Add-MgBetaAccessReviewDecision

In the Microsoft Entra access reviews feature, apply the decisions of a completed accessReview. The target object can be either a one-time access review, or an instance of a recurring access review. After an access review is finished, either because it reached the end date or an administrator stopped it manually, and auto-apply wasn't configured for the review, you can call Apply to apply the changes. Until apply occurs, the decisions to remove access rights do not appear on the source resource, the users for instance retain their group memberships. By calling apply, the outcome of the review is implemented by updating the group or application. If a user's access was denied in the review, when an administrator calls this API, Microsoft Entra ID removes their membership or application assignment. After an access review is finished, and auto-apply was configured, then the status of the review will change from Completed through intermediate states and finally will change to state Applied. You should expect to see denied users, if any, being removed from the resource group membership or app assignment in a few minutes. A configured auto applying review, or selecting Apply doesn't have an effect on a group that originates in an on-premises directory or a dynamic group. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.

Syntax

Add-MgBetaAccessReviewDecision
   -AccessReviewId <String>
   [-ResponseHeadersVariable <String>]
   [-Headers <IDictionary>]
   [-PassThru]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Add-MgBetaAccessReviewDecision
   -InputObject <IIdentityGovernanceIdentity>
   [-ResponseHeadersVariable <String>]
   [-Headers <IDictionary>]
   [-PassThru]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

In the Microsoft Entra access reviews feature, apply the decisions of a completed accessReview. The target object can be either a one-time access review, or an instance of a recurring access review. After an access review is finished, either because it reached the end date or an administrator stopped it manually, and auto-apply wasn't configured for the review, you can call Apply to apply the changes. Until apply occurs, the decisions to remove access rights do not appear on the source resource, the users for instance retain their group memberships. By calling apply, the outcome of the review is implemented by updating the group or application. If a user's access was denied in the review, when an administrator calls this API, Microsoft Entra ID removes their membership or application assignment. After an access review is finished, and auto-apply was configured, then the status of the review will change from Completed through intermediate states and finally will change to state Applied. You should expect to see denied users, if any, being removed from the resource group membership or app assignment in a few minutes. A configured auto applying review, or selecting Apply doesn't have an effect on a group that originates in an on-premises directory or a dynamic group. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.

Permissions

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) AccessReview.ReadWrite.Membership AccessReview.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application AccessReview.ReadWrite.Membership Not available.

Examples

Example 1: Code snippet

Import-Module Microsoft.Graph.Beta.Identity.Governance

Add-MgBetaAccessReviewDecision -AccessReviewId $accessReviewId

This example shows how to use the Add-MgBetaAccessReviewDecision Cmdlet.

Parameters

-AccessReviewId

The unique identifier of accessReview

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Headers

Optional headers that will be added to the request.

Type:IDictionary
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Type:IIdentityGovernanceIdentity
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PassThru

Returns true when the command succeeds

Type:SwitchParameter
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ProgressAction

{{ Fill ProgressAction Description }}

Type:ActionPreference
Aliases:proga
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Type:String
Aliases:RHV
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

