When you run a OneDrive sharing report in the Microsoft 365 admin center, you may see guest accounts listed as “Deleted” even though those guests still have access to shared files. This happens because Azure AD does not fully remove a guest user object when you delete the guest from the Microsoft 365 admin center. Instead, the guest object enters a soft-deleted state, and the sharing report reflects this status as “Deleted” while the guest can still access shared content if the sharing link is still active.
This article explains why OneDrive sharing reports show deleted guest accounts, how Azure AD guest lifecycle works, and what steps you can take to permanently remove guest access. You will also learn how to verify actual guest access and clean up sharing links to prevent security risks.
Understanding this behavior is critical for IT administrators who rely on sharing reports to audit external access. Misreading the “Deleted” status can lead to a false sense of security or incomplete audit trails.
Key Takeaways: Why Guest Accounts Show as Deleted in OneDrive Sharing Reports
- Azure AD soft-delete behavior: Deleting a guest from the Microsoft 365 admin center only soft-deletes the user object, leaving sharing links intact.
- OneDrive sharing report data source: The report pulls guest status from Azure AD, not from active sharing link status, so “Deleted” does not mean revoked access.
- Permanent guest removal requires two steps: Delete the guest from Azure AD using the admin center or PowerShell, then remove or expire all sharing links for that guest.
Why OneDrive Sharing Reports Show Deleted Guest Accounts
The root cause is how Azure Active Directory handles guest user deletion. When you delete a guest user from the Microsoft 365 admin center under Users > Guest users, Azure AD does not permanently remove the user object. Instead, it marks the object as soft-deleted and moves it to the Deleted Users list. In this state, the guest user object still exists in the directory for up to 30 days, and any sharing permissions that were granted to that guest remain active.
The OneDrive sharing report queries Azure AD for the user object status. If the guest is in the soft-deleted state, the report displays the status as “Deleted.” However, the report does not check whether the guest still has active sharing links. This means a guest can appear as “Deleted” in the report while still being able to access files through a direct sharing link or an invitation that was accepted before deletion.
Soft-Delete vs Hard-Delete in Azure AD
Azure AD uses a soft-delete mechanism for guest users to prevent accidental permanent loss of user data and group memberships. A soft-deleted guest can be restored within 30 days. A hard-delete removes the user object permanently and cannot be undone. The OneDrive sharing report only reflects the soft-delete state. It does not show whether the guest has active sessions or tokens.
Sharing Link Independence from Guest User Status
When you share a file or folder with a guest, OneDrive creates a sharing link that is tied to the guest’s user object ID. Deleting the guest user does not automatically invalidate the sharing link. The link remains valid until it is manually removed, expired, or the guest user object is hard-deleted. This is why a deleted guest can still access files.
Steps to Verify and Remove Guest Access from OneDrive
Follow these steps to confirm whether a deleted guest still has access and to permanently revoke that access.
- Run the OneDrive sharing report in the admin center
Go to Microsoft 365 admin center > Reports > Usage > OneDrive files. Select the Sharing tab. Look for guest accounts with status “Deleted.” Note the guest email address and the files shared. - Check if the guest is soft-deleted or hard-deleted
In the admin center, go to Users > Deleted users. If the guest appears in the list, it is soft-deleted. If the guest does not appear, it may have been hard-deleted or removed more than 30 days ago. - Test guest access to a shared file
Open the shared file URL in a private browser window or ask the guest to try accessing the file. If the guest can open the file, the sharing link is still active. - Permanently delete the guest user from Azure AD
In the admin center, go to Users > Deleted users, select the guest, and choose “Delete permanently.” Alternatively, use PowerShell:Remove-AzureADUser -ObjectId "guest@domain.com" -RemoveFromRecycleBin $true. This hard-deletes the user object. - Remove or expire all sharing links for the guest
Go to the OneDrive site where files were shared. For each file or folder, select the share icon, click the three dots next to the guest’s name, and choose “Remove direct access.” Alternatively, use SharePoint Online Management Shell:Remove-SPOExternalUser -UniqueId "guest@domain.com". - Verify that access is revoked
Attempt to open the shared file URL in a private browser window. You should see an access denied message. If the guest reports continued access, repeat step 5 for all shared items.
If Deleted Guest Accounts Still Appear in Future Reports
Even after hard-deleting a guest and removing sharing links, the OneDrive sharing report may still show the guest as “Deleted” for up to 24 hours. This is because the report caches data from Azure AD and OneDrive activity logs. Wait one full business day and re-run the report. If the guest still appears, check whether the guest was re-invited or if a shared folder was set to allow anyone with the link.
Guest Reappears After Deletion
If a guest reappears in the report after you hard-deleted them, it likely means someone re-invited the guest to a shared file or folder. OneDrive automatically re-creates the guest user object when a new sharing invitation is sent. To prevent this, audit all sharing links for that file or folder and change the sharing permission to “Specific people” or remove the link entirely.
Sharing Report Shows Guest as Deleted but Access Is Still Active
This is the most common scenario. The guest user object is soft-deleted, but the sharing link is still valid. Follow the steps in the previous section to hard-delete the guest and remove all sharing links. If you cannot find the specific file or folder, use the “Shared with me” view in the guest’s OneDrive to identify all items they can access.
OneDrive Sharing Report Guest Status Compared to Actual Access
| Item | Sharing Report Status | Actual Guest Access |
|---|---|---|
| Guest user object in Azure AD | Deleted (soft-delete) | Still exists in directory as soft-deleted |
| Sharing link validity | Not reported | Remains active until removed or expired |
| Guest can access files | Deleted | Yes, if sharing link is active |
| Guest cannot access files | Deleted | No, if sharing link was removed or expired |
This table shows that the sharing report status alone cannot determine whether a guest has active access. You must verify the sharing link status separately.
Now you understand why OneDrive sharing reports show deleted guest accounts and how to permanently remove guest access. Start by running the report to identify affected guests, then hard-delete the guest user from Azure AD and remove all associated sharing links. For ongoing auditing, schedule a weekly review of the sharing report and use PowerShell scripts to automate the removal of soft-deleted guests with active sharing links. This ensures your external sharing remains secure and fully auditable.