How to Validate Permissions After OneDrive Migration

After migrating user data to OneDrive for Business, you need to confirm that file and folder permissions are intact. Users may lose access to shared content if permission inheritance breaks or security group memberships change during the migration process. This article explains how to check permission settings across migrated OneDrive sites using Microsoft 365 admin tools.

Permission validation involves reviewing sharing links, site collection administrators, and folder-level access rights. You will learn the specific steps to run permission reports, inspect sharing policies, and resolve common permission gaps. These checks ensure that migrated data remains accessible to the correct people without exposing files to unauthorized users.

Key Takeaways: Validating Permissions After OneDrive Migration

  • SharePoint admin center > Active sites > OneDrive site > Permissions: Lists site collection administrators and sharing settings for each migrated user’s OneDrive.
  • Microsoft 365 admin center > Users > Active users > user > OneDrive settings: Shows external sharing controls and default permission levels for the user’s OneDrive.
  • OneDrive sync app > Settings > Account > View sync conflicts: Reveals permission errors that occur when syncing files after migration.


Understanding OneDrive Permission Structure After Migration

OneDrive for Business uses a site collection permission model based on SharePoint Online. Each user’s OneDrive is a separate site collection with its own administrator, owner, and member groups. During migration, file and folder permissions are preserved only if the migration tool maps source identities to target identities correctly. If the mapping fails, permissions revert to the default owner-only access.

Permission inheritance in OneDrive is broken by design at the root level. Each folder and file can have unique permissions. When you migrate data, the migration tool must reapply these unique permissions. If the tool does not support permission migration or the identity mapping is incomplete, all content inherits permissions from the root folder. This means users who previously had access to specific subfolders may lose access.

The most common permission components to validate are:

  • Site collection administrators: The primary user and any delegated administrators
  • Sharing links: Anyone, People in your organization, or Specific people links that were created before migration
  • Folder and file unique permissions: Direct access grants that override inheritance
  • Guest access: External users who were invited to specific items

Steps to Validate Permissions After OneDrive Migration

Use the following steps to verify that permissions are correct after migration. Perform these checks for each migrated user or for a representative sample of users.

  1. Check site collection administrators in SharePoint admin center
    Sign in to the Microsoft 365 admin center. Go to Admin centers and select SharePoint. In the left navigation, select Active sites. Find the OneDrive site for the migrated user. The site URL format is https://yourtenant-my.sharepoint.com/personal/username_domain_com. Select the site row, then click Permissions in the command bar. Review the Site collection administrators list. The primary administrator should be the migrated user. If no administrators are listed, add the user immediately.
  2. Review external sharing settings for the OneDrive site
    In the same Permissions panel, locate the Sharing section. Select Manage external sharing. Compare the setting to the pre-migration policy. The options are: Anyone, New and existing guests, Existing guests, and Only people in your organization. If external users need access, ensure the setting is not more restrictive than the original. If the setting is too permissive, change it to match your organization’s security policy.
  3. Run a permission report using SharePoint PnP PowerShell
    Open Windows PowerShell as an administrator. Install the PnP PowerShell module if not already installed:
        Install-Module PnP.PowerShell -Scope CurrentUser
    Connect to the OneDrive site:
        Connect-PnPOnline -Url https://yourtenant-my.sharepoint.com/personal/username_domain_com -Interactive
    Run the permission report. HasUniqueRoleAssignments is not loaded by default, so the command requests it for each item with Get-PnPProperty, and Title and FileRef are read as field values:
        Get-PnPListItem -List Documents -PageSize 500 | ForEach-Object { Get-PnPProperty -ClientObject $_ -Property HasUniqueRoleAssignments | Out-Null; $_ } | Select-Object Id, @{Name="Title";Expression={$_["Title"]}}, @{Name="FileRef";Expression={$_["FileRef"]}}, @{Name="HasUniquePerms";Expression={$_.HasUniqueRoleAssignments}}
    This command lists all files and folders in the Documents library with a True or False value for unique permissions. Compare the list to a pre-migration report to identify items that lost unique permissions.
  4. Inspect sharing links using SharePoint admin center
    In the SharePoint admin center, select Active sites and click the migrated OneDrive site. In the site details pane, select Sharing links. Review the list of active sharing links. Verify that links intended for external users still work by opening them in an InPrivate or Incognito browser window. If a link shows an access denied error, recreate the link with the correct permissions.
  5. Test file access from a non-owner account
    Sign in to Microsoft 365 as a test user who previously had access to specific files in the migrated OneDrive. Navigate to the OneDrive site using the direct URL or a shared link. Open several files and folders that were shared with this user. If the user receives an access denied message, the permission was not migrated. Use the SharePoint admin center or PowerShell to grant the user access again.
  6. Validate OneDrive sync client permission errors
    On a Windows device that uses the OneDrive sync app, open OneDrive settings. Select Account and then View sync conflicts. Look for entries labeled Access denied or Permission error. These errors indicate files that the sync client cannot access due to missing permissions. Right-click the file in File Explorer and select Share to check current sharing settings. Re-share the file with the correct users if needed.
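
The comparison in step 3 can be scripted. The following is an added example, not part of the original article: it assumes both reports were exported to CSV with FileRef and HasUniquePerms columns, matches items by their path below the Documents library (the site prefix differs between source and target), and uses constructed sample rows and hypothetical function names.

```powershell
# Added example: compare pre- and post-migration unique-permission reports.
# Sample rows are constructed; in practice load the exported reports with Import-Csv.
$preCsv = @'
FileRef,HasUniquePerms
/personal/jdoe_old_example_com/Documents/Finance,True
/personal/jdoe_old_example_com/Documents/Finance/budget.xlsx,False
/personal/jdoe_old_example_com/Documents/HR/reviews.docx,True
/personal/jdoe_old_example_com/Documents/Projects,True
/personal/jdoe_old_example_com/Documents/notes.txt,False
'@
$postCsv = @'
FileRef,HasUniquePerms
/personal/jdoe_example_com/Documents/Finance,True
/personal/jdoe_example_com/Documents/Finance/budget.xlsx,False
/personal/jdoe_example_com/Documents/HR/reviews.docx,False
/personal/jdoe_example_com/Documents/notes.txt,True
'@

function Get-RelativeKey([string]$FileRef) {
    # Drop the site-specific prefix so source and target paths compare equal.
    ($FileRef -replace '^/personal/[^/]+/Documents/?', '').ToLowerInvariant()
}

function Compare-UniquePermReport {
    param([object[]]$Pre, [object[]]$Post)
    $after = @{}
    foreach ($row in $Post) {
        $after[(Get-RelativeKey $row.FileRef)] = [bool]::Parse($row.HasUniquePerms)
    }
    foreach ($row in $Pre) {
        $key = Get-RelativeKey $row.FileRef
        $was = [bool]::Parse($row.HasUniquePerms)
        $finding = if (-not $after.ContainsKey($key)) {
            'MissingAfterMigration'       # item did not arrive in the target
        } elseif ($was -and -not $after[$key]) {
            'LostUniquePermissions'       # now inherits from the root: access was dropped
        } elseif (-not $was -and $after[$key]) {
            'NewUniquePermissions'        # unexpected direct grant: review for over-exposure
        } else { $null }
        if ($finding) { [pscustomobject]@{ Path = $key; Finding = $finding } }
    }
}

Compare-UniquePermReport -Pre ($preCsv | ConvertFrom-Csv) -Post ($postCsv | ConvertFrom-Csv) |
    Sort-Object Finding, Path | Format-Table -AutoSize
```

Items flagged LostUniquePermissions are the ones to restore; NewUniquePermissions rows deserve a manual look because they grant access that did not exist before migration.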


If OneDrive Permissions Still Show Errors After Validation

OneDrive shows “Access Denied” for migrated files

This error occurs when the migration tool did not copy unique permissions. The file inherits permissions from the root folder, which typically grants access only to the site owner. To fix this, restore the unique permissions using the SharePoint admin center. Navigate to the file in the site, select the three dots (ellipsis), choose Manage access, and add the required users or groups with the correct permission level.

External users cannot open shared links after migration

Sharing links created before migration may contain the old site URL or user identity. External users who were invited via email will see an access denied page. Recreate the sharing links from the migrated OneDrive site. Instruct external users to use the new link. If the organization uses Azure B2B guest accounts, verify that the guest user objects exist in Azure AD and are assigned to the correct OneDrive site.

Permission inheritance is broken on too many items

If the permission report shows hundreds of items with unique permissions, manually restoring each one is impractical. Use SharePoint PnP PowerShell to apply permissions in bulk. For example, to grant a user read access to all items in a folder that previously had unique permissions, run: Set-PnPListItemPermission -List Documents -Identity <ItemId> -User user@domain.com -AddRole Read. Here <ItemId> is a placeholder for the list item ID of the folder, as shown in the Id column of the permission report, and Read is the name of the built-in read permission level. Run this command for each user and each folder that requires access.
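
One way to drive the bulk restore from a reviewed plan rather than ad hoc commands, shown as an added example that is not part of the original article. The plan rows, the Restore-ItemPermission function name and the role allow-list are assumptions; the script only reports what it would do unless -Apply is passed.

```powershell
# Added example: plan-driven bulk restore, dry run by default.
# Plan rows are constructed; ItemId values are hypothetical list item IDs.
$planCsv = @'
ItemId,User,Role
12,alice@example.com,Read
12,bob@example.com,Contribute
47,carol@example.com,Full Control
58,,Read
'@

function Restore-ItemPermission {
    param(
        [object[]]$Plan,
        [string[]]$AllowedRoles = @('Read', 'Contribute'),  # assumption: policy allow-list
        [switch]$Apply                                      # without -Apply nothing changes
    )
    foreach ($row in $Plan) {
        $status = if ([string]::IsNullOrWhiteSpace($row.User)) {
            'Skipped: no user'
        } elseif ($row.Role -notin $AllowedRoles) {
            'Skipped: role not in allow-list'
        } elseif ($Apply) {
            # Requires an existing Connect-PnPOnline session to the OneDrive site.
            Set-PnPListItemPermission -List Documents -Identity ([int]$row.ItemId) `
                -User $row.User -AddRole $row.Role | Out-Null
            'Applied'
        } else {
            'Planned'
        }
        [pscustomobject]@{
            ItemId = $row.ItemId; User = $row.User; Role = $row.Role; Status = $status
        }
    }
}

# Dry run: review the Status column before repeating the call with -Apply.
Restore-ItemPermission -Plan ($planCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```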

Permissions Before Migration vs Permissions After Migration

| Item | Before Migration | After Migration |
|---|---|---|
| Site collection administrators | User and delegated admins | User only if identity mapping succeeded |
| Unique permissions on files and folders | Preserved per item | Inherited from root if migration tool does not support unique permissions |
| Sharing links (Anyone, Organization, Specific) | Active and functional | Broken if URL changed; must be recreated |
| External guest access | Granted via Azure B2B or direct invite | Guest users may not be re-invited automatically |
| Sync client permission errors | None | Access denied errors on items with missing permissions |

Conclusion

You can now validate permissions after OneDrive migration using the SharePoint admin center, PowerShell reports, and the OneDrive sync client. Start by checking site collection administrators and external sharing settings for each migrated user. Then run a permission report to identify items that lost unique permissions and recreate sharing links that broke during migration. For bulk permission restoration, use SharePoint PnP PowerShell to apply access rights efficiently. An advanced tip is to enable auditing in the Microsoft 365 compliance center to track permission changes after migration.
