Creating an access review definition for a custom data provided resource with graph

ritmo2k 871 Reputation points
2026-03-11T19:02:23.2866667+00:00

I am trying to use either a generic rest request or the New-MgBetaIdentityGovernanceAccessReviewDefinition cmdlet to create a definition for a custom data provided resource, but I cannot figure out how to define the scope query for this type.

The command below fails with an invalid body error, which is not surprising, as the scope query is not specific and would return other types if they existed. However, that endpoint doesn't seem to support indexing or OData filters.

New-MgBetaIdentityGovernanceAccessReviewDefinition `
    -BodyParameter @{
        displayName = $reviewDisplayName
        descriptionForAdmins = $reviewDescriptionForAdmins
        descriptionForReviewers = $reviewDescriptionForReviewers
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query = '/identityGovernance/entitlementManagement/accessPackageCatalogs/{0}/accessPackageResources' -f $catalog.Id
            queryType = 'MicrosoftGraph'
        }
        reviewers = @(
            @{
                query     = './manager'
                queryType = 'MicrosoftGraph'
                queryRoot = 'decisions'
            }
        )
        settings = @{
            autoApplyDecisionsEnabled = $true
            defaultDecision = 'None'
            defaultDecisionEnabled = $false
            instanceDurationInDays = $reviewDurationDays
            justificationRequiredOnApproval = $true
            mailNotificationsEnabled = $true
            recommendationsEnabled = $false
            reminderNotificationsEnabled = $true
            recurrence = @{
                pattern = $null
                range = @{
                    type = 'numbered'
                    numberOfOccurrences = 0
                    recurrenceTimeZone = $null
                    startDate = (Get-Date).ToString('yyyy-MM-dd')
                    endDate = (Get-Date).AddDays(2).ToString('yyyy-MM-dd')
                }
            }
        }
    } `
    -Headers @{'x-accessreviews-version' = 'vnext'}
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
Vasil Michev 126K Reputation points MVP Volunteer Moderator
2026-03-11T20:06:04.41+00:00

I don't believe you can use filters. The review will cover all users assigned to any objects within a catalog, with the only "scope" you can select being whether to include guest users. But this is all done via predefined/hardcoded values, see the example in the official documentation. Or just create the review via the portal and capture the network trace :)

To specify managers as reviewers for objects included in a catalog review, again use the "hardcoded" value:

"reviewers":[{"@odata.type":"#microsoft.graph.accessReviewReviewerScope","scopeType":"manager"}]

1 person found this answer helpful.
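The accepted answer's fixed reviewer scope plugged into the question's body and sent with the generic REST option the asker mentioned, as an added example that is neither the asker's code nor Microsoft's documentation. It assumes an existing Connect-MgGraph session, that the scope hashtable passed in is the documented catalog scope (or one captured from a portal network trace, as the answer suggests), and that the beta definitions endpoint URL is correct.

```powershell
# Added example (not from the question, the answer, or Microsoft's docs).
# Assumes: Connect-MgGraph already run with an access-review write scope; $Scope holds the
# documented/captured catalog scope; the beta definitions endpoint URL below is assumed.
function New-CatalogAccessReviewDefinition {
    param(
        [Parameter(Mandatory)] [hashtable] $Scope,          # documented or captured scope
        [Parameter(Mandatory)] [string]    $DisplayName,
        [string] $DescriptionForAdmins    = '',
        [string] $DescriptionForReviewers = '',
        [int]    $DurationInDays          = 14
    )

    $body = @{
        displayName             = $DisplayName
        descriptionForAdmins    = $DescriptionForAdmins
        descriptionForReviewers = $DescriptionForReviewers
        scope                   = $Scope
        # Reviewer entry exactly as the accepted answer gives it: a fixed scopeType
        # rather than the './manager' query against the 'decisions' root.
        reviewers               = @(
            @{
                '@odata.type' = '#microsoft.graph.accessReviewReviewerScope'
                scopeType     = 'manager'
            }
        )
        settings = @{
            autoApplyDecisionsEnabled        = $true
            defaultDecision                  = 'None'
            defaultDecisionEnabled           = $false
            instanceDurationInDays           = $DurationInDays
            justificationRequiredOnApproval  = $true
            mailNotificationsEnabled         = $true
            recommendationsEnabled           = $false
            reminderNotificationsEnabled     = $true
        }
    }

    # -Depth keeps nested hashtables from being flattened to type names.
    $json = $body | ConvertTo-Json -Depth 10

    # Generic REST request with the same vnext header the question used.
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions' `
        -Headers @{ 'x-accessreviews-version' = 'vnext'; 'Content-Type' = 'application/json' } `
        -Body $json
}
```

Review the JSON produced by ConvertTo-Json before sending it; a scope or reviewer block that differs from the documented hardcoded values is the first thing to compare against a portal-created definition.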

0 additional answers
