Azure AD access reviews

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

You can use Azure AD access reviews to configure one-time or recurring access reviews for attestation of users' access rights.

Typical customer scenarios for access reviews of group memberships and application access are:

  • Customers can review and certify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.

  • Customers can review and certify employee access to applications and group memberships with access reviews.

  • Customers can collect access review controls into programs that are relevant to their organization, to track reviews for compliance or risk-sensitive applications.

There is also a related capability for customers to review and certify the role assignments of administrative users who are assigned to Azure AD roles such as Global Administrator or Azure subscription roles. This capability is included in Azure AD Privileged Identity Management.

Note that the access reviews feature, including the API, is included in Azure AD Premium P2. The tenant where an access review is being created must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription. Prior to creating an access review, program or program control, an administrator must have previously onboarded in order to prepare the programControlType and businessFlowTemplate resources. The organization can onboard to Azure AD access reviews or, in the case of access reviews of Azure AD roles or Azure subscription roles, Azure AD PIM.

Methods

The following table lists the methods that you can use to interact with access review-related resources.

| Method | Return type | Description |
|---|---|---|
| Get accessReview | accessReview | Get an access review with a specific ID. |
| Create accessReview | accessReview | Create a new accessReview. |
| Delete accessReview | None. | Delete an accessReview. |
| Update accessReview | accessReview | Update an accessReview. |
| List accessReviews | accessReview collection | List accessReviews for a businessFlowTemplate. |
| List accessReview reviewers | userIdentity collection | Get the reviewers of an accessReview. |
| Add accessReview reviewer | None. | Add a reviewer to an accessReview. |
| Remove accessReview reviewer | None. | Remove a reviewer from an accessReview. |
| List accessReview decisions | accessReviewDecision collection | Get the decisions of an accessReview. |
| List my accessReview decisions | accessReviewDecision collection | As a reviewer, get my decisions of an accessReview. |
| Send accessReview reminder | None. | Send a reminder to the reviewers of an accessReview. |
| Stop accessReview | None. | Stop an accessReview. |
| Reset accessReview decisions | None. | Reset the decisions in an in-progress accessReview. |
| Apply accessReview decisions | None. | Apply the decisions from a completed accessReview. |
| List businessFlowTemplates | businessFlowTemplate collection | Get the business flow templates appropriate to access reviews. |
| Create program | program | Create a new program. |
| Delete program | None. | Delete a program. |
| List programs | program collection | Get a collection of all the programs. |
| List programControls of a program | programControl collection | Get a collection of the controls of a program. |
| Update program | program | Update a program. |
| Create programControl | programControl | Add a programControl to a program. |
| Delete programControl | None. | Remove a programControl from a program. |
| List programControls | programControl collection | List controls across all programs in the tenant. |
| List programControlTypes | programControlType collection | List program control types. |

Role and application permission authorization checks

The following directory roles are required for a calling user to manage access reviews, programs, and controls.

| Target resource | Operation | Application permissions | Required directory role of the calling user |
|---|---|---|---|
| accessReview of an Azure AD role | Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator |
| accessReview of an Azure AD role | Create, Update or Delete | AccessReview.ReadWrite.All | Global Administrator or Privileged Role Administrator |
| accessReview of a group or app | Read | AccessReview.Read.All, AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or User Administrator |
| accessReview of a group or app | Create, Update or Delete | AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All | Global Administrator or User Administrator |
| program and programControl | Read | ProgramControl.Read.All or ProgramControl.ReadWrite.All | Global Administrator, Security Administrator, Security Reader or User Administrator |
| program and programControl | Create, Update or Delete | ProgramControl.ReadWrite.All | Global Administrator or User Administrator |

In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
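As an added illustration (not Microsoft's code), the following Python encodes the authorization table above together with the reviewer exception, and picks the least-privileged application permission that covers a planned set of operations; the short target keys and the rule that a call needs both a listed app permission and a listed directory role are assumptions of this example.

```python
# Authorization matrix for access review operations, transcribed from the
# permission table on this page. Target keys are this example's own shorthand.
GA, SA, SR, PRA, UA = ("Global Administrator", "Security Administrator",
                       "Security Reader", "Privileged Role Administrator",
                       "User Administrator")
AR_R, AR_RWM, AR_RW = ("AccessReview.Read.All", "AccessReview.ReadWrite.Membership",
                       "AccessReview.ReadWrite.All")
PC_R, PC_RW = "ProgramControl.Read.All", "ProgramControl.ReadWrite.All"

# (target, operation) -> (acceptable app permissions, acceptable directory roles)
MATRIX = {
    ("role-review", "read"):       ({AR_R, AR_RW},          {GA, SA, SR, PRA}),
    ("role-review", "write"):      ({AR_RW},                {GA, PRA}),
    ("group-app-review", "read"):  ({AR_R, AR_RWM, AR_RW},  {GA, SA, SR, UA}),
    ("group-app-review", "write"): ({AR_RWM, AR_RW},        {GA, UA}),
    ("program", "read"):           ({PC_R, PC_RW},          {GA, SA, SR, UA}),
    ("program", "write"):          ({PC_RW},                {GA, UA}),
}

# Least to most privileged within each permission family (assumed ordering).
PRIVILEGE_ORDER = [AR_R, AR_RWM, AR_RW, PC_R, PC_RW]


def is_authorized(target, operation, app_permissions, user_roles, is_reviewer=False):
    """Assumption: the app must hold a listed permission AND the calling user a
    listed role. Per the note above, an assigned reviewer may manage their own
    decisions without holding any directory role."""
    if operation == "manage-own-decisions":
        return is_reviewer
    perms, roles = MATRIX[(target, operation)]
    return bool(perms & set(app_permissions)) and bool(roles & set(user_roles))


def least_privilege(needs):
    """Return the least-privileged permission per family that covers every
    (target, operation) in `needs`, so an app is not granted ReadWrite.All
    when ReadWrite.Membership or Read.All would do."""
    chosen = []
    for family in ("AccessReview", "ProgramControl"):
        candidates = [p for p in PRIVILEGE_ORDER if p.startswith(family)]
        family_needs = [n for n in needs if MATRIX[n][0] & set(candidates)]
        if not family_needs:
            continue
        for perm in candidates:  # least privileged first
            if all(perm in MATRIX[n][0] for n in family_needs):
                chosen.append(perm)
                break
    return chosen
```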

See also