AccessReview.ReadWrite.All
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
| Ver |
Type |
Method |
| Beta |
D |
DELETE /accessReviews/{reviewId} |
| Beta |
D |
DELETE /accessReviews/{reviewId}/reviewers/{userId} |
| V1 |
A,D |
DELETE /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId} |
| Beta |
A,D |
DELETE /identityGovernance/accessReviews/definitions/{review-id} |
| Beta |
D |
GET /accessReviews/{reviewId} |
| Beta |
D |
GET /accessReviews/{reviewId}/decisions |
| Beta |
D |
GET /accessReviews/{reviewId}/myDecisions |
| Beta |
D |
GET /accessReviews/{reviewId}/reviewers |
| Beta |
D |
GET /accessReviews?$filter=businessFlowTemplateId eq {businessFlowTemplate-id}&$top={pagesize}&$skip=0 |
| Beta |
D |
GET /businessFlowTemplates |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId} |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId} |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId} |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/filterByCurrentUser(on='reviewer') |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/filterByCurrentUser(on='reviewer') |
| Beta |
A,D |
GET /identityGovernance/accessReviews/definitions/{definition-id}/instances |
| Beta |
A,D |
GET /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id} |
| Beta |
A,D |
GET /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/decisions |
| Beta |
A,D |
GET /identityGovernance/accessReviews/definitions/{review-id} |
| V1 |
A,D |
GET /identityGovernance/accessReviews/definitions/filterByCurrentUser(on='reviewer') |
| Beta |
A,D |
GET /identityGovernance/accessReviews/historyDefinitions |
| Beta |
A,D |
GET /identityGovernance/accessReviews/historyDefinitions/{definition-id} |
| Beta |
D |
GET /me/pendingAccessReviewInstances |
| Beta |
D |
GET /me/pendingAccessReviewInstances/{instance-id}/decisions |
| Beta |
D |
PATCH /accessReviews/{reviewId} |
| V1 |
A,D |
PATCH /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions/{accessReviewInstanceDecisionItemId} |
| Beta |
D |
PATCH /me/pendingAccessReviewInstances/{instance-id}/decisions/{decision-id} |
| Beta |
D |
POST /accessReviews |
| Beta |
D |
POST /accessReviews/{reviewId}/applyDecisions |
| Beta |
D |
POST /accessReviews/{reviewId}/resetDecisions |
| Beta |
D |
POST /accessReviews/{reviewId}/reviewers |
| Beta |
D |
POST /accessReviews/{reviewId}/sendReminder |
| Beta |
D |
POST /accessReviews/{reviewId}/stop |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions |
| V1 |
D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/acceptRecommendations |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/applyDecisions |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/batchRecordDecisions |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/resetDecisions |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/sendReminder |
| V1 |
A,D |
POST /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/stop |
| Beta |
A,D |
POST /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/applyDecisions |
| Beta |
A,D |
POST /identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/sendReminder |
| Beta |
A,D |
POST /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/stop |
| Beta |
A,D |
POST /identityGovernance/accessReviews/historyDefinitions |
| Beta |
A,D |
POST /identityGovernance/accessReviews/historyDefinitions/{definition-id}/generateDownloadUri() |
| Beta |
A,D |
POST /me/pendingAccessReviewInstances/{accessReviewInstanceId}/batchRecordDecisions |
| Beta |
D |
POST /me/pendingAccessReviewInstances/{instance-id}/acceptRecommendations |
| V1 |
A,D |
PUT /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId} |
| Beta |
A,D |
PUT /identityGovernance/accessReviews/definitions/{review-id} |
Delegate Permission
|
|
| Id |
e4aa47b9-9a69-4109-82ed-36ec70d85ff1 |
| Consent Type |
Admin |
| Display String |
Manage all access reviews that user can access |
| Description |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. |
Application Permission
|
|
| Id |
ef5f7d5c-338f-44b0-86c3-351f46c8bb5f |
| Display String |
Manage all access reviews |
| Description |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. |
Resources
| Property |
Type |
Description |
| id |
String |
The feature-assigned unique identifier of an access review. |
| displayName |
String |
The access review name. Required on create. |
| startDateTime |
DateTimeOffset |
The DateTime when the review is scheduled to be start. This could be a date in the future. Required on create. |
| endDateTime |
DateTimeOffset |
The DateTime when the review is scheduled to end. This must be at least one day later than the start date. Required on create. |
| status |
String |
This read-only field specifies the status of an accessReview. The typical states include Initializing, NotStarted, Starting,InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. |
| description |
String |
The description provided by the access review creator, to show to the reviewers. |
| businessFlowTemplateId |
String |
The business flow template identifier. Required on create. This value is case sensitive. |
| reviewerType |
String |
The relationship type of reviewer to the target object, one of self, delegated or entityOwners. Required on create. |
| createdBy |
userIdentity |
The user who created this review. |
| reviewedEntity |
identity |
The object for which the access reviews is reviewing the access rights assignments. This can be the group for the review of memberships of users in a group, or the app for a review of assignments of users to an application. Required on create. |
| settings |
accessReviewSettings |
The settings of an accessReview, see type definition below. |
| Property |
Type |
Description |
id |
String |
The id of the decision within the access review. |
accessReviewId |
String |
The feature-generated id of the access review. |
reviewedBy |
userIdentity |
The identity of the reviewer. If the recommendation was used as the review, the userPrincipalName is empty. |
reviewedDate |
DateTimeOffset |
The date and time the most recent review for this access right was supplied. |
reviewResult |
String |
The result of the review, one of NotReviewed, Deny, DontKnow or Approve. |
