When an incident response team needs to access a former employee’s OneDrive for Business, the most common roadblock is an “Access Denied” error. This happens because the user account is disabled or deleted, which severs the permission link between the site and the team. The default retention policies in Microsoft 365 can keep the data intact for a set period, but the access path is blocked. This article explains the exact technical reasons for the denial and provides the step-by-step methods to regain access through the Microsoft 365 admin center and SharePoint admin center.
Key Takeaways: Regaining Access to a Former Employee’s OneDrive
- Microsoft 365 admin center > Users > Active users > Select user > OneDrive: Use the “Create link to files” option to generate a direct URL for the former employee’s OneDrive.
- SharePoint admin center > More features > User profiles > Manage user profiles: Find the deleted user profile and grant site collection access to an incident responder.
- Microsoft 365 admin center > Users > Deleted users > Restore user: Temporarily restore the former employee’s account to re-enable direct OneDrive access for up to 30 days.
Why OneDrive Shows Access Denied for Former Employees
When a user leaves an organization, the IT team typically disables or deletes the Microsoft 365 account. This action removes the security principal that grants access to the OneDrive site. The OneDrive site itself is a SharePoint site collection, and its permission list relies on the user account being active. Once the account is disabled, the site’s permissions become orphaned — the site still exists, but no one can authenticate to it using the former employee’s credentials.
The OneDrive site is not immediately deleted when the user account is removed. Microsoft 365 applies a retention policy that keeps the site for a default period of 30 days after deletion. During this window, the data is physically present on the server, but the access control list does not include any active accounts. Incident responders see “Access Denied” because their own account is not listed in the site’s permissions. The goal of the troubleshooting steps is to either restore the user account temporarily or to add an incident responder as a site collection administrator.
Steps to Access a Former Employee’s OneDrive
Method 1: Create a Link to Files in the Microsoft 365 Admin Center
This method works if the user account is still in the Active users list — meaning it is disabled but not yet deleted. You must have Global admin or SharePoint admin privileges.
- Open the Microsoft 365 admin center: Go to admin.microsoft.com and sign in with an account that has Global admin or SharePoint admin role.
- Navigate to the user’s account: Select Users > Active users. Find the former employee in the list. Click the user’s display name to open the details panel.
- Locate the OneDrive section: In the details panel, click the OneDrive tab. If the user account is disabled, you will see a message stating that the user is blocked from signing in.
- Create a link to files: Click Create link to files. The system generates a URL that points directly to the user’s OneDrive root folder. Copy this URL.
- Open the link from a browser: Paste the URL into a browser window. You may be prompted to sign in again. Use your own Global admin or SharePoint admin account to authenticate. The site should load and show the former employee’s files.
If you still see “Access Denied” after using the link, proceed to Method 2.
Method 2: Add Yourself as a Site Collection Administrator via SharePoint Admin Center
This method works for both disabled and deleted users, as long as the OneDrive site collection still exists. You need the exact URL of the former employee’s OneDrive.
- Get the OneDrive site collection URL: If you do not have the URL, open the Microsoft 365 admin center, go to Users > Active users, select the former employee, click the OneDrive tab, and note the URL shown under “OneDrive site”. If the user is deleted, you can find the URL by running a SharePoint search for the user’s name in the SharePoint admin center.
- Open the SharePoint admin center: Go to admin.microsoft.com, select Admin centers > SharePoint.
- Navigate to the site collection: In the SharePoint admin center, select Active sites. Find the former employee’s OneDrive site in the list. The site name typically matches the user’s email address. Click the site name to open its properties.
- Add a site collection administrator: In the site properties panel, scroll to the Administrators section. Click Add a site collection administrator. Enter the email address of the incident responder who needs access. Click Save.
- Access the OneDrive site: The incident responder can now open the OneDrive URL directly. They should be able to browse and download files without the “Access Denied” error.
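
Method 2 can also be run from the SharePoint Online Management Shell, which makes it easy to record each grant and to remove the right when the investigation ends. The following is an added example, not part of the original article; the function name, tenant URLs, responder address, case ID and log path are hypothetical placeholders, and it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and Connect-SPOService has already been run.

```powershell
# Added example: scripted Method 2 with an audit trail and a revoke step.
# Assumes Connect-SPOService has been run by a SharePoint admin.
# Function name, URLs, addresses and case ID are placeholders.

function Set-ResponderOneDriveAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteUrl,    # former employee's OneDrive site collection URL
        [Parameter(Mandatory)][string]$Responder,  # UPN of the incident responder
        [Parameter(Mandatory)][string]$CaseId,     # ticket or case reference for the audit log
        [switch]$Revoke,                           # remove the admin right instead of granting it
        [string]$LogPath = '.\onedrive-access-log.csv'
    )

    $entry = [ordered]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Action       = if ($Revoke) { 'Revoke' } else { 'Grant' }
        SiteUrl      = $SiteUrl
        Responder    = $Responder
        CaseId       = $CaseId
        Operator     = [Environment]::UserName
        Result       = ''
    }

    try {
        # Fails early if the site collection no longer exists (past retention).
        Get-SPOSite -Identity $SiteUrl -ErrorAction Stop | Out-Null

        # Add or remove the responder as site collection administrator.
        Set-SPOUser -Site $SiteUrl -LoginName $Responder `
            -IsSiteCollectionAdmin (-not $Revoke) -ErrorAction Stop | Out-Null
        $entry.Result = 'Success'
    }
    catch {
        $entry.Result = "Failed: $($_.Exception.Message)"
    }

    # Record every attempt, including failures, so the log matches what was tried.
    $record = [pscustomobject]$entry
    $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $record
}

# Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
# $url = 'https://contoso-my.sharepoint.com/personal/jdoe_contoso_com'
# Set-ResponderOneDriveAccess -SiteUrl $url -Responder 'ir1@contoso.com' -CaseId 'IR-0000'
# Set-ResponderOneDriveAccess -SiteUrl $url -Responder 'ir1@contoso.com' -CaseId 'IR-0000' -Revoke
```

Run the function again with -Revoke once the files have been collected so the responder does not keep standing access to the site.
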
Method 3: Restore the Deleted User Account Temporarily
If the former employee’s account has been deleted within the last 30 days, you can restore it to re-enable access. This method is useful when you need the user’s original permissions to remain intact for eDiscovery or litigation hold purposes.
- Open the Microsoft 365 admin center: Go to admin.microsoft.com and sign in with a Global admin account.
- Go to Deleted users: Select Users > Deleted users. A list of users deleted within the last 30 days appears.
- Restore the user: Find the former employee in the list. Click the user’s name, then click Restore user. Confirm the restoration. The user account is reactivated and assigned a temporary password.
- Access the OneDrive site: Sign in to the restored account using the temporary password. You can now browse the OneDrive directly. After completing the incident response tasks, you can delete the user account again.
If OneDrive Still Shows Access Denied After the Main Fix
The OneDrive site was permanently deleted
If the former employee’s OneDrive site was deleted more than 30 days ago, the site collection is permanently removed from SharePoint. In this case, no admin action can recover the data. To prevent this in future incidents, configure a longer retention policy for OneDrive sites in the Microsoft 365 compliance center. Go to Compliance center > Data lifecycle management > Retention policies and create a policy that retains OneDrive content for 90 days or more.
You do not have the required admin role
The methods above require at least a SharePoint admin role. If you receive “Access Denied” when trying to add a site collection administrator, your account may lack the necessary permissions. Ask a Global admin to assign you the SharePoint admin role in the Microsoft 365 admin center under Roles > Role assignments.
The former employee’s OneDrive is under a litigation hold
A litigation hold preserves the OneDrive site even after the user is deleted. The site remains accessible to admins. Use Method 2 to add a site collection administrator. The hold does not block admin access; it only prevents deletion of the site. If you still cannot access the site, check that the site collection URL is correct by searching for the user’s name in the SharePoint admin center under Active sites.
Methods for Accessing a Former Employee’s OneDrive: Key Differences
| Item | Create Link to Files (Admin Center) | Add Site Collection Admin (SharePoint Admin Center) | Restore Deleted User |
|---|---|---|---|
| User account state required | Disabled, not deleted | Disabled or deleted | Deleted within 30 days |
| Admin role needed | Global admin or SharePoint admin | SharePoint admin | Global admin |
| Data access method | Direct URL link | Direct site collection admin | Full user sign-in |
| Time to complete | 2 minutes | 5 minutes | 10 minutes |
| Risk of data loss | None | None | None during restoration |
The “Create Link to Files” method is the fastest for disabled accounts. The “Add Site Collection Admin” method works for both disabled and deleted users. The “Restore Deleted User” method is best when you need the original user context for eDiscovery or compliance searches.
After gaining access, download the required files to a secure location and log the access event for audit purposes. Review your organization’s retention policy for OneDrive to ensure that data from former employees remains available for the duration required by your incident response plan. For ongoing investigations, consider using Microsoft 365 eDiscovery tools to search across all former employee sites without granting direct access to each site individually.