AccessReview.ReadWrite.All
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
Property | Value |
---|---|
Id | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 |
Consent Type | Admin |
Display String | Manage all access reviews that user can access |
Description | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. |
Application Permission
Property | Value |
---|---|
Id | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f |
Display String | Manage all access reviews |
Description | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. |
Resources
accessreview
Property | Type | Description |
---|---|---|
id | String | The feature-assigned unique identifier of an access review. |
displayName | String | The access review name. Required on create. |
startDateTime | DateTimeOffset | The DateTime when the review is scheduled to start. This could be a date in the future. Required on create. |
endDateTime | DateTimeOffset | The DateTime when the review is scheduled to end. This must be at least one day later than the start date. Required on create. |
status | String | This read-only field specifies the status of an accessReview. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. |
description | String | The description provided by the access review creator, to show to the reviewers. |
businessFlowTemplateId | String | The business flow template identifier. Required on create. This value is case sensitive. |
reviewerType | String | The relationship type of reviewer to the target object, one of self, delegated or entityOwners. Required on create. |
createdBy | userIdentity | The user who created this review. |
reviewedEntity | identity | The object whose access rights assignments the access review is reviewing. This can be the group for the review of memberships of users in a group, or the app for a review of assignments of users to an application. Required on create. |
settings | accessReviewSettings | The settings of an accessReview, see type definition below. |
accessreviewdecision
Property | Type | Description |
---|---|---|
id | String | The id of the decision within the access review. |
accessReviewId | String | The feature-generated id of the access review. |
reviewedBy | userIdentity | The identity of the reviewer. If the recommendation was used as the review, the userPrincipalName is empty. |
reviewedDate | DateTimeOffset | The date and time the most recent review for this access right was supplied. |
reviewResult | String | The result of the review, one of NotReviewed, Deny, DontKnow or Approve. |
justification | String | The reviewer's business justification, if supplied. |
appliedBy | userIdentity | When the review completes, if the results were manually applied, the user identity of the user who applied the decision. If the review was auto-applied, the userPrincipalName is empty. |
appliedDateTime | DateTimeOffset | The date and time when the review decision was applied. |
applyResult | String | The outcome of applying the decision, one of NotApplied, Success, Failed, NotFound or NotSupported. |
accessRecommendation | String | The feature-generated recommendation shown to the reviewer, one of Approve, Deny or NotAvailable. |
accessReviewHistoryDefinition
Property | Type | Description |
---|---|---|
createdBy | userIdentity | User who created this review history definition. |
createdDateTime | DateTimeOffset | Timestamp when the access review definition was created. |
decisions | String collection | Determines which review decisions will be included in the fetched review history data if specified. Optional on create. All decisions will be included by default if no decisions are provided on create. Possible values are: approve, deny, dontKnow, notReviewed, and notNotified. |
displayName | String | Name for the access review history data collection. Required. |
id | String | The assigned unique identifier of an access review history definition. |
reviewHistoryPeriodEndDateTime | DateTimeOffset | A timestamp. Reviews ending on or before this date will be included in the fetched history data. Only required if scheduleSettings is not defined. |
reviewHistoryPeriodStartDateTime | DateTimeOffset | A timestamp. Reviews starting on or before this date will be included in the fetched history data. Only required if scheduleSettings is not defined. |
scheduleSettings | accessReviewHistoryScheduleSettings | The settings for a recurring access review history definition series. Only required if reviewHistoryPeriodStartDateTime or reviewHistoryPeriodEndDateTime are not defined. Not supported yet. |
scopes | accessReviewScope collection | Used to scope what reviews are included in the fetched history data. Fetches reviews whose scope matches with this provided scope. Required. |
status | accessReviewHistoryStatus | Represents the status of the review history data collection. The possible values are: done, inProgress, error, requested, unknownFutureValue. |
accessReviewHistoryInstance
Property | Type | Description |
---|---|---|
downloadUri | String | URI that can be used to retrieve review history data. This URI is active for 24 hours after being generated. Required. |
expirationDateTime | DateTimeOffset | Timestamp when this instance and associated data expire and the history is deleted. Required. |
fulfilledDateTime | DateTimeOffset | Timestamp when all of the available data for this instance was collected. This will be set after this instance's status is set to done. Required. |
id | String | The assigned unique identifier of an access review history instance. Read-only. Required. |
reviewHistoryPeriodEndDateTime | DateTimeOffset | Timestamp; reviews ending on or before this date will be included in the fetched history data. |
reviewHistoryPeriodStartDateTime | DateTimeOffset | Timestamp; reviews starting on or after this date will be included in the fetched history data. |
runDateTime | DateTimeOffset | Timestamp when the instance's history data is scheduled to be generated. |
status | accessReviewHistoryStatus | Represents the status of the review history data collection. The possible values are: done, inProgress, error, requested, unknownFutureValue. Once the **s |
accessReviewInstance
Property | Type | Description |
---|---|---|
endDateTime | DateTimeOffset | DateTime when the review instance is scheduled to end. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
fallbackReviewers | accessReviewReviewerScope collection | This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select. |
id | String | Unique identifier of the instance. Supports $select. Read-only. |
reviewers | accessReviewReviewerScope collection | This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. |
scope | accessReviewScope | Created based on scope and instanceEnumerationScope at the accessReviewScheduleDefinition level. Defines the scope of users reviewed in a group. Supports $select and $filter (contains only). Read-only. |
startDateTime | DateTimeOffset | DateTime when the review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
status | String | Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only. |
accessReviewInstanceDecisionItem
Property | Type | Description |
---|---|---|
accessReviewId | String | The identifier of the accessReviewInstance parent. Supports $select. Read-only. |
appliedBy | userIdentity | The identifier of the user who applied the decision. Read-only. |
appliedDateTime | DateTimeOffset | The timestamp when the approval decision was applied. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't applied the decision or it was automatically applied. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
applyResult | String | The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only. |
decision | String | Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only). |
id | String | The identifier of the decision. Inherited from entity. Supports $select. Read-only. |
justification | String | Justification left by the reviewer when they made the decision. |
principal | identity | Every decision item in an access review represents a principal's access to a resource. This property represents details of the principal. For example, if a decision item represents access of User "Bob" to Group "Sales", the principal is "Bob" and the resource is "Sales". Principals can be of two types: userIdentity and servicePrincipalIdentity. Supports $select. Read-only. |
principalLink | String | A link to the principal object. For example, https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only. |
recommendation | String | A system-generated recommendation for the approval decision based off the last interactive sign-in to the tenant. Recommend approve if the sign-in is within thirty days of the start of the review. Recommend deny if the sign-in is more than thirty days before the start of the review. Recommendation not available otherwise. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only. |
resource | accessReviewInstanceDecisionItemResource | Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales", the principal is "Bob" and the resource is "Sales". Resources can be of multiple types. See accessReviewInstanceDecisionItemResource. Read-only. |
resourceLink | String | A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only. |
reviewedBy | userIdentity | The identifier of the reviewer. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't reviewed. Supports $select. Read-only. |
reviewedDateTime | DateTimeOffset | The timestamp when the review decision occurred. Supports $select. Read-only. |
accessReviewQueryScope
Property | Type | Description |
---|---|---|
query | String | The query representing what will be reviewed in an access review. |
queryRoot | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager. |
queryType | String | Indicates the type of query. Types include MicrosoftGraph and ARM. |
accessreviewrecurrencesettings
Property | Type | Description |
---|---|---|
recurrenceType | String | The recurrence interval. Possible values: onetime, weekly, monthly, quarterly, halfyearly or annual. |
recurrenceEndType | String | How the recurrence ends. Possible values: never, endBy, occurrences, or recurrenceCount. If it is never, then there is no explicit end of the recurrence series. If it is endBy, then the recurrence ends at a certain date. If it is occurrences, then the series ends after recurrenceCount instances of the review have completed. |
durationInDays | Int32 | The duration in days for recurrence. |
recurrenceCount | Int32 | The count of recurrences, if the value of **r |
accessReviewReviewer
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The date when the reviewer was added for the access review. |
displayName | String | Name of reviewer. |
id | String | Identifier of the reviewer. Inherited from entity. |
userPrincipalName | String | User principal name of the reviewer. |
accessReviewReviewerScope
Property | Type | Description |
---|---|---|
query | String | The query specifying who will be the reviewer. |
queryRoot | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example ./manager, is specified. Possible value: decisions. |
queryType | String | The type of query. Examples include MicrosoftGraph and ARM. |
accessreviews-root
accessReviewScheduleDefinition
Property | Type | Description |
---|---|---|
additionalNotificationRecipients | accessReviewNotificationRecipientItem collection | Defines the list of additional users or group members to be notified of the access review progress. |
backupReviewers (deprecated) | accessReviewReviewerScope collection | This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select. Note: This property has been replaced by fallbackReviewers. However, specifying either backupReviewers or fallbackReviewers automatically populates the same values to the other property. |
createdBy | userIdentity | User who created this review. Read-only. |
createdDateTime | DateTimeOffset | Timestamp when the access review series was created. Supports $select. Read-only. |
descriptionForAdmins | String | Description provided by review creators to give admins more context for the review. Supports $select. |
descriptionForReviewers | String | Description provided by review creators to give reviewers more context for the review. Reviewers will see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select. |
displayName | String | Name of the access review series. Supports $select and $orderBy. Required on create. |
fallbackReviewers | accessReviewReviewerScope collection | This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property. |
id | String | The feature-assigned unique identifier of an access review. Supports $select. Read-only. |
instanceEnumerationScope | accessReviewScope | This property is required when scoping a review to guest users' access across all Microsoft 365 groups and determines which Microsoft 365 groups are reviewed. Each group will become a unique accessReviewInstance of the access review series. For supported scopes, see accessReviewScope. Supports $select. For examples of options for configuring instanceEnumerationScope, see Configure the scope of your access review definition using the Microsoft Graph API. |
lastModifiedDateTime | DateTimeOffset | Timestamp when the access review series was last modified. Supports $select. Read-only. |
reviewers | accessReviewReviewerScope collection | This collection of access review scopes is used to define who the reviewers are. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property. |
scope | accessReviewScope | Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API. |
settings | accessReviewScheduleSettings | The settings for an access review series, see type definition below. Supports $select. Required on create. |
stageSettings | accessReviewStageSettings collection | Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages will be created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties. |
status | String | This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only. |
accessReviewScheduleSettings
Property | Type | Description |
---|---|---|
applyActions | accessReviewApplyAction collection | Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. The field only needs to be specified in the case of disableAndDeleteUserApplyAction. |
autoApplyDecisionsEnabled | Boolean | Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. |
decisionHistoriesForReviewersEnabled | Boolean | Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false). |
defaultDecision | String | Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation. |
defaultDecisionEnabled | Boolean | Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. |
instanceDurationInDays | Int32 | Duration of an access review instance in days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property. |
justificationRequiredOnApproval | Boolean | Indicates whether reviewers are required to provide justification with their decision. Default value is false. |
mailNotificationsEnabled | Boolean | Indicates whether emails are enabled or disabled. Default value is false. |
recommendationsEnabled | Boolean | Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property. |
recurrence | patternedRecurrence | Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only the dayOfMonth, interval, and type (weekly, absoluteMonthly) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts. |
reminderNotificationsEnabled | Boolean | Indicates whether reminders are enabled or disabled. Default value is false. |
accessReviewScope
accessReviewStage
Property | Type | Description |
---|---|---|
endDateTime | DateTimeOffset | The date and time in ISO 8601 format and UTC time when the review stage is scheduled to end. This property is the cumulative total of the durationInDays for all stages. Read-only. |
fallbackReviewers | accessReviewReviewerScope collection | This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. |
id | String | Unique identifier of the stage. Read-only. |
reviewers | accessReviewReviewerScope collection | This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. |
startDateTime | DateTimeOffset | The date and time in ISO 8601 format and UTC time when the review stage is scheduled to start. Read-only. |
status | String | Specifies the status of an accessReviewStage. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $orderby and $filter (eq only). Read-only. |
accessReviewStageSettings
Property | Type | Description |
---|---|---|
decisionsThatWillMoveToNextStage | String collection | Indicates which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional. |
dependsOn | String collection | Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, do not specify dependsOn. Required if stageId is not 1. |
durationInDays | Int32 | The duration of the stage. Required. NOTE: The cumulative value of this property across all stages (1) overrides the instanceDurationInDays setting on the accessReviewScheduleDefinition object and (2) cannot exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays cannot exceed 7. |
fallbackReviewers | accessReviewReviewerScope collection | If provided, the fallback reviewers are asked to complete a review if the primary reviewers do not exist. For example, if managers are selected as reviewers and a principal under review does not have a manager in Azure AD, the fallback reviewers are asked to review that principal. NOTE: The value of this property will override the corresponding setting on the accessReviewScheduleDefinition object. |
recommendationsEnabled | Boolean | Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property will override the corresponding setting on the accessReviewScheduleDefinition object. |
reviewers | accessReviewReviewerScope collection | Defines who the reviewers are. If none are specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will override the corresponding setting on the accessReviewScheduleDefinition. |
stageId | String | Unique identifier of the **a |
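The accessReviewScheduleDefinition, accessReviewScheduleSettings and accessReviewStageSettings tables above together state a number of rules an app holding this permission must satisfy on create (required properties, sequential stageSettings, the cumulative durationInDays limit, valid defaultDecision values) and a number of settings that decide whether access survives a review with no human decision. The following pre-flight validator is an added example, not code from the page or from the Microsoft Graph SDK; the sample payload, the 28-day month length used for absoluteMonthly, and the placeholder group id are constructed here.

```python
# Added example, not from the page or the Microsoft Graph docs: a pre-flight check
# that applies the constraints the tables above state to an accessReviewScheduleDefinition
# payload. The sample payload and the 28-day month assumption are constructed here.
VALID_NEXT_STAGE = {"Approve", "Deny", "Recommendation", "NotReviewed"}
VALID_DEFAULT = {"Approve", "Deny", "Recommendation"}


def recurrence_length_days(settings):
    """Days in one recurrence, or None when the series does not recur.
    weekly = 7 * interval; absoluteMonthly = 28 * interval (assumed shortest
    month, so the cumulative-stage check is conservative)."""
    pattern = settings.get("recurrence", {}).get("pattern") or {}
    interval = pattern.get("interval", 1)
    if pattern.get("type") == "weekly":
        return 7 * interval
    if pattern.get("type") == "absoluteMonthly":
        return 28 * interval
    return None


def validate_definition(defn):
    """Return (errors, warnings): errors break 'Required on create' or
    stageSettings rules; warnings flag access kept without a human decision."""
    errors, warnings = [], []
    for key in ("displayName", "scope", "settings"):
        if key not in defn:
            errors.append(f"{key} is required on create")
    settings = defn.get("settings", {})
    stages = defn.get("stageSettings") or []
    if not stages and not defn.get("reviewers"):
        errors.append("reviewers is required on create unless stageSettings is set")
    if len(stages) > 3:
        errors.append("at most three sequential stages are supported")
    total_days = 0
    for i, stage in enumerate(stages, start=1):
        # Only sequential stages: stage 1 has no dependsOn, stage n depends on n-1
        if str(stage.get("stageId")) != str(i):
            errors.append(f"stage {i}: stageId must be '{i}'")
        depends = stage.get("dependsOn")
        if i == 1 and depends:
            errors.append("stage 1: dependsOn must not be specified")
        if i > 1 and depends != [str(i - 1)]:
            errors.append(f"stage {i}: dependsOn must be ['{i - 1}']")
        for req in ("durationInDays", "recommendationsEnabled"):
            if req not in stage:
                errors.append(f"stage {i}: {req} is required")
        bad = set(stage.get("decisionsThatWillMoveToNextStage", [])) - VALID_NEXT_STAGE
        if bad:
            errors.append(f"stage {i}: unknown decisionsThatWillMoveToNextStage {sorted(bad)}")
        total_days += stage.get("durationInDays", 0)
    period = recurrence_length_days(settings)
    if stages and period is not None and total_days > period:
        errors.append(f"cumulative stage durationInDays {total_days} exceeds one recurrence ({period} days)")
    if settings.get("defaultDecisionEnabled") and settings.get("defaultDecision") not in VALID_DEFAULT:
        errors.append("defaultDecision must be Approve, Deny or Recommendation")
    # Combinations that leave access in place with no reviewer ever deciding
    if (settings.get("autoApplyDecisionsEnabled") and settings.get("defaultDecisionEnabled")
            and settings.get("defaultDecision") == "Approve"):
        warnings.append("autoApply with defaultDecision=Approve: unreviewed access is approved automatically")
    if not settings.get("mailNotificationsEnabled"):
        warnings.append("mailNotificationsEnabled is false: reviewers are never emailed")
    if not settings.get("justificationRequiredOnApproval"):
        warnings.append("justificationRequiredOnApproval is false: approvals carry no justification")
    return errors, warnings


# Constructed sample: weekly two-stage review whose stages add up to 8 days (> 7)
SAMPLE_DEFINITION = {
    "displayName": "Sales group membership review",
    "scope": {"query": "/groups/<group-id-placeholder>/transitiveMembers", "queryType": "MicrosoftGraph"},
    "settings": {"mailNotificationsEnabled": True, "autoApplyDecisionsEnabled": True,
                 "defaultDecisionEnabled": True, "defaultDecision": "Approve",
                 "recurrence": {"pattern": {"type": "weekly", "interval": 1}}},
    "stageSettings": [
        {"stageId": "1", "durationInDays": 4, "recommendationsEnabled": True,
         "reviewers": [{"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}]},
        {"stageId": "2", "dependsOn": ["1"], "durationInDays": 4, "recommendationsEnabled": False,
         "reviewers": [{"query": "/groups/<group-id-placeholder>/owners", "queryType": "MicrosoftGraph"}]},
    ],
}
```

Run `validate_definition(SAMPLE_DEFINITION)` to see the sample rejected for the 8-day cumulative stage length and flagged for auto-approving unreviewed access.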
accessreviewsv2-overview
businessflowtemplate
Property | Type | Description |
---|---|---|
id | String | The feature-assigned identifier of the business flow template. These values are case sensitive. |
displayName | String | The name of the business flow template |
identity
Property | Type | Description |
---|---|---|
displayName | String | The display name of the identity. Note that this might not always be available or up to date. For example, if a user changes their display name, the API might show the new value in a future response, but the items associated with the user won't show up as having changed when using delta. |
id | String | Unique identifier for the identity. |
programcontrol
Property | Type | Description |
---|---|---|
id | String | The feature-assigned identifier of the link between program and control. |
programId | String | The programId of the program this control is a part of. Required on create. |
controlId | String | The controlId of the control, in particular the identifier of an access review. Required on create. |
controlTypeId | String | The programControlType identifies the type of program control - for example, a control linking to guest access reviews. Required on create. |
displayName | String | The name of the control. |
status | String | The life cycle status of the control. |
createdDateTime | DateTimeOffset | The creation date and time of the program control. |
owner | userIdentity | The user who created the program control. |
resource | programResource | The resource, a group or an app, targeted by this program control's access review. |
userIdentity
Property | Type | Description |
---|---|---|
displayName | String | The identity's display name. Note that this may not always be available or up-to-date. |
id | String | Unique identifier for the identity. |
ipAddress | String | Indicates the client IP address used by user performing the activity (audit log only). |
userPrincipalName | String | The userPrincipalName attribute of the user. |