When external users click a sharing link to a OneDrive file or folder, they see an access denied page instead of the expected content. This symptom can appear during audit preparation when you need to verify that sharing permissions are configured correctly across your tenant. The root cause is almost always a mismatch between the sharing link settings at the file, library, site, or tenant level, combined with external sharing policies in Microsoft Entra ID. This article provides a structured checklist to diagnose and fix external sharing link failures and prepare your environment for an audit.
Key Takeaways: External Sharing Link Access Denied Checklist
- SharePoint admin center > Policies > Sharing: Controls tenant-wide external sharing settings for SharePoint and OneDrive, including allowed domains and guest access expiration.
- OneDrive admin center > Sync: Manages sync restrictions, but also contains a sharing settings section that overrides tenant defaults for individual users.
- Microsoft Entra admin center > External Identities > External collaboration settings: Determines guest invite permissions and whether external users can see other members of the tenant.
Why External Sharing Links Fail with Access Denied
An external sharing link can show access denied for several reasons that span multiple layers of configuration. At the tenant level, the global external sharing policy in the SharePoint admin center defines whether sharing is allowed at all, with anyone, or only with existing guests. If this policy is set to Only people in your organization, any link shared with an external user will deny access.
At the site or OneDrive level, the sharing link type matters. A Specific people link will deny access to anyone not explicitly added to the link. An Anyone with the link type bypasses authentication but may still be blocked if the tenant policy restricts anonymous access. Additionally, the sharing link expiration date and password settings can cause a previously valid link to stop working.
Beyond sharing policies, the guest user account itself may be blocked or expired in Microsoft Entra ID. If an external user was invited but never accepted the invitation, or if their guest account was deleted or disabled, they will see access denied. Audit logs in the Microsoft 365 compliance portal can confirm whether the guest account exists and whether the link was accessed.
Step-by-Step Audit Checklist for External Sharing Links
Use the following checklist to verify each configuration layer. Perform these steps in order to isolate the cause of the access denied error.
1. Verify Tenant-Level External Sharing Policy
- Open the SharePoint admin center
Sign in to admin.microsoft.com and go to SharePoint under Admin centers. In the left navigation, select Policies and then Sharing. - Check the OneDrive sharing setting
Under OneDrive, locate External sharing. The dropdown must be set to Anyone if you need to create anonymous sharing links. If it is set to New and existing guests or Only people in your organization, anonymous links will deny access. - Check the SharePoint sharing setting
Under SharePoint, the same dropdown applies to all SharePoint sites. If you need external sharing for specific sites, ensure the tenant setting allows it. You can restrict sharing to specific domains under Limit external sharing by domain.
2. Verify Site-Level or OneDrive-Level Sharing Settings
- Open the specific OneDrive or SharePoint site
In the SharePoint admin center, select Sites > Active sites. Find the site where the file resides and click its URL to open the site settings page. - Check the site sharing policy
On the site settings page, select Sharing under the Permissions section. The dropdown must be set to Anyone if anonymous links are needed. If it is set to Only site members can share or Only site owners can share, confirm that the link creator has permission to share externally. - Check the sharing link type for the specific file
Ask the user who created the link to open the file in OneDrive or SharePoint, select Share, and click Link settings. The link type must match the intended audience. For external users not in your directory, select Anyone with the link and set an expiration date and password if required by policy.
3. Verify Guest Account Status in Microsoft Entra ID
- Open Microsoft Entra admin center
Go to entra.microsoft.com and sign in as a Global Administrator or Identity Administrator. - Check external user accounts
Under Users > All users, filter by User type = Guest. Locate the external user who received the link. Verify that the account status is Active and that the user has accepted the invitation. If the status shows Pending acceptance, resend the invitation. - Check guest sign-in restrictions
Under External Identities > External collaboration settings, ensure Guest user access is set to Guest users have the same access as members or Guest users have limited access, depending on your audit requirements. Also verify that Enable guest self-service sign-up is set appropriately.
4. Review Audit Logs for Sharing Activity
- Open the Microsoft Purview compliance portal
Go to compliance.microsoft.com and select Audit under Solutions. - Search for sharing events
Set the date range to cover the period when the link was shared. Under Activities, select Sharing and access request activities and then Created sharing link and Used sharing link. Click Search. - Analyze the results
In the audit log, look for the specific file URL or the external user email. The Used sharing link event shows whether the external user successfully accessed the file or received a 403 error. If the event is missing, the user never attempted access or the link was blocked before reaching the file.
Common Issues and Their Fixes for External Sharing Access Denied
OneDrive link shows access denied even though tenant policy allows anyone
If the tenant policy allows Anyone links but a specific OneDrive link still denies access, the issue is likely at the OneDrive site level. Go to the SharePoint admin center, select User profiles > Manage user profiles, and locate the affected user. Under Settings, check the External sharing setting for that user’s OneDrive. It may be set to New and existing guests instead of Anyone. Change it to match the tenant policy. Changes take effect within 24 hours.
SharePoint site link works for internal users but denies external users
This typically occurs when the site collection sharing policy is more restrictive than the tenant policy. In the SharePoint admin center, go to Sites > Active sites, select the site, and click Sharing. Change the external sharing setting to Anyone if needed. Note that changing this setting affects all existing and future links on that site. For audit preparation, document each site’s sharing level.
External user sees access denied after a previously working link stops working
The link may have expired or the password was changed. Check the sharing link settings in the file’s Share dialog. The creator can update the expiration date or reset the password. If the link was created with a specific set of users, verify that the external user’s email is still in the link’s allowed list. Also check if the file has been moved or renamed, which breaks the link unless it was created with a direct file ID.
External Sharing Link Types: Tenant Policy vs Site Policy vs Link Settings
| Item | Tenant Policy | Site Policy | Link Settings |
|---|---|---|---|
| Description | Global setting in SharePoint admin center that defines the maximum allowed external sharing level | Per-site setting that can be more restrictive than the tenant policy but cannot exceed it | Per-file or per-folder setting that determines who can access the specific link |
| Allowed values | Anyone, New and existing guests, Existing guests, Only people in your organization | Anyone, New and existing guests, Existing guests, Only people in your organization | Anyone with the link, People in your organization, People with existing access, Specific people |
| Impact on access denied | If set to Only people in your organization, all external links will deny access | If set to Existing guests, anonymous Anyone links will deny access | If set to Specific people but the external user is not in the list, they will see access denied |
| Audit log event | Sharing policy changed | Site sharing policy changed | Created sharing link, Used sharing link |
For audit preparation, document all three layers for each file that needs external access. The most restrictive setting wins. For example, if the tenant policy allows Anyone, but the site policy allows only Existing guests, an Anyone link will fail. The link settings must also match the intended audience.
You can now systematically verify each configuration layer using the checklist above. Start with the tenant-level policy in the SharePoint admin center, then check the site or OneDrive level, then the link settings, and finally the guest account status in Microsoft Entra ID. For ongoing audit readiness, schedule a monthly review of external sharing policies using the Microsoft 365 compliance portal’s built-in sharing reports. An advanced tip is to use the Set-SPOSite PowerShell cmdlet with the -SharingCapability parameter to bulk update site sharing levels and export the results to a CSV file for your audit documentation.