You invited a guest user to your SharePoint site or Microsoft 365 group. The guest accepted the invitation. But when they try to open the site, they see an Access Denied message. This problem occurs because SharePoint permissions and Microsoft 365 group membership are not automatically synchronized in all scenarios. This article explains the root cause and provides step-by-step fixes to grant the guest access.
Key Takeaways: Fix Guest Access Denied After Invitation
- SharePoint admin center > Policies > Sharing: Controls external sharing defaults for SharePoint sites and OneDrive.
- Microsoft 365 admin center > Groups > Active groups: Verify guest membership and re-add the user if needed.
- Site permissions > Share: Manually grant the guest access to the site or document library.
Why Guest Users See Access Denied After Accepting an Invitation
When you send an invitation to a guest user, Microsoft 365 creates a guest account in Azure Active Directory. The guest receives an email with a link to accept the invitation. After acceptance, the guest account is added to the Azure AD tenant but not automatically added to every SharePoint site or Microsoft 365 group. Access Denied appears when the guest tries to reach a resource that the invitation did not explicitly cover. Common causes include:
- The invitation was sent for a Microsoft 365 group, but the group’s SharePoint site has unique permissions that block guests.
- The invitation was sent for a specific document or folder, but the guest tries to access the parent site or library.
- The organization’s external sharing policy restricts guest access to certain site collections.
- The guest account was deleted or disabled before the user accepted.
Steps to Grant Access to a Guest User After Acceptance
Follow these steps in order. Test access after each step before moving to the next.
Step 1: Verify Guest Account Status in Azure Active Directory
- Open Azure AD admin center
Go to https://aad.portal.azure.com. Sign in as a Global Administrator or User Administrator. - Navigate to Users
Select Azure Active Directory > Users > All users. - Find the guest user
Filter by User type = Guest. Locate the guest email address. Check the Account enabled column. It must show Yes. If disabled, select the user, then select Edit and set Block sign in to No.
Step 2: Verify Guest Membership in the Microsoft 365 Group
- Open Microsoft 365 admin center
Go to https://admin.microsoft.com. Sign in as a Global Administrator. - Go to Groups
Select Teams & groups > Active teams & groups. - Open the group
Find the group that owns the SharePoint site. Select the group name. - Check Members tab
Select the Members tab. Confirm the guest user is listed. If not, select Add members and type the guest email address. Select Add.
Step 3: Grant Direct Access to the SharePoint Site
- Open the SharePoint site
Navigate to the site URL. Sign in as a site owner. - Open site permissions
Select Settings (gear icon) > Site permissions. - Share the site
Select Share site. In the dialog, type the guest email address. Choose a permission level: Full control, Edit, or Read. Select Send. - Ask the guest to test
The guest will receive a new email invitation. After accepting, they can access the site.
Step 4: Check External Sharing Settings for the Site
- Open SharePoint admin center
Go to https://admin.microsoft.com. Select Admin centers > SharePoint. - Go to Active sites
Select Policies > Active sites. Find the site in the list. - Check external sharing
Select the site name. In the panel, look for External sharing. It must be set to Anyone or New and existing guests. If set to Existing guests only or Only people in your organization, change it to New and existing guests. Select Save.
Step 5: Clear Browser Cache and Re-authenticate
- Instruct the guest
Ask the guest to clear browser cache and cookies for the Microsoft 365 domain (login.microsoftonline.com and sharepoint.com). - Sign out and sign in again
The guest must sign out of all Microsoft accounts, close the browser, then sign in again using the same email address.
If the Guest Still Gets Access Denied
The guest was removed from Azure AD before accepting
If an admin deleted the guest account before the user accepted, the invitation link becomes invalid. Resend the invitation from the Microsoft 365 admin center. Go to Users > Guest users. Find the guest, select Resend invite.
The guest is trying to access a subsite with unique permissions
SharePoint subsites can have permissions that do not inherit from the parent site. The guest must be added explicitly to the subsite. Open the subsite, select Settings > Site permissions > Share site, and add the guest.
The organization’s external sharing policy blocks the site
A tenant-wide policy may restrict external sharing to specific domains. In SharePoint admin center, go to Policies > Sharing. Under External sharing, confirm that Allow sharing with external users is enabled. If domain restrictions are set, add the guest’s domain to the allowed list.
The guest uses a personal Microsoft account that does not match the invitation
When a guest accepts an invitation with a personal account (for example, user@gmail.com), Microsoft 365 treats it as a separate identity. The guest must accept the invitation using the exact email address that received it. If they used a different account, cancel the original invitation and send a new one to the correct email.
Guest Access Scenarios: Comparison Table
| Item | Direct Site Invitation | Group Invitation |
|---|---|---|
| Access scope | Only the specific site or library | All resources connected to the group (site, documents, Teams, Planner) |
| Permission inheritance | Does not auto-add to parent site | Group membership grants access to all group resources |
| Typical error | Access Denied if guest tries to reach another site | Access Denied if guest tries to reach a resource outside the group |
| Fix | Share the site again from site permissions | Add guest to group in Microsoft 365 admin center |
Conclusion
You can now fix Access Denied errors for guest users by verifying the guest account in Azure AD, checking group membership, and granting direct site permissions. Always confirm that the external sharing settings for the site allow guests. For recurring issues, check the Azure AD audit log to see if the guest was deleted or blocked. As a final tip, use the SharePoint admin center’s Sharing report to monitor guest access activity across all sites.