Azure Access Review API

_-IJ-_ 76 Reputation points
2022-12-09T18:02:53.257+00:00

The Identity Governance article says "The Azure AD resources include groups...", however nowhere in the documentation am I able to find how to create an access review for an AAD group. I managed to create a new review via PowerShell / the API, but it has no group assigned. When trying to create a similar one via the Azure Portal the Group(s) name is mandatory, whereas here it is missing. Here is my code to create a review, but where and how should I specify group name(s), whether owners should review or not, etc.?

param ([string]$app_secret)

# Do not echo the client secret into pipeline logs; only confirm it was supplied.
Write-Output "The required parameter value was supplied"

Write-Output "Pre Connect-MgGraph command"

$tenantId = 'XXXXXXX'
$appId = 'YYYYYYYYY'
$appSecret = $app_secret
$group_name = "AAD-Group1-CONTRIBUTOR"

$resourceAppIdUri = 'https://graph.microsoft.com'

# Client-credentials token request; the URI must not start with whitespace.
$oAuthUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource      = "$resourceAppIdUri"
    client_id     = "$appId"
    client_secret = "$appSecret"
    grant_type    = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token

Connect-MgGraph -AccessToken $token

Write-Output "Connect-MgGraph worked !!!! "

Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.Governance

# Business flow template for reviews of group memberships
$AccessReviewTemplate = Get-MgBusinessFlowTemplate | Where-Object DisplayName -eq 'Access reviews of memberships of a group'
$AccessReviewTemplate.Id

$AutoReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAutoReviewSettings]@{
    NotReviewedResult = "None"
}

$RecurrenceSettings = @{
    RecurrenceType    = "onetime"
    RecurrenceEndType = "endBy"
    DurationInDays    = 30
    RecurrenceCount   = 180
}
$ReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewSettings]@{
    AccessRecommendationsEnabled    = $true
    ActivityDurationInDays          = 0
    AutoApplyReviewResultsEnabled   = $false
    AutoReviewEnabled               = $false
    AutoReviewSettings              = $AutoReviewSettings
    JustificationRequiredOnApproval = $true
    MailNotificationsEnabled        = $true
    RecurrenceSettings              = $RecurrenceSettings
    RemindersEnabled                = $true
}

$ReviewedEntity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphIdentity]@{
    DisplayName = "Group2"
    Id          = "00000001-c59e-48c1-86e9-14ee6daef724" # AAD ObjectId
}

$NewAccessReview = @{
    DisplayName            = $group_name
    BusinessFlowTemplateId = $AccessReviewTemplate.Id
    Description            = "AR created via Azure Devops!"
    Settings               = $ReviewSettings
    StartDateTime          = (Get-Date)
    ReviewedEntity         = $ReviewedEntity
    ReviewerType           = "entityOwners"
}

New-MgAccessReview @NewAccessReview

Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-12-14T17:04:08.517+00:00

    Hi @_-IJ-_ ,

    Thanks for confirming that the sample meets your requirements. I am adding a summarized answer.

    Issue:

    An example is needed for creating an access review for an Azure AD group and specifying the group.

    Example/Resolution:

    To specify the group, you need to copy the group ID and include it in the scopes (Query = "/groups/eb75ccd2-59ef-48b7-8f76-cc3f33f899f4"). The documentation has an example here that creates an access review for a group.

    Import-Module Microsoft.Graph.Identity.Governance

    $params = @{
        DisplayName = "One-time self-review for members of Building security"
        DescriptionForAdmins = "One-time self-review for members of Building security"
        DescriptionForReviewers = "One-time self-review for members of Building security"
        # Scope: the group members under review (replace the GUID with your group's object ID)
        Scope = @{
            Query = "/groups/eb75ccd2-59ef-48b7-8f76-cc3f33f899f4/transitiveMembers"
            QueryType = "MicrosoftGraph"
        }
        # The group itself, used to enumerate review instances
        InstanceEnumerationScope = @{
            Query = "/groups/eb75ccd2-59ef-48b7-8f76-cc3f33f899f4"
            QueryType = "MicrosoftGraph"
        }
        Settings = @{
            MailNotificationsEnabled = $true
            ReminderNotificationsEnabled = $true
            JustificationRequiredOnApproval = $true
            DefaultDecisionEnabled = $true
            DefaultDecision = "Deny"
            InstanceDurationInDays = 5
            AutoApplyDecisionsEnabled = $true
            RecommendationsEnabled = $true
            Recurrence = @{
                Pattern = $null
                Range = @{
                    Type = "numbered"
                    NumberOfOccurrences = 0
                    RecurrenceTimeZone = $null
                    StartDate = "2022-02-11"
                    EndDate = "2022-02-16"
                }
            }
        }
    }

    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
    

    I believe "[GroupId <String>]: key: id of group" can also be specified, as in this example.

    If the information helped you, please "Accept the answer". This will help us and other members of the community who might be researching similar information.
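An added Python example, not code from the thread or the Graph SDK: it builds the group-scoped definition body in the shape the accepted answer shows and then audits existing definitions for the symptom the question describes (a review with no group attached). `build_group_review`, `group_id_from_definition` and `audit_definitions` are hypothetical helper names, and the definitions at the bottom are constructed samples.

```python
import re
import uuid

# Scope shapes from the accepted answer: /groups/{id}/transitiveMembers for the reviewed
# members, /groups/{id} for the instance enumeration scope.
GROUP_SCOPE_RE = re.compile(r"^/groups/([0-9a-fA-F-]{36})(?:/transitiveMembers|/members)?$")


def build_group_review(group_id: str, display_name: str, start: str, end: str) -> dict:
    """Hypothetical helper (not a Graph SDK call): request body for one group-scoped
    accessReviewScheduleDefinition. A malformed id fails here, not as an unscoped review."""
    gid = str(uuid.UUID(group_id))  # raises ValueError; also normalises to lowercase
    return {
        "displayName": display_name,
        "scope": {"query": f"/groups/{gid}/transitiveMembers", "queryType": "MicrosoftGraph"},
        "instanceEnumerationScope": {"query": f"/groups/{gid}", "queryType": "MicrosoftGraph"},
        "settings": {
            "mailNotificationsEnabled": True, "justificationRequiredOnApproval": True,
            "defaultDecisionEnabled": True, "defaultDecision": "Deny",
            "autoApplyDecisionsEnabled": True, "instanceDurationInDays": 5,
            "recurrence": {"range": {"type": "numbered", "startDate": start, "endDate": end}},
        },
    }


def group_id_from_definition(definition: dict):
    """Group a definition reviews, or None if it is not group-scoped (the question's symptom)."""
    m = GROUP_SCOPE_RE.match((definition.get("scope") or {}).get("query", ""))
    return m.group(1).lower() if m else None


def audit_definitions(definitions: list) -> list:
    """Findings an admin wants: unscoped reviews, mismatched scopes, non-Deny defaults."""
    findings = []
    for d in definitions:
        name, gid = d.get("displayName", "<unnamed>"), group_id_from_definition(d)
        if gid is None:
            findings.append(f"{name}: not scoped to a group")
            continue
        enum_q = (d.get("instanceEnumerationScope") or {}).get("query", "").lower()
        if enum_q != f"/groups/{gid}":
            findings.append(f"{name}: instanceEnumerationScope does not name group {gid}")
        s = d.get("settings") or {}
        if s.get("defaultDecisionEnabled") and s.get("defaultDecision") != "Deny":
            findings.append(f"{name}: default decision {s.get('defaultDecision')!r} is not Deny")
    return findings


# Constructed sample definitions (not tenant data): one good, one unscoped, one inconsistent.
GOOD = build_group_review("EB75CCD2-59EF-48B7-8F76-CC3F33F899F4", "Building security", "2022-02-11", "2022-02-16")
UNSCOPED = {"displayName": "AAD-Group1-CONTRIBUTOR", "scope": {"query": "", "queryType": "MicrosoftGraph"}}
STALE = {"displayName": "Group2", "scope": GOOD["scope"], "settings": {"defaultDecisionEnabled": True, "defaultDecision": "Approve"},
         "instanceEnumerationScope": {"query": "/groups/00000001-c59e-48c1-86e9-14ee6daef724", "queryType": "MicrosoftGraph"}}
SAMPLE_FINDINGS = audit_definitions([GOOD, UNSCOPED, STALE])
```

Feed `audit_definitions` the `value` array returned by listing access review definitions through Graph to spot reviews that were created without a group scope.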

