In this blog post, we’ll walk through a common yet frustrating scenario that Microsoft 365 administrators often face: users receiving an “Access Denied” error when trying to access their OneDrive for Business.
Specifically, we’ll address situations where this error occurs due to a mismatch between a user’s Microsoft Entra ID (formerly Azure AD) account and their associated SharePoint Online profile.
This issue usually surfaces with a typical error message indicating that the user doesn’t have permission to access their own OneDrive for Business:
Access Denied
[masked_user] does not have permissions to access this resource.
Correlation ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Date and Time: [Date and Time]
User: [masked_user]
Issue Type: User does not have permissions.
This is perplexing for users and administrators alike, as permissions seem correctly assigned at a glance.
There are two common scenarios causing this mismatch:
1. User Account Restoration
When a user account is deleted—intentionally or unintentionally—and subsequently restored, Microsoft Entra ID assigns a new ID to the restored account. However, SharePoint Online continues to reference the old ID, causing an internal mismatch. Consequently, the user experiences the “Access Denied” error since SharePoint no longer recognizes the account based on its new Entra ID.
2. Conversion of External to Internal Users
A similar issue arises when an external user (guest user) is converted into an internal Entra ID user. Here, the external user’s original ID in SharePoint is mismatched with the new internal ID created during conversion, leading to access problems with their OneDrive for Business.
How CPI Consulting Resolved the Issue
Recently, CPI Consulting encountered exactly this scenario with a client. After analyzing the underlying cause, our team successfully rectified the issue through targeted adjustments in the SharePoint Online admin center.
Here are the high-level steps we undertook:
- Identify the Mismatch: We first confirmed the user’s current Entra ID and compared it against their SharePoint profile. This allowed us to verify the ID mismatch.
- Reset Permissions in SharePoint Online: From the SharePoint Online admin center, under User Profile Management, we removed all user permissions for the impacted OneDrive account. It’s crucial to save these changes before proceeding to ensure the permission reset fully propagates.
- Assign New Site Collection Owner: After clearing permissions, we reassigned the user as the site collection owner of their OneDrive for Business account. This step re-synchronized the user’s current Entra ID with the corresponding SharePoint site.
Outcome and Best Practices
Following these steps, the user regained full access to their OneDrive for Business. To avoid such issues, we recommend closely monitoring account changes, especially restorations or user type conversions. Regular audits and proactive permission reviews are beneficial practices that CPI Consulting consistently implements for clients.
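One way to do the monitoring recommended above, as an added example (not CPI Consulting's own tooling): scan an exported Entra ID audit log for the two triggers described earlier, account restorations and guest-to-member conversions. It assumes the export follows the Microsoft Graph directoryAudit shape, with restorations logged as "Restore user" and conversions as "Update user" carrying a UserType change; the sample records and function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like Microsoft Graph directoryAudit records (not real tenant data).
SAMPLE_AUDIT_JSON = r"""[
 {"activityDateTime": "2025-01-10T02:14:00Z", "activityDisplayName": "Restore user", "result": "success",
  "targetResources": [{"type": "User", "userPrincipalName": "alex@example.com", "modifiedProperties": []}]},
 {"activityDateTime": "2025-01-11T09:30:00Z", "activityDisplayName": "Update user", "result": "success",
  "targetResources": [{"type": "User", "userPrincipalName": "sam@example.com", "modifiedProperties": [{"displayName": "UserType", "oldValue": "[\"Guest\"]", "newValue": "[\"Member\"]"}]}]},
 {"activityDateTime": "2025-01-11T10:00:00Z", "activityDisplayName": "Update user", "result": "success",
  "targetResources": [{"type": "User", "userPrincipalName": "kim@example.com", "modifiedProperties": [{"displayName": "Department", "oldValue": "[\"Sales\"]", "newValue": "[\"Finance\"]"}]}]},
 {"activityDateTime": "2025-01-12T08:00:00Z", "activityDisplayName": "Restore user", "result": "failure",
  "targetResources": [{"type": "User", "userPrincipalName": "lee@example.com", "modifiedProperties": []}]}
]"""

def _values(raw):
    """Audit values are JSON-encoded strings such as '["Guest"]'; return them as a lowercase set."""
    try:
        parsed = json.loads(raw or "[]")
    except json.JSONDecodeError:
        parsed = [raw]  # tolerate exports that store the bare value
    return {str(v).lower() for v in (parsed if isinstance(parsed, list) else [parsed])}

def classify(event):
    """Return 'restored', 'guest_to_member' or None for one audit record."""
    if str(event.get("result", "")).lower() != "success":
        return None  # failed operations did not change the account
    activity = event.get("activityDisplayName", "")
    if activity == "Restore user":
        return "restored"
    if activity != "Update user":
        return None
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if (prop.get("displayName") == "UserType"
                    and "guest" in _values(prop.get("oldValue"))
                    and "member" in _values(prop.get("newValue"))):
                return "guest_to_member"
    return None

def accounts_to_review(audit_json):
    """List (time, UPN, reason) for accounts whose OneDrive access should be verified."""
    findings = []
    for event in json.loads(audit_json):
        reason = classify(event)
        users = [t for t in event.get("targetResources") or [] if t.get("type") == "User"]
        findings += [(event.get("activityDateTime", ""), u.get("userPrincipalName", ""), reason)
                     for u in users if reason]
    return sorted(findings)

if __name__ == "__main__":
    print(*accounts_to_review(SAMPLE_AUDIT_JSON), sep="\n")
```

Each account it lists is a candidate for the profile comparison and site collection owner check described in the steps above, before the user reports an “Access Denied” error.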
If your organization faces similar Microsoft 365 permission challenges, CPI Consulting can help quickly identify and resolve these issues, minimizing downtime and maintaining productivity.
Contact CPI Consulting today to ensure your Microsoft 365 environment is efficiently managed and optimized.