This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 66%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
I have a user who left the company and returned more than 30 days later so their previous account was deleted and a new one was made that had the exact same username/email address as the old account which is what I'm finding causes this ID mismatch issue. Apparently, there's some artifact leftover on the backend that ties her new account to her old ID and the system is looking at the deactivated ID and saying "Nope, it doesn't have access because it's deactivated." Unfortunately, I submitted a ticket on 6/10 and it's still not resolved. Support seems to have no documentation on how to resolve this issue. The fact that the diag tool can diagnose the issue and tells us to contact Support but Support hasn't been given documentation on the resolution is infuriating.
For the last few days Support has just been telling me that they're reviewing the issue. I'm in a nightmare with this issue.
I am currently doing some research on this issue, will let you know as soon as possible.
This issue is now resolved.
The user's new account and old account were in conflict. The source of the conflict existed in the user permission records on the OneDrive accounts of those sharing with the affected user. These users had shared files with her old account, creating a user permission record on their OneDrive accounts. This record remained after the account was deleted so when the new account was created, a new user permission record was not created on the sharing user's OneDrive account and OneDrive was attempting to use that old record to authenticate.
The resolution must be carried out on each individual OneDrive account of those unable to share with the affected user. A Global Admin or SharePoint admin can carry these tasks out, or it can be delegated to the sharing user. If performing this task as an admin, you must first add yourself as a site collection owner on the account of the sharing user. To do this, go to the SharePoint admin center, click on More features, then Open the User profiles section. Search for the sharing user and in the results section, click on the drop-down arrow beside their Account name. Select Manage site collection owners and in the window that appears, add your own account under Site Collection Administrators. This will allow you access to their OneDrive and the ability to remove the old account from the user permissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 39%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJO%3C/text%3E%3C/svg%3E)
Thank you!!!!!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 33%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Works. Thanks for the resolution!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 13%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGJ%3C/text%3E%3C/svg%3E)
is there a way of doing this for multiple people as i don't want to have to do this for 700+users
Gareth, I believe there's the ability to do this via Powershell but I can't quite find it right now, nor am I skilled in Powershell.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 7.000000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
We are having this same issue, exactly as you describe. A former contractor was hired as an full-time employee. His contractor account was deleted, and a new employee account was created, both with the same UPN (first.last@tenant.com). He cannot access files that are shared with him by people he interacted with in his contractor, but can access files shared by people he never worked with previously.
I am in the former category, so I tried your steps above. In "All People" I clearly have his old ID cached, as it shows his old title and the contractor department, not his new title and employee department. However, when I enter the Step 3 URL, I get a "Sorry, something went wrong" error. If I leave the "&force=true" off of the URL, I am redirected to his page at nam.delve.office.com, so I clearly have the correct "ID=X" for him in the URL.
Any thoughts?
Edit: This may have something to do with how long ago the original account was deleted. We had a second contractor convert to employee as of this past Monday. For him I get to the profile page per the instructions. The one that is returning an error converted right after the start of the year. Additional testing shows that I get the same error for employees who left the company months ago who are still in my OneDrive "All People". Edit2: This gets even odder. I walked through this with another person whose files the contractor->employee person is unable to open, and from his OneDrive we were able to open the profile page. We deleted the cached account from his site collection, and confirmed that the files he shares with the former contractor can be opened where the could not previously. So I have no explanation for why I get an error when I try to access his profile from my OneDrive.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 65%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHN%3C/text%3E%3C/svg%3E)
As your explain, Can we remove/delete the Old Permission Record of MS 365 ?
After doing more research into the issue I noted above (being unable to load the profile page for certain users in my OneDrive "All People"), I have discovered that this issue can be addressed more simply than steps Emily posted above:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 31%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYO%3C/text%3E%3C/svg%3E)
Hi @Anonymous
I have been face same issue on my organizational as well, when i want to "delete user from site collection" it shows that below attachment error. I also open the case for Microsoft Side over Microsoft Office 365 Admin Center but still no luck to find out the solution. I believe that Microsoft needs to be solve this issue as soon as possible. I also followed mentioned web url but doesn't work either.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 36%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIL%3C/text%3E%3C/svg%3E)
Hi @Yucel Osmanoglu , are you a sharepoint or global administrator for the org? You will need these roles a.k.a RBAC to be able to do the above.
Hi,
I’am global administrator on the tenant. The problem is related to backend problem on the microsoft side as far as i understood microsoft agent what told me.
I suggest using attempting answer 2 with the PowerShell script. That was the only solution in the hybrid environment I admin for.
Hi Ian,
I did on powershell script but it doesn't work for me we do not use hybrit system, we're using directly cloud as based on Microsoft 365 Admin Center.
