New-MgBetaIdentityGovernanceAccessReviewDefinition
Create a new accessReviewScheduleDefinition object.
Note
To view the v1.0 release of this cmdlet, view New-MgIdentityGovernanceAccessReviewDefinition
Syntax
New-MgBetaIdentityGovernanceAccessReviewDefinition
[-ResponseHeadersVariable <String>]
[-AdditionalNotificationRecipients <IMicrosoftGraphAccessReviewNotificationRecipientItem[]>]
[-AdditionalProperties <Hashtable>]
[-BackupReviewers <IMicrosoftGraphAccessReviewReviewerScope[]>]
[-CreatedBy <IMicrosoftGraphUserIdentity>]
[-CreatedDateTime <DateTime>]
[-DescriptionForAdmins <String>]
[-DescriptionForReviewers <String>]
[-DisplayName <String>]
[-FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope[]>]
[-Id <String>]
[-InstanceEnumerationScope <Hashtable>]
[-Instances <IMicrosoftGraphAccessReviewInstance[]>]
[-LastModifiedDateTime <DateTime>]
[-Reviewers <IMicrosoftGraphAccessReviewReviewerScope[]>]
[-Scope <Hashtable>]
[-Settings <IMicrosoftGraphAccessReviewScheduleSettings>]
[-StageSettings <IMicrosoftGraphAccessReviewStageSettings[]>]
[-Status <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-MgBetaIdentityGovernanceAccessReviewDefinition
-BodyParameter <IMicrosoftGraphAccessReviewScheduleDefinition>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Create a new accessReviewScheduleDefinition object.
Permissions
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | AccessReview.ReadWrite.All | Not available. |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | AccessReview.ReadWrite.All | Not available. |
Examples
Example 1: Create an access review on a group
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
displayName = "Test create"
descriptionForAdmins = "New scheduled access review"
descriptionForReviewers = "If you have any questions, contact jerry@contoso.com"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers"
queryType = "MicrosoftGraph"
}
reviewers = @(
@{
query = "/users/398164b1-5196-49dd-ada2-364b49f99b27"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
defaultDecisionEnabled = $false
defaultDecision = "None"
instanceDurationInDays = 1
recommendationsEnabled = $true
recurrence = @{
pattern = @{
type = "weekly"
interval = 1
}
range = @{
type = "noEnd"
startDate = "2020-09-08T12:02:30.667Z"
}
}
}
}
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $params
This example will create an access review on a group
Example 2: Create an access review on all teams with inactive guest users
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
displayName = "Review inactive guests on teams"
descriptionForAdmins = "Control guest user access to our teams."
descriptionForReviewers = "Information security is everyone's responsibility. Review our access policy for more."
instanceEnumerationScope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team')')"
queryType = "MicrosoftGraph"
}
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
query = "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')"
queryType = "MicrosoftGraph"
inactiveDuration = "P30D"
}
reviewers = @(
@{
query = "./owners"
queryType = "MicrosoftGraph"
}
)
fallbackReviewers = @(
@{
query = "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
recommendationsEnabled = $true
instanceDurationInDays = 3
recurrence = @{
pattern = @{
type = "absoluteMonthly"
dayOfMonth = 5
interval = 3
}
range = @{
type = "noEnd"
startDate = "2020-05-04T00:00:00.000Z"
}
}
defaultDecisionEnabled = $true
defaultDecision = "Deny"
autoApplyDecisionsEnabled = $true
}
}
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $params
This example will create an access review on all teams with inactive guest users
Example 3: Create an access review of all users to an application
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
displayName = "Review employee access to LinkedIn"
descriptionForAdmins = "Review employee access to LinkedIn"
scope = @{
"@odata.type" = "#microsoft.graph.principalResourceMembershipsScope"
principalScopes = @(
@{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/users"
queryType = "MicrosoftGraph"
}
)
resourceScopes = @(
@{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae"
queryType = "MicrosoftGraph"
}
)
}
reviewers = @(
@{
query = "./manager"
queryType = "MicrosoftGraph"
queryRoot = "decisions"
}
)
backupReviewers = @(
@{
query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
queryType = "MicrosoftGraph"
}
)
fallbackReviewers = @(
@{
query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
defaultDecisionEnabled = $true
defaultDecision = "Recommendation"
instanceDurationInDays = 180
autoApplyDecisionsEnabled = $true
recommendationsEnabled = $true
recurrence = @{
pattern = @{
type = "absoluteMonthly"
interval = 6
dayOfMonth = 0
}
range = @{
type = "numbered"
startDate = "2021-05-05"
endDate = "2022-05-05"
}
}
}
}
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $params
This example will create an access review of all users to an application
Example 4: Create an access review on a group with multiple stages
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
displayName = "Group Multi-stage Access Review"
descriptionForAdmins = "New scheduled access review"
descriptionForReviewers = "If you have any questions, contact jerry@contoso.com"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers"
