When a legal team requests access to a former employee’s OneDrive for Business files, the access request sometimes routes to the wrong approver. This causes delays in legal review and data collection. The problem occurs because the access approval system uses a specific delegation chain that may not match the expected manager or legal contact. This article explains why the approval goes to the wrong person and provides step-by-step fixes to reroute the request correctly.
Key Takeaways: Redirecting OneDrive Legal Hold Access Requests
- Microsoft 365 admin center > User management > Active users: Verify the former employee’s manager field — this is the default approver for access requests.
- Microsoft Purview compliance portal > Data lifecycle management > Microsoft 365 retention: A retention label or eDiscovery hold overrides the default approval chain and sends requests to the compliance team.
- OneDrive admin center > Settings > Access policy: The “Allow access requests” toggle and the designated approver email field control who receives the approval email.
Why OneDrive Access Requests Go to the Wrong Approver
When a user requests access to a former employee’s OneDrive, Microsoft 365 follows a predefined approval chain. The system first checks if the former employee has a manager listed in Azure Active Directory. If a manager exists, the request goes to that person. If no manager is listed, the request goes to the tenant global admin by default.
The wrong approver scenario typically arises from three root causes:
Incorrect Manager Attribute in Azure AD
The former employee’s user object in Azure Active Directory may have an outdated or incorrect manager field. This can happen when the employee changed teams before leaving but the HR system did not update the manager. The access request then routes to a person who no longer oversees that employee’s data.
Retention Policy or eDiscovery Hold Overrides
If the organization has placed a Microsoft 365 retention label or an eDiscovery hold on the former employee’s OneDrive, the access request may be rerouted to the compliance team or the person who created the hold. This override is by design but can surprise legal teams expecting the request to go to the former manager.
Custom Access Policy in OneDrive Admin Center
Tenant administrators can configure a custom approver for access requests in the OneDrive admin center. If this field is set to a specific person or group, all access requests for any user in the tenant go to that custom approver instead of the manager. This setting is often overlooked during legal hold setup.
Steps to Correct the Approver for a Former Employee’s OneDrive Access Request
Follow these steps in order. Each step addresses a different root cause. Stop when the request routes to the correct approver.
Step 1: Update the Manager Field in Azure AD
- Open Microsoft 365 admin center
Go to admin.microsoft.com and sign in with a Global Admin or User Admin account. - Navigate to Active Users
Select Users > Active users from the left navigation menu. - Find the former employee
Search for the former employee’s name or email address in the search box. Click the user name to open their profile. - Check the Manager field
On the profile page, click the Mail tab. Locate the Manager field. If it shows a person who is not the intended approver, click Edit next to Manager. - Assign the correct manager
Type the name or email of the correct approver. Click Save. Wait 30 minutes for the change to propagate before testing the access request again.
Step 2: Check for Retention Labels or eDiscovery Holds
- Open Microsoft Purview compliance portal
Go to compliance.microsoft.com and sign in with a Compliance Admin or eDiscovery Manager account. - Go to Data lifecycle management
Select Data lifecycle management > Microsoft 365 retention from the left menu. - Review retention labels applied to the user
Click the Labels tab. Search for any label that is published to the former employee’s OneDrive. If a label is present, note the label name and its policy settings. - Check eDiscovery holds
Select eDiscovery > Cases. Open any case that might involve the former employee. Under Holds, check if the user’s OneDrive is included. If yes, the hold creator is the override approver. - Modify the hold or label if needed
To change the approver, edit the eDiscovery hold and add the correct legal contact as a case member with review permissions. For retention labels, you may need to publish a new label or remove the existing one if the legal review is complete.
Step 3: Adjust the OneDrive Access Policy
- Open OneDrive admin center
Go to admin.onedrive.com and sign in with a Global Admin or SharePoint Admin account. - Go to Access policy
Select Settings > Access policy from the left menu. - Check the Allow access requests setting
Ensure the toggle Allow access requests is turned on. If it is off, no one can request access at all. - Review the Designated approver field
Below the toggle, there is a text field labeled Designated approver. If this field contains an email address, all access requests go to that person. Clear the field to revert to manager-based approval, or enter the correct legal team email address. - Save changes
Click Save at the bottom of the page. Changes take effect immediately.
If OneDrive Access Still Goes to the Wrong Approver
The request goes to the global admin even after updating the manager
This happens when the manager field is empty or the user account is in a deleted state. Verify that the former employee’s account is not soft-deleted. In the Microsoft 365 admin center, go to Users > Deleted users. If the account appears there, restore it first, then update the manager field. After restoration, the access request will follow the manager chain.
The request goes to a person in a different department
Check if the former employee was part of a group or team that has a separate access policy. In the OneDrive admin center, go to Settings > Sharing. Under External sharing, verify that the sharing policy for the user’s site collection is not overriding the access request settings. If the site collection has a custom policy, you may need to edit it directly via SharePoint admin center.
Legal team members do not receive the approval email
The approval email is sent to the approver’s primary email address. If the approver has a forwarding rule or a mailbox that is not monitored, the request may be missed. Ask the approver to check their junk email folder. Alternatively, add a secondary email address to the approver’s user profile in Azure AD so the notification goes to both addresses.
Default Approver vs Custom Approver: Key Differences
| Item | Default Approver (Manager) | Custom Approver (Designated) |
|---|---|---|
| Configuration location | Azure AD user profile Manager field | OneDrive admin center > Access policy > Designated approver |
| Scope | Per user | Tenant-wide |
| Override behavior | Overridden by retention labels and eDiscovery holds | Overrides the manager for all users |
| Best for | Standard employee departures where the manager handles data | Legal holds and compliance scenarios where a central team must approve all access |
You can now identify why a former employee’s OneDrive access request goes to the wrong approver and apply the correct fix. Start by verifying the manager field in Azure AD, then check for retention labels or eDiscovery holds, and finally review the OneDrive access policy. For ongoing legal reviews, consider setting a custom approver in the OneDrive admin center to ensure all requests route to the legal team. A concrete tip: use a shared mailbox or distribution group as the designated approver so multiple team members can see and approve requests.