You invited a guest user to a SharePoint site or Microsoft 365 group. The guest accepted the invitation. But when they try to open the site, they see Access Denied. This happens even though you confirmed the invitation was sent and accepted.
The root cause is almost always a missing or misconfigured sharing policy. SharePoint and Azure AD have separate settings that must both allow guest access. If either setting blocks external users, the guest will see Access Denied after accepting the invitation.
This article explains why the problem occurs and provides the exact steps to fix it. You will learn how to check Azure AD external collaboration settings, SharePoint sharing policies, and site-level permissions to restore access for the guest user.
Key Takeaways: Fix Guest User Access Denied After Accepting Invitation
- Azure AD > External Identities > External collaboration settings: Controls whether guest invitations can be sent and accepted at the tenant level.
- SharePoint admin center > Policies > Sharing: Sets the default sharing link type and external sharing permissions for all SharePoint sites.
- Site-level sharing settings: Override tenant defaults and must be set to allow guests for the specific site where access is denied.
Why Guest Access Is Denied After Accepting the Invitation
When a guest user accepts an invitation, Azure AD creates a guest account in your tenant. The guest can then access resources that explicitly grant them permission. However, several layers of settings can block that access.
The most common cause is that the tenant-level sharing policy in Azure AD restricts guest access. Even if the guest account exists, Azure AD can prevent the guest from signing in or accessing any resource. This setting is found in Azure AD > External Identities > External collaboration settings.
A second cause is the SharePoint sharing policy. SharePoint has its own external sharing setting that can be more restrictive than the Azure AD policy. If SharePoint sharing is set to Only people in your organization, guests will see Access Denied even if they were invited through a Microsoft 365 group.
A third cause is a site-level sharing setting that overrides the tenant policy. Site owners can restrict sharing to Only members or disable external sharing entirely. If the site was created with external sharing turned off, guests cannot access it.
A fourth cause is a conditional access policy in Azure AD that blocks guest sign-ins. For example, a policy requiring multi-factor authentication for all external users may block guests who have not registered for MFA.
Steps to Fix Guest User Access Denied
Follow these steps in order. Each step addresses one of the causes described above. After each step, ask the guest to try accessing the site again.
- Check Azure AD external collaboration settings
Sign in to the Microsoft Entra admin center as a Global Administrator. Go to External Identities > External collaboration settings. Under Guest user access, verify that "Guest users have limited access to properties and memberships of directory objects" is selected. Under Guest invite settings, verify that either "Anyone in the organization can invite guest users including guests and non-admins" or "Member users and users assigned to specific admin roles can invite guest users including guests with member permissions" is selected. Do not select "No one in the organization can invite guest users including admins" unless you intend to block all guest invitations.
- Check SharePoint tenant-level sharing policy
Go to the SharePoint admin center. In the left navigation, select Policies > Sharing. Under External sharing, choose the option that matches your needs. For most organizations, Anyone or New and existing guests is appropriate. Click Save. Wait up to 24 hours for the change to propagate, or sign out and sign back in to force a refresh.
- Check site-level sharing settings
In the SharePoint admin center, go to Active sites. Select the site where the guest is getting Access Denied. In the command bar, click Sharing. Under External sharing, select Anyone or New and existing guests. Click Save. If the site is a Microsoft 365 group-connected team site, also check the group membership in the Microsoft 365 admin center.
- Verify guest account in Azure AD
In the Microsoft Entra admin center, go to Users > All users. Search for the guest user’s email address. Verify that the account exists and its User type is Guest. If the account is blocked, select the user and click Properties. Set Block sign-in to No. Click Save.
- Check conditional access policies
In the Microsoft Entra admin center, go to Protection > Conditional Access > Policies. Review each policy that applies to All users or Guest or external users. If a policy requires MFA or device compliance, ensure the guest can meet those requirements. If not, create an exclusion for guest users or modify the policy.
- Ask the guest to clear browser cache and cookies
The guest should open their browser, go to browser settings, and clear cached data and cookies. Then they should close and reopen the browser before trying to access the site again.
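As an added example (not part of the original article), the PowerShell below evaluates the sharing and account layers from the steps above in the same order and reports which one blocks the guest. The function name Test-GuestAccessLayers and the sample values are constructed for illustration; in a live tenant the inputs would come from Get-SPOTenant, Get-SPOSite and Get-MgUser, as noted in the comments.

```powershell
# Added example: inputs are constructed samples. In a live tenant they come from:
#   (Get-SPOTenant).SharingCapability                    # tenant sharing policy
#   (Get-SPOSite -Identity $SiteUrl).SharingCapability   # site sharing setting
#   Get-MgUser -Filter "mail eq '<guest address>'" -Property UserType,AccountEnabled,ExternalUserState

# SharingCapability values ranked from most to least restrictive.
$SharingRank = @{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

function Test-GuestAccessLayers {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$TenantSharing,
        [Parameter(Mandatory)][string]$SiteSharing,
        [Parameter(Mandatory)][psobject]$Guest
    )
    foreach ($value in $TenantSharing, $SiteSharing) {
        if (-not $SharingRank.ContainsKey($value)) { throw "Unknown SharingCapability: $value" }
    }
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($SharingRank[$TenantSharing] -eq 0) {
        $findings.Add('Tenant sharing policy is Disabled: no site can admit guests.')
    }
    # The effective setting is the more restrictive of tenant and site.
    $effective = [Math]::Min($SharingRank[$TenantSharing], $SharingRank[$SiteSharing])
    if ($effective -eq 0 -and $SharingRank[$TenantSharing] -ne 0) {
        $findings.Add('Site sharing setting is Disabled and overrides the tenant default.')
    }
    if ($Guest.UserType -ne 'Guest') { $findings.Add("User type is '$($Guest.UserType)', expected Guest.") }
    if (-not $Guest.AccountEnabled)  { $findings.Add('Sign-in is blocked for the guest account.') }
    if ($Guest.ExternalUserState -ne 'Accepted') {
        $findings.Add("Invitation state is '$($Guest.ExternalUserState)', not Accepted.")
    }
    if ($findings.Count -eq 0) {
        $findings.Add('No blocking setting found; review conditional access policies next.')
    }
    return $findings
}

# Constructed sample: tenant allows guests, the site has external sharing off, account is blocked.
$sampleGuest = [pscustomobject]@{ UserType = 'Guest'; AccountEnabled = $false; ExternalUserState = 'Accepted' }
Test-GuestAccessLayers -TenantSharing 'ExternalUserSharingOnly' -SiteSharing 'Disabled' -Guest $sampleGuest
```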
If SharePoint Still Has Issues After the Main Fix
Guest Can Access the Site But Cannot Open Files
This happens when the guest has access to the site but not to specific document libraries or files. The site owner must grant explicit permissions. Go to the library or file, click Share, and add the guest user. If the library uses unique permissions, the site owner must break permission inheritance first.
Guest Receives a Loop of Sign-In Prompts
This is usually caused by a conditional access policy that requires MFA. The guest must register for MFA in their own tenant. Alternatively, the admin can exclude guest users from the MFA policy in the resource tenant.
Guest Account Was Deleted or Expired
Azure AD guest accounts expire after a set number of days if the guest does not sign in. The default expiration is 30 days. To prevent this, set a longer expiration or disable the guest user expiration policy. In the Microsoft Entra admin center, go to External Identities > External collaboration settings. Under Guest user access, configure the Guest user expiration policy.
Tenant-Level vs Site-Level Sharing: Key Differences
| Item | Tenant-Level Sharing | Site-Level Sharing |
|---|---|---|
| Scope | Applies to all SharePoint sites in the tenant | Applies only to one specific site |
| Where to configure | SharePoint admin center > Policies > Sharing | SharePoint admin center > Active sites > select site > Sharing |
| Effect on existing guests | Does not revoke access for guests already added | Can block guests from accessing that site immediately |
| Override | Can be overridden by site-level settings | Cannot override tenant-level policy if tenant is set to Only people in your organization |
| Propagation time | Up to 24 hours | Immediate |
Now you understand why guest users see Access Denied after accepting an invitation. You can check the Azure AD external collaboration settings, the SharePoint tenant sharing policy, and the site-level sharing settings. After applying the correct configuration, ask the guest to clear their browser cache and try again. For persistent issues, verify conditional access policies and guest account expiration settings.