queryType = "MicrosoftGraph"
}
stageSettings = @(
@{
stageId = "1"
durationInDays = 2
recommendationsEnabled = $false
decisionsThatWillMoveToNextStage = @(
"NotReviewed"
"Approve"
)
reviewers = @(
@{
query = "/users/398164b1-5196-49dd-ada2-364b49f99b27"
queryType = "MicrosoftGraph"
}
)
}
@{
stageId = "2"
dependsOn = @(
"1"
)
durationInDays = 2
recommendationsEnabled = $true
reviewers = @(
@{
query = "./manager"
queryType = "MicrosoftGraph"
queryRoot = "decisions"
}
)
fallbackReviewers = @(
@{
query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
queryType = "MicrosoftGraph"
}
)
}
)
settings = @{
instanceDurationInDays = 4
recurrence = @{
pattern = @{
type = "weekly"
interval = 1
}
range = @{
type = "noEnd"
startDate = "2020-09-08T12:02:30.667Z"
}
}
decisionHistoriesForReviewersEnabled = $true
}
}
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $params
This example will create an access review on a group with multiple stages
Example 5: Create an access review on a group with insights about user-to-group affiliation and user sign in for recommendations
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
displayName = "Test create"
descriptionForAdmins = "New scheduled access review"
descriptionForReviewers = "If you have any questions, contact jerry@contoso.com"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers"
queryType = "MicrosoftGraph"
}
reviewers = @(
@{
query = "/users/398164b1-5196-49dd-ada2-364b49f99b27"
queryType = "MicrosoftGraph"
}
)
settings = @{
instanceDurationInDays = 1
recurrence = @{
pattern = @{
type = "weekly"
interval = 1
}
range = @{
type = "noEnd"
startDate = "2020-09-08T12:02:30.667Z"
}
}
recommendationInsightSettings = @(
@{
"@odata.type" = "#microsoft.graph.userLastSignInRecommendationInsightSetting"
recommendationLookBackDuration = "P30D"
signInScope = "tenant"
}
@{
"@odata.type" = "#microsoft.graph.groupPeerOutlierRecommendationInsightSettings"
}
)
}
}
New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $params
This example will create an access review on a group with insights about user-to-group affiliation and user sign in for recommendations
Parameters
-AdditionalNotificationRecipients
Defines the list of additional users or group members to be notified of the access review progress. To construct, see NOTES section for ADDITIONALNOTIFICATIONRECIPIENTS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewNotificationRecipientItem[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BackupReviewers
This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports $select. Note: This property has been replaced by fallbackReviewers. However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property. To construct, see NOTES section for BACKUPREVIEWERS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewReviewerScope[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
accessReviewScheduleDefinition To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewScheduleDefinition |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CreatedBy
userIdentity To construct, see NOTES section for CREATEDBY properties and create a hash table.
Type: | IMicrosoftGraphUserIdentity |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CreatedDateTime
Timestamp when the access review series was created. Supports $select. Read-only.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DescriptionForAdmins
Description provided by review creators to provide more context of the review to admins. Supports $select.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DescriptionForReviewers
Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DisplayName
Name of the access review series. Supports $select and $orderby. Required on create.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-FallbackReviewers
This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property. To construct, see NOTES section for FALLBACKREVIEWERS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewReviewerScope[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InstanceEnumerationScope
accessReviewScope
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Instances
Set of access reviews instances for this access review series. Access reviews that don't recur will only have one instance; otherwise, there's an instance for each recurrence. To construct, see NOTES section for INSTANCES properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewInstance[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LastModifiedDateTime
Timestamp when the access review series was last modified. Supports $select. Read-only.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Reviewers
This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property. To construct, see NOTES section for REVIEWERS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewReviewerScope[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Scope
accessReviewScope
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Settings
accessReviewScheduleSettings To construct, see NOTES section for SETTINGS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewScheduleSettings |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-StageSettings
Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties. To construct, see NOTES section for STAGESETTINGS properties and create a hash table.