justification |
String |
The reviewer's business justification, if supplied. |
appliedBy |
userIdentity |
When the review completes, if the results were manually applied, the user identity of the user who applied the decision. If the review was auto-applied, the userPrincipalName is empty. |
appliedDateTime |
DateTimeOffset |
The date and time when the review decision was applied. |
applyResult |
String |
The outcome of applying the decision, one of NotApplied, Success, Failed, NotFound or NotSupported. |
accessRecommendation |
String |
The feature- generated recommendation shown to the reviewer, one of Approve, Deny or NotAvailable. |
| Property |
Type |
Description |
| createdBy |
userIdentity |
User who created this review history definition. |
| createdDateTime |
DateTimeOffset |
Timestamp when the access review definition was created. |
| decisions |
String collection |
Determines which review decisions will be included in the fetched review history data if specified. Optional on create. All decisions will be included by default if no decisions are provided on create. Possible values are: approve, deny, dontKnow, notReviewed, and notNotified. |
| displayName |
String |
Name for the access review history data collection. Required. |
| downloadUri |
String |
Uri which can be used to retrieve review history data. This URI will be active for 24 hours after being generated. |
| fulfilledDateTime |
DateTimeOffset |
Timestamp when all of the available data for this definition was collected. This will be set after this definition's status is set to done. |
| id |
String |
The assigned unique identifier of an access review history definition. |
| reviewHistoryPeriodEndDateTime |
DateTimeOffset |
Timestamp, reviews starting on or after this date will be included in the fetched history data. Required. |
| reviewHistoryPeriodStartDateTime |
DateTimeOffset |
Timestamp, reviews starting on or before this date will be included in the fetched history data. Required. |
| scopes |
microsoft.graph.accessReviewQueryScope collection |
Used to scope what reviews are included in the fetched history data. Fetches reviews whose scope matches with this provided scope. See accessreviewqueryscope. Required. |
| status |
String collection |
Represents the status of the review history data collection. Possible values are: done, inprogress, error, requested. |
| Property |
Type |
Description |
| endDateTime |
DateTimeOffset |
DateTime when review instance is scheduled to end.The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
| fallbackReviewers |
accessReviewReviewerScope collection |
This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select. |
| id |
String |
Unique identifier of the instance. Inherited from entity. Supports $select. Read-only. |
| scope |
accessReviewScope |
Created based on scope and instanceEnumerationScope at the accessReviewScheduleDefinition level. Defines the scope of users reviewed in a group. Supports $select and $filter (contains only). Read-only. |
| startDateTime |
DateTimeOffset |
DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
| status |
String |
Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only. |
| reviewers |
accessReviewReviewerScope collection |
This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. |
| Property |
Type |
Description |
| accessReviewId |
String |
The identifier of the accessReviewInstance parent. Supports $select. Read-only. |
| appliedBy |
userIdentity |
The identifier of the user who applied the decision. Read-only. |
| appliedDateTime |
DateTimeOffset |
The timestamp when the approval decision was applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
| applyResult |
String |
The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only. |
| decision |
String |
Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only). |
| id |
String |
The identifier of the decision. Inherited from entity. Supports $select. Read-only. |
| justification |
String |
Justification left by the reviewer when they made the decision. |
| principal |
identity |
Every decision item in an access review represents a principal's access to a resource. This property represents details of the principal. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is "Bob" and the resource is "Sales". Principals can be of two types - userIdentity and servicePrincipalIdentity. Supports $select. Read-only. |
| principalLink |
String |
A link to the principal object. For example, https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only. |
| recommendation |
String |
A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. Recommend approve if sign-in is within thirty days of start of review. Recommend deny if sign-in is greater than thirty days of start of review. Recommendation not available otherwise. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only. |
| resource |
accessReviewInstanceDecisionItemResource |
Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales" - The principal is Bob and the resource is "Sales". Resources can be of multiple types. See accessReviewInstanceDecisionItemResource. Read-only. |
| resourceLink |
String |
A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only. |
| reviewedBy |
userIdentity |
The identifier of the reviewer. Supports $select. Read-only. |
| reviewedDateTime |
DateTimeOffset |
The timestamp when the review decision occurred. Supports $select. Read-only. |
| Property |
Type |
Description |
| query |
String |
The query representing what will be reviewed in an access review. |
| queryRoot |
String |
In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager. |
| queryType |
String |
Indicates the type of query. Types include MicrosoftGraph and ARM. |
| Property |
Type |
Description |
| recurrenceType |
String |
The recurrence interval. Possible vaules: onetime, weekly, monthly, quarterly, halfyearly or annual. |
| recurrenceEndType |
String |
How the recurrence ends. Possible values: never, endBy, occurrences, or recurrenceCount. If it is never, then there is no explicit end of the recurrence series. If it is endBy, then the recurrence ends at a certain date. If it is occurrences, then the series ends after recurrenceCount instances of the review have completed. |
