OneDrive Admin Checklist: former employee OneDrive access goes to the wrong approver for legal review

When a former employee leaves your organization, their OneDrive files often need legal review before access is granted to a new owner. You have configured the retention policy and assigned a legal team member as the reviewer. But the access request is sent to a different person, such as the former employee’s direct manager or a random site collection administrator. This mismatch delays compliance workflows and creates security gaps. The root cause is almost always a misconfigured approval chain in the Microsoft 365 admin center or a missing site collection owner assignment. This article explains why the wrong approver receives the request and provides a step-by-step checklist to route OneDrive access requests to the correct legal reviewer.

Key Takeaways: Direct OneDrive Access Requests to the Right Legal Approver

  • Microsoft 365 admin center > Settings > Org settings > OneDrive > Access requests: Controls who receives the email when someone requests access to a former employee’s OneDrive. Set this to a shared legal mailbox or a specific legal team member.
  • SharePoint admin center > Active sites > former employee site > Owners: The site collection owner group determines the default approver when no explicit access request setting is configured. Remove old managers and add the legal reviewer as a site owner.
  • PowerShell Set-SPOSite -Identity -Owner or -SiteOwner: Allows bulk reassignment of OneDrive site ownership to the correct legal reviewer across multiple former employees at once.

Why OneDrive Access Requests Go to the Wrong Approver

When a former employee’s OneDrive site is orphaned, the system uses a fallback approval chain to determine who receives access requests. The chain follows this order:

  1. Site owner group: The user or group listed as the site owner receives the request first. If the former employee was the sole owner, the system skips this step.
  2. Access request settings: If no site owner is active, the system checks the tenant-level access request setting in the OneDrive admin section. This setting defines a default email address for all orphaned OneDrive sites.
  3. Site collection administrator: If neither of the above is configured, the request goes to any user who has site collection administrator rights on the former employee’s site.

The most common failure is that the direct manager is listed as a site owner because of the automatic manager assignment feature in OneDrive. When the former employee’s manager is still an active user, the system routes the access request to them instead of the legal reviewer. Another failure occurs when the tenant-level access request email is left blank or points to a general IT support mailbox that forwards requests to the wrong team.

The Role of the Manager Assignment Feature

OneDrive automatically assigns the former employee’s direct manager as a site owner when the user account is deleted or disabled. This feature is designed to give the manager immediate access to the files. However, if your organization requires legal review before access is granted, this automatic assignment bypasses the legal approval process. The manager receives the access request and can approve it without legal oversight.

Checklist to Route OneDrive Access Requests to the Correct Legal Approver

Use this checklist in the order presented to ensure all former employee OneDrive sites direct access requests to your designated legal reviewer.

Step 1: Disable Automatic Manager Assignment

  1. Open the Microsoft 365 admin center
    Go to Settings > Org settings > OneDrive.
  2. Locate the manager assignment setting
    Scroll to the section labeled When a user is deleted from Azure Active Directory. Uncheck the box that says Give the user’s manager access to the user’s OneDrive.
  3. Save the change
    Click Save. This prevents any future manager from automatically becoming a site owner.

Step 2: Set a Default Access Request Email for Orphaned Sites

  1. Navigate to OneDrive access request settings
    In the same OneDrive settings page, find Access requests.
  2. Enter the legal reviewer email address
    Type the email address of your legal team shared mailbox or a specific legal reviewer. This email receives all access requests for orphaned OneDrive sites that have no active owner.
  3. Save the setting
    Click Save. The tenant now uses this email as the fallback approver.

Step 3: Reassign Site Ownership for Existing Former Employee Sites

  1. Open the SharePoint admin center
    Go to Admin centers > SharePoint.
  2. Find the former employee’s OneDrive site
    Select Active sites. Use the search box to find the site by the former employee’s name or email. The site URL follows the pattern https://yourtenant-my.sharepoint.com/personal/username_domain_com.
  3. Change the site owner
    Click the site name to open the details panel. Under Owners, click Add owner. Enter the legal reviewer’s email address. Remove any existing owners such as the former manager.
  4. Save the change
    Click Save. The legal reviewer is now the primary owner and will receive all future access requests.

Step 4: Use PowerShell for Bulk Reassignment

If you have many former employee sites to update, use PowerShell to reassign ownership in bulk.

  1. Install and connect to SharePoint Online PowerShell
    Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell then Connect-SPOService -Url https://yourtenant-admin.sharepoint.com.
  2. Reassign the site owner
    Use the command Set-SPOSite -Identity https://yourtenant-my.sharepoint.com/personal/username_domain_com -Owner legalreviewer@yourtenant.com. Replace the URL and email with your values.
  3. Verify the change
    Run Get-SPOSite -Identity https://yourtenant-my.sharepoint.com/personal/username_domain_com | Select Owner to confirm the new owner.

If Access Requests Still Go to the Wrong Person

The Legal Reviewer Is Not Receiving Any Emails

This usually happens when the access request email address is not a valid mailbox or is a distribution group that does not accept external emails. Use a shared mailbox or a security group that can receive email from external senders. Also check your Exchange Online spam filter to ensure emails from no-reply@sharepointonline.com are not blocked.

The Former Employee’s Manager Still Gets the Request

If you disabled automatic manager assignment but the manager still appears as an owner, the manager was added manually before the setting was changed. Follow Step 3 to remove the manager from the site owners group. If the manager is listed as a site collection administrator, remove them from that role in the SharePoint admin center under More features > Site collection administrators.

The Request Goes to a Global Admin Instead of the Legal Reviewer

Global admins have implicit access to all OneDrive sites and may receive access requests as a fallback. To prevent this, ensure the access request email in the OneDrive settings is populated with the legal reviewer’s address. Also remove global admins from the site owner group of each former employee site.

Access Request Routing: Tenant-Level Setting vs Site Owner Assignment

| Item | Tenant-Level Access Request Email | Site Owner Assignment |
| --- | --- | --- |
| Scope | Applies to all orphaned OneDrive sites with no active owner | Applies to a single former employee site |
| Configuration location | Microsoft 365 admin center > Settings > Org settings > OneDrive > Access requests | SharePoint admin center > Active sites > select site > Owners |
| Override behavior | Overrides site collection administrator fallback but not explicit site owner | Overrides all other routing rules for that specific site |
| Best for | Setting a default legal mailbox for all future former employees | Fixing routing for existing former employee sites where the wrong person is already an owner |

Use the tenant-level setting as a safety net and site owner assignment as the primary method for existing sites. Both should point to the same legal reviewer or shared mailbox.

After completing this checklist, all access requests for former employee OneDrive sites will be routed to your designated legal reviewer. The legal team can review files before granting access to a new owner or archiving the data. For ongoing compliance, run a monthly PowerShell script that checks site ownership on all OneDrive sites and reassigns any that do not match the legal reviewer. Use Get-SPOSite -IncludePersonalSite $true to list all personal sites and verify their owner property.
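
The bulk reassignment from Step 4 and the recurring ownership check described above can be combined into one script. The following is an added example, not code from the original article: the tenant URLs, reviewer address and site list are placeholders, and it assumes you pass in only former employees' OneDrive URLs so that active users keep ownership of their own sites.

```powershell
# Added example: audit (and optionally fix) the owner of former-employee OneDrive sites.
# Assumptions: all URLs and addresses below are placeholders for your own values.
param(
    [string]$AdminUrl      = 'https://yourtenant-admin.sharepoint.com',
    [string]$LegalReviewer = 'legalreviewer@yourtenant.com',
    # Constructed placeholder list: supply only former employees' OneDrive URLs.
    [string[]]$SiteUrls    = @(
        'https://yourtenant-my.sharepoint.com/personal/username_domain_com'
    ),
    [switch]$Apply   # without -Apply the script reports mismatches and changes nothing
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

$report = foreach ($url in $SiteUrls) {
    try {
        $site = Get-SPOSite -Identity $url -ErrorAction Stop
    } catch {
        # Site deleted, URL mistyped, or no permission: record it and move on.
        [pscustomobject]@{ Url = $url; Owner = $null; Status = "Lookup failed: $($_.Exception.Message)" }
        continue
    }

    if ($site.Owner -eq $LegalReviewer) {          # -eq is case-insensitive for strings
        $status = 'OK'
    } elseif ($Apply) {
        try {
            Set-SPOSite -Identity $site.Url -Owner $LegalReviewer -ErrorAction Stop
            $status = 'Reassigned'
        } catch {
            $status = "Reassign failed: $($_.Exception.Message)"
        }
    } else {
        $status = 'Mismatch (report only)'
    }
    # Owner is the value found before any change, so the CSV doubles as a change record.
    [pscustomobject]@{ Url = $site.Url; Owner = $site.Owner; Status = $status }
}

$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -Path ".\onedrive-owner-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once without `-Apply` and review the mismatch list before letting it change ownership; keep the dated CSV as evidence of who owned each site before reassignment.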
