When a department transfer occurs in your organization, the former employee’s OneDrive access request may be routed to the wrong approver. This happens because OneDrive for Business uses the user’s manager attribute from Microsoft Entra ID to determine the approval chain. The default approval flow does not automatically update when a user changes departments, leading to access requests being sent to the old manager instead of the new one. This guide explains the root cause, provides step-by-step fixes using the Microsoft 365 admin center and PowerShell, and covers related failure patterns.
Key Takeaways: Fixing Wrong Approver for Former Employee OneDrive Access
- Microsoft 365 admin center > Users > Active users: Update the Manager field for the transferred user to route approval requests to the correct person.
- PowerShell cmdlet Set-AzureADUserManager: Bulk-update manager attributes for multiple transferred users at once when the admin center is impractical.
- Microsoft Entra admin center > Users > User settings: Enable the setting “Restrict access to former employee OneDrive to their manager” to enforce correct approval routing.
Why OneDrive Access Approval Goes to the Wrong Person After a Department Transfer
OneDrive for Business relies on the Manager attribute stored in Microsoft Entra ID to determine who should approve access to a former employee’s files. When a user moves to a new department, the Manager attribute is not automatically updated. The approval workflow continues to send requests to the old manager, even though the user now reports to someone else.
The root cause is a misalignment between the HR system (or manual update process) and the OneDrive approval engine. If the Manager field in Microsoft Entra ID is not updated during or immediately after the transfer, the approval chain remains broken. This affects not only OneDrive access but also other Microsoft 365 services that use the same attribute for delegation, such as SharePoint site collection administration and Teams channel moderation.
The Role of the Manager Attribute in OneDrive Approval
The Manager attribute is a single-valued property on each user object. OneDrive for Business uses it to determine the “next of kin” for access requests. When a user is marked as a former employee, the system automatically sends an email to the listed manager asking them to approve or deny access. If the Manager field points to the wrong person, the approval request goes to the wrong mailbox.
The approval workflow also depends on the setting “Restrict access to former employee OneDrive to their manager” in the Microsoft Entra admin center. If this setting is disabled, any user can request access, but the default approval path still uses the Manager attribute. Enabling the setting forces the system to use the Manager field exclusively, making it critical that the field is correct.
Steps to Correct the Manager Attribute and Fix OneDrive Approval Routing
You have two methods to fix the wrong approver issue. Use the Microsoft 365 admin center for single-user changes. Use PowerShell for bulk updates across many transferred users.
Method 1: Update the Manager Field in the Microsoft 365 Admin Center
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with an account that has Global Administrator or User Administrator role. - Navigate to Active Users
In the left navigation pane, select Users then Active users. - Locate the transferred user
Use the search box to find the user who changed departments. Click the user’s display name to open their profile. - Open the Manager tab
In the user profile pane, select the Manager tab. This tab shows the currently assigned manager. - Click Change manager
Click the Change manager button. A search dialog appears. - Select the correct new manager
Type the name of the user’s new manager in the search field. Select the correct person from the results. Click Save. - Verify the change
Return to the Manager tab and confirm the new manager name appears. The OneDrive approval workflow will now route requests to this person.
Method 2: Use PowerShell to Update the Manager Attribute in Bulk
- Install the Microsoft Graph PowerShell module
Open Windows PowerShell as an administrator. RunInstall-Module Microsoft.Graph -Scope CurrentUserand press Enter. Accept the installation prompts. - Connect to Microsoft Graph
RunConnect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All". Sign in with a Global Administrator account. - Prepare a CSV file with user and manager mapping
Create a CSV file with columnsUserPrincipalNameandManagerUserPrincipalName. Each row maps a transferred user to their new manager. Save the file asC:\Temp\ManagerUpdates.csv. - Run the bulk update script
Execute the following script in PowerShell:$updates = Import-Csv -Path "C:\Temp\ManagerUpdates.csv" foreach ($update in $updates) { $user = Get-MgUser -Filter "userPrincipalName eq '$($update.UserPrincipalName)'" $manager = Get-MgUser -Filter "userPrincipalName eq '$($update.ManagerUserPrincipalName)'" if ($user -and $manager) { Update-MgUser -UserId $user.Id -ManagerId $manager.Id Write-Host "Updated manager for $($update.UserPrincipalName)" } } - Verify the changes
RunGet-MgUser -UserId "user@domain.com" -Property Manager | Select-Object -ExpandProperty Managerto confirm the correct manager is set for each user.
If OneDrive Still Routes to the Wrong Approver After Updating the Manager
OneDrive Access Approval Setting Is Not Enabled
Even with the correct Manager attribute, the approval workflow will not use it if the setting “Restrict access to former employee OneDrive to their manager” is turned off. To enable it, go to the Microsoft Entra admin center at entra.microsoft.com. Navigate to Identity > Users > User settings. Under “OneDrive for Business settings”, set Restrict access to former employee OneDrive to their manager to Yes. Click Save.
Manager Attribute Change Has Not Replicated to OneDrive
Microsoft Entra ID changes can take up to 24 hours to propagate to the OneDrive approval service. If you updated the Manager field recently, wait one full business day and test again. To force a faster sync, run the following PowerShell command: Start-MgDirectoryObjectDirectoryObject -DirectoryObjectId "user-id". Replace user-id with the object ID of the transferred user.
Former Employee Status Not Applied Correctly
If the user is not marked as a former employee in Microsoft Entra ID, the OneDrive approval workflow does not trigger at all. To mark a user as a former employee, go to the Microsoft 365 admin center, select the user, and click Block sign-in. Then remove all licenses. The OneDrive retention policy will then apply, and the approval flow will activate using the Manager attribute.
Manager Attribute Update Methods: Admin Center vs PowerShell
| Item | Microsoft 365 Admin Center | PowerShell (Microsoft Graph) |
|---|---|---|
| Best for | Single user or a few users | Bulk updates of 10 or more users |
| Time to complete | 2-3 minutes per user | 5-10 minutes for 100 users |
| Required permissions | User Administrator or Global Administrator | User.ReadWrite.All and Directory.ReadWrite.All |
| Risk of error | Low due to visual confirmation | Medium if CSV mapping is incorrect |
| Replication speed | Up to 24 hours | Up to 24 hours |
You can now correct the Manager attribute for any transferred user using either the admin center or PowerShell. After updating the attribute, enable the “Restrict access to former employee OneDrive to their manager” setting in the Microsoft Entra admin center to enforce correct approval routing. As an advanced tip, automate the Manager attribute update by integrating your HR system with Microsoft Entra ID using a provisioning tool like Microsoft Identity Manager or a third-party sync solution to prevent future misrouting.