When you run an access review for a former employee’s OneDrive, the review tool shows “access denied” instead of the expected file list or permissions data. This happens because the former employee’s user account is disabled or deleted in Microsoft Entra ID, which breaks the access review’s ability to query the site. This article explains the root cause, provides a step-by-step checklist to restore review visibility, and covers related failure patterns you may encounter during the process.
Key Takeaways: Restoring Access Review Visibility for a Former Employee’s OneDrive
- Microsoft Entra admin center > Users > Deleted users: Restore the former employee’s user object before the 30-day soft-delete window expires to re-enable access review queries.
- OneDrive admin center > User > Access > Add external user: Grant the access reviewer explicit site-level permissions when the user object cannot be restored.
- Microsoft 365 admin center > Setup > Organization insights > Access reviews: Schedule recurring reviews for active users only and handle former employees separately to avoid “access denied” errors.
Why Access Reviews Show Access Denied for a Former Employee’s OneDrive
Microsoft Entra access reviews rely on the user object in the directory to query OneDrive site permissions. When an administrator deletes or disables the former employee’s user account, the directory no longer returns valid authentication tokens for that identity. The access review engine then receives an “access denied” response because the site cannot confirm the reviewer’s permissions against a non-existent or disabled user object.
The OneDrive site itself remains accessible if you have a direct link, but the access review tool uses the reviewer’s identity to enumerate permissions. If the reviewer’s account does not have explicit Site Collection Administrator rights on that OneDrive, the review fails. The default permission inheritance for a former employee’s OneDrive is broken when the user is deleted, leaving only the site collection admin as a valid access path.
Key Technical Detail: Soft Delete vs Hard Delete
When you delete a user from the Microsoft 365 admin center, the user object moves to a soft-deleted state in Entra ID for 30 days. During this window, you can restore the user object and the OneDrive access review will work again. After 30 days, the user is permanently removed and the OneDrive becomes orphaned. Access reviews cannot query orphaned sites without manual permission assignment.
Checklist to Fix Access Denied in Access Reviews for Former Employees
Follow these steps in order. Each step resolves one layer of the access review failure.
1. Restore the former employee’s user account if it is still in the soft-delete window.
   Go to the Microsoft Entra admin center at https://entra.microsoft.com. Select Identity > Users > Deleted users. Find the former employee’s user principal name. Select the user and click Restore user. Wait five minutes for directory replication. The access review tool will now be able to query the OneDrive site.
2. Assign the access reviewer as Site Collection Administrator.
   Open the SharePoint admin center at https://admin.microsoft.com/SharePoint. Select Active sites and locate the former employee’s OneDrive site (the URL ends with /personal/ followed by the user name). Select the site, then click Permissions in the command bar. Click Add users, enter the access reviewer’s email address, and select Site Collection Administrator as the permission level. Click Add. This grants the reviewer direct access to enumerate site permissions.
3. Re-run the access review.
   Go to the Microsoft 365 admin center at https://admin.microsoft.com. Expand Setup and select Organization insights. Under Access reviews, locate the review that failed. Click the review name, then click Start or Run now. The review should now load the OneDrive permissions without an access denied error.
4. If the user is hard-deleted, grant explicit permissions to the reviewer.
   When the user object is permanently removed, you cannot restore it. In the SharePoint admin center, select the orphaned OneDrive site. Click Permissions, then Add users. Add the access reviewer as a Site Collection Administrator as described in step 2. The review tool will now have the necessary permissions to query the site.
5. Remove the reviewer’s permissions after the review completes.
   After the access review finishes, return to the SharePoint admin center, select the OneDrive site, click Permissions, select the reviewer’s name, and click Remove user permissions. This prevents lingering access to the former employee’s data.
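The same checklist (steps 1, 2, 4 and 5) and the soft-delete check from the section above, scripted as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell are installed, and the tenant name, UPNs and OneDrive URL are placeholders you replace with your own.

```powershell
# Added example, not the article's own script. Placeholder values below.
$FormerUpn      = "former.employee@contoso.com"   # placeholder
$ReviewerUpn    = "reviewer@contoso.com"          # placeholder
$AdminUrl       = "https://contoso-admin.sharepoint.com"   # placeholder tenant
# OneDrive URLs end with /personal/ followed by the UPN with punctuation turned into underscores.
$OneDriveUrl    = "https://contoso-my.sharepoint.com/personal/former_employee_contoso_com"
$SoftDeleteDays = 30   # Entra ID keeps a deleted user restorable for 30 days

Connect-MgGraph -Scopes "Directory.ReadWrite.All"
Connect-SPOService -Url $AdminUrl

# Step 1: look for the user in the Entra ID recycle bin. A soft-deleted user's UPN is
# prefixed with its object ID, so match on the suffix instead of testing equality.
$deleted = Get-MgDirectoryDeletedItemAsUser -All |
    Where-Object { $_.UserPrincipalName -like "*$FormerUpn" } |
    Select-Object -First 1

if ($deleted) {
    # Still within the soft-delete window: restoring the object fixes the review query.
    $age      = (Get-Date).ToUniversalTime() - $deleted.DeletedDateTime
    $daysLeft = $SoftDeleteDays - [int][math]::Floor($age.TotalDays)
    Write-Host ("User soft-deleted {0:N0} days ago; {1} day(s) left to restore." -f $age.TotalDays, $daysLeft)
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted.Id | Out-Null
    Start-Sleep -Seconds 300   # wait five minutes for directory replication, as in step 1
} else {
    # Step 4: the user is hard-deleted (or was never found), so the OneDrive is orphaned
    # and the reviewer needs explicit site-level rights instead of a restored identity.
    Write-Host "User is not in the soft-delete window; granting the reviewer explicit site access."
}

# Step 2 (and step 4): make the reviewer a Site Collection Administrator on the OneDrive.
Set-SPOUser -Site $OneDriveUrl -LoginName $ReviewerUpn -IsSiteCollectionAdmin $true | Out-Null
Write-Host "Reviewer is now a Site Collection Administrator on $OneDriveUrl"

# Step 3 (re-running the review) is done in the admin center as described above.
# Step 5: once the review has completed, revoke the reviewer's rights so no access lingers.
Read-Host "Press Enter once the access review has completed" | Out-Null
Set-SPOUser -Site $OneDriveUrl -LoginName $ReviewerUpn -IsSiteCollectionAdmin $false | Out-Null
Write-Host "Reviewer removed as Site Collection Administrator from $OneDriveUrl"
```

Run it from an account that holds both the Entra directory role needed to restore users and the SharePoint Administrator role; the Graph sign-in will prompt for consent to the requested scope on first use.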
If Access Reviews Still Show Access Denied After the Main Fix
The OneDrive site is in a different geo location
For multi-geo tenants, the access review tool may not route correctly to the site’s geo location. Confirm the reviewer’s account has the correct geo location permissions. Go to the SharePoint admin center, select Geo locations, and verify the reviewer’s user profile is assigned to the same geo location as the OneDrive site. If not, update the reviewer’s preferred data location in Microsoft Entra ID under Users > User properties > Usage location.
The review was created with a deleted user as the reviewer
If the access review itself was assigned to the former employee as a reviewer, the review will fail because the user object is gone. Edit the review in the Microsoft 365 admin center under Access reviews. Change the reviewer field to an active user account. Save the review and restart it.
OneDrive site has custom permission inheritance
If the former employee’s OneDrive has broken permission inheritance, the access review tool may not be able to enumerate all unique permissions. In the SharePoint admin center, select the site and click Permissions. Click Manage permission inheritance and select Inherit permissions from the parent. This restores default inheritance and allows the review tool to query all permissions on the site.
Active User Review vs Former Employee Review: Key Differences
| Item | Active User Review | Former Employee Review |
|---|---|---|
| User object status | Enabled and active in Entra ID | Disabled or deleted |
| Access review behavior | Queries site permissions automatically | Shows access denied unless reviewer has explicit site admin rights |
| Required permissions | Reviewer needs SharePoint admin or Global admin role | Reviewer needs Site Collection Administrator on the specific OneDrive |
| Recommended review schedule | Quarterly or semi-annual | Run immediately after offboarding and before user deletion |
This table clarifies why the access denied error occurs only for former employees. For active users, the directory returns a valid user object that the review tool can use to query permissions. For former employees, the missing or disabled user object forces manual permission assignment to the reviewer.
You can now restore a soft-deleted user, assign the reviewer as a Site Collection Administrator, and re-run the access review to clear the access denied error. Next, consider automating the offboarding process with a lifecycle workflow in Microsoft Entra ID Governance that triggers an access review before the user account is deleted. One advanced tip is to use the Microsoft Graph API with the beta/accessReviews endpoint to programmatically assign the reviewer as a site admin when a user is deleted, eliminating the manual steps entirely.