Azure AD access reviews
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.
You can use Azure AD access reviews to configure one-time or recurring access reviews for attestation of users' access rights.
Typical customer scenarios for access reviews of group memberships and application access are:
Customers can review and certify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
Customers can review and certify employee access to applications and group memberships with access reviews.
Customers can collect access review controls into programs that are relevant for their organization, to track reviews for compliance or risk-sensitive applications.
There is also a related capability for customers to review and certify the role assignments of administrative users who are assigned to Azure AD roles such as Global Administrator or Azure subscription roles. This capability is included in Azure AD Privileged Identity Management.
Note that the access reviews feature, including the API, is included in Azure AD Premium P2. The tenant where an access review is being created must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription. Prior to creating an access review, program or program control, an administrator must have previously onboarded in order to prepare the programControlType and businessFlowTemplate resources. The organization can onboard to Azure AD access reviews or, in the case of access reviews of Azure AD roles or Azure subscription roles, Azure AD PIM.
The following table lists the methods that you can use to interact with access review-related resources.

| Method | Return type | Description |
|---|---|---|
| Get accessReview | accessReview | Get an access review with a specific ID. |
| Create accessReview | accessReview | Create a new accessReview. |
| Delete accessReview | None. | Delete an accessReview. |
| Update accessReview | accessReview | Update an accessReview. |
| List accessReviews | accessReview collection | List accessReviews for a businessFlowTemplate. |
| List accessReview reviewers | userIdentity collection | Get the reviewers of an accessReview. |
| Add accessReview reviewer | None. | Add a reviewer to an accessReview. |
| Remove accessReview reviewer | None. | Remove a reviewer from an accessReview. |
| List accessReview decisions | accessReviewDecision collection | Get the decisions of an accessReview. |
| List my accessReview decisions | accessReviewDecision collection | As a reviewer, get my decisions of an accessReview. |
| Send accessReview reminder | None. | Send a reminder to the reviewers of an accessReview. |
| Stop accessReview | None. | Stop an accessReview. |
| Reset accessReview decisions | None. | Reset the decisions in an in-progress accessReview. |
| Apply accessReview decisions | None. | Apply the decisions from a completed accessReview. |
| List businessFlowTemplates | businessFlowTemplate collection | Get the business flow templates appropriate to access reviews. |
| Create program | program | Create a new program. |
| Delete program | None. | Delete a program. |
| List programs | program collection | Get a collection of all the programs. |
| List programControls of a program | programControl collection | Get a collection of the controls of a program. |
| Update program | program | Update a program. |
| Create programControl | programControl | Add a programControl to a program. |
| Delete programControl | None. | Remove a programControl from a program. |
| List programControls | programControl collection | List controls across all programs in the tenant. |
| List programControlTypes | programControlType collection | List program control types. |
Role and application permission authorization checks
The following directory roles are required for a calling user to manage access reviews, programs, and controls.
| Target resource | Operation | Application permissions | Required directory role of the calling user |
|---|---|---|---|
| accessReview of an Azure AD role | Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator |
| accessReview of an Azure AD role | Create, Update or Delete | AccessReview.ReadWrite.All | Global Administrator or Privileged Role Administrator |
| accessReview of a group or app | Read | AccessReview.Read.All, AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or User Administrator |
| accessReview of a group or app | Create, Update or Delete | AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All | Global Administrator or User Administrator |
| program and programControl | Read | ProgramControl.Read.All or ProgramControl.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or User Administrator |
| program and programControl | Create, Update or Delete | ProgramControl.ReadWrite.All | Global Administrator or User Administrator |
In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
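The permission and role table above is easiest to apply consistently if it is treated as data. The following Python is an added example, not Microsoft's code or part of the Graph SDK: it encodes the table rows exactly as listed on this page and uses them to (1) pick the least-privileged application permission for a planned call, (2) check whether a caller is authorized, and (3) flag permissions granted to an app registration that are broader than what its planned calls need. The function names, the `"decide"` operation used for the reviewer case in the last sentence, and the reading that an app-only call needs one of the listed application permissions while a delegated call needs both a listed permission and a listed directory role are assumptions made for this example; the page itself only lists the two columns.

```python
"""Least-privilege helper for the Azure AD access reviews API (added example).

The resource names, operations, application permissions and directory roles
below are copied from the authorization table on this page. Everything else
(function names, the "decide" operation, the app-only/delegated split) is an
assumption made for this example.
"""

WRITE_OPS = {"create", "update", "delete"}

# Ordered from least to most privileged; the first permission in this list
# that a row accepts is the least-privileged choice for that row.
PERMISSION_RANK = [
    "AccessReview.Read.All",
    "AccessReview.ReadWrite.Membership",
    "AccessReview.ReadWrite.All",
    "ProgramControl.Read.All",
    "ProgramControl.ReadWrite.All",
]

# (target resource, operation class) -> (accepted app permissions, accepted directory roles)
AUTHZ_MATRIX = {
    ("accessReview of an Azure AD role", "read"): (
        {"AccessReview.Read.All", "AccessReview.ReadWrite.All"},
        {"Global Administrator", "Security Administrator", "Security Reader",
         "Privileged Role Administrator"},
    ),
    ("accessReview of an Azure AD role", "write"): (
        {"AccessReview.ReadWrite.All"},
        {"Global Administrator", "Privileged Role Administrator"},
    ),
    ("accessReview of a group or app", "read"): (
        {"AccessReview.Read.All", "AccessReview.ReadWrite.Membership",
         "AccessReview.ReadWrite.All"},
        {"Global Administrator", "Security Administrator", "Security Reader",
         "User Administrator"},
    ),
    ("accessReview of a group or app", "write"): (
        {"AccessReview.ReadWrite.Membership", "AccessReview.ReadWrite.All"},
        {"Global Administrator", "User Administrator"},
    ),
    ("program and programControl", "read"): (
        {"ProgramControl.Read.All", "ProgramControl.ReadWrite.All"},
        {"Global Administrator", "Security Administrator", "Security Reader",
         "User Administrator"},
    ),
    ("program and programControl", "write"): (
        {"ProgramControl.ReadWrite.All"},
        {"Global Administrator", "User Administrator"},
    ),
}


def classify(operation: str) -> str:
    """Map the page's operation names to a table row class.

    "Create", "Update" and "Delete" share one row, so they collapse to "write".
    "decide" (a name chosen for this example) stands for a reviewer managing
    their own decisions, which the page says needs no directory role.
    """
    op = operation.lower()
    if op == "read":
        return "read"
    if op in WRITE_OPS:
        return "write"
    if op == "decide":
        return "decide"
    raise ValueError(f"unknown operation: {operation}")


def least_privileged_permission(resource: str, operation: str) -> str:
    """Return the narrowest application permission the table accepts for this call."""
    op_class = classify(operation)
    if op_class == "decide":
        raise ValueError("reviewer decisions are made by the assigned reviewer, "
                         "not through an application permission listed on this page")
    perms, _ = AUTHZ_MATRIX[(resource, op_class)]
    return next(p for p in PERMISSION_RANK if p in perms)


def is_authorized(resource: str, operation: str, app_permissions,
                  user_roles=None, is_assigned_reviewer: bool = False) -> bool:
    """Decide whether a caller may perform the operation.

    user_roles=None models an app-only call (only the permission is checked);
    a set of roles models a delegated call (permission and role both checked).
    """
    op_class = classify(operation)
    if op_class == "decide":
        return is_assigned_reviewer
    perms, roles = AUTHZ_MATRIX[(resource, op_class)]
    if not perms & set(app_permissions):
        return False
    if user_roles is None:
        return True
    return bool(roles & set(user_roles))


def covers(broad: str, narrow: str) -> bool:
    """True if every table row that accepts `narrow` also accepts `broad`."""
    return all(broad in perms for perms, _ in AUTHZ_MATRIX.values() if narrow in perms)


def minimal_permission_set(planned_calls) -> set:
    """Smallest set of permissions covering every planned (resource, operation) call."""
    needed = {least_privileged_permission(r, o) for r, o in planned_calls}
    return {p for p in needed if not any(q != p and covers(q, p) for q in needed)}


def broader_than_needed(granted, planned_calls) -> set:
    """Granted permissions that are not in the minimal set: candidates to narrow."""
    return set(granted) - minimal_permission_set(planned_calls)


if __name__ == "__main__":
    # Constructed scenario: a script that only edits group/app reviews but was
    # granted the tenant-wide read/write permission.
    plan = [("accessReview of a group or app", "Update")]
    print("least privileged:", least_privileged_permission(*plan[0]))
    print("broader than needed:", broader_than_needed({"AccessReview.ReadWrite.All"}, plan))
```

The `covers` relation is derived from the table rather than hard-coded, so the helper stays correct as long as `AUTHZ_MATRIX` matches the published table; when the page changes, update the matrix and the derived answers follow.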