You shared a file or folder from OneDrive for Business with an external client, but when they click the link, they see an “Access Denied” or “You need permission” error page instead of the content. This happens because OneDrive sharing settings at the tenant, site, or file level block access for people outside your organization. The error can also occur if the external user is not authenticated, if the sharing link has expired, or if the recipient’s domain is restricted by an allow or block list. This guide explains the exact causes of access denied errors on external sharing links and provides step-by-step fixes for each configuration layer so your clients can open shared files without issues.
Key Takeaways: How to Fix Access Denied Errors on OneDrive External Sharing Links
- Microsoft 365 admin center > SharePoint > Policies > Sharing: Controls the tenant-level external sharing policy for OneDrive, including allowed link types and domain restrictions.
- OneDrive admin center > Sync > Sharing: Sets the default sharing link type (Anyone, Specific people, or People in your org) and expiration defaults for new shares.
- OneDrive sync client > Right-click file > Share > Link settings: Lets you change an existing link from “Specific people” to “Anyone with the link” to bypass authentication requirements.
Why External Users See Access Denied on OneDrive Sharing Links
When you share a file or folder with an external contact, OneDrive generates a link that carries specific permissions. The access denied error occurs when the link’s permissions do not match the recipient’s identity or when the tenant’s sharing policy blocks the request outright. There are four common root causes:
Tenant-Level External Sharing Restrictions
The global SharePoint and OneDrive sharing policy in the Microsoft 365 admin center defines the most permissive level of external sharing allowed across the organization. If this policy is set to “Only people in your organization,” all external sharing links will fail for anyone outside your tenant. Even if a link is created with the “Anyone” option, the tenant policy overrides it and blocks external access.
Link Type Mismatch
OneDrive offers three link types when sharing: “Anyone with the link” grants access without sign-in, “People in your organization” restricts to internal users only, and “Specific people” requires the recipient to authenticate with a Microsoft account or Microsoft 365 guest account. If you choose “Specific people” but the recipient does not have a Microsoft account or has not been added as a guest in your tenant, they will see access denied.
Domain Allow or Block Lists
Tenant administrators can configure domain restrictions that either allow only specific external domains or block certain domains. If your client’s email domain is blocked or not on the allowed list, the sharing link will return an access denied error regardless of the link type.
Expired or Revoked Links
OneDrive sharing links can have an expiration date set by the file owner or enforced by a tenant policy. If the link has passed its expiration date, or if the owner manually revoked the link, the recipient will see access denied. Additionally, if the file has been moved or deleted after the link was created, the link no longer resolves to a valid location.
Steps to Fix Access Denied Errors on OneDrive External Sharing Links
Follow these steps in order. Start with the tenant-level settings, then check the site and file-level configurations. Each step resolves a specific cause of the access denied error.
- Check the tenant-level external sharing policy
Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Settings > Org settings > Security & privacy > SharePoint. Under External sharing, select OneDrive. Verify that the slider is set to Anyone or New and existing guests. If it is set to Only people in your organization, external sharing links will not work. Change it to Anyone if your security policy allows links that do not require sign-in, or to New and existing guests if you want recipients to authenticate. Click Save. - Verify domain allow or block lists
In the same External sharing section, scroll down to Domain restrictions. If Allow only specific domains is enabled, ensure your client’s domain is listed. If Block specific domains is enabled, make sure your client’s domain is not on the list. Add or remove domains as needed, then click Save. - Set the default sharing link type for OneDrive
Go to the OneDrive admin center at admin.onedrive.com. Select Sharing from the left menu. Under Default link type, choose Anyone with the link if you want new shares to work without authentication. You can also set a default expiration period here. Click Save. - Change the link type for an existing shared file or folder
Open OneDrive in a web browser. Navigate to the file or folder you shared. Right-click the item and select Share. In the Send link dialog, click the gear icon or Link settings. Under Who would you like this link to work for?, select Anyone with the link. This removes the sign-in requirement. Uncheck Allow editing if you want read-only access. Click Apply, then copy the new link and send it to the client. - Add the external user as a guest in Azure AD
If you must use the Specific people link type, the external user needs a guest account in your Azure Active Directory. Sign in to the Azure portal at portal.azure.com. Go to Azure Active Directory > Users > New guest user. Enter the client’s email address and a display name. Click Invite. The client receives an invitation email. After they accept, the sharing link will work for them. - Check the link expiration and file location
Right-click the shared file in OneDrive and select Share. Click Link settings. Under Expiration, ensure the date has not passed. If it has, remove the expiration or set a future date. Also confirm the file still exists in the original folder. If the file was moved or deleted, create a new sharing link from its current location.
If External Users Still Get Access Denied After the Main Fix
Even after applying the steps above, some edge cases can cause persistent access denied errors. Below are the most common scenarios and their specific fixes.
The client sees a blank page or redirect loop instead of the file
This usually happens when the client is already signed in with a personal Microsoft account that conflicts with the guest account. Ask the client to open an InPrivate or Incognito browser window, then paste the link. If the file opens, the issue is a cached session conflict. The client should sign out of all Microsoft accounts in their regular browser, clear cookies for login.microsoftonline.com, and try again.
The client receives a message that the link is no longer valid
This error appears when the link was created with an expiration date that has passed, or when the file owner has revoked the link. The file owner must create a fresh sharing link. Do not reuse an old link. Right-click the file, select Share, generate a new link with the desired permissions, and send it to the client.
The client is prompted to sign in but their account is not recognized
This occurs when the sharing link is set to Specific people but the recipient’s email address was typed incorrectly, or the recipient is not a guest in your tenant. Verify the email address in the link settings. If it is correct, follow step 5 above to add them as a guest. If you do not want to manage guest accounts, switch the link type to Anyone with the link.
The error appears only on mobile devices or specific browsers
OneDrive sharing links work in all modern browsers, but some browser extensions or security software can block the redirect to the file. Ask the client to try a different browser or disable ad-blockers temporarily. For mobile devices, the OneDrive app is required for some link types. If the client uses a mobile browser, they may be redirected to the app store instead of the file. Instruct them to install the OneDrive app and open the link from within the app.
OneDrive External Sharing Link Types: Comparison for Client Projects
| Item | Anyone with the link | Specific people |
|---|---|---|
| Authentication required | No | Yes — Microsoft account or guest account |
| Best for client projects | Quick file review, no guest setup needed | Controlled access, audit trail required |
| Tenant policy override | Blocked if tenant allows only authenticated users | Works if tenant allows new and existing guests |
| Link expiry | Optional, set by owner or tenant policy | Optional, set by owner or tenant policy |
| File editing permission | Can be allowed or blocked | Can be allowed or blocked |
For most client project scenarios where the recipient does not have a Microsoft 365 account in your tenant, the Anyone with the link option is the simplest and most reliable choice. Use Specific people only when your project requires tracking who accesses the file or when your compliance policy mandates authenticated access.
You can now diagnose and fix access denied errors on OneDrive external sharing links by checking the tenant policy, adjusting the link type, managing guest accounts, and verifying link expiration. After applying the fixes, send a test link to your client from an InPrivate browser session to confirm the issue is resolved. For ongoing client projects, consider setting the default link type to Anyone with the link with a 30-day expiration to balance convenience and security. If you frequently share with the same clients, add their domains to the allowed list in the SharePoint external sharing policy to prevent future blocks.