When you share a OneDrive file or folder with an external legal reviewer, they may click the link and see an Access Denied error instead of the document. This problem typically occurs when tenant sharing settings, link permissions, or authentication requirements block the external user. In this article, you will learn the exact causes of this error and the step-by-step fixes to restore access for external reviewers.
Key Takeaways: Fixing Access Denied on External Sharing Links for Legal Reviews
- Microsoft 365 admin center > Settings > Org settings > Sharing: Controls tenant-level external sharing policies that can block all external access.
- OneDrive sync > Settings > Account > Choose folders: Unsync the folder before sharing to prevent sync-based permission conflicts.
- Share dialog > Link settings > Specific people: Use this option instead of Anyone links to avoid authentication issues with legal reviewers.
Why External Sharing Links Show Access Denied for Legal Reviewers
The Access Denied error on an external sharing link occurs when the recipient cannot authenticate or is not authorized to view the content. OneDrive for Business enforces three layers of permission: tenant-level sharing policies, site-level sharing settings, and link-level permissions. If any layer blocks external access, the link fails.
Tenant-Level Sharing Restrictions
Microsoft 365 global administrators can restrict external sharing at the tenant level. The setting Sharing controls in the Microsoft 365 admin center determines whether users can share files with people outside the organization. If the tenant is set to Only people in your organization, all external sharing links produce Access Denied errors. Legal reviewers from outside your company cannot bypass this restriction.
OneDrive Site-Level Sharing Settings
Even if the tenant allows external sharing, the specific OneDrive site may have more restrictive settings. The OneDrive admin in the SharePoint admin center can set the default sharing link type to People in your organization or Existing guests. A link created on a site with these settings will deny access to any external user who is not already a guest in your tenant.
Link Permission Type and Expiration
The link itself has its own permissions. Three types exist: Anyone (anonymous), People in your organization, and Specific people. If you use an Anyone link, the recipient does not need to sign in. However, if your tenant blocks anonymous links, that link type is unavailable. If you use a Specific people link but the reviewer is not listed as an email recipient, they see Access Denied. Additionally, if the link has an expiration date and the reviewer clicks after that date, the link fails.
Steps to Resolve Access Denied for External Legal Reviewers
- Verify tenant-level external sharing settings
Go to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Settings > Org settings > Security & privacy > Sharing. Under External sharing, ensure that Let users add new guests to the organization is enabled. Also confirm that the external sharing option is not set to Only people in your organization. If it is, change it to Anyone or New and existing guests depending on your compliance needs. - Check OneDrive site-level sharing settings
Open the SharePoint admin center at admin.microsoft.com/sharepoint. Select Policies > Sharing. Under OneDrive, verify the external sharing setting. Set it to Anyone if you need anonymous links, or New and existing guests if you require authentication. Click Save. - Create a new sharing link with the correct permissions
In OneDrive, select the file or folder you want to share. Click Share. In the share dialog, click the gear icon to open Link settings. Choose one of these options:
– Anyone with the link: Best for external reviewers who do not have a Microsoft account. This link does not require sign-in.
– Specific people: Enter the external reviewer email address. This link requires the reviewer to authenticate with a Microsoft account or a one-time passcode.
Set an expiration date if required by your legal review policy. Click Apply and then Send. - Add the external reviewer as a guest user
If you use a Specific people link, the reviewer must be a guest in your Azure AD. Go to the Microsoft 365 admin center. Navigate to Users > Guest users. Click Add guest user. Enter the reviewer email and assign the Guest role. An invitation email is sent. The reviewer must accept it before accessing the link. - Test the link in a private browser window
Copy the sharing link. Open a private or incognito browser window. Paste the link and press Enter. If the link is an Anyone link, the file should open without sign-in. If it is a Specific people link, the reviewer must sign in with the Microsoft account associated with their guest invitation.
If OneDrive Still Shows Access Denied After the Main Fix
The reviewer receives a message that the link is expired or invalid
Check the link expiration date. In OneDrive, open the sharing link list by clicking the Share button and then Manage access. Look for the link you sent. If an expiration date is set and has passed, click the three dots next to the link and select Edit link. Extend the expiration date or remove it entirely. Resend the link to the reviewer.
The reviewer cannot sign in with their corporate email
External reviewers must authenticate using a Microsoft account or a one-time passcode. If they use a work email from another organization, they may be blocked by your tenant’s cross-tenant access settings. Go to the Microsoft 365 admin center and navigate to Settings > Org settings > Security & privacy > Cross-tenant access. Ensure that inbound access from the reviewer organization is not blocked. Alternatively, switch to an Anyone link to bypass authentication.
The file is synced to a local folder and the link points to the sync path
If you copied the link from the Windows File Explorer OneDrive context menu, the link may be a local path instead of a web sharing link. Always generate the sharing link from the OneDrive website or the OneDrive sync icon in the system tray. Right-click the file in the system tray, select View online, and then click Share from the browser.
External Sharing Link Types for Legal Reviews: Comparison
| Item | Anyone with the link | Specific people |
|---|---|---|
| Authentication required | No | Yes, Microsoft account or one-time passcode |
| Best for | External reviewers without a Microsoft account | Legal reviewers who need audit trails and access logs |
| Expiration support | Yes | Yes |
| Blocked by tenant policy | If anonymous links are disabled | If guest sharing is disabled |
| Risk of unauthorized access | Higher, anyone with the link can access | Lower, only specific recipients can access |
Now you can identify why an external legal reviewer sees Access Denied and apply the correct fix. Start by verifying tenant and site sharing settings, then create a link with the appropriate permission type. For audit compliance, use Specific people links and add the reviewer as a guest. To test without affecting live documents, create a test file in a separate OneDrive folder and share it with your own external email address before sending to the reviewer.