Issue
When a Guest User, client, or email recipient, clicks on a link to access a shared document or Share Folder link for New Collaborate, the following error is displayed:
- You need permission to access this item.
Cause
The guest user exists in the practice's Microsoft 365 organisation, but has not been given permissions to access the document or share folder.
Solution
Step 1 - Confirm the client's email address with the Shared Document or Folder
You should first check the email address the user is logging with, and compare it with the email added to the Sharing Settings, or the address the document was emailed to.
The email address the client has logged in with can be found on the error message, or by logging into office.com and click on the initials in the top right-hand corner. If the user is logged in with an account that is not the account that was enabled for Collaborate, or the document shared with that email address, the user will need to log out, and log back in with the correct email address.
If the user is still having difficulties, try logging in using an incognito/private browser by clicking Ctrl+Shift+N.
Step 2 - Run the New Collaborate Status Check
In FYI, re-run the New Collaborate Status Check to confirm there are no identified issues. Refer to Troubleshooting New Collaborate using Status Check.
If the Status Check makes any changes or automatically fixes any issues, ask the client to try logging in again to confirm if the issue has been resolved.
Step 3 - Run the Microsoft 365 Administrator Diagnostic Tool
If the user is still unable to log in, the practice's Microsoft 365 Administrator can run the built-in SharePoint Diagnostic Tool. This will check the site to identify any hidden issues.
To run the Diagnostic Tool:
- Log into admin.microsoft.com.
- Click the ? Help question mark in the top right-hand corner.
- The How can we help? drawer will open.
- Enter the search phrase Access denied to SharePoint and click the blue arrow to search, or click the link in the drop-down.
- Enter the SharePoint URL (for the New Collaborate site) and the Email of the Guest User experiencing the issue, then click Run Tests.
- Microsoft will begin running diagnostic tests on the site and the user. If any issues are identified, the error will be displayed along with steps to resolve the issue.
- Once the issues have been resolved, ask the user to try logging in again.
For more details on the Diagnostic Tool, refer to the Microsoft article "Access Denied" or "You need permission" errors in SharePoint Online and OneDrive.
Step 4 - Delete and re-add the user to Sharing Settings
If the user is still unable to log in, delete the user from the client Sharing Settings in FYI.
Note: If the user has been added to several clients, they must be removed from each client to ensure the user is removed from Microsoft Entra.
- In FYI, open the Client - Collaborate - Sharing Settings window.
- Click the X to remove the user from the Sharing Settings.
- A message displays confirming you wish to disable sharing for the user.
- Click Yes to confirm. The Sharing Settings page will be reloaded.
- Close Sharing Settings.
To confirm the Guest User has been deleted from Entra:
- Log into the Microsoft Entra Admin Centre.
- On the menu on the left, click on Users - All users.
- In the Search field, enter the email address for the client that was removed from the Sharing Settings.
- Confirm no results are found.
To confirm the Guest User has been removed from the SharePoint site:
- Open the New Collaborate site, ensuring you are still logged in with the practice's OneDrive Administrator account.
- Click the Settings cog icon and select Site permissions.
- Click the Advanced permissions settings link.
- Click the Site Members group. The New Collaborate Site Name will be displayed as part of the name, for example, "Growth Partners Collaborate Site Members".
- Change the address in the address bar to show MembershipGroupId=0
- A list of all users will be displayed.
- Search for the client to confirm they're not displayed in the list.
You can then re-add the user to the client's Sharing Settings in FYI.
- Display the Client - Collaborate tab for the relevant client.
- Click Sharing Settings to display the Sharing Settings pop-up.
- Click the Give user access button.
- In the Select a contact or enter email address to give access, use the drop-down to select or enter the client or external recipient to share the folder with.
- Click Save.
- Ask the client to retry logging into the site.
Refer to Sharing the Share Folder and Upload Folder with Clients.