OneDrive for Business external sharing links open as access denied for regulated documents: Fix Guide

When you share a regulated document from OneDrive for Business with an external user, the recipient often sees an access denied page instead of the file. This happens because Microsoft 365 security policies, data loss prevention rules, and sharing settings block external access to sensitive files. The problem is not a bug; it is a deliberate protection that can be adjusted if your organization allows external sharing. This article explains the exact reasons external users get access denied and provides a step-by-step fix for administrators and document owners.

Key Takeaways: Fix Access Denied for External Shared Regulated Documents

  • Microsoft 365 admin center > SharePoint > Sharing: Controls organization-wide external sharing settings that override OneDrive sharing links.
  • Microsoft Purview compliance portal > Data loss prevention (DLP) policies: Blocks external sharing of regulated documents based on sensitivity labels or content patterns.
  • OneDrive sharing link permissions: Use the “Specific people” link type and assign edit or view rights to external users instead of “Anyone” links.


Why External Users See Access Denied on Regulated Documents

Access denied errors for external users are caused by one or more of the following security layers in Microsoft 365. Each layer must allow external sharing for the link to work.

Organization-Level External Sharing Settings

The global admin configures external sharing at the tenant level in the SharePoint admin center. If the organization has set external sharing to “Only people in your organization,” no external user can access any shared file. This setting overrides all other sharing configurations. Even if a document owner creates an “Anyone” link, the tenant policy blocks it.

Site-Level or OneDrive-Level Sharing Settings

Each OneDrive site inherits the tenant sharing default but can be changed by an admin. If the site-level sharing is set to “New and existing guests” or “Existing guests,” external users must have a guest account in Azure AD. Links shared without guest provisioning will fail with access denied.

Data Loss Prevention Policies

Microsoft Purview DLP policies scan files for sensitive information types such as credit card numbers, passport numbers, or custom regulated data. When a DLP policy detects a match and is configured to block external sharing, it revokes the sharing link or blocks the download. The external user sees access denied even if the sharing link is valid.

Sensitivity Labels

Files with sensitivity labels that have the “Encrypt files and email” setting applied restrict access to specific users or groups. If the label is set to “Let users assign permissions” and the external user is not included, the file remains encrypted for them. Access denied is the result.

Steps to Fix Access Denied for External Sharing Links

Follow these steps in order. Stop when the fix resolves the issue for your scenario.

  1. Verify the tenant external sharing policy
    Sign in to the Microsoft 365 admin center. Go to Settings > Org settings > Security & privacy > Sharing. Ensure the toggle for “Let users add new guests to the organization” is turned on. If it is off, no external sharing is allowed. Turn it on and save. Wait up to 30 minutes for the change to propagate.
  2. Check the SharePoint admin center sharing settings
    In the admin center, open SharePoint > Policies > Sharing. Under External sharing, select a level that allows sharing with external users. For regulated documents, choose “New and existing guests” or “Anyone” if compliant with your data governance. Click Save.
  3. Review the specific OneDrive site sharing settings
    Go to SharePoint > Sites > Active sites. Find the affected user’s OneDrive site. Click the site name, then Settings > Sharing. Ensure the external sharing level is not more restrictive than the tenant setting. For example, if the tenant allows “Anyone,” the site can be set to “Anyone” or a more restrictive level. Set it to the required level and save.
  4. Check DLP policies that affect regulated documents
    In the Microsoft Purview compliance portal, go to Data loss prevention > Policies. Locate any policy that targets the regulated data type such as “U.S. Social Security Number” or a custom sensitivity label. Open the policy and select Actions. Ensure the action “Restrict access or encrypt the content” is not set to block external users. If it is, change the action to “Notify users with tip and email” or remove the restriction. Save the policy.
  5. Verify the sensitivity label on the document
    Open the document in OneDrive or SharePoint. Select the file, then Details in the right pane. Under Properties, check the sensitivity label. If the label has encryption, the owner must share the file with the external user as a guest in Azure AD. Go to Azure AD > Users > All users > New guest user and invite the external user. Then share the file directly with that guest account using the “Specific people” link.
  6. Recreate the sharing link with correct permissions
    In OneDrive, select the regulated document. Click Share. Choose Specific people instead of “Anyone with the link.” Enter the external user’s email address. Set permission to Can view or Can edit as appropriate. Click Send. The external user receives an email with the link. Because the recipient must sign in, this link is not affected by DLP rules that block only anonymous access.
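
The sharing levels checked in steps 1 to 3 can also be read with the SharePoint Online Management Shell and compared in one pass. This is an added example, not part of the original guide: the function names are hypothetical, the URLs are placeholders, and the sample values at the end are constructed. It only reads settings and reports which layer is the most restrictive.

```powershell
# Added example: read-only comparison of the sharing layers from steps 1-3.
# The live lookup needs the Microsoft.Online.SharePoint.PowerShell module.

# SharingCapability values, ordered from most to least restrictive,
# mapped to the label the admin center shows for each.
$SharingRank = [ordered]@{
    Disabled                        = 'Only people in your organization'
    ExistingExternalUserSharingOnly = 'Existing guests'
    ExternalUserSharingOnly         = 'New and existing guests'
    ExternalUserAndGuestSharing     = 'Anyone'
}

function Get-EffectiveSharing {
    # Returns the most restrictive layer; that layer decides what a link can do.
    # A value missing from $SharingRank sorts first so it gets looked at.
    param([Parameter(Mandatory)][hashtable]$Layers)   # layer name -> capability
    $order = @($SharingRank.Keys)
    $Layers.GetEnumerator() |
        Sort-Object { [array]::IndexOf($order, [string]$_.Value) } |
        Select-Object -First 1 |
        ForEach-Object {
            [pscustomobject]@{
                LimitingLayer = $_.Key
                Capability    = [string]$_.Value
                PortalLabel   = $SharingRank[[string]$_.Value]
            }
        }
}

function Get-SharingLayers {
    # Hypothetical helper: collects the tenant, OneDrive default and site levels.
    param(
        [Parameter(Mandatory)][string]$AdminUrl,    # https://<tenant>-admin.sharepoint.com
        [Parameter(Mandatory)][string]$OneDriveUrl  # the affected user's OneDrive site URL
    )
    Connect-SPOService -Url $AdminUrl
    $tenant = Get-SPOTenant
    @{
        Tenant          = $tenant.SharingCapability
        OneDriveDefault = $tenant.OneDriveSharingCapability
        Site            = (Get-SPOSite -Identity $OneDriveUrl).SharingCapability
    }
}

# Constructed sample values, so the comparison can be tried without a tenant:
Get-EffectiveSharing -Layers @{
    Tenant = 'ExternalUserAndGuestSharing'; OneDriveDefault = 'ExternalUserSharingOnly'; Site = 'Disabled'
}
# Live use: Get-EffectiveSharing -Layers (Get-SharingLayers -AdminUrl <admin URL> -OneDriveUrl <site URL>)
```

If the limiting layer is already at the level your data governance requires, leave it unchanged and continue with the DLP and sensitivity label checks in steps 4 and 5.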


If External Users Still Get Access Denied After the Main Fix

External user has not accepted the guest invitation

When you share with “Specific people,” the external user must accept the guest invitation in Azure AD before accessing the file. Check if the user appears as a guest in Azure AD > Users. If the status is “Pending acceptance,” resend the invitation from the share dialog or from Azure AD. The user must click “Accept” in the email to complete the process.

The file is checked out or locked by another user

If the document is checked out in SharePoint or locked by a co-authoring session, external users see access denied. Ask the owner to check in the file. In OneDrive, select the file and click Check in from the toolbar. After check-in, share the link again.

Conditional Access policies block the external user

Azure AD Conditional Access policies may require multi-factor authentication, compliant devices, or specific IP ranges. If the external user does not meet these requirements, access is denied. Check Azure AD > Security > Conditional Access for policies that target guest users or external identities. Work with your security team to create an exception for regulated document sharing if needed.

External Sharing Link Types for Regulated Documents: Comparison

| Item | Anyone with the link | Specific people with guest access |
| --- | --- | --- |
| Description | Anonymous access; no sign-in required | Requires Azure AD guest account and sign-in |
| Access control | No authentication | Authenticated via Microsoft account or work account |
| DLP policy impact | Often blocked by DLP for regulated data | Allowed if DLP policy permits guest sharing |
| Sensitivity label encryption | Not supported; encrypted files cannot be accessed anonymously | Supported if the guest is included in the label permissions |
| Audit trail | Limited; only IP address and anonymous token | Full audit log with user identity |
| Best for regulated documents | Not recommended | Recommended |

For regulated documents, always use the “Specific people” link type. This ensures the external user authenticates and complies with your organization’s security policies. The “Anyone” link type bypasses authentication and is more likely to be blocked by DLP and sensitivity labels.

You can now identify which security layer blocks external sharing for regulated documents and apply the correct fix. Start by checking the tenant sharing policy, then move to DLP and sensitivity labels. As a next step, review your organization’s Conditional Access policies for guest users. An advanced tip: create a dedicated DLP policy with an exception for guest sharing to reduce support tickets while maintaining data protection.