Microsoft.Graph.Beta.PowerShell.Models.IIdentityGovernanceIdentity

System.Collections.IDictionary

Outputs

System.Boolean

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

INPUTOBJECT <IIdentityGovernanceIdentity>: Identity Parameter

  • [AccessPackageAssignmentId <String>]: The unique identifier of accessPackageAssignment
  • [AccessPackageAssignmentPolicyId <String>]: The unique identifier of accessPackageAssignmentPolicy
  • [AccessPackageAssignmentRequestId <String>]: The unique identifier of accessPackageAssignmentRequest
  • [AccessPackageAssignmentResourceRoleId <String>]: The unique identifier of accessPackageAssignmentResourceRole
  • [AccessPackageCatalogId <String>]: The unique identifier of accessPackageCatalog
  • [AccessPackageId <String>]: The unique identifier of accessPackage
  • [AccessPackageId1 <String>]: The unique identifier of accessPackage
  • [AccessPackageResourceEnvironmentId <String>]: The unique identifier of accessPackageResourceEnvironment
  • [AccessPackageResourceId <String>]: The unique identifier of accessPackageResource
  • [AccessPackageResourceRequestId <String>]: The unique identifier of accessPackageResourceRequest
  • [AccessPackageResourceRoleId <String>]: The unique identifier of accessPackageResourceRole
  • [AccessPackageResourceRoleScopeId <String>]: The unique identifier of accessPackageResourceRoleScope
  • [AccessPackageResourceScopeId <String>]: The unique identifier of accessPackageResourceScope
  • [AccessPackageSubjectId <String>]: The unique identifier of accessPackageSubject
  • [AccessReviewDecisionId <String>]: The unique identifier of accessReviewDecision
  • [AccessReviewHistoryDefinitionId <String>]: The unique identifier of accessReviewHistoryDefinition
  • [AccessReviewHistoryInstanceId <String>]: The unique identifier of accessReviewHistoryInstance
  • [AccessReviewId <String>]: The unique identifier of accessReview
  • [AccessReviewId1 <String>]: The unique identifier of accessReview
  • [AccessReviewInstanceDecisionItemId <String>]: The unique identifier of accessReviewInstanceDecisionItem
  • [AccessReviewInstanceDecisionItemId1 <String>]: The unique identifier of accessReviewInstanceDecisionItem
  • [AccessReviewInstanceId <String>]: The unique identifier of accessReviewInstance
  • [AccessReviewReviewerId <String>]: The unique identifier of accessReviewReviewer
  • [AccessReviewScheduleDefinitionId <String>]: The unique identifier of accessReviewScheduleDefinition
  • [AccessReviewStageId <String>]: The unique identifier of accessReviewStage
  • [AgreementAcceptanceId <String>]: The unique identifier of agreementAcceptance
  • [AgreementFileLocalizationId <String>]: The unique identifier of agreementFileLocalization
  • [AgreementFileVersionId <String>]: The unique identifier of agreementFileVersion
  • [AgreementId <String>]: The unique identifier of agreement
  • [AppConsentRequestId <String>]: The unique identifier of appConsentRequest
  • [ApprovalId <String>]: The unique identifier of approval
  • [ApprovalStepId <String>]: The unique identifier of approvalStep
  • [BusinessFlowTemplateId <String>]: The unique identifier of businessFlowTemplate
  • [ConnectedOrganizationId <String>]: The unique identifier of connectedOrganization
  • [CustomAccessPackageWorkflowExtensionId <String>]: The unique identifier of customAccessPackageWorkflowExtension
  • [CustomCalloutExtensionId <String>]: The unique identifier of customCalloutExtension
  • [CustomExtensionHandlerId <String>]: The unique identifier of customExtensionHandler
  • [CustomExtensionStageSettingId <String>]: The unique identifier of customExtensionStageSetting
  • [CustomTaskExtensionId <String>]: The unique identifier of customTaskExtension
  • [DirectoryObjectId <String>]: The unique identifier of directoryObject
  • [EndDateTime <DateTime?>]: Usage: endDateTime={endDateTime}
  • [FindingId <String>]: The unique identifier of finding
  • [GovernanceInsightId <String>]: The unique identifier of governanceInsight
  • [GovernanceResourceId <String>]: The unique identifier of governanceResource
  • [GovernanceRoleAssignmentId <String>]: The unique identifier of governanceRoleAssignment
  • [GovernanceRoleAssignmentRequestId <String>]: The unique identifier of governanceRoleAssignmentRequest
  • [GovernanceRoleDefinitionId <String>]: The unique identifier of governanceRoleDefinition
  • [GovernanceRoleSettingId <String>]: The unique identifier of governanceRoleSetting
