When an employee leaves your organization, incident response teams often need immediate access to their OneDrive files. The default approval workflow in the Microsoft 365 admin center sends the access request to the former employee's manager. If the manager is unavailable or has also left the company, the request goes to the wrong approver or gets stuck entirely. This guide explains why the wrong approver is selected and gives a step-by-step fix that routes access requests to the security or IT team instead.
Key Takeaways: Redirect OneDrive Access Approvals for Incident Response
- Microsoft 365 admin center > Settings > Org settings > Security & privacy > OneDrive access: Controls who receives approval requests for accessing a former employee’s OneDrive.
- Azure AD > Users > Manager field: The default approver is the user listed as the employee’s manager. If missing or wrong, the request is sent to a global admin or an unexpected person.
- PowerShell cmdlet `Set-SPOTenant -RequireSecondaryContact`: Adds a secondary approver or overrides the manager-based routing for incident response scenarios.
Why OneDrive Access Requests Go to the Wrong Approver
When an administrator initiates a request to access a former employee’s OneDrive, Microsoft 365 checks the Azure Active Directory profile of that user. The system looks for the Manager attribute. If a manager is listed, the approval request is sent to that person. If the manager field is empty, the request escalates to any global admin in the tenant.
The problem occurs in three common scenarios:
- The former employee’s manager is also a former employee or is on extended leave. The request sits in an unread mailbox.
- The manager field is populated with a person outside the incident response chain, such as a project lead who has no knowledge of data retrieval procedures.
- The tenant has no secondary contact configured, so the request defaults to a single global admin who may not be monitoring approval requests.
The core cause is that the default approval routing uses the Manager attribute in Azure AD, which was never designed for incident response workflows. The fix requires changing the approval contact or adding a secondary approver who is part of the security or IT team.
Steps to Redirect OneDrive Access Approval to the Correct Team
You have two methods to fix the wrong approver issue. Use Method 1 if you want to set a permanent secondary contact for all former employee access requests. Use Method 2 if you need to change the approver for a single user immediately.
Method 1: Set a Tenant-Level Secondary Approver via PowerShell
- Connect to SharePoint Online PowerShell
Open Windows PowerShell as an administrator and run `Connect-SPOService -Url https://yourtenant-admin.sharepoint.com`, replacing `yourtenant` with your tenant name. Sign in with a global admin or SharePoint admin account.
- Check the current secondary contact setting
Run `Get-SPOTenant | Select-Object RequireSecondaryContact`. `False` means no secondary contact is enforced; `True` means a secondary contact is already required.
- Enable the secondary contact requirement
Run `Set-SPOTenant -RequireSecondaryContact $true`. The system then checks for a secondary approver before sending the request to the manager.
- Assign a secondary contact to the affected user
Run `Set-SPOUser -Site https://yourtenant-my.sharepoint.com/personal/formeremployee_domain_com -LoginName approver@domain.com -IsSiteCollectionAdmin $true`, replacing the URL with the former employee's OneDrive URL and the login name with the security team member's address. The secondary contact must be a site collection admin on that OneDrive. Be aware that site collection admin is full control of the OneDrive, not just approval rights: record the grant in the incident ticket and set `-IsSiteCollectionAdmin $false` once the investigation closes.
- Test the approval flow
Initiate a test access request from the Microsoft 365 admin center. The approval email should now go to both the manager and the secondary contact you assigned.
Method 2: Update the Manager Field for a Single User
- Open Azure Active Directory
Go to https://aad.portal.azure.com and sign in as a global admin or user administrator.
- Locate the former employee account
Select Users, then All users. Search for the former employee's name and open their profile.
- Change the Manager attribute
In the left navigation, click Properties. Scroll to the Job information section, click Manager, select a user from the incident response team, and click Save.
- Verify the change
Go to the Microsoft 365 admin center at https://admin.microsoft.com. Navigate to Users > Active users and select the former employee. Under OneDrive, click Get access to files. The approval request is now sent to the manager you just set.
If the Approval Still Goes to the Wrong Person
The manager field is empty but the request goes to an unknown admin
When the manager field is blank, Microsoft 365 escalates the request to any global admin. If multiple global admins exist, one of them receives the email. To fix this, always set a manager or use Method 1 to assign a secondary contact. You can also remove unnecessary global admin roles to limit who receives fallback requests.
The secondary contact is not receiving approval emails
The secondary contact must be a site collection admin on the former employee's OneDrive. If you assigned the secondary contact but they are not receiving emails, verify their site collection admin status. Run `Get-SPOUser -Site https://yourtenant-my.sharepoint.com/personal/formeremployee_domain_com -LoginName approver@domain.com | Select-Object IsSiteCollectionAdmin`. If it returns `False`, run the `Set-SPOUser` command again with `-IsSiteCollectionAdmin $true`.
The approval request times out with no response
Approval requests expire after 30 days if no one responds. To avoid this, create a shared mailbox for the incident response team and set that mailbox's address as the manager or secondary contact, and monitor the mailbox daily. Alternatively, use the Add secondary contact field in the Microsoft 365 admin center under Settings > Org settings > Security & privacy > OneDrive access. This field accepts any email address, including a distribution group. If the contact also has to be a site collection admin (Method 1), use a shared mailbox or a mail-enabled security group rather than a plain distribution group: a distribution group is not a security principal and cannot be granted site collection admin.
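The per-user steps of Method 1 (the site collection admin grant and its test) and of Method 2 (checking and re-pointing the Manager attribute), plus the `Get-SPOUser` verification from the troubleshooting section above, can be run as one script. The following is an added example, not code from the original article or from Microsoft. It assumes the SharePoint Online Management Shell (`Microsoft.Online.SharePoint.PowerShell`) and `Microsoft.Graph.Users` modules are installed and that you hold SharePoint admin and User Administrator rights; `yourtenant`, `ir-approvals@domain.com` and the `$DepartedUsers` list are placeholders and constructed sample input. The tenant-level `Set-SPOTenant -RequireSecondaryContact` step is not included; run it separately as described in Method 1.

```powershell
# Added example (not from the original article). Grants an IR account site
# collection admin on departed users' OneDrives, optionally re-points their
# Manager attribute, and verifies the result. All names below are placeholders.
param(
    [string]   $TenantName    = 'yourtenant',                        # assumption
    [string]   $ApproverUpn   = 'ir-approvals@domain.com',           # IR shared mailbox (assumption)
    [string[]] $DepartedUsers = @('formeremployee@domain.com'),      # constructed sample input
    [switch]   $SetManager,   # Method 2: also set the Manager attribute to $ApproverUpn
    [switch]   $Revoke        # remove the site collection admin grant after the investigation
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Graph.Users

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

function Get-OneDriveUrl {
    param([string]$TenantName, [string]$Upn)
    # OneDrive personal site URLs follow the pattern used in the article:
    # '@' and '.' in the UPN become '_' (user@domain.com -> user_domain_com).
    $segment = $Upn -replace '[@.]', '_'
    return "https://$TenantName-my.sharepoint.com/personal/$segment"
}

function Get-ManagerUpn {
    param([string]$UserId)
    # Get-MgUserManager throws when the Manager attribute is empty; report that as $null.
    try {
        $m = Get-MgUserManager -UserId $UserId -ErrorAction Stop
        return $m.AdditionalProperties['userPrincipalName']
    } catch { return $null }
}

$approver = Get-MgUser -UserId $ApproverUpn -Property Id,UserPrincipalName

foreach ($upn in $DepartedUsers) {
    $user    = Get-MgUser -UserId $upn -Property Id,DisplayName,AccountEnabled
    $siteUrl = Get-OneDriveUrl -TenantName $TenantName -Upn $upn

    # 1. Who is the default approver right now? An empty manager (falls back to a
    #    global admin) or a manager who has also left is the failure mode to catch.
    $managerUpn = Get-ManagerUpn -UserId $user.Id
    if (-not $managerUpn) {
        Write-Warning "$upn has no manager set; access requests fall back to a global admin."
    } elseif ($DepartedUsers -contains $managerUpn) {
        Write-Warning "$upn's manager ($managerUpn) is also a departed user."
    } else {
        Write-Host "$upn manager: $managerUpn"
    }

    # 2. Method 2: point the Manager attribute at the IR approver for this user only.
    if ($SetManager) {
        Set-MgUserManagerByRef -UserId $user.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($approver.Id)"
        }
        Write-Host "$upn manager set to $ApproverUpn"
    }

    # 3. Method 1, step 4: make the IR approver a site collection admin on the OneDrive.
    #    Confirm the site exists first so a mistyped UPN fails loudly, not silently.
    try { $null = Get-SPOSite -Identity $siteUrl -ErrorAction Stop }
    catch { Write-Warning "OneDrive not found at $siteUrl; skipping."; continue }

    $grant = -not $Revoke
    $null  = Set-SPOUser -Site $siteUrl -LoginName $ApproverUpn -IsSiteCollectionAdmin $grant

    # 4. Verify, as in the troubleshooting section: the flag must read True for the
    #    approver to receive anything, and False again once the grant is revoked.
    $state = Get-SPOUser -Site $siteUrl -LoginName $ApproverUpn
    if ($state.IsSiteCollectionAdmin -ne $grant) {
        Write-Error "IsSiteCollectionAdmin for $ApproverUpn on $siteUrl is $($state.IsSiteCollectionAdmin); expected $grant"
    } else {
        Write-Host "$ApproverUpn IsSiteCollectionAdmin on $siteUrl = $($state.IsSiteCollectionAdmin)"
    }
}
```

Run it with `-SetManager` for the urgent single-user case from Method 2, and with `-Revoke` after the investigation so the IR account does not keep standing full control over former employees' files; the verification step then confirms the flag has dropped back to `False`.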
Default Approver vs Secondary Contact: Key Differences
| Item | Default Approver (Manager) | Secondary Contact |
|---|---|---|
| Source of assignment | Azure AD Manager attribute | Set via PowerShell or admin center |
| Requires site collection admin rights | No, only an Azure AD user | Yes, must be added as site collection admin |
| Affects all users in tenant | No, per-user attribute | Yes, when RequireSecondaryContact is enabled |
| Fallback if unavailable | Escalates to any global admin | No fallback; request waits for either approver |
| Best for incident response | Only if manager is on the security team | Yes, can be a shared mailbox or distribution group |
You can now redirect OneDrive access approval requests to the correct incident response team. Start by checking the current manager attribute for any recently departed employees. If your team needs a permanent solution, enable the secondary contact requirement with PowerShell and assign a shared mailbox as the approver. For urgent access, update the manager field temporarily and revert it after the investigation.