OneDrive Admin Checklist: former employee OneDrive access shows access denied for executive files

When an executive leaves the company, IT admins often need to access the former employee’s OneDrive to recover critical business files. However, you may see an ‘access denied’ error when trying to open the executive’s OneDrive, even though you are a global admin or SharePoint admin. This error occurs because OneDrive for Business enforces strict permission inheritance and site-level access policies that block even admins from directly opening another user’s OneDrive without explicit configuration. This article explains the root cause of the ‘access denied’ error for former employee OneDrive access and provides a step-by-step checklist to regain access, including the correct admin center settings, PowerShell commands, and site collection permission adjustments.

Key Takeaways: Regaining Access to a Former Executive’s OneDrive

  • Microsoft 365 admin center > Users > Active users > former user > OneDrive tab: Direct link to the former employee’s OneDrive; if blocked, you must first assign site collection admin permissions.
  • SharePoint admin center > Sites > Active sites > former user OneDrive URL: Manage site permissions and add yourself as a site collection admin to bypass access denied errors.
  • SharePoint Online Management Shell > Set-SPOUser -IsSiteCollectionAdmin: PowerShell command to grant yourself site collection admin rights on the former employee’s OneDrive without needing the user interface.

Why You See ‘Access Denied’ When Opening a Former Employee’s OneDrive

OneDrive for Business is a personal site collection (mysite) that, by default, grants access only to the owner and delegated admins. Even global admins and SharePoint admins are not automatically added as site collection administrators on every user’s OneDrive. Microsoft designed this restriction to protect user privacy and prevent unauthorized access to personal files. When the employee leaves the company and their account is disabled or deleted, the OneDrive site collection remains but inherits the same permission restrictions. If you try to navigate directly to the former employee’s OneDrive URL, you see ‘access denied’ because your admin account lacks explicit permissions on that specific site collection.

Site Collection Permission Inheritance

Every OneDrive is a separate site collection under the tenant’s SharePoint Online hierarchy. Site collection administrators are the only users who can access all content within that site. Global admins are not automatically site collection admins on every site. To access a former employee’s OneDrive, you must either become a site collection admin on that specific site or use the ‘Add site collection admin’ feature in the SharePoint admin center.

Account State and Retention Policy Impact

If the former employee’s Microsoft 365 account is deleted before you access their OneDrive, the site collection enters a retention period (default 30 days). During this period, the site is still accessible but only to site collection administrators. If the account is disabled, the OneDrive remains accessible to the owner until the retention period expires. In both cases, you need to add yourself as a site collection admin to bypass the access denied error.

Checklist to Regain Access to the Former Executive’s OneDrive

Follow these steps in order. Each step builds on the previous one. If one method fails, proceed to the next.

  1. Verify the former employee’s account status
    Go to the Microsoft 365 admin center at admin.microsoft.com. Select Users > Active users. Find the former employee. If the account is deleted, you cannot use the OneDrive tab in the admin center. If the account is disabled but not deleted, proceed to step 2. If the account is still active, you must first block sign-in or delete the account per your company policy.
  2. Access the OneDrive from the admin center
    In the Microsoft 365 admin center, select the former employee’s user account. Click the OneDrive tab. Click Create link to files or Open OneDrive. If you see ‘access denied’, the admin center cannot grant you direct access. Move to step 3.
  3. Open SharePoint admin center and find the OneDrive site
    Go to the SharePoint admin center at admin.microsoft.com/sharepoint. Select Sites > Active sites. Search for the former employee’s name or the OneDrive URL pattern: https://[tenant]-my.sharepoint.com/personal/[user]_[domain]_com. Click the site name to open the site details panel.
  4. Add yourself as a site collection admin
    In the site details panel, click the Permissions tab. Under Site collection administrators, click Add site collection admin. Enter your admin email address. Click Save. Wait 5 minutes for permissions to propagate, then navigate directly to the former employee’s OneDrive URL. You should now see the files.
  5. Use PowerShell if the SharePoint admin center fails
    If the site does not appear in the active sites list or you cannot add yourself via the UI, use the SharePoint Online Management Shell. Open PowerShell as an administrator and run:
        Connect-SPOService -Url https://[tenant]-admin.sharepoint.com
        Set-SPOUser -Site https://[tenant]-my.sharepoint.com/personal/[user]_[domain]_com -LoginName admin@[tenant].onmicrosoft.com -IsSiteCollectionAdmin $true
    Replace placeholders with your tenant and user details. After execution, test access by opening the OneDrive URL in a browser.
  6. Transfer files using the ‘Add to OneDrive’ or ‘Copy to’ feature
    Once you have access, select the files you need. Use the Copy to command in the OneDrive toolbar to copy files to your own OneDrive or a shared location. Alternatively, use the Move to command to reorganize content. Do not delete the former employee’s OneDrive until you have confirmed all required files are copied.

If You Still Get ‘Access Denied’ After Adding Yourself

The OneDrive site is in a deleted state

If the former employee’s account was deleted more than 30 days ago, the OneDrive site may have been moved to the SharePoint recycle bin. Go to SharePoint admin center > Sites > Deleted sites. If the site appears, select it and click Restore. Then follow the steps above to add yourself as a site collection admin.

Executive-level retention policy blocks admin access

Some organizations apply a ‘site lock’ or ‘legal hold’ on executive OneDrive sites. If the site is under a retention hold, you cannot modify permissions directly. Contact your compliance or legal team to release the hold temporarily. After the hold is removed, add yourself as a site collection admin.

Conditional Access policies block your admin account

If your tenant uses Conditional Access policies that restrict access to OneDrive based on IP range or device compliance, your admin account may be blocked. Temporarily add your admin account to an exclusion group in Azure AD Conditional Access, or access the OneDrive from a compliant device within the allowed IP range.

Admin Center Access vs Site Collection Admin: Key Differences

| Item | Microsoft 365 Admin Center OneDrive Tab | Site Collection Admin (SharePoint Admin Center) |
|---|---|---|
| Access method | Click user > OneDrive tab > Open OneDrive | Add yourself in site permissions or via PowerShell |
| Required permission level | Global admin or SharePoint admin | Global admin or SharePoint admin to add yourself |
| Works for deleted accounts | No – user must exist | Yes – site must exist in active or deleted sites |
| Works for disabled accounts | Yes – but may still show access denied | Yes – directly grants full access |
| Requires explicit permission grant | No – uses delegated access | Yes – you must be added as site collection admin |

The admin center OneDrive tab is a convenience feature that attempts to open the user’s OneDrive using your existing permissions. It does not grant you any new permissions. If you see ‘access denied’ there, you must use the site collection admin method to gain access.

After you have regained access and copied the necessary files, you can remove yourself as a site collection admin to maintain security. To remove yourself, go to the SharePoint admin center, open the former employee’s site, click Permissions, and remove your admin account from the site collection administrators list. Consider setting a OneDrive retention policy for all former employees to automatically transfer ownership to a shared mailbox or admin account after account deletion.
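
The grant from checklist steps 4 and 5 and the removal described above can be run as a single time-boxed operation, so the temporary admin right is revoked even if the session is interrupted. The following PowerShell is an added example, not part of the original checklist or any Microsoft sample; the parameter names, the log path and the Write-Audit helper are assumptions, and it requires the SharePoint Online Management Shell.

```powershell
# Added example: time-boxed site collection admin access with an audit log.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
param(
    [Parameter(Mandatory)] [string] $TenantAdminUrl,  # https://[tenant]-admin.sharepoint.com
    [Parameter(Mandatory)] [string] $OneDriveUrl,     # https://[tenant]-my.sharepoint.com/personal/[user]_[domain]_com
    [Parameter(Mandatory)] [string] $AdminUpn,        # account that receives temporary access
    [string] $LogPath = ".\onedrive-access-$(Get-Date -Format yyyyMMdd-HHmmss).log"  # assumed log location
)

$ErrorActionPreference = 'Stop'

# Hypothetical helper: timestamp each event and append it to the log file.
function Write-Audit([string] $Message) {
    "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message | Tee-Object -FilePath $LogPath -Append
}

Connect-SPOService -Url $TenantAdminUrl

# Confirm the site exists and is not locked before changing any permissions.
$site = Get-SPOSite -Identity $OneDriveUrl
Write-Audit "Site $($site.Url) owner=$($site.Owner) lock=$($site.LockState)"
if ($site.LockState -eq 'NoAccess') {
    throw "Site is locked (NoAccess); resolve the lock before granting access."
}

$granted = $false
try {
    Set-SPOUser -Site $OneDriveUrl -LoginName $AdminUpn -IsSiteCollectionAdmin $true | Out-Null
    $granted = $true
    Write-Audit "GRANTED site collection admin to $AdminUpn"

    # Record every account that currently holds admin rights on this OneDrive.
    Get-SPOUser -Site $OneDriveUrl -Limit All | Where-Object IsSiteAdmin |
        ForEach-Object { Write-Audit "Current admin: $($_.LoginName)" }

    Read-Host "Copy the required files, then press Enter to revoke access"
}
finally {
    # Runs on normal completion, on error, and on Ctrl+C.
    if ($granted) {
        Set-SPOUser -Site $OneDriveUrl -LoginName $AdminUpn -IsSiteCollectionAdmin $false | Out-Null
        Write-Audit "REVOKED site collection admin from $AdminUpn"
    }
}
```

The log file gives reviewers a record of when access was held and which other accounts had admin rights on the site at that time. If the admin account was already a site collection admin before the script ran, the revoke step removes that earlier grant as well.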
