AccessReview.ReadWrite.All

Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the AccessReview.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	ef5f7d5c-338f-44b0-86c3-351f46c8bb5f	e4aa47b9-9a69-4109-82ed-36ec70d85ff1
DisplayText	Manage all access reviews	Manage all access reviews that user can access
Description	Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user.	Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}
	GET /identityGovernance/accessReviews/definitions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/contactedReviewers
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}/decisions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/historyDefinitions
	GET /identityGovernance/accessReviews/historyDefinitions/{accessReviewHistoryDefinitionId}/instances
	GET /identityGovernance/accessReviews/historyDefinitions/{definition-id}
	PATCH /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId}
	PATCH /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}
	POST /identityGovernance/accessReviews/definitions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/acceptRecommendations
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/applyDecisions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/batchRecordDecisions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/resetDecisions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/sendReminder
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}/stop
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stop
	POST /identityGovernance/accessReviews/historyDefinitions
	POST /identityGovernance/accessReviews/historyDefinitions/{accessReviewHistoryDefinitionId}/instances/{accessReviewHistoryInstanceId}/generateDownloadUri
	PUT /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}
	PUT /identityGovernance/accessReviews/definitions/{review-id}

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /accessReviews/{reviewId}
	DELETE /accessReviews/{reviewId}/reviewers/{userId}
	DELETE /identityGovernance/accessReviews/definitions/{review-id}
	GET /accessReviews?$filter=businessFlowTemplateId eq {businessFlowTemplate-id}&$top={pagesize}&$skip=0
	GET /accessReviews/{reviewId}
	GET /accessReviews/{reviewId}/decisions
	GET /accessReviews/{reviewId}/myDecisions
	GET /accessReviews/{reviewId}/reviewers
	GET /identityGovernance/accessReviews/definitions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/contactedReviewers
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}/decisions
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/definitions/{definition-id}/instances
	GET /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}
	GET /identityGovernance/accessReviews/definitions/{review-id}
	GET /identityGovernance/accessReviews/definitions/filterByCurrentUser(on='reviewer')
	GET /identityGovernance/accessReviews/historyDefinitions
	GET /identityGovernance/accessReviews/historyDefinitions/{accessReviewHistoryDefinitionId}/instances
	GET /identityGovernance/accessReviews/historyDefinitions/{definition-id}
	GET /me/pendingAccessReviewInstances
	GET /me/pendingAccessReviewInstances/{instance-id}/decisions
	PATCH /accessReviews/{reviewId}
	PATCH /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId}
	PATCH /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}
	POST /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/stopApplyDecisions
	POST /accessReviews
	POST /accessReviews/{reviewId}/applyDecisions
	POST /accessReviews/{reviewId}/resetDecisions
	POST /accessReviews/{reviewId}/reviewers
	POST /accessReviews/{reviewId}/sendReminder
	POST /accessReviews/{reviewId}/stop
	POST /identityGovernance/accessReviews/decisions/filterByCurrentUser(on='reviewer')/recordAllDecisions
	POST /identityGovernance/accessReviews/definitions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/resetDecisions
	POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stages/{accessReviewStageId}/stop
	POST /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/applyDecisions
	POST /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/stop
	POST /identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/sendReminder
	POST /identityGovernance/accessReviews/historyDefinitions
	POST /identityGovernance/accessReviews/historyDefinitions/{accessReviewHistoryDefinitionId}/instances/{accessReviewHistoryInstanceId}/generateDownloadUri
	POST /me/pendingAccessReviewInstances/{accessReviewInstanceId}/batchRecordDecisions
	POST /me/pendingAccessReviewInstances/{instance-id}/acceptRecommendations
	PUT /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}
	PUT /identityGovernance/accessReviews/definitions/{review-id}