| durationInDays |
Int32 |
The duration in days for recurrence. |
| recurrenceCount |
Int32 |
The count of recurrences, if the value of **r |
| Property |
Type |
Description |
| query |
String |
The query specifying who will be the reviewer. See table for examples. |
| queryType |
String |
The type of query. Examples include MicrosoftGraph and ARM. |
| queryRoot |
String |
In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions. |
| Property |
Type |
Description |
| additionalNotificationRecipients |
accessReviewNotificationRecipientItem collection |
Defines the list of additional users or group members to be notified of the access review progress. |
| createdBy |
userIdentity |
User who created this review. Read-only. |
| createdDateTime |
DateTimeOffset |
Timestamp when the access review series was created. Supports $select and $orderBy. Read-only. |
| descriptionForAdmins |
String |
Description provided by review creators to provide more context of the review to admins. Supports $select. |
| descriptionForReviewers |
String |
Description provided by review creators to provide more context of the review to reviewers. Reviewers will see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select. |
| displayName |
String |
Name of the access review series. Supports $select and $orderBy. Required on create. |
| fallbackReviewers |
accessReviewReviewerScope collection |
This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. |
| id |
String |
The feature-assigned unique identifier of an access review. Supports $select. Read-only. |
| instanceEnumerationScope |
accessReviewScope |
This property is required when scoping a review to guest users' access across all Microsoft 365 groups and determines which Microsoft 365 groups are reviewed. Each group will become a unique accessReviewInstance of the access review series. For supported scopes, see accessReviewScope. Supports $select. For examples of options for configuring instanceEnumerationScope, see Configure the scope of your access review definition using the Microsoft Graph API. |
| lastModifiedDateTime |
DateTimeOffset |
Timestamp when the access review series was last modified. Supports $select. Read-only. |
| reviewers |
accessReviewReviewerScope collection |
This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. |
| scope |
accessReviewScope |
Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API. |
| settings |
accessReviewScheduleSettings |
The settings for an access review series, see type definition below. Supports $select. Required on create. |
| status |
String |
This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed.
Supports $select, $orderby, and $filter (eq only). Read-only. |
| backupReviewers (deprecated) |
accessReviewReviewerScope collection |
This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select.
**N |
| Property |
Type |
Description |
| mailNotificationsEnabled |
Boolean |
Indicates whether emails are enabled or disabled. Default value is false. |
| reminderNotificationsEnabled |
Boolean |
Indicates whether reminders are enabled or disabled. Default value is false. |
| justificationRequiredOnApproval |
Boolean |
Indicates whether reviewers are required to provide justification with their decision. Default value is false. |
| defaultDecisionEnabled |
Boolean |
Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. |
| defaultDecision |
String |
Decision chosen if defaultDecisionEnabled is true. Can be one of Approve, Deny, or Recommendation. |
| instanceDurationInDays |
Int32 |
Duration of each recurrence of review (accessReviewInstance) in number of days. |
| recurrence |
patternedRecurrence |
Detailed settings for recurrence using the standard Outlook recurrence object. Only weekly and absoluteMonthly on recurrencePattern are supported. Use the property startDate on recurrenceRange to determine the day the review starts. |
| autoApplyDecisionsEnabled |
Boolean |
Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. |
| applyActions |
accessReviewApplyAction collection |
Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction. |
| recommendationsEnabled |
Boolean |
Indicates whether decision recommendations are enabled or disabled. |
| Property |
Type |
Description |
| id |
String |
The feature-assigned identifier of the business flow template. These values are case sensitive. |
| displayName |
String |
The name of the business flow template |
| Property |
Type |
Description |
| displayName |
String |
The identity's display name. Note that this may not always be available or up to date. For example, if a user changes their display name, the API may show the new value in a future response, but the items associated with the user won't show up as having changed when using delta. |
| id |
String |
Unique identifier for the identity. |
| Property |
Type |
Description |
| id |
String |
The feature-assigned identifier of the link between program and control. |
| programId |
String |
The programId of the program this control is a part of. Required on create. |
| controlId |
String |
The controlId of the control, in particular the identifier of an access review. Required on create. |
| controlTypeId |
String |
The programControlType identifies the type of program control - for example, a control linking to guest access reviews. Required on create. |
| displayName |
String |
The name of the control. |
| status |
String |
The life cycle status of the control. |
| createdDateTime |
DateTimeOffset |
The creation date and time of the program control. |
| owner |
userIdentity |
The user who created the program control. |
| resource |
programResource |
The resource, a group or an app, targeted by this program control's access review. |
| Property |
Type |
Description |
| displayName |
String |
The identity's display name. Note that this may not always be available or up-to-date. |
| id |
String |
Unique identifier for the identity. |
| ipAddress |
String |
Indicates the client IP address used by user performing the activity (audit log only). |
| userPrincipalName |
String |
The userPrincipalName attribute of the user. |