SharePoint Online Guest Access Denied
Office 365 (SharePoint) Friday, 05 June 2020 by paul

A guest has been given access to a SharePoint site but when they try to access the site they receive the error “Access Denied x does not have permissions to access this resource.”

Running “Check Permissions” on the site’s Advanced Permissions settings page shows the permission levels granted to the user, which should allow them to access the site. However, under “The following factors also affect the level of access” it lists Deny access for many of the required permissions.

According to Microsoft support, this is caused by a combination of factors. First, the user is marked as inactive against the site. Second, the external sharing policy is set to limit sharing by domain. Finally, if an email contact with the same address already existed when the guest account was created, the correct email address is not synced from Azure AD to SharePoint users.



Until the Microsoft product teams fix these issues, any one of the following workarounds can be used:

  1. Remove the user from the SharePoint site permissions and from the user list at https://domain2.sharepoint.com/sites/site1/_layouts/15/people.aspx?MembershipGroupId=0, and then reshare the site with them explicitly. This makes them an active user.
  2. Change the external sharing policy so that it does not limit sharing by domain.
  3. Add the tenant domain name associated with the guest users to the domains the sharing policy allows. For john.doe_domain1#@domain2 it would be domain2.

If you need to limit access by domain then a PowerShell script can easily be run to add the domain to all affected sites.
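One way such a script could look, as an added example rather than the author's or Microsoft's own script. It assumes the SharePoint Online Management Shell module is installed; the admin URL and the domain value are placeholders, and it only reports what it would change unless run with the hypothetical `-Apply` switch.

```powershell
# Added example, not from the original post.
# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
param(
    # Assumption: admin URL for the "domain2" tenant used in the post's example.
    [string]$AdminUrl  = 'https://domain2-admin.sharepoint.com',
    # Placeholder: the domain associated with the guest users that must be allowed.
    [string]$AddDomain = 'domain2.example',
    # Without -Apply the script only reports which sites it would change.
    [switch]$Apply
)

Connect-SPOService -Url $AdminUrl

$report = foreach ($s in Get-SPOSite -Limit All) {
    # Re-read each site by identity so its sharing properties are populated.
    $site = Get-SPOSite -Identity $s.Url

    # Only sites that restrict sharing with a domain allow list are affected.
    if ($site.SharingDomainRestrictionMode -ne 'AllowList') { continue }

    # The allow list is stored as a space-separated string of domains.
    $current = @($site.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
    if ($current -contains $AddDomain) { continue }   # already allowed

    $updated = ($current + $AddDomain) -join ' '
    if ($Apply) {
        # Keep the existing entries and append the new domain.
        Set-SPOSite -Identity $site.Url `
            -SharingDomainRestrictionMode AllowList `
            -SharingAllowedDomainList $updated
    }

    # Record before/after values so the change can be reviewed or rolled back.
    [pscustomobject]@{
        Url     = $site.Url
        Before  = $current -join ' '
        After   = $updated
        Applied = [bool]$Apply
    }
}

$report | Format-Table -AutoSize
```

Review the report from a run without `-Apply` first, since each added entry widens who the site can be shared with.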