Type: | IMicrosoftGraphAccessReviewStageSettings[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Status
This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAccessReviewScheduleDefinition
System.Collections.IDictionary
Outputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAccessReviewScheduleDefinition
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
ADDITIONALNOTIFICATIONRECIPIENTS <IMicrosoftGraphAccessReviewNotificationRecipientItem-
[]>
: Defines the list of additional users or group members to be notified of the access review progress.
[NotificationRecipientScope <IMicrosoftGraphAccessReviewNotificationRecipientScope>]
: accessReviewNotificationRecipientScope[(Any) <Object>]
: This indicates any property can be added to this object.
[NotificationTemplateType <String>]
: Indicates the type of access review email to be sent. Supported template type is CompletedAdditionalRecipients which sends review completion notifications to the recipients.
BACKUPREVIEWERS <IMicrosoftGraphAccessReviewReviewerScope-
[]>
: This collection of reviewer scopes is used to define the list of fallback reviewers.
These fallback reviewers are notified to take action if no users are found from the list of reviewers specified.
This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist.
Supports $select.
Note: This property has been replaced by fallbackReviewers.
However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property.
[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
BODYPARAMETER <IMicrosoftGraphAccessReviewScheduleDefinition>
: accessReviewScheduleDefinition
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AdditionalNotificationRecipients <IMicrosoftGraphAccessReviewNotificationRecipientItem-
[]>]
: Defines the list of additional users or group members to be notified of the access review progress.[NotificationRecipientScope <IMicrosoftGraphAccessReviewNotificationRecipientScope>]
: accessReviewNotificationRecipientScope[(Any) <Object>]
: This indicates any property can be added to this object.
[NotificationTemplateType <String>]
: Indicates the type of access review email to be sent. Supported template type is CompletedAdditionalRecipients which sends review completion notifications to the recipients.
[BackupReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports $select. Note: This property has been replaced by fallbackReviewers. However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property.[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
[CreatedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.[IPAddress <String>]
: Indicates the client IP address associated with the user performing the activity (audit log only).[UserPrincipalName <String>]
: The userPrincipalName attribute of the user.
[CreatedDateTime <DateTime?>]
: Timestamp when the access review series was created. Supports $select. Read-only.[DescriptionForAdmins <String>]
: Description provided by review creators to provide more context of the review to admins. Supports $select.[DescriptionForReviewers <String>]
: Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.[DisplayName <String>]
: Name of the access review series. Supports $select and $orderby. Required on create.[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.[InstanceEnumerationScope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[(Any) <Object>]
: This indicates any property can be added to this object.
[Instances <IMicrosoftGraphAccessReviewInstance-
[]>]
: Set of access reviews instances for this access review series. Access reviews that don't recur will only have one instance; otherwise, there's an instance for each recurrence.[Id <String>]
: The unique identifier for an entity. Read-only.[ContactedReviewers <IMicrosoftGraphAccessReviewReviewer-
[]>]
: Returns the collection of reviewers who were contacted to complete this review. While the reviewers and fallbackReviewers properties of the accessReviewScheduleDefinition might specify group owners or managers as reviewers, contactedReviewers returns their individual identities. Supports $select. Read-only.[Id <String>]
: The unique identifier for an entity. Read-only.[CreatedDateTime <DateTime?>]
: The date when the reviewer was added for the access review.[DisplayName <String>]
: Name of reviewer.[UserPrincipalName <String>]
: User principal name of the user.
[Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem-
[]>]
: Each user reviewed in an accessReviewInstance has a decision item representing if they were approved, denied, or not yet reviewed.[Id <String>]
: The unique identifier for an entity. Read-only.[AccessReviewId <String>]
: The identifier of the accessReviewInstance parent. Supports $select. Read-only.[AppliedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[AppliedDateTime <DateTime?>]
: The timestamp when the approval decision was applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[ApplyResult <String>]
: The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound, and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only.[Decision <String>]
: Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only).[Insights <IMicrosoftGraphGovernanceInsight-
[]>]
: Insights are recommendations to reviewers on whether to approve or deny a decision. There can be multiple insights associated with an accessReviewInstanceDecisionItem.[Id <String>]
: The unique identifier for an entity. Read-only.[InsightCreatedDateTime <DateTime?>]
: Indicates when the insight was created.
