When a former employee leaves your organization, you often need to access their OneDrive files quickly for incident response or eDiscovery. But if the access request goes to the wrong approver, you cannot get the files when you need them. This happens because OneDrive assigns a default site collection administrator based on the user’s manager field in Microsoft Entra ID. This article explains why the wrong person receives the approval request and provides a step-by-step checklist to fix the issue and prevent it from recurring.
Key Takeaways: Fixing Wrong Approver for Former Employee OneDrive Access
- Microsoft Entra ID > Users > Manager field: OneDrive uses this field to determine the default site collection administrator who receives access approval requests.
- SharePoint admin center > User profiles > Manage user profiles: You can override the default approver by editing the former employee’s OneDrive site collection administrators directly.
- Microsoft 365 admin center > Setup > Organization insights: Use this to audit and verify which manager is assigned before deprovisioning a user.
Why OneDrive Access Requests Go to the Wrong Approver
OneDrive for Business inherits the site collection administrator from the user’s manager property in Microsoft Entra ID. When you delete or disable a user account, OneDrive does not automatically reassign the site collection administrator. If the manager field is outdated, empty, or points to someone outside the incident response team, the access request will be sent to that incorrect person. This is not a bug. It is by design to simplify initial provisioning, but it becomes a problem during incident response when speed is critical.
The default behavior applies only when the manager field is populated. If the manager field is blank, OneDrive assigns the global admin as the site collection administrator. However, in large organizations, the global admin may not be the correct approver for incident response. The result is a delay of hours or days while you track down the right person to approve access.
How the Manager Field Controls OneDrive Access
Microsoft Entra ID stores the manager attribute per user. When you create a user, you can set the manager. OneDrive uses this attribute to set the initial site collection administrator. If you later change the manager in Entra ID, OneDrive does not update the site collection administrator automatically. You must update the OneDrive site directly or use PowerShell to change the administrator.
Steps to Redirect Former Employee OneDrive Access to the Correct Approver
Follow these steps to ensure that incident response teams receive OneDrive access requests for former employees. Perform these steps before deprovisioning the user account.
- Check the manager field in Microsoft Entra ID
Sign in to the Microsoft Entra admin center. Go to Users > All users. Select the former employee’s account. Under the Properties tab, locate the Manager field. If the field is blank or points to the wrong person, note the current value.
- Update the manager field to the incident response approver
If you need to change the manager, click Edit in the user properties. In the Manager field, type the name of the correct incident response team member or security admin. Click Save. This change takes effect immediately for future provisioning but does not update the existing OneDrive site.
- Change the OneDrive site collection administrator directly
Open the SharePoint admin center. Go to Active sites. Search for the former employee’s OneDrive site. The URL format is https://yourtenant-my.sharepoint.com/personal/username_domain_com. Select the site and click Settings in the toolbar. Under Permissions, click Manage site collection administrators. Remove the old manager and add the correct incident response approver. Click Save.
- Verify the change by simulating an access request
Open a private browser window. Navigate to the former employee’s OneDrive URL. Click Request access. Confirm that the approval email is sent to the new site collection administrator. If the email goes to the wrong person, repeat step 3 and ensure you saved the change.
- Set a retention policy for the OneDrive site
In the Microsoft Purview compliance portal, go to Data lifecycle management > Microsoft 365 retention policies. Create a new policy or edit an existing one. Add the former employee’s OneDrive site as a location. Set the retention period to match your incident response requirements. This prevents automatic deletion of files during the investigation.
- Document the change in your incident response playbook
Record the former employee’s name, the previous manager, the new approver, and the date of the change. Store this information in a secure location accessible to the incident response team. This step ensures that future responders know who has access.
If OneDrive Access Still Goes to the Wrong Person
Even after following the steps above, you might see that access requests continue to go to the original wrong approver. This usually happens because the user’s OneDrive site still has cached permissions or because the change was not applied to the correct site.
The site collection administrator list does not update
If the SharePoint admin center shows the old manager even after you added the new one, wait 15 minutes and refresh the page. If the change does not appear, use PowerShell to force the update. Run the following command in SharePoint Online Management Shell:
Set-SPOUser -Site "https://yourtenant-my.sharepoint.com/personal/username_domain_com" -LoginName "newapprover@domain.com" -IsSiteCollectionAdmin $true
Then remove the old manager with Set-SPOUser -Site "..." -LoginName "oldmanager@domain.com" -IsSiteCollectionAdmin $false.
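The two commands above can be wrapped into one repeatable change that also produces the record the playbook step asks for. This is an added example, not part of the original article: the function names are hypothetical, the tenant and account values are placeholders, and the UPN-to-URL mapping is an assumption based on the username_domain_com pattern shown earlier.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example; tenant name and accounts are placeholders, function names are hypothetical.

function ConvertTo-OneDriveUrl {
    # Assumption: the site path is the UPN with '@' and '.' replaced by '_',
    # matching the username_domain_com pattern; confirm the URL under Active sites.
    param([Parameter(Mandatory)][string]$MySiteHost,
          [Parameter(Mandatory)][string]$UserPrincipalName)
    "https://$MySiteHost/personal/" + ($UserPrincipalName -replace '[@.]', '_')
}

function Set-OneDriveApprover {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SiteUrl,
          [Parameter(Mandatory)][string]$NewApprover,
          [string]$OldManager)

    # Stop before changing anything if the URL does not resolve to a site.
    $null = Get-SPOSite -Identity $SiteUrl -ErrorAction Stop

    # Grant first, revoke second, so the site always has a reachable administrator.
    if ($PSCmdlet.ShouldProcess($SiteUrl, "Grant site collection admin to $NewApprover")) {
        $null = Set-SPOUser -Site $SiteUrl -LoginName $NewApprover `
            -IsSiteCollectionAdmin $true -ErrorAction Stop
    }
    if ($OldManager -and $OldManager -ne $NewApprover -and
        $PSCmdlet.ShouldProcess($SiteUrl, "Revoke site collection admin from $OldManager")) {
        $null = Set-SPOUser -Site $SiteUrl -LoginName $OldManager `
            -IsSiteCollectionAdmin $false -ErrorAction Stop
    }

    # Read the flag back; the lookup can fail if the running account cannot list site users.
    $confirmed = $null
    try {
        $confirmed = (Get-SPOUser -Site $SiteUrl -LoginName $NewApprover -ErrorAction Stop).IsSiteAdmin
    } catch { Write-Warning "Could not verify $NewApprover on ${SiteUrl}: $_" }

    # Record for the incident response playbook (previous manager, new approver, date).
    [pscustomobject]@{
        SiteUrl = $SiteUrl; PreviousManager = $OldManager; NewApprover = $NewApprover
        Verified = $confirmed; ChangedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

Connect-SPOService -Url 'https://yourtenant-admin.sharepoint.com'
$url = ConvertTo-OneDriveUrl -MySiteHost 'yourtenant-my.sharepoint.com' -UserPrincipalName 'username@domain.com'
Set-OneDriveApprover -SiteUrl $url -NewApprover 'newapprover@domain.com' -OldManager 'oldmanager@domain.com' -WhatIf
```

Run it with -WhatIf first to preview both permission changes, then drop the switch to apply them and keep the returned object with the incident record.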
The manager field was changed after the user was deleted
If you already deleted the user account from Microsoft Entra ID, you cannot edit the manager field directly. In that case, you must use the SharePoint admin center or PowerShell to update the site collection administrators. You cannot rely on the manager field because the user object no longer exists.
OneDrive Access Methods for Former Employees: Default vs Corrected
| Item | Default Behavior (Wrong Approver) | Corrected Behavior (Right Approver) |
|---|---|---|
| Approver source | Manager field in Microsoft Entra ID | Manually set site collection administrator |
| Update method | Automatic based on Entra ID manager | SharePoint admin center or PowerShell |
| Time to apply | Immediate for new users | 15 minutes for existing sites |
| Persistence after user deletion | Manager field becomes uneditable | Site collection admin remains until changed |
| Incident response suitability | Poor, because approver may be unavailable | Good, because approver is a designated responder |
Use this checklist before deprovisioning any user who might require incident response access. Update the manager field in Entra ID, then manually set the site collection administrator in the SharePoint admin center. Verify the change by requesting access from a test account. This process ensures that your incident response team can access former employee OneDrive files without delay.