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Get-MgIdentityGovernanceAccessReviewDefinition
	Get-MgIdentityGovernanceAccessReviewDefinitionInstance
	Get-MgIdentityGovernanceAccessReviewDefinitionInstanceContactedReviewer
	Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Get-MgIdentityGovernanceAccessReviewDefinitionInstanceStage
	Get-MgIdentityGovernanceAccessReviewDefinitionInstanceStageDecision
	Get-MgIdentityGovernanceAccessReviewHistoryDefinition
	Get-MgIdentityGovernanceAccessReviewHistoryDefinitionInstance
	Invoke-MgAcceptIdentityGovernanceAccessReviewDefinitionInstanceRecommendation
	Invoke-MgBatchIdentityGovernanceAccessReviewDefinitionInstanceRecordDecision
	Invoke-MgFilterIdentityGovernanceAccessReviewDefinitionByCurrentUser
	Invoke-MgFilterIdentityGovernanceAccessReviewDefinitionInstanceByCurrentUser
	Invoke-MgFilterIdentityGovernanceAccessReviewDefinitionInstanceStageByCurrentUser
	Invoke-MgFilterIdentityGovernanceAccessReviewDefinitionInstanceStageDecisionByCurrentUser
	New-MgIdentityGovernanceAccessReviewDefinition
	New-MgIdentityGovernanceAccessReviewHistoryDefinition
	New-MgIdentityGovernanceAccessReviewHistoryDefinitionInstanceDownloadUri
	Remove-MgIdentityGovernanceAccessReviewDefinition
	Reset-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Send-MgIdentityGovernanceAccessReviewDefinitionInstanceReminder
	Set-MgIdentityGovernanceAccessReviewDefinition
	Stop-MgIdentityGovernanceAccessReviewDefinitionInstance
	Stop-MgIdentityGovernanceAccessReviewDefinitionInstanceStage
	Update-MgIdentityGovernanceAccessReviewDefinitionInstance
	Update-MgIdentityGovernanceAccessReviewDefinitionInstanceStage
	Update-MgIdentityGovernanceAccessReviewDefinitionInstanceStageDecision

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Add-MgBetaAccessReviewDecision
	Add-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Get-MgBetaAccessReview
	Get-MgBetaAccessReviewDecision
	Get-MgBetaAccessReviewMyDecision
	Get-MgBetaAccessReviewReviewer
	Get-MgBetaIdentityGovernanceAccessReviewDefinition
	Get-MgBetaIdentityGovernanceAccessReviewDefinitionInstance
	Get-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceContactedReviewer
	Get-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Get-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceStage
	Get-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceStageDecision
	Get-MgBetaIdentityGovernanceAccessReviewHistoryDefinition
	Get-MgBetaIdentityGovernanceAccessReviewHistoryDefinitionInstance
	Invoke-MgBetaAcceptIdentityGovernanceAccessReviewDecisionInstanceRecommendation
	Invoke-MgBetaAcceptIdentityGovernanceAccessReviewDefinitionInstanceRecommendation
	Invoke-MgBetaBatchIdentityGovernanceAccessReviewDecisionInstanceRecordDecision
	Invoke-MgBetaBatchIdentityGovernanceAccessReviewDefinitionInstanceRecordDecision
	Invoke-MgBetaFilterIdentityGovernanceAccessReviewDefinitionByCurrentUser
	Invoke-MgBetaFilterIdentityGovernanceAccessReviewDefinitionInstanceByCurrentUser
	Invoke-MgBetaFilterIdentityGovernanceAccessReviewDefinitionInstanceStageByCurrentUser
	Invoke-MgBetaFilterIdentityGovernanceAccessReviewDefinitionInstanceStageDecisionByCurrentUser
	Invoke-MgBetaRecordIdentityGovernanceAccessReviewDecision
	Invoke-MgBetaRecordIdentityGovernanceAccessReviewDecisionInstanceDecision
	Invoke-MgBetaRecordIdentityGovernanceAccessReviewDecisionInstanceStageDecision
	Invoke-MgBetaRecordIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Invoke-MgBetaRecordIdentityGovernanceAccessReviewDefinitionInstanceStageDecision
	New-MgBetaAccessReview
	New-MgBetaAccessReviewReviewer
	New-MgBetaIdentityGovernanceAccessReviewDefinition
	New-MgBetaIdentityGovernanceAccessReviewHistoryDefinition
	New-MgBetaIdentityGovernanceAccessReviewHistoryDefinitionInstanceDownloadUri
	Remove-MgBetaAccessReview
	Remove-MgBetaAccessReviewReviewer
	Remove-MgBetaIdentityGovernanceAccessReviewDefinition
	Reset-MgBetaAccessReviewDecision
	Reset-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceDecision
	Send-MgBetaAccessReviewReminder
	Send-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceReminder
	Set-MgBetaIdentityGovernanceAccessReviewDefinition
	Stop-MgBetaAccessReview
	Stop-MgBetaIdentityGovernanceAccessReviewDefinitionInstance
	Stop-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceApplyDecision
	Stop-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceStage
	Update-MgBetaAccessReview
	Update-MgBetaIdentityGovernanceAccessReviewDefinitionInstance
	Update-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceStage
	Update-MgBetaIdentityGovernanceAccessReviewDefinitionInstanceStageDecision

