Azure AD access reviews

Namespace: microsoft.graph

Use Azure AD access reviews to configure one-time or recurring access reviews for attestation of users' rights to access Azure AD resources. These Azure AD resources include groups, service principals, access packages, and privileged roles.

Typical customer scenarios for access reviews include:

  • Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
  • Customers can review and certify employee access to Azure AD resources.
  • Customers can review and audit assignments to Azure AD privileged roles. This supports organizations in the management of privileged access.

The access reviews feature, including the API, is available only with a valid purchase or trial license of Azure AD Premium P2 or EMS E5 subscription.

Methods

The following table lists the methods that you can use to interact with access review-related resources.

Schedule definitions

| Method | Return type | Description |
|---|---|---|
| List accessReviewScheduleDefinitions | accessReviewScheduleDefinition collection | Get a list of the accessReviewScheduleDefinition objects and their properties. |
| Create accessReviewScheduleDefinition | accessReviewScheduleDefinition | Create a new accessReviewScheduleDefinition object. |
| Get accessReviewScheduleDefinition | accessReviewScheduleDefinition | Read the properties and relationships of an accessReviewScheduleDefinition object. |
| Update accessReviewScheduleDefinition | accessReviewScheduleDefinition | Update the properties of an accessReviewScheduleDefinition object. |
| Delete accessReviewScheduleDefinition | None | Delete an accessReviewScheduleDefinition object. |
| filterByCurrentUser | accessReviewScheduleDefinition collection | Return all definitions for which the calling user is a reviewer of any instance. |

Instances

| Method | Return type | Description |
|---|---|---|
| List accessReviewInstances | accessReviewInstance collection | Get a list of the accessReviewInstance objects and their properties. |
| Get accessReviewInstance | accessReviewInstance | Read the properties and relationships of an accessReviewInstance object. |
| stop | None | Manually stop an accessReviewInstance. |
| sendReminder | None | Send a reminder to the reviewers of an accessReviewInstance. |
| resetDecisions | None | Reset all decision items on an instance to notReviewed. |
| applyDecisions | None | