Edit

Share via

Create historyDefinitions

  • Article

Namespace: microsoft.graph

Create a new accessReviewHistoryDefinition object.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) AccessReview.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application AccessReview.ReadWrite.All Not available.

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.

  • To write access reviews of a group or app: User Administrator, Identity Governance Administrator
  • To write access reviews of a Microsoft Entra role: Identity Governance Administrator, Privileged Role Administrator

HTTP request

POST /identityGovernance/accessReviews/historyDefinitions

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the accessReviewHistoryDefinition object.

The following table shows the required properties used to create an accessReviewHistoryDefinition.

Property Type Description
displayName String Name for the access review history data collection. Required.
reviewHistoryPeriodStartDateTime DateTimeOffset A timestamp. Reviews starting on or after this date will be included in the fetched history data. Only required if scheduleSettings isn't defined.
reviewHistoryPeriodEndDateTime DateTimeOffset A timestamp. Reviews starting on or before this date will be included in the fetched history data. Only required if scheduleSettings isn't defined.
scopes accessReviewQueryScope collection Used to filter which reviews are included in the fetched history data. Fetches reviews whose scope matches with this provided scope. Required.
For more, see Supported scope queries for accessReviewHistoryDefinition.
scheduleSettings accessReviewHistoryScheduleSettings Not supported yet. The settings for a recurring access review history definition series. Only required if reviewHistoryPeriodStartDateTime or reviewHistoryPeriodEndDateTime aren't defined.

Supported scope queries for accessReviewHistoryDefinition

The scopes property of accessReviewHistoryDefinition is based on accessReviewQueryScope, a resource that allows you to configure different resources in it's query property. These resources then represent the scope of the history definition and dictate the type of review history data that is included in the downloadable CSV file that is generated when the history definition's accessReviewHistoryInstances are created.

The $filter query parameter with the contains operator is supported on the scope property of accessReviewScheduleDefinition. Use the following format for the request:

/identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, '{object}')

The {object} can have one of the following values:

Value Description
/groups List every accessReviewScheduleDefinition on individual groups (excludes definitions scoped to all Microsoft 365 groups with guests).
/groups/{group id} List every accessReviewScheduleDefinition on a specific group (excludes definitions scoped to all Microsoft 365 groups with guests).
./members List every accessReviewScheduleDefinition scoped to all Microsoft 365 groups with guests.
accessPackageAssignments List every accessReviewScheduleDefinition on an access package.
roleAssignmentScheduleInstances List every accessReviewScheduleDefinition for principals that are assigned to a privileged role.

The $filter query parameter isn't supported on accessReviewInactiveUserQueryScope or principalResourceMembershipScope.

Response

If successful, this method returns a 201 Created response code and an accessReviewHistoryDefinition object in the response body.

Examples

The following example shows how to create an access review history definition scoped to access reviews on access packages and groups, running between the start date of 01/01/2021 and end date of 04/05/2021.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/historyDefinitions
Content-Type: application/json

{
  "displayName": "Last quarter's group reviews April 2021",
  "decisions": [
    "approve",
    "deny",
    "dontKnow",
    "notReviewed",
    "notNotified"
  ],
  "reviewHistoryPeriodStartDateTime": "2021-01-01T00:00:00Z",
  "reviewHistoryPeriodEndDateTime": "2021-04-30T23:59:59Z",
  "scopes": [
    {
      "@odata.type": "#microsoft.graph.accessReviewQueryScope",
      "queryType": "MicrosoftGraph",     
      "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, 'accessPackageAssignments')",
      "queryRoot": null
    },  
    {
      "@odata.type": "#microsoft.graph.accessReviewQueryScope",
      "queryType": "MicrosoftGraph",     
      "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')",
      "queryRoot": null
    }
  ]
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
    "@odata.type": "#microsoft.graph.accessReviewHistoryDefinition",
    "id": "b2cb022f-b7e1-40f3-9854-c65a40861c38",
    "displayName": "Last quarter's group reviews April 2021",
    "reviewHistoryPeriodStartDateTime": "2021-01-01T00:00:00Z",
    "reviewHistoryPeriodEndDateTime": "2021-04-30T23:59:59Z",
    "decisions": [
        "approve",
        "deny",
        "dontKnow",
        "notReviewed",
        "notNotified"
    ],
    "status": "requested",
    "createdDateTime": "2021-04-14T00:22:48.9392594Z",
    "createdBy": {
        "id": "957f1027-c0ee-460d-9269-b8444459e0fe",
        "displayName": "MOD Administrator",
        "userPrincipalName": "admin@contoso.com"
    },
    "scopes": [
        {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "queryType": "MicrosoftGraph",
            "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, 'accessPackageAssignments')",
            "queryRoot": null
        },
        {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "queryType": "MicrosoftGraph",
            "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')",
            "queryRoot": null
        }
    ]
}