Produce an error "Remove-SPOUser : Cannot complete this action." (didn't have time to investigate), but the script works and does the job. ( It doesn't work for me.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Had the same problem, Powershell script to remove the mismatched user from ALL the users in the company is as follows:
#Set Parameters
$AdminCenterURL="https://yourcompany-admin.sharepoint.com/"
#user with the ID mismatch
$UserLoginID = "i:0#.f|membership|name.surname@yourcompany.com"
#enter user, that is sharepoint admin
$SiteCollectionAdmin = "sharepoint.admin@yourcompany.com"
#Connect to SharePoint Online
Connect-SPOService -Url $AdminCenterURL
#Get all Personal Site collections
$PSitesUrl = Get-SPOSite -Template "SPSPERS" -limit ALL -includepersonalsite $True | Select URL
Foreach ($PSiteUrl in $PSitesUrl.url)
{
#Add Site collection Admin
Set-SPOUser -site $PSiteUrl -LoginName $SiteCollectionAdmin -IsSiteCollectionAdmin $True
#remove the user from "All people" personal site
Remove-SPOUser -Site $PSiteUrl -LoginName $UserLoginID
#Remove Site collection Admin
Set-SPOUser -site $PSiteUrl -LoginName $SiteCollectionAdmin -IsSiteCollectionAdmin $False
}
The users that dont have the problematic mismatched-user in their "all people" group, produce an error "Remove-SPOUser : Cannot complete this action." (didn't have time to investigate), but the script works and does the job.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 2%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
This script is not working can you please advice me how to do it this
sravani, you will need to be an administrator e.g. have the RBAC role SharePoint Administrator or Global Administrator.
Very simple script thank you very much for posting it I've copied and modified for our environment.
I also found removing via powershell was effective compared to the web method as when re-sharing it would still add the cached old account and after deleting via the web method the old account still showed when you run Get-SPOUser cmdlet. After removing via Remove-SPOUser cmdlet re-sharing then shares with the new account. The script posted will be great for cleanup processes. If others haven't noticed same thing in exchange old accounts retain mailbox access when checked via PS but doesn't show in EAC.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 49%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEJ%3C/text%3E%3C/svg%3E)
Thanks for sharing the script, but how does it distinguish between the old and the new user who have the same UPN? We want the old user to be deleted but not the new one.
Hi,
Microsoft suggested to me mentioned url : Diagnostics which we sent: https://aka.ms/PillarCheckUserAccess
Please use this as affected url and affected user email address.
Microsoft couldn't solve this problem on the backend either.
That's a good tool, but it requires action every time the problem occurs, which isn't very practical.
Yes, but it has only way to do it once it's resolved it doesn't take any other actions but of course if you have more than one user facing this issue doesn't meaningful either.
But it's not just that the tool needs to be used for every user who encounters the problem. It needs to be used separately for every site within the site collection.
Hi @Emily Nelson
This issue most frequently occurs when a user is deleted and re-created with the same user principal name (UPN). The new account is created by using a different Unique ID value. When the user tries to access a site collection or OneDrive, the user has an incorrect ID.
To fix this issue, delete the new UPN if it exists, and then restore the original UPN.
For more information, you could refer to:
https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/access-denied-or-need-permission-error-sharepoint-online-or-onedrive-for-business
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Unfortunately, the user's old account no longer appears under Deleted Users so we cannot use the instructions you provided. The user's original account was deleted more than 30 days before she was rehired so it has long since disappeared from Deleted Users and cannot be restored which is why we created a new account when she was rehired. She was gone for 5 months (Dec '21 - May '22) so her old account is long gone.
Hi @Emily Nelson
You may mistake the meaning in the article. You could try to delete the new UPN and then restore the original UPN.
I don't think I did mistake the meaning of the article. You want me to delete the new account and restore the original account; that's very clear. What is also very clear are the instructions in the article and I followed them. The instructions are called "Restore or remove a recently deleted user using Azure Active Directory" but this user was not recently deleted and therefore does not appear in the list of Deleted Users in order to be restored. The instructions even say very clearly "View your restorable users - You can see all the users that were deleted less than 30 days ago. These users can be restored." This user was deleted more than 6 months ago and therefore her account is not available to be restored. If you still believe I am mistaken, can you be more specific about what I'm not understanding?
The issue @Yi Lu_MSFT is the UPN is being re-used e.g. contractor turns employee after usually >30 days. So when a new Entra ID account is created with same UPN any unique IDs e.g. ExchangeGUIDs will be different. SharePoint (and EXO) I found caches the old accounts and when another user attempts to share files from a Teams site or OneDrive site people picker looks up the new user but SP uses the cached old account for permissions resulting in new account not receiving permissions. Through my testing I saw this occur as the old account no longer had properties such as job title whereas the new account shows a job title. The web method didn't work in the hybrid environment I admin for however after using Remove-SPOUser cmdlets this fully removed any cached records of the old account and the new user account could successfully access re-shared files/folders again.
The key here for resolving this will be having sharepoint and/or global administrator roles (RBAC) and for my case it only solution was removal via PowerShell. The 2nd listed answer with a PS script is great solution.