When an employee leaves your organization, you must verify that their OneDrive files remain accessible to the right people after their account is disabled. Without a permissions check, shared files and folders can become orphaned, leaving critical business data locked away. The root cause of this problem is that OneDrive permissions are tied to the user account, and once the account is deleted, all sharing links break and delegated access is revoked. This article explains exactly which permissions to validate, how to check them using the Microsoft 365 admin center and PowerShell, and what to do before you complete the offboarding process.
Key Takeaways: Validate OneDrive Permissions Before Offboarding
- Microsoft 365 admin center > Users > Active users > select user > OneDrive tab: View who has access to the user’s OneDrive folders and files before disabling the account.
- SharePoint Online Management Shell > Get-SPOSiteGroup and Get-SPOUser: PowerShell cmdlets to list all site-level permissions and identify external or delegated access.
- OneDrive Sync Client > Settings > Account > Manage Backup: Check if the user’s known folders are backed up and if sync is enabled for shared folders that require continued access.
Why Permissions Must Be Validated Before Offboarding
OneDrive for Business stores files in a SharePoint site collection that is unique to each user. When you disable or delete a user account, the associated OneDrive site is automatically set to read-only after 30 days and is deleted after 93 days. During that period, any sharing links that relied on the user’s identity become invalid. Delegated permissions, such as those granted via the OneDrive sharing dialog to specific people, are also removed.
The primary risk is data loss of shared content. For example, a manager may have shared a project folder with a departing employee. After the employee leaves, the manager loses access to that folder unless the permissions were transferred beforehand. Similarly, an employee may have shared their own files with colleagues. Those colleagues lose access once the account is gone.
Validating permissions means checking two layers: the site-level access (who can view the entire OneDrive) and the item-level sharing (who has links to specific files or folders). You must also identify any external users who have guest access to the OneDrive contents. The validation process ensures you can either migrate the permissions to another user or re-share the files before the account is disabled.
Steps to Validate OneDrive Permissions Before Offboarding
Follow these steps in order. Start with the admin center for a quick overview, then use PowerShell for a complete audit.
Step 1: Access the Target User’s OneDrive in the Admin Center
- Open the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with a Global Admin or SharePoint Admin account.
- Navigate to Active Users
In the left navigation, select Users and then Active users.
- Select the user who is being offboarded
Click the user’s display name to open their details pane.
- Open the OneDrive tab
In the user details pane, click the OneDrive tab. This shows the user’s storage usage, sharing links, and a list of users who have access to the OneDrive site.
- Review the list of users with access
Under Users with access, you see all internal and external users who have been granted access to the OneDrive. Note any users who should retain access after offboarding.
- Click the link to open the OneDrive site directly
Select Open OneDrive to browse the files and folders. This allows you to inspect item-level sharing.
Step 2: Check Item-Level Sharing Links
- Navigate to a folder or file
In the OneDrive site, browse to a folder that contains shared content. Right-click the folder and select Manage access.
- Review the sharing dialog
A pane opens listing all people and groups that have direct access to that item. Note the permission type: Can view, Can edit, or Can share.
- Check for sharing links
If the item was shared via a link, the link type appears here. Common types are People in your organization, People with existing access, or Specific people. Links that use Anyone will break after the user is deleted because the link is tied to the user’s identity.
- Repeat for all critical folders
Perform this check for every folder that contains data needed by other team members. Document the permissions so you can re-create them on a new owner’s OneDrive if needed.
Step 3: Use PowerShell to Export All Permissions
For a complete audit, use the SharePoint Online Management Shell. This method exports all site-level and item-level permissions for the user’s OneDrive site.
- Install and connect the SharePoint Online Management Shell
Open PowerShell as an administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Then run Connect-SPOService -Url https://yourdomain-admin.sharepoint.com and sign in with your admin credentials.
- Get the user’s OneDrive site URL
Run Get-SPOSite -IncludePersonalSite $true -Filter "Owner -eq 'user@domain.com'". Replace user@domain.com with the target user’s email. The output includes the site URL, typically https://yourdomain-my.sharepoint.com/personal/user_domain_com. In the commands below, <OneDriveSiteURL> stands for this URL.
- List all site collection administrators
Run Get-SPOSite -Identity <OneDriveSiteURL> | Select -ExpandProperty Owner. This shows who has full control over the OneDrive site.
- List all site groups and their members
Run Get-SPOSiteGroup -Site <OneDriveSiteURL> to see groups like Viewers, Members, and Owners. Then run Get-SPOUser -Site <OneDriveSiteURL> -Group "Members" (replace Members with the actual group name) to see individual users.
- Export the results to a CSV file
Run Get-SPOSiteGroup -Site <OneDriveSiteURL> | Export-Csv -Path "C:\temp\permissions.csv" -NoTypeInformation. This gives you a portable record to share with the offboarding team.
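The Step 3 audit collected into one script, as an added example that is not part of the original article. It assumes the placeholder tenant URL, user address and CSV path used in the steps above, and that the signed-in admin is able to read the target OneDrive site; the "#ext#" test for guest accounts is a heuristic.

```powershell
# Added example: audit a departing user's OneDrive before the account is disabled.
# Placeholders (assumptions): tenant admin URL, user address and output path.
$AdminUrl  = 'https://yourdomain-admin.sharepoint.com'
$UserUpn   = 'user@domain.com'
$OutputCsv = 'C:\temp\permissions.csv'

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# The Owner filter can also match other sites the user owns, so keep only
# personal sites and stop unless exactly one remains.
$sites = @(Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Owner -eq '$UserUpn'" |
    Where-Object { $_.Url -like '*-my.sharepoint.com/personal/*' })
if ($sites.Count -ne 1) {
    throw "Expected one OneDrive site for $UserUpn, found $($sites.Count)."
}
$url = $sites[0].Url
Write-Host "Auditing $url (sharing policy: $($sites[0].SharingCapability))"

# One row per principal on the site, with its group memberships.
$rows = Get-SPOUser -Site $url -Limit All | ForEach-Object {
    [pscustomobject]@{
        SiteUrl     = $url
        DisplayName = $_.DisplayName
        LoginName   = $_.LoginName
        IsSiteAdmin = $_.IsSiteAdmin
        IsGroup     = $_.IsGroup
        Groups      = ($_.Groups -join '; ')
        # Heuristic: guest accounts carry "#ext#" in the login name.
        IsExternal  = ($_.LoginName -like '*#ext#*')
    }
}
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation

# Everyone except the departing user needs a keep-or-remove decision.
$review = @($rows | Where-Object { $_.LoginName -ne $UserUpn })
$review | Sort-Object IsExternal, IsSiteAdmin -Descending |
    Format-Table DisplayName, LoginName, IsSiteAdmin, IsExternal, Groups -AutoSize | Out-Host

# Guests who accepted an invitation to this site (at most 50 per call).
Get-SPOExternalUser -SiteUrl $url -PageSize 50 |
    Format-Table DisplayName, Email, AcceptedAs, WhenCreated -AutoSize | Out-Host

if ($review | Where-Object IsExternal) {
    Write-Warning "External principals have access to $url; review before disabling $UserUpn."
}
```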
Step 4: Transfer Permissions to a New Owner
If you identify users who must retain access, transfer the OneDrive ownership to another active user. This is done in the admin center.
- In the admin center, go to the user’s OneDrive tab
Repeat Step 1 to open the user’s OneDrive details.
- Click Transfer ownership
Select Transfer ownership and enter the email of the new owner. The new owner receives full control of the OneDrive site, including all files and permissions.
- Confirm the transfer
Click Transfer. The new owner appears in the site collection administrators list immediately. Existing sharing links remain active because the site ownership changed, not the identity behind the links.
Common Issues When Validating OneDrive Permissions
Permission lists show only the user themselves
If the OneDrive tab shows no other users with access, the user may have shared files only via links that do not grant direct access. Use the Manage access dialog on individual folders to see link-based permissions. You can also run Get-SPOSite -Identity <OneDriveSiteURL> in PowerShell to see the sharing policy.
External users cannot be found in the permission list
External users with guest access appear in the site groups but not always in the admin center’s summary. Use PowerShell: Get-SPOExternalUser -SiteUrl <OneDriveSiteURL> to list all external users who have accessed the OneDrive. If you need them to retain access, add them to the new owner’s OneDrive sharing list before the offboarding.
Permissions are missing after transfer
When you transfer OneDrive ownership, the new owner becomes a site collection administrator. However, item-level sharing links that were created by the original user are not automatically recreated. The links continue to work only if they were set to People in your organization or Anyone. Links set to Specific people still work because they are tied to the item, not the user. If a link breaks, you must re-share the item from the new owner’s account.
| Item | Manual Check in Admin Center | PowerShell Audit |
|---|---|---|
| Time required | 5-10 minutes per user | 15-30 minutes for bulk export |
| Permission depth | Site-level only | Site-level and item-level via site groups |
| External user detection | Visible only if they have direct access | Full list via Get-SPOExternalUser |
| Export capability | Manual screenshot or copy | CSV export with all group memberships |
| Requires admin role | Global Admin or SharePoint Admin | SharePoint Admin |
After validating and transferring permissions, you can safely proceed with the offboarding. The new owner now has full control over the OneDrive site, and all existing sharing links remain functional. As a final step, set a site policy in the SharePoint admin center to automatically transfer ownership of orphaned OneDrive sites to a manager or IT team using the Site policy settings. This prevents data loss if a user is offboarded without a prior permissions check.