[Instance <IMicrosoftGraphAccessReviewInstance>]
: accessReviewInstance[Justification <String>]
: Justification left by the reviewer when they made the decision.[Principal <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[PrincipalLink <String>]
: Link to the principal object. For example: https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only.[PrincipalResourceMembership <IMicrosoftGraphDecisionItemPrincipalResourceMembership>]
: decisionItemPrincipalResourceMembership[(Any) <Object>]
: This indicates any property can be added to this object.[MembershipType <String>]
: decisionItemPrincipalResourceMembershipType
[Recommendation <String>]
: A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. Recommend approve if sign-in is within 30 days of start of review. Recommend deny if sign-in is greater than 30 days of start of review. Recommendation not available otherwise. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only.[Resource <IMicrosoftGraphAccessReviewInstanceDecisionItemResource>]
: accessReviewInstanceDecisionItemResource[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: Display name of the resource[Id <String>]
: Resource ID[Type <String>]
: Type of resource. Types include: Group, ServicePrincipal, DirectoryRole, AzureRole, AccessPackageAssignmentPolicy.
[ResourceLink <String>]
: A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only.[ReviewedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[ReviewedDateTime <DateTime?>]
: The timestamp when the review decision occurred. Supports $select. Read-only.[Target <IMicrosoftGraphAccessReviewInstanceDecisionItemTarget>]
: accessReviewInstanceDecisionItemTarget[(Any) <Object>]
: This indicates any property can be added to this object.
[Definition <IMicrosoftGraphAccessReviewScheduleDefinition>]
: accessReviewScheduleDefinition[EndDateTime <DateTime?>]
: DateTime when review instance is scheduled to end. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[Errors <IMicrosoftGraphAccessReviewError-
[]>]
: Collection of errors in an access review instance lifecycle. Read-only.[Code <String>]
: The error code.[Message <String>]
: The error message.
[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports $select.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.[Scope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[Stages <IMicrosoftGraphAccessReviewStage-
[]>]
: If the instance has multiple stages, this returns the collection of stages. A new stage will only be created when the previous stage ends. The existence, number, and settings of stages on a review instance are created based on the accessReviewStageSettings on the parent accessReviewScheduleDefinition.[Id <String>]
: The unique identifier for an entity. Read-only.[Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem-
[]>]
: Each user reviewed in an accessReviewStage has a decision item representing if they were approved, denied, or not yet reviewed.[EndDateTime <DateTime?>]
: DateTime when review stage is scheduled to end. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. This property is the cumulative total of the durationInDays for all stages. Read-only.[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This can occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.[StartDateTime <DateTime?>]
: DateTime when review stage is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.[Status <String>]
: Specifies the status of an accessReviewStage. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $orderby, and $filter (eq only). Read-only.
[StartDateTime <DateTime?>]
: DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[Status <String>]
: Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.
[LastModifiedDateTime <DateTime?>]
: Timestamp when the access review series was last modified. Supports $select. Read-only.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.[Scope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[Settings <IMicrosoftGraphAccessReviewScheduleSettings>]
: accessReviewScheduleSettings[(Any) <Object>]
: This indicates any property can be added to this object.[ApplyActions <IMicrosoftGraphAccessReviewApplyAction-
[]>]
: Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction.[AutoApplyDecisionsEnabled <Boolean?>]
: Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[DecisionHistoriesForReviewersEnabled <Boolean?>]
: Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).[DefaultDecision <String>]
: Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.[DefaultDecisionEnabled <Boolean?>]
: Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[InstanceDurationInDays <Int32?>]
: Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.[JustificationRequiredOnApproval <Boolean?>]
: Indicates whether reviewers are required to provide justification with their decision. Default value is false.[MailNotificationsEnabled <Boolean?>]
: Indicates whether emails are enabled or disabled. Default value is false.[RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
: Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property.[RecommendationLookBackDuration <TimeSpan?>]
: Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.[RecommendationsEnabled <Boolean?>]
: Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[ReminderNotificationsEnabled <Boolean?>]
: Indicates whether reminders are enabled or disabled. Default value is false.
