accessReviewInstanceDecisionItem resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Note

This is the recommended API for access reviews. The previous version of the access reviews API is deprecated.

Represents an Azure AD access review decision on an instance of a review. This decision represents the determination of a user or service principal's access for a given access review instance. This resource is an open type that allows other properties to be passed in.

Methods

| Method | Return Type | Description |
| --- | --- | --- |
| List decisions (from an access review instance) | accessReviewInstanceDecisionItem collection | Get a list of the accessReviewInstanceDecisionItem objects and their properties. |
| List decisions (from a stage of an access review instance) | accessReviewInstanceDecisionItem collection | Get a list of the accessReviewInstanceDecisionItem objects for a stage of an access review instance. |
| Get accessReviewInstanceDecisionItem | accessReviewInstanceDecisionItem | Read the properties and relationships of an accessReviewInstanceDecisionItem object. |
| Update accessReviewInstanceDecisionItem | None | For any accessReviewInstanceDecisionItem that the calling user is assigned to as a reviewer, the calling user can record a decision by patching the decision object. |
| filterByCurrentUser | accessReviewInstanceDecisionItem collection | Retrieves all accessReviewInstanceDecisionItem objects where the calling user is the reviewer for a given accessReviewInstance. |
| List accessReviewInstanceDecisionItems pending approval (deprecated) | accessReviewInstanceDecisionItem collection | Get all accessReviewInstanceDecisionItems assigned to the calling user, for a specific accessReviewInstance. This method is being deprecated and replaced by filterByCurrentUser. |

Properties

| Property | Type | Description |
| --- | --- | --- |
| accessReviewId | String | The identifier of the accessReviewInstance parent. Supports $select. Read-only. |
| appliedBy | userIdentity | The identifier of the user who applied the decision. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't applied the decision or it was automatically applied. Read-only. |
| appliedDateTime | DateTimeOffset | The timestamp when the approval decision was applied. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only. |
| applyResult | String | The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only. |
| decision | String | Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only). |
| id | String | The identifier of the decision. Inherited from entity. Supports $select. Read-only. |
| justification | String | Justification left by the reviewer when they made the decision. |
| target | accessReviewInstanceDecisionItemTarget | The target of this specific decision. Decision targets can be of different types, each one with its own specific properties. See accessReviewInstanceDecisionItemTarget. Read-only. This property has been replaced by the principal and resource properties in v1.0. |
| principal | identity | Every decision item in an access review represents a principal's access to a resource. This property represents details of the principal. For example, if a decision item represents access of User "Bob" to Group "Sales", the principal is "Bob" and the resource is "Sales". Principals can be of two types: userIdentity and servicePrincipalIdentity. Supports $select. Read-only. |
| principalLink | String | Link to the principal object. For example: https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only. |
| recommendation | String | A system-generated recommendation for the approval decision, based on the last interactive sign-in to the tenant. Recommends approve if the sign-in is within thirty days of the start of the review. Recommends deny if the sign-in is more than thirty days from the start of the review. Otherwise, no recommendation is available. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only. |
| resource | accessReviewInstanceDecisionItemResource | Every decision item in an access review represents a principal's access to a resource. This property represents details of the resource. For example, if a decision item represents access of User "Bob" to Group "Sales", the principal is "Bob" and the resource is "Sales". Resources can be of multiple types. See accessReviewInstanceDecisionItemResource. Read-only. |
| resourceLink | String | A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only. |
| reviewedBy | userIdentity | The identifier of the reviewer. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't reviewed. Supports $select. Read-only. |
| reviewedDateTime | DateTimeOffset | The timestamp when the review decision occurred. Supports $select. Read-only. |
| principalResourceMembership | decisionItemPrincipalResourceMembership | Every decision item in an access review represents a principal's membership to a resource. This property provides the details of the membership. For example, whether the principal has direct access or indirect access to the resource. Supports $select. Read-only. |

Relationships

| Relationship | Type | Description |
| --- | --- | --- |
| instance | accessReviewInstance | There is exactly one accessReviewInstance associated with each decision. The instance is the parent of the decision item, representing the recurrence of the access review the decision is made on. |
| insights | governanceInsight collection | Insights are recommendations to reviewers on whether to approve or deny a decision. There can be multiple insights associated with an accessReviewInstanceDecisionItem. |

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItem",
  "id": "String (identifier)",
  "accessReviewId": "String",
  "reviewedBy": {
    "@odata.type": "microsoft.graph.userIdentity"
  },
  "reviewedDateTime": "String (timestamp)",
  "decision": "String",
  "justification": "String",
  "appliedBy": {
    "@odata.type": "microsoft.graph.userIdentity"
  },
  "appliedDateTime": "String (timestamp)",
  "applyResult": "String",
  "recommendation": "String",
  "target": {
    "@odata.type": "microsoft.graph.accessReviewInstanceDecisionItemTarget"
  },
  "principal": {
    "@odata.type": "microsoft.graph.identity"
  },
  "principalLink": "String",
  "resource": {
    "@odata.type": "microsoft.graph.accessReviewInstanceDecisionItemResource"
  },
  "principalResourceMembership": {
    "@odata.type": "microsoft.graph.decisionItemPrincipalResourceMembership"
  },
  "resourceLink": "String"
}
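
An added example (not part of the original reference and not Microsoft's code): a Python audit pass over decision items that uses the decision, recommendation, justification, reviewedBy, principal and applyResult properties to flag unreviewed items, self-reviews, approvals that override a Deny recommendation, and denials that were not enforced. The sample items are constructed; the `id` sub-property of `reviewedBy` and `principal`, the finding names, and the choice to treat `AppliedWithUnknownFailure` and `ApplyNotSupported` as unenforced are assumptions of this example.

```python
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"  # per the page: reviewer has not reviewed
# Policy choice of this example: applyResult values that mean a Deny was not enforced.
NOT_ENFORCED = {"AppliedWithUnknownFailure", "ApplyNotSupported"}

def _item(id_, principal, reviewer, decision, rec, apply_result, why=""):
    """Build a constructed decision item using the property names from the table."""
    return {"id": id_, "principal": {"id": principal}, "reviewedBy": {"id": reviewer},
            "decision": decision, "recommendation": rec,
            "applyResult": apply_result, "justification": why}

# Constructed sample data, not taken from any tenant.
SAMPLE_ITEMS = [
    _item("d1", "p-1", "r-1", "Approve", "Deny", "AppliedSuccessfully"),
    _item("d2", "p-2", EMPTY_GUID, "NotReviewed", "NoInfoAvailable", "New"),
    _item("d3", "p-3", "p-3", "Approve", "Approve", "AppliedSuccessfully", "still needed"),
    _item("d4", "p-4", "r-1", "Deny", "Deny", "AppliedWithUnknownFailure", "left team"),
    _item("d5", "p-5", "r-1", "Approve", "Approve", "AppliedSuccessfully", "active user"),
]

def audit_decision(item):
    """Return the list of findings for one decision item (empty list = clean)."""
    findings = []
    reviewer = (item.get("reviewedBy") or {}).get("id") or EMPTY_GUID
    principal = (item.get("principal") or {}).get("id")
    decision = item.get("decision")
    if reviewer == EMPTY_GUID or decision == "NotReviewed":
        findings.append("unreviewed")
    else:
        if reviewer == principal:  # the principal judged their own access
            findings.append("self-review")
        if decision == "Approve" and item.get("recommendation") == "Deny":
            findings.append("approved-against-recommendation")
            if not (item.get("justification") or "").strip():
                findings.append("override-without-justification")
    if decision == "Deny" and item.get("applyResult") in NOT_ENFORCED:
        findings.append("deny-not-enforced")
    return findings

def audit(items):
    """Map decision id -> findings, keeping only items that have at least one."""
    return {i["id"]: f for i in items if (f := audit_decision(i))}

if __name__ == "__main__":
    for decision_id, findings in audit(SAMPLE_ITEMS).items():
        print(decision_id, ", ".join(findings))
```
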