How to Remove Orphaned Users From OneDrive Permissions

When a former employee or external collaborator leaves your organization, their user account often remains in OneDrive sharing permissions. These leftover entries are called orphaned users. They appear as names without email addresses or with a grayed-out profile picture in the Manage Access pane. Orphaned users create a security risk because the permissions are still in place even though the account is disabled or deleted. This article explains how to identify orphaned users in OneDrive and remove them using the Microsoft 365 admin center, PowerShell, and the OneDrive web interface.

Key Takeaways: Removing Orphaned Users From OneDrive Permissions

  • OneDrive web > Manage Access: Use the Share dialog to manually remove individual orphaned users from files and folders.
  • SharePoint Online Management Shell: Run the Remove-SPOUser cmdlet to bulk-remove orphaned users from a OneDrive site collection.
  • Microsoft 365 admin center > Deleted users: Restore a deleted user temporarily to revoke permissions from the user interface, then re-delete the account.

What Orphaned Users Are and Why They Persist

An orphaned user in OneDrive is a security principal whose Azure AD account has been soft-deleted or hard-deleted. When a user is removed from Azure AD, the permission entries on OneDrive files and folders do not automatically get cleaned up. OneDrive retains the user identifier as a security identifier, which displays as a name without a working email link. The permission is still active until it is explicitly revoked. If the deleted user account is restored by an attacker or a bad actor, they regain immediate access to all files they previously had permissions to. This is why orphaned user removal is a critical security hygiene task for IT administrators.

Orphaned users appear in the following places: the Share dialog’s Manage Access pane, the site collection permissions in the SharePoint admin center, and the output of PowerShell cmdlets that enumerate permissions. The most common cause is offboarding a user without first removing their explicit sharing links and direct permissions from shared OneDrive content. Another cause is external guest accounts that are deleted from Azure AD B2B collaboration while their permissions remain on shared documents.

Methods to Remove Orphaned Users

There are three reliable methods to remove orphaned users from OneDrive permissions. Choose the method that matches the number of orphaned users and your administrative privileges. Manual removal works for a few files. PowerShell bulk removal is best for hundreds of orphaned entries. The admin center method is useful when you need to restore and re-delete an account to clean up permissions.

Method 1: Manual Removal From OneDrive Web

  1. Open the OneDrive web app
    Go to onedrive.live.com and sign in with your Microsoft 365 admin or owner account.
  2. Navigate to the affected file or folder
    Browse to the item that shows an orphaned user in the sharing list. Select the item by clicking the circle checkbox that appears when you hover over it.
  3. Open the Share dialog
    Click the Share button at the top of the page. A pane opens on the right side of the screen.
  4. Click Manage Access
    At the bottom of the Share pane, click Manage Access. A list of all users with permissions appears.
  5. Locate the orphaned user
    Find the entry that shows a name with no email address or a grayed-out icon. The entry may show the user’s display name but the email field is blank.
  6. Remove the orphaned user
    Click the dropdown arrow next to the orphaned user’s name. Select Remove direct access. Confirm the removal in the dialog box.

Method 2: Bulk Removal With PowerShell

  1. Install the SharePoint Online Management Shell
    Open Windows PowerShell as an administrator. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. If prompted, confirm the installation.
  2. Connect to SharePoint Online
    Run Connect-SPOService -Url https://[tenant]-admin.sharepoint.com. Replace [tenant] with your Microsoft 365 tenant name. Sign in with a SharePoint admin or global admin account.
  3. Get the OneDrive site URL
    Run Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" to list all OneDrive site collections (without -Limit All the cmdlet returns only the first 200 sites). Identify the URL of the site that contains the orphaned permissions.
  4. List site users
    Run Get-SPOUser -Site https://[tenant]-my.sharepoint.com/personal/[user]_[tenant]_com. Review the output for users with a LoginName that shows a GUID or a domain that no longer exists in your tenant.
  5. Remove the orphaned user
    Run Remove-SPOUser -Site https://[tenant]-my.sharepoint.com/personal/[user]_[tenant]_com -LoginName "i:0#.f|membership|[orphanedUserGUID]". Replace the login name with the exact value from the previous step. Confirm the removal when prompted.
  6. Repeat for additional sites
    If orphaned users exist on multiple OneDrive sites, repeat steps 3 through 5 for each site collection.

Method 3: Restore and Revoke Method

  1. Restore the deleted user in the admin center
    Go to Microsoft 365 admin center > Users > Deleted users. Find the orphaned user account. Select the user and click Restore. The user account is reactivated in Azure AD.
  2. Sign in as the restored user or use admin takeover
    Option A: Reset the user’s password and sign in to OneDrive. Revoke all sharing links and remove permissions from files. Option B: Use the SharePoint admin center to remove the user’s permissions directly from the OneDrive site collection.
  3. Remove permissions from the OneDrive site
    In the SharePoint admin center, go to Active sites. Find the OneDrive site of the restored user. Select the site, click Permissions, and remove any users that should not have access.
  4. Delete the user account again
    Return to the Microsoft 365 admin center. Go to Users > Active users. Select the restored user and click Delete user. Confirm the deletion. The permissions are now cleaned because the user was present during the removal process.

If Orphaned Users Persist After Removal

Orphaned User Still Shows in Manage Access

If you removed an orphaned user but the entry reappears after a page refresh, the user may have been re-added by a sharing link that grants access to Everyone or to a security group. Check all sharing links on the file or folder. In the Share pane, click Manage Access and review the Links section. If a link is set to People in [Your Organization] or Anyone, the orphaned user’s permissions may be inherited from a group membership. Change the link type to Specific people and remove the orphaned entry manually.

PowerShell Returns Error User Not Found

The Remove-SPOUser cmdlet fails with a user-not-found error when the orphaned user’s login name is malformed or the user has been hard-deleted. In this case, if the user is a site collection admin, use the Set-SPOUser cmdlet with the -IsSiteCollectionAdmin $false parameter to demote the entry. If the user is a regular member, the only option is to remove the orphaned entry via the SharePoint REST API or by using the Manage Access UI on each file. For bulk cleanup across hundreds of files, consider using a third-party governance tool such as ShareGate or AvePoint.

Orphaned User Is an External Guest

External guest accounts that are deleted from Azure AD B2B leave orphaned entries exactly like internal users. To remove an orphaned external guest, you must first re-invite the guest to your tenant using the same email address. Go to Microsoft 365 admin center > Users > Guest users. Click Add guest user and enter the email address. After the guest is re-created, remove their permissions from OneDrive using Method 1 or Method 2. Then delete the guest account from Azure AD again.

Manual Removal vs PowerShell Bulk Removal: Key Differences

  Item               | Manual Removal (OneDrive Web)     | PowerShell Bulk Removal
  Scope              | Single file or folder at a time   | Entire OneDrive site collection
  Required privilege | Owner or editor of the file       | SharePoint admin or global admin
  Time to complete   | 2-5 minutes per orphaned user     | 10-30 seconds per site after setup
  Risk of error      | Low: user confirms each removal   | Medium: accidental removal of an active user
  Audit trail        | Shown in OneDrive audit log       | Shown in SharePoint admin audit log
  Best for           | Fewer than 10 orphaned entries    | More than 10 orphaned entries

After removing orphaned users, you have reduced the attack surface of your OneDrive environment. The next step is to set up a recurring audit using the Microsoft 365 compliance center > Audit log. Search for Removed direct access events to confirm that orphaned user cleanup is happening regularly. An advanced tip is to create a PowerShell script that runs weekly via Azure Automation. The script enumerates all OneDrive site collections, compares the permission list against the current Azure AD user list, and automatically removes any orphaned user entries. This eliminates the need for manual checks and keeps your tenant permissions clean.
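The weekly sweep sketched above, which also automates the per-site steps of Method 2, as an added example that is not part of the original article: it treats every claims-based membership entry whose UPN no longer exists in Entra ID (Azure AD) as orphaned and removes it only when -Remove is passed, otherwise it just reports. It assumes Connect-SPOService (SharePoint Online Management Shell) and Connect-MgGraph -Scopes "User.Read.All" (Microsoft Graph PowerShell) have already been run in the session; the report file name is a placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-SPOService and
# Connect-MgGraph -Scopes "User.Read.All" have already been run in this session.
param(
    [switch]$Remove   # omit for a report-only dry run
)

# Current identities in Entra ID (Azure AD), keyed by lower-cased UPN for fast lookup.
$activeUpns = @{}
Get-MgUser -All -Property UserPrincipalName |
    ForEach-Object { $activeUpns[$_.UserPrincipalName.ToLowerInvariant()] = $true }

# Every OneDrive (personal) site collection; -Limit All avoids the default cap of 200.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $sites) {
    # Only claims-based user identities are candidates; groups and SharePoint
    # system principals carry other claim prefixes and are left alone.
    $users = Get-SPOUser -Site $site.Url -Limit All |
        Where-Object { -not $_.IsGroup -and $_.LoginName -like 'i:0#.f|membership|*' }

    foreach ($u in $users) {
        $upn = ($u.LoginName -split '\|')[-1].ToLowerInvariant()
        if ($activeUpns.ContainsKey($upn)) { continue }   # account still exists

        # Never strip the site collection admin here: a deleted owner means the
        # whole OneDrive is in its retention period and needs the admin center path.
        if ($u.IsSiteAdmin) {
            [pscustomobject]@{ Site = $site.Url; LoginName = $u.LoginName; Action = 'skipped (site admin)' }
            continue
        }

        if ($Remove) {
            Remove-SPOUser -Site $site.Url -LoginName $u.LoginName
            $action = 'removed'
        } else {
            $action = 'would remove'
        }
        [pscustomobject]@{ Site = $site.Url; LoginName = $u.LoginName; Action = $action }
    }
}

# Placeholder path: keep the CSV with the audit log evidence and review it before a -Remove run.
$report | Export-Csv -Path '.\onedrive-orphan-report.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once without -Remove, confirm the CSV lists only expected entries, then schedule the -Remove run in Azure Automation.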