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: accessreview

Property	Type	Description
id	String	The feature-assigned unique identifier of an access review.
displayName	String	The access review name. Required on create.
startDateTime	DateTimeOffset	The date and time when the review is scheduled to be start. This date can be in the future. Required on create.
endDateTime	DateTimeOffset	The DateTime when the review is scheduled to end. This must be at least one day later than the start date. Required on create.
status	String	This read-only field specifies the status of an accessReview. The typical states include `Initializing`, `NotStarted`, `Starting`,`InProgress`, `Completing`, `Completed`, `AutoReviewing`, and `AutoReviewed`.
description	String	The description provided by the access review creator, to show to the reviewers.
businessFlowTemplateId	String	The business flow template identifier. Required on create. This value is case sensitive.
reviewerType	String	The relationship type of reviewer to the target object, one of: `self`, `delegated`, `entityOwners`. Required on create.
createdBy	userIdentity	The user who created this review.
reviewedEntity	identity	The object for which the access review is reviewing the access rights assignments. This identity can be the group for the review of memberships of users in a group, or the app for a review of assignments of users to an application. Required on create.
settings	accessReviewSettings	The settings of an accessReview, see type definition below.

Graph reference: accessreviewdecision

Property	Type	Description
`id`	`String`	The ID of the decision within the access review.
`accessReviewId`	`String`	The feature-generated ID of the access review.
`reviewedBy`	userIdentity	The identity of the reviewer. If the recommendation was used as the review, the userPrincipalName is empty.
`reviewedDate`	`DateTimeOffset`	The date and time the most recent review for this access right was supplied.
`reviewResult`	`String`	The result of the review, one of `NotReviewed`, `Deny`, `DontKnow` or `Approve`.
`justification`	`String`	The reviewer's business justification, if supplied.
`appliedBy`	userIdentity	When the review completes, if the results were manually applied, the user identity of the user who applied the decision. If the review was autoapplied, the userPrincipalName is empty.
`appliedDateTime`	`DateTimeOffset`	The date and time when the review decision was applied.
`applyResult`	`String`	The outcome of applying the decision, one of: `NotApplied`, `Success`, `Failed`, `NotFound`, `NotSupported`.
`accessRecommendation`	`String`	The feature- generated recommendation shown to the reviewer, one of: `Approve`, `Deny`, `NotAvailable`.

Graph reference: accessReviewHistoryDefinition

Property	Type	Description
createdBy	userIdentity	User who created this review history definition.
createdDateTime	DateTimeOffset	Timestamp when the access review definition was created.
decisions	String collection	Determines which review decisions will be included in the fetched review history data if specified. Optional on create. All decisions are included by default if no decisions are provided on create. Possible values are: `approve`, `deny`, `dontKnow`, `notReviewed`, and `notNotified`.
displayName	String	Name for the access review history data collection. Required.
id	String	The assigned unique identifier of an access review history definition.
reviewHistoryPeriodEndDateTime	DateTimeOffset	A timestamp. Reviews ending on or before this date will be included in the fetched history data. Only required if scheduleSettings isn't defined.
reviewHistoryPeriodStartDateTime	DateTimeOffset	A timestamp. Reviews starting on or before this date will be included in the fetched history data. Only required if scheduleSettings isn't defined.
scheduleSettings	accessReviewHistoryScheduleSettings	The settings for a recurring access review history definition series. Only required if reviewHistoryPeriodStartDateTime or reviewHistoryPeriodEndDateTime aren't defined. Not supported yet.
scopes	accessReviewScope collection	Used to scope what reviews are included in the fetched history data. Fetches reviews whose scope matches with this provided scope. Required.
status	accessReviewHistoryStatus	Represents the status of the review history data collection. The possible values are: `done`, `inProgress`, `error`, `requested`, `unknownFutureValue`.

