OneDrive for Business former employee OneDrive access troubleshooting for incident response: goes to the wrong approver

When an incident responder or IT admin tries to access a former employee’s OneDrive for Business, the approval request sometimes goes to the wrong person. Instead of reaching the correct manager or security officer, the request may route to a former delegate, a stale group, or no one at all. This misrouting delays critical incident response and can leave data inaccessible during an active investigation. The root cause is often a misconfigured OneDrive site permission or an outdated manager attribute in Microsoft Entra ID. This article explains why the approval flow breaks and provides exact steps to fix the routing so the right approver receives the request.

Key Takeaways: Fixing OneDrive Approval Routing for Former Employees

  • Microsoft Entra admin center > Users > Manager: The Manager field on the user profile determines who receives the access approval request for a former employee’s OneDrive.
  • SharePoint admin center > Active sites > Site permissions: Secondary site collection admins on the former employee’s OneDrive can also receive approval requests if the Manager field is empty or misconfigured.
  • Microsoft 365 admin center > Users > Active users > Licenses and apps: Removing all licenses from the former user blocks the site from being accessible to anyone, including the approver, which stops the entire flow.


Why the OneDrive Approval Request Goes to the Wrong Approver

When an admin attempts to access a former employee’s OneDrive through the Microsoft 365 admin center or via PowerShell, the system checks two data sources to determine who should approve the access. The primary source is the Manager attribute in Microsoft Entra ID. If the Manager field is empty, the system falls back to the list of site collection administrators on the former employee’s OneDrive site. If neither source yields a valid approver, the request may time out or route to a stale user account that no longer exists.

The most common cause of wrong routing is an outdated or incorrect Manager attribute. When a user leaves the organization, their manager field may still point to another former employee or to a person who has since changed roles. The system does not automatically update this field when the user is deprovisioned. Another frequent cause is that the former employee had granted delegate access to a colleague who is not the intended approver. The system treats that delegate as a site collection administrator, so the approval request goes to the delegate instead of the actual manager.

How the Approval Routing Logic Works

The access request flow for a former employee’s OneDrive follows this priority order:

  1. Manager attribute in Microsoft Entra ID
    The system checks the Manager field on the user object. If the Manager field contains a valid user with an active account, the approval request is sent to that person.
  2. Site collection administrators on the OneDrive site
    If the Manager field is empty or the manager’s account is disabled, the system looks at the site collection administrators list on the former employee’s OneDrive site. The first active admin in the list becomes the approver.
  3. No approver found
    If both sources return no valid active user, the request fails silently or the admin sees an error message stating that no approver could be determined.

Steps to Identify and Correct the Wrong Approver

Follow these steps in order to find the current approver and redirect the request to the correct person. Run all steps as a Global Administrator or SharePoint Administrator in your tenant.

Step 1: Verify the Manager Attribute in Microsoft Entra ID

  1. Open the Microsoft Entra admin center
    Go to https://entra.microsoft.com and sign in with your Global Administrator account.
  2. Navigate to Users
    In the left menu, select Users then All users.
  3. Locate the former employee’s account
    Search for the user by display name or user principal name. Click on the user’s name to open their profile.
  4. Check the Manager field
    Under the Properties tab, look for the Manager attribute. If the field shows a name, click the name to verify that the manager’s account is active and not disabled or deleted.
  5. Update the Manager field if incorrect
    If the Manager field is empty or points to the wrong person, click Edit next to the Manager field. Search for the correct manager and select their name. Click Save.

Step 2: Check and Update OneDrive Site Collection Administrators

  1. Open the SharePoint admin center
    Go to https://admin.microsoft.com/SharePoint and sign in as a SharePoint Administrator.
  2. Navigate to Active sites
    In the left menu, select Sites then Active sites.
  3. Find the former employee’s OneDrive site
    Search for the site using the user’s display name or the URL pattern https://yourtenant-my.sharepoint.com/personal/user_domain_com. Click on the site name to open the details panel.
  4. Review site permissions
    In the details panel, scroll to the Site collection administrators section. Note the list of users who currently have admin access.
  5. Remove incorrect admins and add the correct approver
    Click Manage next to Site collection administrators. Remove any users who should not be approvers. Add the correct manager or security team member. Click Save.
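
Steps 1 and 2 inspect the Manager attribute and the site collection administrators in the portals. The script below is an added example, not part of the original article: a read-only audit that lists both sources in the priority order the article describes and flags disabled or deleted accounts. The parameter names and the function name Get-Candidate are hypothetical; the cmdlets come from the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell.

```powershell
# Added example (read-only audit); parameter values are placeholders you supply.
# Needs the Microsoft.Graph.Users and Microsoft.Online.SharePoint.PowerShell modules.
param(
    [Parameter(Mandatory)] [string] $FormerEmployeeUpn,  # UPN of the departed user
    [Parameter(Mandatory)] [string] $OneDriveUrl,        # .../personal/user_domain_com
    [Parameter(Mandatory)] [string] $SpoAdminUrl         # https://yourtenant-admin.sharepoint.com
)

Connect-MgGraph -Scopes 'User.Read.All'
Connect-SPOService -Url $SpoAdminUrl

# Look up an object id or UPN; an account that cannot be found counts as inactive.
function Get-Candidate([string] $Source, [string] $IdOrUpn) {
    try {
        $u = Get-MgUser -UserId $IdOrUpn -Property 'userPrincipalName,accountEnabled' -ErrorAction Stop
        [pscustomobject]@{ Source = $Source; Principal = $u.UserPrincipalName; Active = [bool]$u.AccountEnabled }
    } catch {
        [pscustomobject]@{ Source = $Source; Principal = $IdOrUpn; Active = $false }
    }
}

$candidates = @()

# Source 1: the Manager attribute on the former employee's user object.
try {
    $mgr = Get-MgUserManager -UserId $FormerEmployeeUpn -ErrorAction Stop
    $candidates += Get-Candidate 'Manager' $mgr.Id
} catch {
    Write-Warning "No manager returned for $FormerEmployeeUpn (field empty or user not found)."
}

# Source 2: site collection admins on the OneDrive, excluding the owner.
# Groups are listed for manual review because they have no single account state.
try {
    $candidates += @(Get-SPOUser -Site $OneDriveUrl -Limit All -ErrorAction Stop |
        Where-Object { $_.IsSiteAdmin -and $_.LoginName -ne $FormerEmployeeUpn } |
        ForEach-Object {
            if ($_.IsGroup) { [pscustomobject]@{ Source = 'SiteAdmin (group)'; Principal = $_.LoginName; Active = $null } }
            else { Get-Candidate 'SiteAdmin' $_.LoginName }
        })
} catch {
    Write-Warning "Could not read site admins: $($_.Exception.Message)"
}

$candidates | Format-Table -AutoSize
$first = $candidates | Where-Object Active | Select-Object -First 1
if ($first) { "First active candidate in the article's order: $($first.Principal) [$($first.Source)]" }
else { Write-Warning 'No active manager or site collection admin found.' }
```

Any row with Active set to False that appears above the intended approver is a stale entry to correct using Step 1 or Step 2.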

Step 3: Confirm the User’s License Status

  1. Open the Microsoft 365 admin center
    Go to https://admin.microsoft.com and sign in as a Global Administrator.
  2. Go to Active users
    In the left menu, select Users then Active users.
  3. Select the former employee
    Click the user’s name to open their details panel.
  4. Check the Licenses and apps tab
    Click the Licenses and apps tab. If the user has no licenses assigned, the OneDrive site is still accessible but the approval flow may fail because the user object is considered inactive. Assign at least one SharePoint Online license to the user temporarily. You can remove the license after the incident response is complete.

Step 4: Test the Approval Flow

  1. Initiate an access request
    In the Microsoft 365 admin center, navigate to Users > Active users, select the former employee, and click OneDrive settings. Choose Access files and follow the prompts to request access.
  2. Verify the approval request destination
    Check the email inbox of the person you set as the Manager or site collection admin. The approval email should arrive within a few minutes. If it does not, repeat the steps above to confirm the Manager field and site admins are correct.
  3. Approve the request
    Have the designated approver click the Approve link in the email. The requesting admin should then receive access to the former employee’s OneDrive.


If the Approval Request Still Goes to the Wrong Person

OneDrive Approval Request Goes to a Stale Delegate

If the former employee had granted delegate access to a colleague before leaving, that delegate remains a site collection administrator until explicitly removed. To fix this, follow Step 2 above and remove the stale delegate from the site collection administrators list. Then add the correct manager or security officer as the sole admin.

OneDrive Approval Request Goes to a Manager Who No Longer Works at the Company

When the Manager attribute points to a user whose account has been deleted, the system cannot route the request. You must update the Manager field to an active user. Use Step 1 to set a new manager. If you do not know the correct manager, set the Manager field to a security group mailbox or a shared mailbox that the incident response team monitors. Note that the Manager field only accepts individual user objects, not groups. You must use a specific user account.

OneDrive Approval Request Never Arrives

If no approval email arrives, check the spam or junk folder of the intended approver. Also verify that the approver’s mailbox is not full. If the mailbox is full, the approval email will be rejected. Clear space in the mailbox or assign a larger mailbox quota. Then re-initiate the access request from the Microsoft 365 admin center.

| Item | Manager Attribute (Microsoft Entra ID) | Site Collection Admin (SharePoint) |
|---|---|---|
| Priority in approval flow | Checked first | Checked second |
| Can be a group or distribution list | No, only individual user accounts | Yes, security groups and individual users |
| Requires an active user account | Yes, the manager must have an active account | Yes, each admin must have an active account |
| Easiest to update | Updated via Microsoft Entra admin center or PowerShell | Updated via SharePoint admin center or PowerShell |

After correcting the Manager attribute and the site collection administrators list, the approval request for a former employee’s OneDrive will route to the correct person. The incident response team can then access the data without delay. As a next step, consider automating the Manager field update during the offboarding process using PowerShell or a Microsoft Entra ID Governance policy. This prevents the same issue from recurring when the next employee leaves.