[StageSettings <IMicrosoftGraphAccessReviewStageSettings-
[]>]
: Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.[DecisionsThatWillMoveToNextStage <String-
[]>]
: Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.[DependsOn <String-
[]>]
: Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.[DurationInDays <Int32?>]
: The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object.
Can't exceed the length of one recurrence.
That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.
- [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist.
For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
:
- [RecommendationLookBackDuration <TimeSpan?>]
: Optional field.
Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured.
The recommendation is to deny if the user is inactive during the look back duration.
For reviews of groups and Microsoft Entra roles, any duration is accepted.
For reviews of applications, 30 days is the maximum duration.
If not specified, the duration is 30 days.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [RecommendationsEnabled <Boolean?>]
: Indicates whether showing recommendations to reviewers is enabled.
Required.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: Defines who the reviewers are.
If none is specified, the review is a self-review (users review their own access).
For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition.
- [StageId <String>]
: Unique identifier of the accessReviewStageSettings.
The stageId is used in dependsOn property to indicate the stage relationship.
Required.
[Status <String>]
: This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.
CREATEDBY <IMicrosoftGraphUserIdentity>
: userIdentity
[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.[IPAddress <String>]
: Indicates the client IP address associated with the user performing the activity (audit log only).[UserPrincipalName <String>]
: The userPrincipalName attribute of the user.
FALLBACKREVIEWERS <IMicrosoftGraphAccessReviewReviewerScope-
[]>
: This collection of reviewer scopes is used to define the list of fallback reviewers.
These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified.
This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist.
See accessReviewReviewerScope.
Replaces backupReviewers.
Supports $select.
NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.
[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
INSTANCES <IMicrosoftGraphAccessReviewInstance-
[]>
: Set of access reviews instances for this access review series.
Access reviews that don't recur will only have one instance; otherwise, there's an instance for each recurrence.
[Id <String>]
: The unique identifier for an entity. Read-only.[ContactedReviewers <IMicrosoftGraphAccessReviewReviewer-
[]>]
: Returns the collection of reviewers who were contacted to complete this review. While the reviewers and fallbackReviewers properties of the accessReviewScheduleDefinition might specify group owners or managers as reviewers, contactedReviewers returns their individual identities. Supports $select. Read-only.[Id <String>]
: The unique identifier for an entity. Read-only.[CreatedDateTime <DateTime?>]
: The date when the reviewer was added for the access review.[DisplayName <String>]
: Name of reviewer.[UserPrincipalName <String>]
: User principal name of the user.
[Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem-
[]>]
: Each user reviewed in an accessReviewInstance has a decision item representing if they were approved, denied, or not yet reviewed.[Id <String>]
: The unique identifier for an entity. Read-only.[AccessReviewId <String>]
: The identifier of the accessReviewInstance parent. Supports $select. Read-only.[AppliedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.[IPAddress <String>]
: Indicates the client IP address associated with the user performing the activity (audit log only).[UserPrincipalName <String>]
: The userPrincipalName attribute of the user.
[AppliedDateTime <DateTime?>]
: The timestamp when the approval decision was applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[ApplyResult <String>]
: The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound, and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only.[Decision <String>]
: Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only).[Insights <IMicrosoftGraphGovernanceInsight-
[]>]
: Insights are recommendations to reviewers on whether to approve or deny a decision. There can be multiple insights associated with an accessReviewInstanceDecisionItem.[Id <String>]
: The unique identifier for an entity. Read-only.[InsightCreatedDateTime <DateTime?>]
: Indicates when the insight was created.
[Instance <IMicrosoftGraphAccessReviewInstance>]
: accessReviewInstance[Justification <String>]
: Justification left by the reviewer when they made the decision.[Principal <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[PrincipalLink <String>]
: Link to the principal object. For example: https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only.[PrincipalResourceMembership <IMicrosoftGraphDecisionItemPrincipalResourceMembership>]
: decisionItemPrincipalResourceMembership[(Any) <Object>]
: This indicates any property can be added to this object.[MembershipType <String>]
: decisionItemPrincipalResourceMembershipType
[Recommendation <String>]
: A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. Recommend approve if sign-in is within 30 days of start of review. Recommend deny if sign-in is greater than 30 days of start of review. Recommendation not available otherwise. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only.[Resource <IMicrosoftGraphAccessReviewInstanceDecisionItemResource>]
: accessReviewInstanceDecisionItemResource[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: Display name of the resource[Id <String>]
: Resource ID[Type <String>]
: Type of resource. Types include: Group, ServicePrincipal, DirectoryRole, AzureRole, AccessPackageAssignmentPolicy.