Graph reference: accessReviewHistoryInstance

Property	Type	Description
downloadUri	String	Uri that can be used to retrieve review history data. This URI will be active for 24 hours after being generated. Required.
expirationDateTime	DateTimeOffset	Timestamp when this instance and associated data expires and the history is deleted. Required.
fulfilledDateTime	DateTimeOffset	Timestamp when all of the available data for this instance was collected and is set after this instance's status is set to `done`. Required.
id	String	The assigned unique identifier of an access review history instance. Read-only. Required.
reviewHistoryPeriodEndDateTime	DateTimeOffset	Timestamp reviews ending on or before this date will be included in the fetched history data.
reviewHistoryPeriodStartDateTime	DateTimeOffset	Timestamp reviews starting on or after this date will be included in the fetched history data.
runDateTime	DateTimeOffset	Timestamp when the instance's history data is scheduled to be generated.
status	accessReviewHistoryStatus	Represents the status of the review history data collection. The possible values are: `done`, `inProgress`, `error`, `requested`, `unknownFutureValue`. Once the **s

Graph reference: accessReviewInstance

Property	Type	Description
endDateTime	DateTimeOffset	DateTime when review instance is scheduled to end.The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.
fallbackReviewers	accessReviewReviewerScope collection	This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports `$select`.
id	String	Unique identifier of the instance. Supports `$select`. Read-only.
reviewers	accessReviewReviewerScope collection	This collection of access review scopes is used to define who the reviewers are. Supports `$select`. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
scope	accessReviewScope	Created based on scope and instanceEnumerationScope at the accessReviewScheduleDefinition level. Defines the scope of users reviewed in a group. Supports `$select` and `$filter` (`contains` only). Read-only.
startDateTime	DateTimeOffset	DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.
status	String	Specifies the status of an accessReview. Possible values: `Initializing`, `NotStarted`, `Starting`, `InProgress`, `Completing`, `Completed`, `AutoReviewing`, and `AutoReviewed`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.

Graph reference: accessReviewInstanceDecisionItem

Property	Type	Description
accessReviewId	String	The identifier of the accessReviewInstance parent. Supports `$select`. Read-only.
appliedBy	userIdentity	The identifier of the user who applied the decision. Read-only.
appliedDateTime	DateTimeOffset	The timestamp when the approval decision was applied.`00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't applied the decision or it was automatically applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Supports `$select`. Read-only.
applyResult	String	The result of applying the decision. Possible values: `New`, `AppliedSuccessfully`, `AppliedWithUnknownFailure`, `AppliedSuccessfullyButObjectNotFound` and `ApplyNotSupported`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.
decision	String	Result of the review. Possible values: `Approve`, `Deny`, `NotReviewed`, or `DontKnow`. Supports `$select`, `$orderby`, and `$filter` (`eq` only).
id	String	The identifier of the decision. Inherited from entity. Supports `$select`. Read-only.
justification	String	Justification left by the reviewer when they made the decision.
principal	identity	Every decision item in an access review represents a principal's access to a resource. This property represents details of the principal. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is "Bob" and the resource is "Sales". Principals can be of two types - userIdentity and servicePrincipalIdentity. Supports `$select`. Read-only.
principalLink	String	A link to the principal object. For example, `https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9`. Read-only.
recommendation	String	A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. The value is `Approve` if the sign-in is fewer than 30 days after the start of review, `Deny` if the sign-in is greater than 30 days after, or `NoInfoAvailable`. Possible values: `Approve`, `Deny`, or `NoInfoAvailable`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.
resource	accessReviewInstanceDecisionItemResource	Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is Bob and the resource is "Sales". Resources can be of multiple types. See accessReviewInstanceDecisionItemResource. Read-only.
resourceLink	String	A link to the resource. For example, `https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8`. Supports `$select`. Read-only.
reviewedBy	userIdentity	The identifier of the reviewer.`00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Supports `$select`. Read-only.
reviewedDateTime	DateTimeOffset	The timestamp when the review decision occurred. Supports `$select`. Read-only.

Graph reference: accessReviewQueryScope

Property	Type	Description
query	String	The query representing what will be reviewed in an access review.
queryRoot	String	In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, `./manager`.
queryType	String	Indicates the type of query. Types include `MicrosoftGraph` and `ARM`.

