When you prepare for an audit by testing external sharing links in OneDrive for Business, you may encounter an “Access Denied” error. This issue occurs because the link was created with a specific permission scope that no longer matches the current sharing policy or because the link has expired. This guide explains the technical reasons behind this access denial and provides step-by-step methods to restore functionality or create compliant links for audit purposes.
Key Takeaways: Fixing Access Denied on OneDrive External Sharing Links for Audit
- OneDrive admin center > Sharing > External sharing: Controls the tenant-wide policy that determines whether external sharing links are allowed and under what conditions.
- Link expiration settings: If a link has expired, it will always return “Access Denied” even if the file still exists and permissions are intact.
- Audit log search in Microsoft 365 Purview: Use this to verify who created the link, when it was created, and what permissions were assigned at creation time.
Why OneDrive External Sharing Links Return Access Denied During Audit
OneDrive external sharing links are governed by a combination of tenant-level policies, site-level settings, and link-level permissions. When an auditor clicks a link and sees “Access Denied,” the root cause is almost always one of the following:
Link Expiration
Every external sharing link in OneDrive has an expiration date unless the tenant policy allows links that never expire. The default expiration period is 30 days for new links, but administrators can set a shorter or longer window. Once the expiration date passes, the link becomes invalid and returns an access denied error.
Changed Sharing Policy
An administrator may have changed the tenant-wide external sharing policy after the link was created. For example, if the policy was switched from “Anyone” to “Specific people” or from “Allow external sharing” to “Only people in your organization,” existing links that rely on the previous policy will break.
Revoked Link Permissions
A file owner or site administrator can manually revoke an external sharing link at any time. This action immediately invalidates the link, causing any subsequent attempts to access the file through that link to fail with access denied.
File Moved or Deleted
If the file that the link points to has been moved to a different OneDrive folder or deleted, the link becomes orphaned. OneDrive does not automatically update links when files are relocated, so the link leads to a location that no longer contains the file.
Steps to Restore External Sharing Link Access for Audit
Follow these steps to identify and fix the access denied issue on external sharing links. Perform these steps in the order listed below.
- Verify the Link Expiration Date in the Audit Log
Open the Microsoft 365 Purview compliance portal. Go to Audit > Search. Set the date range to cover the time when the link was created. Search for the activity Created a sharing link. Locate the entry for the specific file and link. In the details pane, look for the Expiration field. If the expiration date has passed, the link is expired and cannot be restored. - Create a New External Sharing Link with Audit-Compliant Settings
If the link is expired or the policy has changed, create a new link. Open OneDrive in a browser. Navigate to the file. Right-click the file and select Share. In the sharing dialog, click the dropdown arrow next to Anyone with the link can edit or similar text. Choose Specific people if the tenant policy now restricts external sharing to named users. Enter the auditor’s email address. Set an appropriate expiration date that covers the audit window. Click Apply and then Send or Copy link. - Check Tenant External Sharing Policy for Link Type Restrictions
Go to the Microsoft 365 admin center. Navigate to Settings > Org settings > OneDrive. Under External sharing, review the setting for Let people outside your organization access your files. If this is set to Only people in your organization, external links will always fail. Change it to Allow external sharing and select the appropriate permission level. Note that changes may take up to 24 hours to propagate. - Confirm the File Still Exists at the Original Location
Ask the file owner to open OneDrive and verify the file is still in the folder where the link was created. If the file was moved, the owner can either move it back or create a new link from the new location. If the file was deleted, restore it from the OneDrive recycle bin. Open OneDrive, click Recycle bin in the left navigation, select the file, and click Restore. - Test the Link Immediately After Making Changes
Open a private browser window or a browser session not signed in to Microsoft 365. Paste the link and press Enter. If the link works, the issue is resolved. If access is still denied, repeat steps 1 through 4 and verify that the policy change has taken effect.
If External Sharing Links Still Have Issues After the Main Fix
Link Shows Access Denied Even After Creating a New Link
This occurs when the tenant-level external sharing policy is set to a more restrictive option than the link type you selected. For example, you created an “Anyone” link but the tenant policy only allows “Specific people.” To fix this, go to the admin center and change the external sharing policy to match the link type you need. Alternatively, create a link using the “Specific people” option and add the auditor’s email address directly.
Auditor Cannot Access the Link from a Different Organization
If the auditor belongs to a Microsoft 365 tenant that has blocked external sharing from your domain, the link will fail regardless of your settings. The auditor must use a personal Microsoft account or a guest account to access the file. Ask the auditor to sign in with a personal account or request that their IT administrator allow sharing from your domain.
Link Works for the File Owner but Not for External Users
This usually indicates that the link was created with the People in your organization scope instead of Anyone or Specific people. The file owner may have inadvertently chosen the wrong option. The owner must delete the existing link and create a new one with the correct external scope.
| Item | Expired Link | Policy Change Link |
|---|---|---|
| Description | Link was created with an expiration date that has passed | Tenant policy was changed after link creation to a more restrictive setting |
| Root cause | Link expiration date is in the past | Current policy does not allow the link type used |
| Fix method | Create a new link with a future expiration date | Update the tenant policy or create a link matching the current policy |
| Audit log evidence | Expiration field shows a past date | Policy change event recorded before the link creation time |
You can now identify why an external sharing link returns access denied and apply the correct fix. For ongoing audit preparation, set a reminder to refresh all shared links 48 hours before the audit window opens. Use the Microsoft 365 admin center > Settings > Org settings > OneDrive > External sharing to set a tenant-wide link expiration policy that matches your audit retention requirements.