[ResourceLink <String>]
: A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only.[ReviewedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[ReviewedDateTime <DateTime?>]
: The timestamp when the review decision occurred. Supports $select. Read-only.[Target <IMicrosoftGraphAccessReviewInstanceDecisionItemTarget>]
: accessReviewInstanceDecisionItemTarget[(Any) <Object>]
: This indicates any property can be added to this object.
[Definition <IMicrosoftGraphAccessReviewScheduleDefinition>]
: accessReviewScheduleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AdditionalNotificationRecipients <IMicrosoftGraphAccessReviewNotificationRecipientItem-
[]>]
: Defines the list of additional users or group members to be notified of the access review progress.[NotificationRecipientScope <IMicrosoftGraphAccessReviewNotificationRecipientScope>]
: accessReviewNotificationRecipientScope[(Any) <Object>]
: This indicates any property can be added to this object.
[NotificationTemplateType <String>]
: Indicates the type of access review email to be sent. Supported template type is CompletedAdditionalRecipients which sends review completion notifications to the recipients.
[BackupReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports $select. Note: This property has been replaced by fallbackReviewers. However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property.[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
[CreatedBy <IMicrosoftGraphUserIdentity>]
: userIdentity[CreatedDateTime <DateTime?>]
: Timestamp when the access review series was created. Supports $select. Read-only.[DescriptionForAdmins <String>]
: Description provided by review creators to provide more context of the review to admins. Supports $select.[DescriptionForReviewers <String>]
: Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.[DisplayName <String>]
: Name of the access review series. Supports $select and $orderby. Required on create.[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.[InstanceEnumerationScope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[(Any) <Object>]
: This indicates any property can be added to this object.
[Instances <IMicrosoftGraphAccessReviewInstance-
[]>]
: Set of access reviews instances for this access review series. Access reviews that don't recur will only have one instance; otherwise, there's an instance for each recurrence.[LastModifiedDateTime <DateTime?>]
: Timestamp when the access review series was last modified. Supports $select. Read-only.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.[Scope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[Settings <IMicrosoftGraphAccessReviewScheduleSettings>]
: accessReviewScheduleSettings[(Any) <Object>]
: This indicates any property can be added to this object.[ApplyActions <IMicrosoftGraphAccessReviewApplyAction-
[]>]
: Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction.[AutoApplyDecisionsEnabled <Boolean?>]
: Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[DecisionHistoriesForReviewersEnabled <Boolean?>]
: Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).[DefaultDecision <String>]
: Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.[DefaultDecisionEnabled <Boolean?>]
: Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[InstanceDurationInDays <Int32?>]
: Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.[JustificationRequiredOnApproval <Boolean?>]
: Indicates whether reviewers are required to provide justification with their decision. Default value is false.[MailNotificationsEnabled <Boolean?>]
: Indicates whether emails are enabled or disabled. Default value is false.[RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
: Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property.[RecommendationLookBackDuration <TimeSpan?>]
: Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.[RecommendationsEnabled <Boolean?>]
: Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[ReminderNotificationsEnabled <Boolean?>]
: Indicates whether reminders are enabled or disabled. Default value is false.
[StageSettings <IMicrosoftGraphAccessReviewStageSettings-
[]>]
: Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.[DecisionsThatWillMoveToNextStage <String-
[]>]
: Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.[DependsOn <String-
[]>]
: Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.[DurationInDays <Int32?>]
: The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object.
Can't exceed the length of one recurrence.
That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.
- [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist.
For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
:
- [RecommendationLookBackDuration <TimeSpan?>]
: Optional field.
Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured.
The recommendation is to deny if the user is inactive during the look back duration.
For reviews of groups and Microsoft Entra roles, any duration is accepted.
For reviews of applications, 30 days is the maximum duration.
If not specified, the duration is 30 days.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [RecommendationsEnabled <Boolean?>]
: Indicates whether showing recommendations to reviewers is enabled.
Required.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
- [Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: Defines who the reviewers are.
