When offboarding a contractor, you share OneDrive files via external links, but the contractor sees an access denied message instead of the files. This typically occurs because the contractor’s account was removed from your Microsoft 365 tenant or because the sharing link permissions changed during the offboarding process. This article explains why the access denied error appears and provides the exact steps to restore access, revoke sharing links, and prevent future issues.
Key Takeaways: Restoring Access to OneDrive External Links for Offboarded Contractors
- OneDrive sharing link settings > Manage access: Use this to see who currently has access to a file or folder and to add specific people manually, even if the link type is set to Anyone.
- Microsoft 365 admin center > Users > Deleted users: Restore a deleted contractor account temporarily to re-enable their access to existing sharing links, then permanently remove them after data transfer.
- OneDrive > Info panel > Manage access > Advanced Settings: Navigate to the SharePoint permission page to add external users directly to the item, bypassing the broken link.
Why OneDrive External Sharing Links Show Access Denied for Offboarded Contractors
When you create an external sharing link in OneDrive for Business, the link contains a token that grants access to anyone who clicks it, provided the recipient is authenticated. If the link is set to “Specific people,” the token is tied to the recipient’s email address. If the link is set to “People in your organization” or “Anyone” with sign-in requirements, the recipient must authenticate using a Microsoft account or a work or school account.
The access denied error occurs because the contractor’s account no longer exists in your tenant or their access token has been revoked. During offboarding, an admin typically deletes the user account or removes their licenses. When the contractor clicks the link, OneDrive tries to authenticate them against your tenant. Since the account is gone, authentication fails and OneDrive shows access denied. Even if the link is set to “Anyone,” the link may still require the recipient to sign in with a Microsoft account that is linked to the same domain as your tenant, which the contractor no longer has.
Another common cause is that the sharing link itself was revoked or the permission was changed during offboarding. Some admins bulk-remove external sharing links as part of the offboarding process, which breaks all existing links.
Steps to Restore Access to External Sharing Links for an Offboarded Contractor
Use the following methods to restore access to the files. Choose the method that matches your situation.
Method 1: Restore the Contractor Account Temporarily
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with a Global Admin or User Admin account. - Navigate to Deleted users
In the left navigation, select Users then Deleted users. Find the contractor’s account in the list. - Restore the user account
Click the contractor’s name, then select Restore user. Confirm the restore. The account will be restored with its previous permissions and licenses. This process takes a few minutes. - Notify the contractor to test the link
Ask the contractor to click the original sharing link again. After authentication, they should see the files. - Download or transfer the files
Have the contractor download the files or transfer them to a new location. Once done, delete the user account again from Active users.
Method 2: Add the Contractor as a Direct Guest User
- Open the file or folder in OneDrive
Navigate to the specific file or folder that the contractor needs. Right-click the item and select Manage access. - Click Advanced Settings
At the bottom of the Manage access panel, click Advanced Settings. This opens the SharePoint permissions page for that item. - Add the contractor as a guest
Click Invite people. Enter the contractor’s email address. Set permissions to Read or Edit as needed. Uncheck the box that says “Send an invitation email” if you plan to share the link manually. - Share a new link
Back in OneDrive, create a new sharing link. Set the link type to Specific people and add the contractor’s email address. Send this new link to the contractor. - Contractor signs in with a Microsoft account
The contractor will need to sign in using a Microsoft account personal account or a work account from another organization. They do not need to be in your tenant.
Method 3: Use a One-Time Access Code for Anyone Links
- Create a new sharing link with Anyone permissions
Right-click the file in OneDrive and select Share. Choose Anyone with the link. Under more settings, enable Allow editing if needed. - Set an expiration date and password
Set the link to expire in a few days. Optionally set a password. Click Apply then Copy link. - Send the link and password separately
Email the link to the contractor. Send the password via a separate channel like SMS or a different email. - Contractor opens the link
The contractor enters the password and can access the file without signing in. This bypasses the authentication issue entirely.
If the Contractor Still Cannot Access Files After the Fix
OneDrive shows “You don’t have permission to access this item” even after restoring the account
The sharing link may have been revoked or the item’s permissions were cleared. Go to the file in OneDrive, click the info icon i in the top right, and check the Manage access panel. If the contractor is not listed, add them again using the steps in Method 2.
The contractor’s account was permanently deleted beyond the 30-day retention period
If the contractor was deleted more than 30 days ago, the account cannot be restored. You must use Method 2 to add them as a guest user. If your tenant does not allow guest sharing, enable it in the SharePoint admin center under Policies > Sharing.
The sharing link was created with a specific domain restriction
Some organizations restrict sharing to specific domains. Check your tenant’s external sharing settings in the OneDrive admin center. If the contractor’s email domain is blocked, you must either allow it temporarily or use the Anyone link method with a password.
External Sharing Link Types and Their Behavior for Offboarded Users
| Link Type | Behavior After Account Deletion | Fix Method |
|---|---|---|
| Anyone with the link | Link works if no sign-in required; fails if sign-in required | Create new Anyone link with password or use guest user method |
| Specific people | Link fails because recipient account no longer exists | Restore account or add as guest user |
| People in your organization | Link fails because contractor is no longer in tenant | Restore account or add as guest user |
The table above shows that only the Anyone link without sign-in requirements can survive a contractor offboarding without additional steps. All other link types require either restoring the account or adding the contractor as a guest user.
How to Prevent Access Denied Issues During Future Contractor Offboarding
Before you delete a contractor’s account, review all sharing links that involve that contractor. Use the OneDrive sharing link report in the Microsoft 365 admin center to list all shared items. Download the files the contractor needs and share them using Anyone links with expiration dates. This way, the contractor can access the files after their account is removed.
Set up a standard offboarding checklist that includes a step to export OneDrive data using the Microsoft 365 admin center’s OneDrive user > Get access to files option. This gives you access to the contractor’s OneDrive files even after deletion. Then share those files with the contractor using the Anyone link method.
Consider using Azure AD B2B guest accounts for contractors instead of creating full user accounts. Guest accounts are easier to manage and can be deactivated without losing access to shared files. When you deactivate a guest account, existing sharing links continue to work because the guest account still exists in the directory, just disabled.