |
| Ease of setup | Simple via SharePoint admin center or PowerShell | Requires adding reviewer to Visitors group or custom permission level |
| Security risk | High — reviewer gets full control of the site | Low — reviewer only gets read access |
For access reviews, adding the reviewer as a site collection administrator is the quickest fix. However, if you want to limit the reviewer’s access to read-only, add them to the Visitors group of the site collection instead. To do this, go to site permissions, click Grant permissions, enter the reviewer’s email, and select the Read permission level. This still allows the access review tool to work because the tool only needs to read the permission settings.
After completing the access review, you should remove the reviewer’s permissions to maintain security. Use the SharePoint admin center or PowerShell to remove the reviewer from the site collection administrators list or from the Visitors group.
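The bulk grant from the PowerShell section and the cleanup described above can be combined into one scoped workflow. The following is an added example, not code from the original article: it limits the grant to a named list of former-employee OneDrive URLs instead of every personal site, records what was granted, and revokes and verifies afterwards. The function name, tenant URLs, reviewer address and CSV path are assumptions.

```powershell
# Added example. Hypothetical names: Set-ReviewerAdmin, the sample URLs,
# the reviewer address and the CSV path. Requires the SharePoint Online
# Management Shell and an existing session:
#   Connect-SPOService -Url https://yourtenant-admin.sharepoint.com

function Set-ReviewerAdmin {
    param(
        [Parameter(Mandatory)] [string[]] $SiteUrl,
        [Parameter(Mandatory)] [string]   $Reviewer,
        [Parameter(Mandatory)] [bool]     $Enabled
    )
    foreach ($url in $SiteUrl) {
        # Refuse anything that is not a personal (OneDrive) site URL.
        if ($url -notmatch '^https://[^/]+-my\.sharepoint\.com/personal/[^/]+/?$') {
            Write-Warning "Skipping non-OneDrive URL: $url"
            continue
        }
        try {
            Set-SPOUser -Site $url -LoginName $Reviewer `
                -IsSiteCollectionAdmin $Enabled -ErrorAction Stop | Out-Null
            $result = 'OK'
        } catch {
            # For example, the site was already removed after retention expired.
            $result = $_.Exception.Message
        }
        [pscustomobject]@{ Site = $url; Reviewer = $Reviewer; Admin = $Enabled; Result = $result }
    }
}

# Constructed sample input: only the former employees in the review scope.
$formerEmployeeSites = @(
    'https://yourtenant-my.sharepoint.com/personal/jdoe_yourtenant_com',
    'https://yourtenant-my.sharepoint.com/personal/asmith_yourtenant_com'
)
$reviewer = 'reviewer@yourtenant.com'

# Before the review: grant, and keep the output as an audit record.
Set-ReviewerAdmin -SiteUrl $formerEmployeeSites -Reviewer $reviewer -Enabled $true |
    Export-Csv -Path .\reviewer-grants.csv -NoTypeInformation

# After the review is complete: revoke on the same list, then verify.
Set-ReviewerAdmin -SiteUrl $formerEmployeeSites -Reviewer $reviewer -Enabled $false | Out-Null
foreach ($url in $formerEmployeeSites) {
    Get-SPOUser -Site $url -Limit All |
        Where-Object { $_.LoginName -eq $reviewer -and $_.IsSiteAdmin } |
        ForEach-Object { Write-Warning "$reviewer is still site collection admin on $url" }
}
```

Run the grant and revoke sections at different times in practice; the CSV written at grant time is the list to revoke against once the review closes.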