If none is specified, the review is a self-review (users review their own access).
For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition.
- [StageId <String>]
: Unique identifier of the accessReviewStageSettings.
The stageId is used in dependsOn property to indicate the stage relationship.
Required.
- [Status <String>]
: This read-only field specifies the status of an access review.
The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed.
Supports $select, $orderby, and $filter (eq only).
Read-only.
[EndDateTime <DateTime?>]
: DateTime when review instance is scheduled to end. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[Errors <IMicrosoftGraphAccessReviewError-
[]>]
: Collection of errors in an access review instance lifecycle. Read-only.[Code <String>]
: The error code.[Message <String>]
: The error message.
[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports $select.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.[Scope <IMicrosoftGraphAccessReviewScope>]
: accessReviewScope[Stages <IMicrosoftGraphAccessReviewStage-
[]>]
: If the instance has multiple stages, this returns the collection of stages. A new stage will only be created when the previous stage ends. The existence, number, and settings of stages on a review instance are created based on the accessReviewStageSettings on the parent accessReviewScheduleDefinition.[Id <String>]
: The unique identifier for an entity. Read-only.[Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem-
[]>]
: Each user reviewed in an accessReviewStage has a decision item representing if they were approved, denied, or not yet reviewed.[EndDateTime <DateTime?>]
: DateTime when review stage is scheduled to end. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. This property is the cumulative total of the durationInDays for all stages. Read-only.[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This can occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.[StartDateTime <DateTime?>]
: DateTime when review stage is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.[Status <String>]
: Specifies the status of an accessReviewStage. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $orderby, and $filter (eq only). Read-only.
[StartDateTime <DateTime?>]
: DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.[Status <String>]
: Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.
REVIEWERS <IMicrosoftGraphAccessReviewReviewerScope-
[]>
: This collection of access review scopes is used to define who are the reviewers.
The reviewers property is only updatable if individual users are assigned as reviewers.
Required on create.
Supports $select.
For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.
[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
SETTINGS <IMicrosoftGraphAccessReviewScheduleSettings>
: accessReviewScheduleSettings
[(Any) <Object>]
: This indicates any property can be added to this object.[ApplyActions <IMicrosoftGraphAccessReviewApplyAction-
[]>]
: Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction.[AutoApplyDecisionsEnabled <Boolean?>]
: Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[DecisionHistoriesForReviewersEnabled <Boolean?>]
: Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).[DefaultDecision <String>]
: Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.[DefaultDecisionEnabled <Boolean?>]
: Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.[InstanceDurationInDays <Int32?>]
: Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.[JustificationRequiredOnApproval <Boolean?>]
: Indicates whether reviewers are required to provide justification with their decision. Default value is false.[MailNotificationsEnabled <Boolean?>]
: Indicates whether emails are enabled or disabled. Default value is false.[RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
: Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property.[RecommendationLookBackDuration <TimeSpan?>]
: Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.[RecommendationsEnabled <Boolean?>]
: Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[ReminderNotificationsEnabled <Boolean?>]
: Indicates whether reminders are enabled or disabled. Default value is false.
STAGESETTINGS <IMicrosoftGraphAccessReviewStageSettings-
[]>
: Required only for a multi-stage access review to define the stages and their settings.
You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings.
Stages are created sequentially based on the dependsOn property.
Optional.
When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.
[DecisionsThatWillMoveToNextStage <String-
[]>]
: Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.[DependsOn <String-
[]>]
: Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.[DurationInDays <Int32?>]
: The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object.
Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.
[FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist. For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.[Query <String>]
: The query specifying who will be the reviewer.[QueryRoot <String>]
: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.[QueryType <String>]
: The type of query. Examples include MicrosoftGraph and ARM.
[RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting-
[]>]
:[RecommendationLookBackDuration <TimeSpan?>]
: Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured. The recommendation is to deny if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.[RecommendationsEnabled <Boolean?>]
: Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.[Reviewers <IMicrosoftGraphAccessReviewReviewerScope-
[]>]
: Defines who the reviewers are. If none is specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition.[StageId <String>]
: Unique identifier of the accessReviewStageSettings. The stageId is used in dependsOn property to indicate the stage relationship. Required.
RELATED LINKS
https://zcusa.951200.xyz/graph/api/accessreviewset-post-definitions?view=graph-rest-beta