Graph reference: accessreviewrecurrencesettings

Property	Type	Description
recurrenceType	String	The recurrence interval. Possible values: `onetime`, `weekly`, `monthly`, `quarterly`, `halfyearly` or `annual`.
recurrenceEndType	String	How the recurrence ends. Possible values: `never`, `endBy`, `occurrences`, or `recurrenceCount`. If it's `never`, then there's no explicit end of the recurrence series. If it's `endBy`, then the recurrence ends at a certain date. If it's `occurrences`, then the series ends after `recurrenceCount` instances of the review have completed.
durationInDays	Int32	The duration in days for recurrence.
recurrenceCount	Int32	The count of recurrences, if the value of **r

Graph reference: accessReviewReviewer

Property	Type	Description
createdDateTime	DateTimeOffset	The date when the reviewer was added for the access review.
displayName	String	Name of reviewer.
id	String	Identifier of the reviewer. Inherited from entity.
userPrincipalName	String	User principal name of the reviewer.

Graph reference: accessReviewReviewerScope

Property	Type	Description
query	String	The query specifying who will be the reviewer.
queryRoot	String	In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, `./manager`, is specified. Possible value: `decisions`.
queryType	String	The type of query. Examples include `MicrosoftGraph` and `ARM`.

Graph reference: accessReviewScheduleDefinition

Property	Type	Description
additionalNotificationRecipients	accessReviewNotificationRecipientItem collection	Defines the list of additional users or group members to be notified of the access review progress.
backupReviewers (deprecated)	accessReviewReviewerScope collection	This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. Supports `$select`. Note: This property has been replaced by fallbackReviewers. However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property.
createdBy	userIdentity	User who created this review. Read-only.
createdDateTime	DateTimeOffset	Timestamp when the access review series was created. Supports `$select`. Read-only.
descriptionForAdmins	String	Description provided by review creators to provide more context of the review to admins. Supports `$select`.
descriptionForReviewers	String	Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports `$select`.
displayName	String	Name of the access review series. Supports `$select` and `$orderby`. Required on create.
fallbackReviewers	accessReviewReviewerScope collection	This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports `$select`. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.
id	String	The feature-assigned unique identifier of an access review. Supports `$select`. Read-only.
instanceEnumerationScope	accessReviewScope	This property is required when scoping a review to guest users' access across all Microsoft 365 groups and determines which Microsoft 365 groups are reviewed. Each group becomes a unique accessReviewInstance of the access review series. For supported scopes, see accessReviewScope. Supports `$select`. For examples of options for configuring instanceEnumerationScope, see Configure the scope of your access review definition using the Microsoft Graph API.
lastModifiedDateTime	DateTimeOffset	Timestamp when the access review series was last modified. Supports `$select`. Read-only.
reviewers	accessReviewReviewerScope collection	This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports `$select`. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.
scope	accessReviewScope	Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports `$select` and `$filter` (`contains` only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API.
settings	accessReviewScheduleSettings	The settings for an access review series, see type definition below. Supports `$select`. Required on create.
stageSettings	accessReviewStageSettings collection	Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.
status	String	This read-only field specifies the status of an access review. The typical states include `Initializing`, `NotStarted`, `Starting`, `InProgress`, `Completing`, `Completed`, `AutoReviewing`, and `AutoReviewed`. Supports `$select`, `$orderby`, and `$filter` (`eq` only). Read-only.

