Apply accessReview

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

In the Azure AD access reviews feature, apply the decisions of a completed accessReview. The target object can be either a one-time access review, or an instance of a recurring access review.

After an access review is finished, either because it reached the end date or an administrator stopped it manually, and auto-apply wasn't configured for the review, you can call Apply to apply the changes. Until apply occurs, the decisions to remove access rights do not appear on the source resource, the users for instance retain their group memberships. By calling apply, the outcome of the review is implemented by updating the group or application. If a user's access was denied in the review, when an administrator calls this API, Azure AD removes their membership or application assignment.

After an access review is finished, and auto-apply was configured, then the status of the review will change from Completed through intermediate states and finally will change to state Applied. You should expect to see denied users, if any, being removed from the resource group membership or app assignment in a few minutes.

A configured auto applying review, or selecting Apply doesn't have an effect on a group that originates in an on-premises directory or a dynamic group. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) AccessReview.ReadWrite.Membership, AccessReview.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application AccessReview.ReadWrite.Membership

HTTP request

POST /accessReviews/{reviewId}/applyDecisions

Request headers

Name Type Description
Authorization string Bearer {token}. Required.

Request body

Do not supply a request body for this method.

Response

If successful, this method returns a 204, No Content response code. It does not return anything in the response body.

See also

Example

Request
POST https://graph.microsoft.com/beta/accessReviews/2975E9B5-44CE-4E71-93D3-30F03B5AA992/applyDecisions
Response

Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

HTTP/1.1 204 No Content