Azure Active Directory (Azure AD) access reviews
APIs under the
/beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
This is the recommended API for access reviews. The previous version of the access reviews API is deprecated.
Use Azure AD access reviews to configure one-time or recurring access reviews for attestation of a principal's right to access Azure AD resources. The principals are users or applications (service principals). The Azure AD resources include groups, applications (service principals), access packages, and privileged roles. Access reviews is a feature of Azure AD Identity Governance.
Typical customer scenarios for access reviews include:
- Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
- Customers can review and certify employee access to Azure AD resources.
- Customers can review and audit assignments to Azure AD privileged roles. This supports organizations in the management of privileged access.
The access reviews feature, including the API, is included in Azure AD Premium P2. The tenant where an access review is being created must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription. For more information about the license requirements, see Access reviews license requirements.
This article describes how to export personal data from a device or service. These steps can be used to support your obligations under the General Data Protection Regulation (GDPR). Authorized tenant admins can use Microsoft Graph to correct, update, or delete identifiable information about end users, including customer and employee user profiles or personal data, such as a user's name, work title, address, or phone number, in your Azure Active Directory (Azure AD) environment.
The following table lists the methods that you can use to interact with access review-related resources.
|List definitions||accessReviewScheduleDefinition collection||Get a list of the accessReviewScheduleDefinition objects and their properties.|
|Get accessReviewScheduleDefinition||accessReviewScheduleDefinition||Get an accessReviewScheduleDefinition object and its properties.|
|Create definitions||accessReviewScheduleDefinition||Create a new accessReviewScheduleDefinition.|
|Delete accessReviewScheduleDefinition||None.||Delete an accessReviewScheduleDefinition.|
|Update accessReviewScheduleDefinition||None.||Update properties of an accessReviewScheduleDefinition with a specified identifier.|
|filterByCurrentUser||accessReviewScheduleDefinition collection||Retrieves all definitions for which the calling user is a reviewer on one or more instance.|
|List instances||accessReviewInstance collection||Get a list of the accessReviewInstance objects and their properties.|
|Get accessReviewInstance||accessReviewInstance||Read the properties and relationships of an accessReviewInstance object.|
|sendReminder||None.||Send a reminder to the reviewers of an accessReviewInstance.|
|stop||None.||Manually stop an accessReviewInstance.|
|acceptRecommendations||None.||Allows the calling user to accept the decision recommendation for each NotReviewed accessReviewInstanceDecisionItem that they are the reviewer on for a specific accessReviewInstance.|
|applyDecisions||None.||Manually apply decisions on an accessReviewInstance.|
|batchRecordDecisions||None||Review batches of principals or resources in one call.|
|resetDecisions||None||Resets all decision items on an instance to
|filterByCurrentUser||accessReviewInstance collection||Returns all instances on a given accessReviewScheduleDefinition for which the calling user is the reviewer of one or more decisions.|
|Instance decision items|
|List decisions||accessReviewInstanceDecisionItem collection||Get a list of the accessReviewInstanceDecisionItem objects and their properties.|
|Get accessReviewInstanceDecisionItem||accessReviewInstanceDecisionItem||Read the properties and relationships of an accessReviewInstanceDecisionItem object.|
|Update accessReviewInstanceDecisionItem||None.||For any accessReviewInstanceDecisionItems that the calling user is assigned a reviewer on, calling user can record a decision by patching the decision object.|
|filterByCurrentUser||accessReviewInstanceDecisionItem collection||Retrieves all accessReviewInstanceDecisionItems objects where the calling use is the reviewer for a given accessReviewInstance.|
|listPendingApproval (deprecated)||accessReviewInstanceDecisionItem collection.||Get all accessReviewInstanceDecisionItems assigned to the calling user, for a specific accessReviewInstance. This method is being deprecated and replaced by accessReviewInstanceDecisionItem: filterByCurrentUser.|
|List historyDefinitions||accessReviewHistoryDefinition collection||Get a list of the accessReviewHistoryDefinition objects and their properties.|
|Create historyDefinitions||accessReviewHistoryDefinition||Create a new accessReviewHistoryDefinition object.|
|Get accessReviewHistoryDefinition||accessReviewHistoryDefinition||Read the properties and relationships of an accessReviewHistoryDefinition object.|
|generateDownloadUri||accessReviewHistoryInstance||Generate a URI for an instance that can be used to retrieve review history data.|
|List instances||accessReviewHistoryInstance||Retrieve a list of the accessReviewHistoryInstance objects and their properties.|
|Get accessReviewPolicy||accessReviewPolicy||Read the properties and relationships of an accessReviewPolicy object.|
|Update accessReviewPolicy||accessReviewPolicy||Update the properties of an accessReviewPolicy object.|
|List definitions pending approval (deprecated)||accessReviewScheduleDefinition collection||Retrieves all definitions for which the calling user is a reviewer on one or more instance. This method is being deprecated and replaced by accessReviewScheduleDefinition: filterByCurrentUser.|
|List pendingAccessReviewInstances (deprecated)||accessReviewInstance collection.||Get all pending accessReviewInstance resources assigned to the calling user. This method is being deprecated and replaced by accessReviewInstance: filterByCurrentUser.|
Role and application permission authorization checks
The following Azure AD roles are required for a calling user to manage access reviews.
|Operation||Application permissions||Required directory role of the calling user|
|Read||AccessReview.Read.All or AccessReview.ReadWrite.All||Global Administrator, Global Reader, Security Administrator, Security Reader or User Administrator|
|Create, Update or Delete||AccessReview.ReadWrite.All||Global Administrator or User Administrator|
In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
- Azure AD access reviews
- Tutorials to learn how to use the access reviews API to review access to Azure AD resources
- How an administrator can manage user access with Azure AD access reviews
- How an administrator can manage guest access with Azure AD access reviews
Submit and view feedback for