Graph reference: accessReviewScheduleSettings

Property	Type	Description
applyActions	accessReviewApplyAction collection	Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: `removeAccessApplyAction` (default) and `disableAndDeleteUserApplyAction`. Field only needs to be specified in the case of `disableAndDeleteUserApplyAction`.
autoApplyDecisionsEnabled	Boolean	Indicates whether decisions are automatically applied. When set to `false`, an admin must apply the decisions manually once the reviewer completes the access review. When set to `true`, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is `false`. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are `true`, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
decisionHistoriesForReviewersEnabled	Boolean	Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (`false`).
defaultDecision	String	Decision chosen if defaultDecisionEnabled is enabled. Can be one of `Approve`, `Deny`, or `Recommendation`.
defaultDecisionEnabled	Boolean	Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is `false`. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are `true`, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
instanceDurationInDays	Int32	Duration of an access review instance in days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.
justificationRequiredOnApproval	Boolean	Indicates whether reviewers are required to provide justification with their decision. Default value is `false`.
mailNotificationsEnabled	Boolean	Indicates whether emails are enabled or disabled. Default value is `false`.
recommendationsEnabled	Boolean	Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.
recurrence	patternedRecurrence	Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only dayOfMonth, interval, and type (`weekly`, `absoluteMonthly`) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts.
reminderNotificationsEnabled	Boolean	Indicates whether reminders are enabled or disabled. Default value is `false`.
recommendationLookBackDuration	Duration	Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to `deny` if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.
recommendationInsightSettings	accessReviewRecommendationInsightSetting collection	Optional. Describes the types of insights that aid reviewers to make access review decisions. **N

Graph reference: accessReviewStage

Property	Type	Description
endDateTime	DateTimeOffset	The date and time in ISO 8601 format and UTC time when the review stage is scheduled to end. This property is the cumulative total of the durationInDays for all stages. Read-only.
fallbackReviewers	accessReviewReviewerScope collection	This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist.
id	String	Unique identifier of the stage. Read-only.
reviewers	accessReviewReviewerScope collection	This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
startDateTime	DateTimeOffset	The date and time in ISO 8601 format and UTC time when the review stage is scheduled to start. Read-only.
status	String	Specifies the status of an accessReviewStage. Possible values: `Initializing`, `NotStarted`, `Starting`, `InProgress`, `Completing`, `Completed`, `AutoReviewing`, and `AutoReviewed`. Supports `$orderby`, and `$filter` (`eq` only). Read-only.

Graph reference: accessReviewStageSettings

Property	Type	Description
decisionsThatWillMoveToNextStage	String collection	Indicate which decisions will go to the next stage. Can be a subset of `Approve`, `Deny`, `Recommendation`, or `NotReviewed`. If not provided, all decisions will go to the next stage. Optional.
dependsOn	String collection	Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is `2`, then dependsOn must be `1`. If stageId is `1`, don't specify dependsOn. Required if stageId isn't `1`.
durationInDays	Int32	The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object. 2. Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.
fallbackReviewers	accessReviewReviewerScope collection	If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist. For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
recommendationsEnabled	Boolean	Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides override the corresponding setting on the accessReviewScheduleDefinition object.
recommendationInsightsSettings	accessReviewRecommendationInsightSetting collection	Determines which recommendations to show to reviewers. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
recommendationLookBackDuration	Duration	Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation is to `deny` if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
reviewers	accessReviewReviewerScope collection	Defines who the reviewers are. If none is specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition.
stageId	String	Unique identifier of the **a

Graph reference: businessflowtemplate

Property	Type	Description
id	String	The feature-assigned identifier of the business flow template. These values are case sensitive.
displayName	String	The name of the business flow template

Graph reference: identity

Property	Type	Description
displayName	String	The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
id	String	Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
tenantId	String	Unique identity of the tenant. Optional.
thumbnails	thumbnailSet	Keyed collection of thumbnail resources. Optional. Applies to drive items, for example.

Graph reference: programcontrol

Property	Type	Description
id	String	The feature-assigned identifier of the link between program and control.
programId	String	The programId of the program this control is a part of. Required on create.
controlId	String	The controlId of the control, in particular the identifier of an access review. Required on create.
controlTypeId	String	The programControlType identifies the type of program control - for example, a control linking to guest access reviews. Required on create.
displayName	String	The name of the control.
status	String	The life cycle status of the control.
createdDateTime	DateTimeOffset	The creation date and time of the program control.
owner	userIdentity	The user who created the program control.
resource	programResource	The resource, a group or an app, targeted by this program control's access review.

Graph reference: userIdentity

Property	Type	Description
displayName	String	The display name of the identity. This might not always be available or up-to-date.
id	String	Unique identifier for the identity. Nullable. When the unique identifier is unavailable, the displayName property is provided for the identity, but the id property isn't included in the response.
ipAddress	String	Indicates the client IP address associated with the user performing the activity (audit log only).
userPrincipalName	String	The **u

Table of Contents

AccessReview.ReadWrite.All

Graph Methods

Resources