When a former employee leaves your organization, Microsoft 365 admins must transfer or delete their OneDrive files. The default approval workflow routes access requests to the former employee’s manager. If the former employee is a contractor or temp worker with no active manager in Azure AD, the approval request goes to the wrong person or gets stuck. This article explains why the default delegation fails for contractors and how to reassign approval authority correctly.
Key Takeaways: Fix Contractor OneDrive Approval Routing
- Microsoft 365 admin center > User management > Active users > Manager field: The Manager field in Azure AD determines who receives the OneDrive access approval request for a former employee.
- SharePoint admin center > Access requests > Send approval requests to: This setting lets you choose between sending to the site owner, the former employee’s manager, or a custom group for all access requests.
- Azure AD > Users > Deleted users > Restore user: Restoring a deleted user temporarily allows you to update the Manager field before re-deleting the account to fix approval routing for contractor cleanup.
Why OneDrive Access Requests Go to the Wrong Approver for Contractors
Microsoft 365 uses a default approval flow when someone requests access to a former employee’s OneDrive. The system looks at the Manager attribute in Azure Active Directory for the deleted user. If the Manager field is empty, outdated, or points to another contractor who has also left, the request is sent to an unintended recipient. For contractors and temporary workers, this scenario is common because organizations often skip assigning a manager in Azure AD for short-term staff.
The approval request email is sent to the manager listed in the user’s profile at the time of deletion. If no manager is set, the request goes to the OneDrive site owner, which is typically the global admin or SharePoint admin. This can cause delays or security gaps if the wrong person approves access to sensitive files.
The Role of the Manager Attribute in Azure AD
Azure AD stores a Manager attribute for every user object. This field is used by multiple Microsoft 365 services, including OneDrive access delegation. When you delete a user, the system retains this attribute. Any future access request for that user’s OneDrive is routed to the manager specified in the attribute. If the manager is also deleted, the request fails silently or goes to a fallback approver, often the global admin.
Why Contractors Are Affected More Often
Contractors and vendors are frequently onboarded without a manager assignment. HR systems may not sync the manager field for non-employee accounts. Even when a manager is assigned, that manager might be a contractor who leaves before the cleanup process. This creates a broken approval chain that the default tools cannot resolve.
Steps to Correctly Route OneDrive Approval for Former Contractors
To fix the approval routing, you must update the Manager attribute on the deleted user object. This requires restoring the user, assigning a valid manager, and re-deleting the user. Follow these steps in order.
- Identify the former contractor in deleted users
Go to the Microsoft 365 admin center. Select User management > Deleted users. Find the contractor’s account. Note the user principal name UPN and the current manager if one is listed. - Restore the deleted user
Select the user and click Restore user. This action reactivates the account. Wait 30 seconds for the change to propagate. - Assign a valid manager to the restored user
Navigate to User management > Active users. Open the restored user’s profile. Go to the Manager section. Click Edit and select an active employee who will handle the OneDrive cleanup. Save the change. - Delete the user again
Return to Active users. Select the restored contractor account. Click Delete user. Confirm the deletion. The user moves back to the Deleted users list. - Verify the approval routing
Open a browser in private mode. Try to access the former contractor’s OneDrive URL:https://yourtenant-my.sharepoint.com/personal/UPN. Observe the access request flow. The approval email should now go to the manager you assigned.
Alternative Method: Use a Shared Mailbox or Security Group as Approver
If you cannot restore the user, you can change the default approval behavior at the tenant level. Go to the SharePoint admin center. Select Policies > Access control > Access requests. Under Send approval requests to, choose Specific people or group. Enter a shared mailbox or security group that handles contractor offboarding. This method redirects all access requests for all sites, not just OneDrive.
If the Approval Request Still Goes to the Wrong Person
Even after updating the manager, some scenarios cause persistent misrouting. Check these common failures.
The Manager Field Is Not Synced from On-Premises Active Directory
If your organization uses Azure AD Connect to sync from on-premises Active Directory, the Manager attribute may be overwritten during the next sync cycle. After restoring and updating the manager in Microsoft 365, force a delta sync from your on-premises server. Run this PowerShell command: Start-ADSyncSyncCycle -PolicyType Delta. Then re-delete the user.
The Former Contractor’s OneDrive Is Already in a Retention Hold
When a OneDrive is placed on hold for eDiscovery or legal retention, access request routing is blocked. The approval request will not be sent to any manager. You must remove the hold before changing the approval flow. Check the Microsoft Purview compliance portal under eDiscovery > Holds for any holds applied to the user’s OneDrive.
The Manager Is a Guest User or External User
If the former employee’s manager is a guest user in your tenant, approval requests may fail because guest accounts lack permissions to approve OneDrive access. Replace the guest manager with an internal user using the restore-and-reassign method described above.
OneDrive Approval Routing Options for Former Employees
| Item | Default Manager Routing | Custom Group Routing |
|---|---|---|
| Approver | Manager listed in Azure AD at deletion time | Specific security group or shared mailbox |
| Setup location | Azure AD user Manager field | SharePoint admin center > Access requests |
| Best for | Full-time employees with active managers | Contractors, temps, or users with missing managers |
| Delay after change | Immediate after user restore and re-deletion | Up to 24 hours for tenant-wide setting to apply |
| Fallback if empty | OneDrive site owner global admin | No fallback; group must exist and have members |
You now have two reliable methods to control who approves access to a former contractor’s OneDrive. The restore-and-reassign method is the fastest fix for a single user. The tenant-level custom group approach is better for organizations that frequently onboard and offboard contractors. For ongoing management, consider using a Microsoft 365 group dedicated to offboarding tasks and set it as the default approver for all access requests.