AccessReview.ReadWrite.Membership

Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the AccessReview.ReadWrite.Membership permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	18228521-a591-40f1-b215-5fad4488c117	5af8c3f5-baca-439a-97b0-ea58a435e269
DisplayText	Manage access reviews for group and app memberships	Manage access reviews for group and app memberships
Description	Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user.	Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /accessReviews/{reviewId}
	DELETE /accessReviews/{reviewId}/reviewers/{userId}
	GET /accessReviews?$filter=businessFlowTemplateId eq {businessFlowTemplate-id}&$top={pagesize}&$skip=0
	GET /accessReviews/{reviewId}
	GET /accessReviews/{reviewId}/decisions
	GET /accessReviews/{reviewId}/myDecisions
	GET /accessReviews/{reviewId}/reviewers
	PATCH /accessReviews/{reviewId}
	POST /accessReviews
	POST /accessReviews/{reviewId}/applyDecisions
	POST /accessReviews/{reviewId}/resetDecisions
	POST /accessReviews/{reviewId}/reviewers
	POST /accessReviews/{reviewId}/sendReminder
	POST /accessReviews/{reviewId}/stop

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Add-MgBetaAccessReviewDecision
	Get-MgBetaAccessReview
	Get-MgBetaAccessReviewDecision
	Get-MgBetaAccessReviewMyDecision
	Get-MgBetaAccessReviewReviewer
	New-MgBetaAccessReview
	New-MgBetaAccessReviewReviewer
	Remove-MgBetaAccessReview
	Remove-MgBetaAccessReviewReviewer
	Reset-MgBetaAccessReviewDecision
	Send-MgBetaAccessReviewReminder
	Stop-MgBetaAccessReview
	Update-MgBetaAccessReview

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: accessreview

Property	Type	Description
id	String	The feature-assigned unique identifier of an access review.
displayName	String	The access review name. Required on create.
startDateTime	DateTimeOffset	The date and time when the review is scheduled to be start. This date can be in the future. Required on create.
endDateTime	DateTimeOffset	The DateTime when the review is scheduled to end. This must be at least one day later than the start date. Required on create.
status	String	This read-only field specifies the status of an accessReview. The typical states include `Initializing`, `NotStarted`, `Starting`,`InProgress`, `Completing`, `Completed`, `AutoReviewing`, and `AutoReviewed`.
description	String	The description provided by the access review creator, to show to the reviewers.
businessFlowTemplateId	String	The business flow template identifier. Required on create. This value is case sensitive.
reviewerType	String	The relationship type of reviewer to the target object, one of: `self`, `delegated`, `entityOwners`. Required on create.
createdBy	userIdentity	The user who created this review.
reviewedEntity	identity	The object for which the access review is reviewing the access rights assignments. This identity can be the group for the review of memberships of users in a group, or the app for a review of assignments of users to an application. Required on create.
settings	accessReviewSettings	The settings of an accessReview, see type definition below.

Graph reference: accessreviewdecision

Property	Type	Description
`id`	`String`	The ID of the decision within the access review.
`accessReviewId`	`String`	The feature-generated ID of the access review.
`reviewedBy`	userIdentity	The identity of the reviewer. If the recommendation was used as the review, the userPrincipalName is empty.
`reviewedDate`	`DateTimeOffset`	The date and time the most recent review for this access right was supplied.
`reviewResult`	`String`	The result of the review, one of `NotReviewed`, `Deny`, `DontKnow` or `Approve`.
`justification`	`String`	The reviewer's business justification, if supplied.
`appliedBy`	userIdentity	When the review completes, if the results were manually applied, the user identity of the user who applied the decision. If the review was autoapplied, the userPrincipalName is empty.
`appliedDateTime`	`DateTimeOffset`	The date and time when the review decision was applied.
`applyResult`	`String`	The outcome of applying the decision, one of: `NotApplied`, `Success`, `Failed`, `NotFound`, `NotSupported`.
`accessRecommendation`	`String`	The feature- generated recommendation shown to the reviewer, one of: `Approve`, `Deny`, `NotAvailable`.

Graph reference: accessreviewrecurrencesettings

Property	Type	Description
recurrenceType	String	The recurrence interval. Possible values: `onetime`, `weekly`, `monthly`, `quarterly`, `halfyearly` or `annual`.
recurrenceEndType	String	How the recurrence ends. Possible values: `never`, `endBy`, `occurrences`, or `recurrenceCount`. If it's `never`, then there's no explicit end of the recurrence series. If it's `endBy`, then the recurrence ends at a certain date. If it's `occurrences`, then the series ends after `recurrenceCount` instances of the review have completed.
durationInDays	Int32	The duration in days for recurrence.
recurrenceCount	Int32	The count of recurrences, if the value of **r

Graph reference: businessflowtemplate

Property	Type	Description
id	String	The feature-assigned identifier of the business flow template. These values are case sensitive.
displayName	String	The name of the business flow template

Graph reference: identity

Property	Type	Description
displayName	String	The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
id	String	Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
tenantId	String	Unique identity of the tenant. Optional.
thumbnails	thumbnailSet	Keyed collection of thumbnail resources. Optional. Applies to drive items, for example.

Graph reference: programcontrol

Property	Type	Description
id	String	The feature-assigned identifier of the link between program and control.
programId	String	The programId of the program this control is a part of. Required on create.
controlId	String	The controlId of the control, in particular the identifier of an access review. Required on create.
controlTypeId	String	The programControlType identifies the type of program control - for example, a control linking to guest access reviews. Required on create.
displayName	String	The name of the control.
status	String	The life cycle status of the control.
createdDateTime	DateTimeOffset	The creation date and time of the program control.
owner	userIdentity	The user who created the program control.
resource	programResource	The resource, a group or an app, targeted by this program control's access review.

Graph reference: userIdentity

Property	Type	Description
displayName	String	The display name of the identity. This might not always be available or up-to-date.
id	String	Unique identifier for the identity. Nullable. When the unique identifier is unavailable, the displayName property is provided for the identity, but the id property isn't included in the response.
ipAddress	String	Indicates the client IP address associated with the user performing the activity (audit log only).
userPrincipalName	String	The **u

Table of Contents

AccessReview.ReadWrite.Membership

Graph Methods

Resources