You need to grant a colleague or an IT administrator temporary access to a specific user’s OneDrive for Business to recover files, audit content, or complete a migration. OneDrive for Business does not include a built-in expiration timer for sharing a user’s entire OneDrive. Instead, you must use the Microsoft 365 admin center to assign the necessary site collection administrator permissions and then manually revoke them after the task is complete. This article explains the exact steps to grant time-limited access to another user’s OneDrive and how to remove that access securely.
Key Takeaways: Granting Temporary OneDrive Access
- Microsoft 365 admin center > Active users > OneDrive tab: Assign the “Site collection administrator” role to a user to grant full access to another user’s OneDrive.
- Manual revocation: You must remove the site collection administrator role after the temporary access period ends because OneDrive does not auto-expire this permission.
- Audit log review: Use the Microsoft 365 Purview compliance portal to track when the temporary access was granted and revoked for security compliance.
Understanding Temporary Access to Another User’s OneDrive
OneDrive for Business stores each user’s files in a dedicated SharePoint site collection. By default, only the user whose OneDrive it is has access. To grant another person full access to that user’s OneDrive, you must assign that person the site collection administrator role on the target site collection. This role provides the same permissions as the original user, including the ability to view, edit, delete, and download all files and folders. There is no built-in way to set an automatic expiration for this access. You must track the grant date and manually remove the role when the task is finished. The Microsoft 365 audit log records all permission changes, so you can verify when access was added and removed.
Before you begin, ensure you have the global administrator role or the SharePoint administrator role in your Microsoft 365 tenant. You also need the username or email address of the target user whose OneDrive you want to access, and the username or email address of the person who needs temporary access. This process works in both the Microsoft 365 admin center and the SharePoint admin center, but the admin center method is faster for a single user.
Steps to Grant and Remove Temporary OneDrive Access
Follow these steps to assign the site collection administrator role to a user for a specific OneDrive site collection, then remove it after the temporary task is complete.
- Open the Microsoft 365 admin center
Sign in to admin.microsoft.com with an account that has global administrator or SharePoint administrator permissions. In the left navigation pane, expand Users and select Active users. - Find the target user
In the list of active users, locate the user whose OneDrive you need to access. Click the user’s display name to open the user details panel. - Open the OneDrive tab
In the user details panel, click the OneDrive tab. This tab shows the URL of the user’s OneDrive site collection. Click the link that says Create link to files or simply note the URL shown under OneDrive. - Go to the OneDrive site collection
Click the OneDrive URL to open the user’s OneDrive in a new browser tab. If prompted, sign in again with your admin account. - Access site permissions
In the user’s OneDrive, click the gear icon in the upper-right corner and select Site information. Then click View all site settings. Under Users and Permissions, click Site permissions. - Add the temporary user as a site collection administrator
On the Site Permissions page, click Advanced permission settings. On the ribbon at the top, click Site Collection Administrators. In the dialog box, type the email address or username of the person who needs temporary access. Click OK. This person now has full access to all files in that OneDrive. - Notify the temporary user
Inform the person that access has been granted. They can now browse the user’s OneDrive by navigating to the same OneDrive URL directly in their browser. They do not need to sync the library. - Remove the temporary access when the task is complete
After the temporary work is finished, repeat steps 1 through 6. In the Site Collection Administrators dialog box, remove the email address or username you added earlier. Click OK. The person can no longer access the user’s OneDrive.
If You Need to Verify or Audit the Access Grant
The Microsoft 365 audit log records all site collection administrator changes. Use this log to confirm when access was granted and when it was removed.
- Go to the Microsoft 365 Purview compliance portal
Open compliance.microsoft.com and sign in with an account that has audit log permissions. In the left navigation, click Audit. - Search for permission changes
Under Search, set the date range to cover the period when you granted access. In the Activities dropdown, select Added site collection admin and Removed site collection admin. Click Search. - Review the results
The audit log shows the user who made the change, the target user, the date and time, and the specific site collection URL. Use this data to confirm the temporary access window.
Common Mistakes and Limitations When Granting Temporary Access
“I assigned the user as a site collection admin but they cannot access the OneDrive”
The user must navigate directly to the OneDrive URL. They cannot see the target user’s OneDrive in their own OneDrive or in the SharePoint admin center by default. Provide the exact OneDrive URL to the temporary user. Also verify that the user account is active and has a valid license.
“I need to grant access to multiple users at once”
The site collection administrator role can include multiple users. In step 6, add each person’s email address separated by a semicolon. Remove each person individually when their access is no longer needed.
“The temporary user needs to move files instead of just viewing them”
The site collection administrator role includes full control permissions. The user can move, copy, delete, or download files. If you want to restrict actions, consider using SharePoint site permissions with a custom permission level instead of the site collection administrator role. However, this requires more granular setup and is not covered in this article.
Site Collection Administrator vs Direct Sharing: Key Differences
| Item | Site Collection Administrator | Direct Sharing of Files or Folders |
|---|---|---|
| Scope of access | All files and folders in the user’s OneDrive | Only the specific files or folders that are shared |
| Permission management | Must be added and removed manually in site settings | Can be shared with expiration dates and password protection |
| Use case | IT recovery, legal hold, full migration | Collaboration on a limited set of documents |
| Audit trail | Logged in Microsoft 365 audit log | Logged in Microsoft 365 audit log |
Use the site collection administrator method only when you need unfettered access to the entire OneDrive. For sharing a few specific files, use the standard OneDrive sharing feature with an expiration date and password.
You can now grant temporary access to any user’s OneDrive by assigning the site collection administrator role and manually revoking it after the task is complete. Always verify the access grant in the audit log to maintain a clear security record. For a more secure temporary access approach, consider using Azure AD Privileged Identity Management for SharePoint administrators, which can require approval and limit the access duration automatically.