When an access reviewer tries to open a former employee’s OneDrive site during a Microsoft 365 access review, they often see an access denied error. This happens because the former employee’s user account is disabled or deleted, which blocks all delegation and sharing permissions for their OneDrive. The access reviewer, even if assigned as a reviewer, does not automatically inherit the necessary site-level permissions. This article explains the specific permission model that causes the denial and provides the exact steps to grant temporary access so the review can proceed.
Key Takeaways: How to Fix Access Denied During OneDrive Access Review
- Microsoft 365 admin center > Roles > Access reviews: Access reviewers are assigned at the review instance level, but they still need explicit OneDrive site permissions to view the former employee’s files.
- SharePoint admin center > Active sites > Former employee’s OneDrive: The site-level permission grant is the only way to give the reviewer access while the user account is disabled.
- PowerShell cmdlet Set-SPOSite -GrantAccessToAllSiteUsers: This cmdlet can temporarily open the site to all authenticated users, but it is not recommended for access reviews because it grants broad access beyond the reviewer.
Why Access Denied Appears for a Former Employee’s OneDrive
OneDrive for Business sites are secured at the site collection level. When a user leaves the organization, their OneDrive site enters a retention period. The site owner is the former employee’s disabled or deleted user account. No other user, including global administrators, has automatic access unless explicitly added. Access reviews rely on the reviewer being able to view the content to verify that the former employee’s files do not contain sensitive data that should be retained or deleted. However, the reviewer’s role in the access review tool does not translate into any permission on the OneDrive site itself. The reviewer sees access denied because SharePoint Online enforces site-level permissions before any review tool logic is applied. Additionally, if the former employee’s account is licensed for OneDrive, the site remains active but locked to all non-owners until an administrator grants at least read access.
Steps to Grant Access to the Former Employee’s OneDrive for the Reviewer
The following steps use the SharePoint admin center to add the access reviewer as a site collection administrator on the former employee’s OneDrive. This grants the reviewer full control of the site, including read access to all files in that OneDrive. The reviewer must be a licensed user in the tenant.
- Identify the former employee’s OneDrive URL
Go to the Microsoft 365 admin center. Select Users > Active users. Find the former employee’s account. If the account is deleted, use the Deleted users tab. Copy the User Principal Name, for example, jdoe@contoso.com. The OneDrive URL follows the pattern https://contoso-my.sharepoint.com/personal/jdoe_contoso_com. Replace the domain and username as needed.
- Open the SharePoint admin center
Go to Admin centers > SharePoint. In the left navigation, select More features and then Active sites. Search for the former employee’s OneDrive site using the URL or the user name. The site name usually appears as OneDrive – Contoso with the user name as the primary administrator.
- Add the reviewer as a site collection administrator
Select the site row. In the command bar, click Permissions. Under Site collection administrators, click Add. Type the access reviewer’s email address. Select the reviewer and click Save. The reviewer now has full control of the site, which includes the ability to browse all files and folders.
- Verify the access review can proceed
Ask the reviewer to navigate to the access review instance in the Microsoft 365 admin center or the Azure AD access reviews portal. The reviewer should now be able to open the former employee’s OneDrive content without seeing access denied. The permissions grant takes effect immediately.
- Remove the reviewer’s access after the review completes
Return to the SharePoint admin center, select the same OneDrive site, click Permissions, and remove the reviewer from the site collection administrators list. This restores the default locked state of the site.
If Access Denied Persists After Granting Site Administrator Access
The reviewer still sees access denied after being added as a site collection administrator
This usually happens when the former employee’s OneDrive site is in a read-only locked state due to the retention policy. Microsoft 365 applies a site lock when the user account is deleted. To check this, go to the SharePoint admin center, select the site, and look at the Lock state column. If it shows Read-only or No access, you must change it. Click the site row, then click Settings. Under Site lock state, select Unlock. This allows the site collection administrator to view the content. After the access review is complete, set the lock state back to Read-only or No access as required by your retention policy.
The reviewer cannot find the former employee’s OneDrive in the access review interface
The access review tool only shows resources that the reviewer has permission to access. If the reviewer was not added as a site collection administrator before the review started, the OneDrive site will not appear in the review list. After granting site administrator access, the reviewer may need to refresh the browser or wait up to 15 minutes for the review tool to detect the new permissions. If the site still does not appear, create a new access review instance that includes the same former employee’s OneDrive. The new instance will recognize the reviewer’s permissions.
The former employee’s OneDrive site does not exist because the retention period expired
OneDrive sites for former employees are automatically deleted after the retention period set in the SharePoint admin center. The default retention period is 30 days after the user account is deleted. If the site is already deleted, access reviews cannot show any content. The only option is to restore the site from the SharePoint admin center’s Deleted sites collection within 93 days of deletion. After restoration, grant site administrator access to the reviewer as described earlier.
Permissions for Access Reviews: Site Collection Admin vs Reviewer Role
| Item | Site Collection Administrator | Access Review Reviewer Role |
|---|---|---|
| Permission source | Explicitly added via SharePoint admin center or PowerShell | Assigned in Azure AD access review instance |
| Access to OneDrive files | Full read and write access to all files and folders | No access unless site permissions are granted separately |
| Affected by user account lock | Yes, site lock overrides administrator permissions | Not applicable because no site permissions exist |
| Duration of access | Until explicitly removed or site is deleted | Only during the active review period |
| Management interface | SharePoint admin center or Set-SPOUser PowerShell | Azure AD admin center or Microsoft 365 admin center |
The access review reviewer role is designed to evaluate whether a user still needs access to a resource. It does not grant any direct permissions to the resource itself. The site collection administrator role is the only reliable way to give a reviewer access to a former employee’s OneDrive. Using the reviewer role alone will always result in access denied.
Conclusion
You can now resolve access denied errors for former employee OneDrive sites during access reviews by adding the reviewer as a site collection administrator in the SharePoint admin center. After the review, remove the reviewer and restore the site lock state to maintain security. For recurring access reviews, consider creating a PowerShell script that automatically adds and removes the reviewer using the Set-SPOUser cmdlet. This approach ensures that reviewers only have access during the active review window and reduces manual administrative work.
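The grant and removal steps, the lock-state check from the troubleshooting section, and the Set-SPOUser automation suggested in the conclusion can be combined in one script. The following is an added example, not code from the original article: it records the site's original lock state before granting access, so that removal restores exactly what was there. The function names, the state-file path and the contoso values are assumptions for illustration, and an existing Connect-SPOService session is assumed.

```powershell
# Added example (not from the original article). Assumes the
# Microsoft.Online.SharePoint.PowerShell module and an existing session from
# Connect-SPOService -Url https://contoso-admin.sharepoint.com (placeholder tenant).
$ErrorActionPreference = 'Stop'

function Get-OneDriveUrlFromUpn {
    param([Parameter(Mandatory)][string]$Upn,
          [Parameter(Mandatory)][string]$MySiteHost)
    # Article's pattern: non-alphanumeric characters in the UPN become "_".
    $personal = $Upn.ToLower() -replace '[^a-z0-9]', '_'
    "$($MySiteHost.TrimEnd('/'))/personal/$personal"
}

function Grant-ReviewerAccess {
    param([Parameter(Mandatory)][string]$SiteUrl,
          [Parameter(Mandatory)][string]$ReviewerUpn,
          [Parameter(Mandatory)][string]$StatePath)
    # Stops here if the site no longer exists (retention period expired).
    $site = Get-SPOSite -Identity $SiteUrl
    # Save the original lock state before changing anything, so it can be rolled back.
    [pscustomobject]@{
        SiteUrl      = $SiteUrl
        ReviewerUpn  = $ReviewerUpn
        OriginalLock = [string]$site.LockState
        GrantedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json | Set-Content -Path $StatePath
    if ([string]$site.LockState -ne 'Unlock') {
        Set-SPOSite -Identity $SiteUrl -LockState Unlock
    }
    Set-SPOUser -Site $SiteUrl -LoginName $ReviewerUpn -IsSiteCollectionAdmin $true | Out-Null
}

function Revoke-ReviewerAccess {
    param([Parameter(Mandatory)][string]$StatePath)
    $s = Get-Content -Path $StatePath -Raw | ConvertFrom-Json
    # Remove the reviewer first, then restore the lock the site had before the review.
    Set-SPOUser -Site $s.SiteUrl -LoginName $s.ReviewerUpn -IsSiteCollectionAdmin $false | Out-Null
    if ($s.OriginalLock -ne 'Unlock') {
        Set-SPOSite -Identity $s.SiteUrl -LockState $s.OriginalLock
    }
    Remove-Item -Path $StatePath
}

# Usage with constructed sample values:
# $url = Get-OneDriveUrlFromUpn -Upn 'jdoe@contoso.com' -MySiteHost 'https://contoso-my.sharepoint.com'
# Grant-ReviewerAccess  -SiteUrl $url -ReviewerUpn 'reviewer@contoso.com' -StatePath .\jdoe-review.json
# Revoke-ReviewerAccess -StatePath .\jdoe-review.json
```

Any state file still on disk after the review window has closed marks a grant that was never revoked. Confirm the derived URL against the Active sites list before granting, since the actual site URL can differ from the pattern.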