OneDrive Admin Checklist: former employee OneDrive access goes to the wrong approver for HR handover

When a former employee leaves your organization, the HR team needs to access that user’s OneDrive files for handover or records retention. But in many Microsoft 365 tenants, the access request or data transfer action routes to the wrong person — often the former employee’s manager or a random global admin instead of the designated HR approver. This happens because OneDrive access management relies on the manager attribute in Microsoft Entra ID and the default sharing policy for the site. This article explains why the approver is wrong and how to reconfigure the tenant so HR receives the access request.

Key Takeaways: Redirecting Former Employee OneDrive Access to HR

  • Microsoft Entra admin center > Users > Manager field: The manager attribute controls the default access request approver for a former employee’s OneDrive. If the manager is wrong, the request goes to the wrong person.
  • SharePoint admin center > OneDrive access policy: The “Notify people who can request access” setting determines who receives the email. Override this to send requests to a shared HR mailbox or security group.
  • Power Automate or Graph API: Use automation to reassign the manager attribute or trigger a custom approval flow when a user is deleted or disabled, ensuring HR is always the approver.


Why the Former Employee OneDrive Access Request Goes to the Wrong Approver

When a user is deleted from Microsoft Entra ID, their OneDrive site is retained for 30 days by default (or up to 3,650 days if you configure retention). During this period, anyone who tries to access the former employee’s OneDrive will see a request access page. The request email is sent to the person listed in the Manager field of the deleted user’s Microsoft Entra ID profile. If the manager field is empty, outdated, or points to a person outside the HR team, the request goes to the wrong approver. Additionally, if the manager has left the organization or no longer has permissions, the request may never be approved. The default behavior assumes the manager is the right person to approve data handover, but in many organizations, HR handles this process.

The Role of the Manager Attribute in Microsoft Entra ID

The Microsoft Entra ID Manager attribute is a simple user property that stores the distinguished name or user principal name of the user’s manager. This field is used by several Microsoft 365 features, including OneDrive access requests, Teams membership expiration, and MyApps portal. When a user is deleted, the system reads this attribute to determine who should be notified about access requests to the user’s OneDrive. If the manager field is not set, the request goes to the SharePoint admin or a site collection administrator. If the manager is set but is no longer active, the email delivery fails silently.

Default OneDrive Sharing Policy Behavior

The OneDrive sharing policy in the SharePoint admin center includes a setting called Notify people who can request access. By default, this is set to the site owner (the former employee) and the site collection administrator. But for deleted users, the system falls back to the manager because the site owner no longer exists. The policy does not automatically route requests to a specific group or mailbox unless you configure it. This is why the request goes to the wrong person: the system uses a fallback logic that most organizations do not customize.

Steps to Redirect Former Employee OneDrive Access Requests to HR

To ensure HR receives the access request, you must update the manager attribute for the departing user before deletion, or configure the OneDrive access policy to send requests to a shared mailbox. The following steps cover both methods.

Method 1: Update the Manager Attribute Before User Deletion

  1. Sign in to the Microsoft Entra admin center
    Go to https://entra.microsoft.com and sign in with a Global Administrator or User Administrator account.
  2. Navigate to the user profile
    Select Identity > Users > All users. Find the departing employee and click their display name.
  3. Edit the Manager field
    In the left navigation, select Properties. Under the Job info section, click Edit. In the Manager field, type the name of the HR user or a shared mailbox that will handle the handover. Click Save.
  4. Delete or disable the user
    After saving the manager change, go back to the user list. Select the user, then click Delete user or Revoke sessions and Block sign-in as per your offboarding process. The OneDrive access request will now be sent to the HR user you set as the manager.

Method 2: Configure OneDrive Access Policy to Use a Shared Mailbox

  1. Sign in to the SharePoint admin center
    Go to https://admin.microsoft.com/SharePoint and sign in with a SharePoint Administrator or Global Administrator account.
  2. Open the OneDrive access policy
    In the left navigation, select Policies > Sharing. Scroll down to the OneDrive access requests section.
  3. Change the notification recipient
    Under Notify people who can request access, clear the default value and enter the email address of a shared HR mailbox (for example, hr@contoso.com). Click Save.
  4. Test the configuration
    Ask a user who does not have access to a former employee’s OneDrive to visit that OneDrive URL. They should see a request access button. After they submit the request, verify that the HR shared mailbox receives the notification email within a few minutes.

Method 3: Use Power Automate to Automate Manager Assignment

  1. Create a new automated cloud flow
    Go to https://make.powerautomate.com and sign in. Click Create > Automated cloud flow.
  2. Set the trigger to “When a user is deleted from Microsoft Entra ID”
    Search for the Microsoft Entra ID connector and select the trigger When a user is deleted from Microsoft Entra ID. Click Create.
  3. Add an action to update the manager
    Click + New step. Search for the Microsoft Entra ID connector and select the action Update user. In the User ID field, enter the user principal name of the deleted user (available from the trigger output). In the Manager field, enter the email of the HR shared mailbox. Click Save.
  4. Test the flow
    Delete a test user (or use a simulated trigger) to verify that the manager attribute is updated before the OneDrive access request is sent. Check that the HR mailbox receives the request email.
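The manager change in Method 1 and the automation in Method 3 can also be done from a script against Microsoft Graph, which lets you verify the new approver before the account is disabled or deleted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original checklist, and the two UPNs at the bottom are placeholders.

```powershell
# Added example (not from the original article): set the Manager attribute of a
# departing user to the HR handover mailbox with the Microsoft Graph PowerShell SDK,
# then read it back before the account is disabled or deleted.
# Assumptions: the Microsoft.Graph module is installed; the UPNs below are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

function Set-HandoverManager {
    param(
        [Parameter(Mandatory)] [string] $DepartingUpn,
        [Parameter(Mandatory)] [string] $HrApproverUpn,
        [switch] $DisableAfter
    )

    # 1. Resolve the HR approver first. If this lookup fails, the request would go
    #    nowhere, which is the failure mode the article describes, so stop here.
    $hr = Get-MgUser -UserId $HrApproverUpn -Property Id,DisplayName,AccountEnabled
    # A shared mailbox is sign-in blocked by design, so this is a warning, not an error.
    if (-not $hr.AccountEnabled) {
        Write-Warning "$HrApproverUpn is sign-in blocked (expected for a shared mailbox)."
    }

    # 2. Record who the request would go to today (may be empty or a departed manager).
    $before = $null
    try { $before = Get-MgUserManager -UserId $DepartingUpn } catch { }
    $beforeName = if ($before) { $before.AdditionalProperties['userPrincipalName'] } else { '<none>' }
    Write-Host "Current manager of ${DepartingUpn}: $beforeName"

    # 3. Point the manager navigation property at the HR approver.
    Set-MgUserManagerByRef -UserId $DepartingUpn -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($hr.Id)"
    }

    # 4. Read back and verify before any offboarding action touches the account.
    $after = Get-MgUserManager -UserId $DepartingUpn
    if ($after.Id -ne $hr.Id) {
        throw "Manager update for $DepartingUpn did not take effect; aborting offboarding."
    }
    Write-Host "Manager of $DepartingUpn is now $($hr.DisplayName) ($HrApproverUpn)"

    # 5. Only now block sign-in and revoke sessions (Method 1, step 4). Deletion is left
    #    to your offboarding runbook so the read-back above is never skipped.
    if ($DisableAfter) {
        Update-MgUser -UserId $DepartingUpn -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $DepartingUpn | Out-Null
    }
}

# Placeholder UPNs, constructed for this example.
Set-HandoverManager -DepartingUpn 'departing.user@contoso.com' -HrApproverUpn 'hr@contoso.com'
```

Run it with an account holding User.ReadWrite.All, and keep the output of the read-back step with the offboarding ticket as evidence that the approver was correct at deletion time.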


If the Access Request Still Goes to the Wrong Person

Manager Field Was Empty at the Time of Deletion

If the manager field was empty when the user was deleted, the system sends the access request to the site collection administrator, which is typically a global admin. To fix this retroactively, you must restore the deleted user, update the manager field, and then delete the user again. To restore a deleted user, go to the Microsoft Entra admin center, select Identity > Users > Deleted users, select the user, and click Restore user. Then follow Method 1 above.

Manager User Account Is Also Disabled or Deleted

If the manager has also left the organization, the access request email will not be delivered. The system does not fall back to another approver. To avoid this, always set the manager to an active HR mailbox or a security group that has a designated owner. You can also create a shared mailbox specifically for OneDrive access requests and set that as the manager for all departing users.

Access Request Email Goes to Spam or Is Blocked

The notification email is sent from Microsoft SharePoint with the subject “Access request for [site name]”. If your email security rules block external or automated messages, the HR mailbox may never see the request. Add the SharePoint notification email address to the allowed senders list in Exchange Online mail flow rules. You can also check the mailbox’s Junk Email folder.

Manager Attribute vs SharePoint Access Policy: Key Differences

| Item | Manager Attribute (Microsoft Entra ID) | SharePoint Access Policy (OneDrive) |
|---|---|---|
| Scope | All Microsoft 365 services that use the manager field | Only OneDrive sites |
| Configuration location | Microsoft Entra admin center > User properties | SharePoint admin center > Policies > Sharing |
| When it applies | Before user deletion or via automation | At the time of access request |
| Can be a group or shared mailbox | Yes, if you enter the email address of a shared mailbox | Yes, you can enter any email address |
| Fallback behavior | If empty, falls back to site collection admin | If empty, falls back to site owner (deleted user), then manager |

The manager attribute is the primary control for the OneDrive access request approver. The SharePoint access policy only overrides the notification recipient for requests made after the user is deleted. For the most reliable results, set the manager field to an active HR shared mailbox before deleting the user. You can also use Power Automate to automate this process and ensure no departing user is missed. The SharePoint access policy provides a secondary safeguard if the manager field is not set at the time of deletion. Use both methods together to guarantee HR receives every access request.