  • [IncompatibleAccessPackageId <String>]: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'
  • [LongRunningOperationId <String>]: The unique identifier of longRunningOperation
  • [ObjectId <String>]: Alternate key of accessPackageSubject
  • [On <String>]: Usage: on='{on}'
  • [PermissionsCreepIndexDistributionId <String>]: The unique identifier of permissionsCreepIndexDistribution
  • [PermissionsRequestChangeId <String>]: The unique identifier of permissionsRequestChange
  • [PrivilegedAccessGroupAssignmentScheduleId <String>]: The unique identifier of privilegedAccessGroupAssignmentSchedule
  • [PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance
  • [PrivilegedAccessGroupAssignmentScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest
  • [PrivilegedAccessGroupEligibilityScheduleId <String>]: The unique identifier of privilegedAccessGroupEligibilitySchedule
  • [PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance
  • [PrivilegedAccessGroupEligibilityScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest
  • [PrivilegedAccessId <String>]: The unique identifier of privilegedAccess
  • [PrivilegedApprovalId <String>]: The unique identifier of privilegedApproval
  • [PrivilegedOperationEventId <String>]: The unique identifier of privilegedOperationEvent
  • [PrivilegedRoleAssignmentId <String>]: The unique identifier of privilegedRoleAssignment
  • [PrivilegedRoleAssignmentId1 <String>]: The unique identifier of privilegedRoleAssignment
  • [PrivilegedRoleAssignmentRequestId <String>]: The unique identifier of privilegedRoleAssignmentRequest
  • [PrivilegedRoleId <String>]: The unique identifier of privilegedRole
  • [ProgramControlId <String>]: The unique identifier of programControl
  • [ProgramControlId1 <String>]: The unique identifier of programControl
  • [ProgramControlTypeId <String>]: The unique identifier of programControlType
  • [ProgramId <String>]: The unique identifier of program
  • [RbacApplicationId <String>]: The unique identifier of rbacApplication
  • [RunId <String>]: The unique identifier of run
  • [StartDateTime <DateTime?>]: Usage: startDateTime={startDateTime}
  • [TaskDefinitionId <String>]: The unique identifier of taskDefinition
  • [TaskId <String>]: The unique identifier of task
  • [TaskProcessingResultId <String>]: The unique identifier of taskProcessingResult
  • [TaskReportId <String>]: The unique identifier of taskReport
  • [UnifiedRbacResourceActionId <String>]: The unique identifier of unifiedRbacResourceAction
  • [UnifiedRbacResourceNamespaceId <String>]: The unique identifier of unifiedRbacResourceNamespace
  • [UnifiedRoleAssignmentId <String>]: The unique identifier of unifiedRoleAssignment
  • [UnifiedRoleAssignmentScheduleId <String>]: The unique identifier of unifiedRoleAssignmentSchedule
  • [UnifiedRoleAssignmentScheduleInstanceId <String>]: The unique identifier of unifiedRoleAssignmentScheduleInstance
  • [UnifiedRoleAssignmentScheduleRequestId <String>]: The unique identifier of unifiedRoleAssignmentScheduleRequest
  • [UnifiedRoleDefinitionId <String>]: The unique identifier of unifiedRoleDefinition
  • [UnifiedRoleDefinitionId1 <String>]: The unique identifier of unifiedRoleDefinition
  • [UnifiedRoleEligibilityScheduleId <String>]: The unique identifier of unifiedRoleEligibilitySchedule
  • [UnifiedRoleEligibilityScheduleInstanceId <String>]: The unique identifier of unifiedRoleEligibilityScheduleInstance
  • [UnifiedRoleEligibilityScheduleRequestId <String>]: The unique identifier of unifiedRoleEligibilityScheduleRequest
  • [UnifiedRoleManagementAlertConfigurationId <String>]: The unique identifier of unifiedRoleManagementAlertConfiguration
  • [UnifiedRoleManagementAlertDefinitionId <String>]: The unique identifier of unifiedRoleManagementAlertDefinition
  • [UnifiedRoleManagementAlertId <String>]: The unique identifier of unifiedRoleManagementAlert
  • [UnifiedRoleManagementAlertIncidentId <String>]: The unique identifier of unifiedRoleManagementAlertIncident
  • [UniqueName <String>]: Alternate key of accessPackageCatalog
  • [UserConsentRequestId <String>]: The unique identifier of userConsentRequest
  • [UserId <String>]: The unique identifier of user
  • [UserProcessingResultId <String>]: The unique identifier of userProcessingResult
  • [WorkflowId <String>]: The unique identifier of workflow
  • [WorkflowTemplateId <String>]: The unique identifier of workflowTemplate
  • [WorkflowVersionNumber <Int32?>]: The unique identifier of workflowVersion