OneDrive for Business former employee OneDrive access troubleshooting for contractor cleanup: goes to the wrong approver

When a contractor leaves or is removed, IT administrators often need to grant a manager or delegate access to the former employee’s OneDrive. The built-in workflow in the Microsoft 365 admin center is supposed to route the access request to the correct person. However, many administrators report that the access request goes to the wrong approver, delaying cleanup and data recovery. This issue typically occurs because the target OneDrive’s owner has a different manager assigned in the Microsoft 365 directory than expected, or because the delegation settings in the admin portal are misconfigured. This article explains why the approval request is misdirected and provides step-by-step fixes to route the request to the correct person.

The approval workflow relies on the manager attribute in Azure Active Directory. If the manager field is empty, outdated, or points to a user who no longer exists, the system falls back to a default approver. Additionally, the OneDrive admin center settings can override the default approval chain. Understanding these two root causes is essential to resolve the routing issue.

This article covers the technical cause of misrouted approvals, the steps to verify and correct the manager attribute, and how to configure the admin center approval settings. It also includes a comparison of the two main approval methods and solutions for related failure patterns.

Key Takeaways: Fixing OneDrive Access Approval Routing

  • Microsoft 365 admin center > Users > Active users > Manager: The manager attribute on the former employee’s user object determines the default approver. Verify and update this field.
  • OneDrive admin center > Access management > Delegation: Overrides the default approval chain. Set delegation to a specific group or user to ensure correct routing.
  • Azure AD Connect sync: If manager data comes from on-premises Active Directory, a sync error or stale attribute can cause the wrong approver. Force a sync or update the source.

Why the Approval Request Goes to the Wrong Approver

The Microsoft 365 approval workflow for granting access to a former employee’s OneDrive uses a chain of three fallback options. The system first checks the manager attribute on the former employee’s user object in Azure Active Directory. If the manager field is populated and the manager user is active, the request is sent to that person. If the manager field is empty, the system checks the delegation settings in the OneDrive admin center. If no delegation is configured, the request is sent to the global administrators group.

The most common cause of misrouting is an incorrect or missing manager attribute. For example, a contractor may have been assigned a manager who left the company, or the manager field was never populated during onboarding. Another frequent cause is a stale delegation setting that points to a user or group that no longer exists or has the wrong permissions.

A less obvious cause is a delay in directory synchronization. If you use Azure AD Connect to sync users from on-premises Active Directory, the manager attribute may not have synced correctly. The approval request is generated based on the data in Azure AD at the moment the request is submitted. If the sync is stuck or the attribute is not mapped, the wrong approver is selected.

Steps to Route the Approval Request to the Correct Approver

  1. Check the manager attribute on the former employee’s user object
    Go to the Microsoft 365 admin center at admin.microsoft.com. Select Users > Active users. Find the former employee’s account and click to open the details panel. Select the Mail tab and locate the Manager field. If the manager is incorrect or blank, click Edit and select the correct person from the directory. Save the change.
  2. Verify the manager is an active user with a valid license
    The manager must be an active user with a valid Microsoft 365 license. If the manager account is disabled or unlicensed, the approval request will not reach them. Go to Users > Active users and confirm the manager’s account status. If needed, re-enable the account or assign a license.
  3. Force an Azure AD Connect sync if using on-premises Active Directory
    If your organization syncs users from on-premises Active Directory, the manager attribute update may not appear immediately. On the Azure AD Connect server, open PowerShell as an administrator and run Start-ADSyncSyncCycle -PolicyType Delta. Wait five minutes, then verify the manager attribute in the Microsoft 365 admin center again.
  4. Configure OneDrive admin center delegation settings
    Go to the OneDrive admin center at admin.onedrive.com. Select Access management from the left navigation. Under Delegation, select Allow delegation and choose Specific users or groups. Enter the email address of the correct approver or a security group that contains the approver. Click Save. This setting overrides the manager attribute for all future access requests.
  5. Submit a new access request after updating settings
    After correcting the manager attribute or delegation setting, go to the Microsoft 365 admin center. Select Users > Active users, click the former employee’s name, and select OneDrive. Click Get access to files. The approval request should now be sent to the correct approver. Confirm by checking the approver’s email inbox for the request.

If the Approval Request Still Goes to the Wrong Approver

The manager attribute update did not apply

If the manager appears correct in the admin center but the request still goes to the wrong person, the change may not have propagated. Azure AD can take up to 30 minutes to fully update. Wait and try again. If the issue persists, check the Audit log in the compliance center for any errors related to the user object update.

The delegation setting is not being honored

Delegation settings in the OneDrive admin center apply only to new access requests. If a previous request was already submitted and rejected or expired, the delegation setting may not take effect for that specific user. Cancel any pending requests and submit a new one. To cancel, go to OneDrive admin center > Access management > Requests and delete the pending request.

The former employee’s OneDrive is in a different tenant

If the contractor had a guest account in your tenant but their OneDrive is in their home tenant, the approval workflow does not apply. You cannot grant access through the Microsoft 365 admin center. Instead, the contractor’s home tenant admin must grant access directly. This scenario is common with external contractors who were invited as guests.

The approval request goes to a group that no longer exists

If the delegation setting points to a security group that has been deleted, the request is sent to no one. Check the delegation setting in the OneDrive admin center and ensure the group still exists and contains the correct members. If the group was deleted, update the delegation to a valid group or user.

Manager Attribute vs Delegation Setting: Approval Routing Comparison

| Item | Manager Attribute | Delegation Setting |
|---|---|---|
| Configuration location | Microsoft 365 admin center > Users > Active users > Manager field | OneDrive admin center > Access management > Delegation |
| Approval priority | Checked first by the workflow | Checked only if manager attribute is empty or invalid |
| Scope | Applies per individual user | Applies to all users without a valid manager |
| Best for | Organizations with accurate directory data | Organizations with many contractors or guests |
| Limitation | Requires manual update for each user | Overrides the manager chain for all users |

When the request goes to the wrong approver, first correct the manager attribute. If that does not work or is impractical for many users, configure the delegation setting to a specific person or group. Both methods can be used together for maximum control.

You can now route OneDrive access requests to the correct approver by updating the manager attribute or the delegation setting. As a next step, review the manager attributes for all contractor accounts to prevent future misrouting. For large-scale cleanup, consider using PowerShell to bulk-update the manager field with the Set-AzureADUserManager cmdlet. This approach ensures every contractor has a valid approver before the departure date.
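
The contractor review and bulk update suggested above, as an added PowerShell example (not code from the original article). It assumes the AzureAD module with an existing Connect-AzureAD session; the "c-" UPN prefix for contractors and the approver address are placeholders for illustration.

```powershell
# Added example. Assumes the AzureAD module and an existing Connect-AzureAD session.
# Assumptions: contractor UPNs start with "c-"; the approver UPN is a placeholder.
$ContractorFilter = "startswith(userPrincipalName,'c-')"
$FallbackApprover = 'approver@contoso.example'
$ApplyFix         = $false   # leave $false to report only; $true writes the manager

function Get-ManagerRoutingIssue {
    # Returns $null when the manager is populated, enabled and licensed;
    # otherwise the reason the approval request would not reach them.
    param($Manager)
    if (-not $Manager)                  { return 'NoManager' }
    if (-not $Manager.AccountEnabled)   { return 'ManagerDisabled' }
    if (-not $Manager.AssignedLicenses) { return 'ManagerUnlicensed' }
    return $null
}

$contractors = Get-AzureADUser -All $true -Filter $ContractorFilter

$report = foreach ($user in $contractors) {
    # Look up the manager reference, then re-read the full manager object
    # so account status and licenses are available for the checks.
    $ref     = Get-AzureADUserManager -ObjectId $user.ObjectId -ErrorAction SilentlyContinue
    $manager = if ($ref) { Get-AzureADUser -ObjectId $ref.ObjectId } else { $null }
    $issue   = Get-ManagerRoutingIssue -Manager $manager
    if ($issue) {
        [pscustomobject]@{
            Contractor = $user.UserPrincipalName
            ObjectId   = $user.ObjectId
            Manager    = if ($manager) { $manager.UserPrincipalName } else { '' }
            Issue      = $issue
        }
    }
}
$report | Format-Table Contractor, Manager, Issue -AutoSize

# Optional bulk fix: point every flagged contractor at the fallback approver.
if ($ApplyFix -and $report) {
    $approver = Get-AzureADUser -ObjectId $FallbackApprover
    foreach ($row in $report) {
        Set-AzureADUserManager -ObjectId $row.ObjectId -RefObjectId $approver.ObjectId
    }
}
```

Run it once with $ApplyFix left at $false and review the report before allowing the script to change any manager attribute.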
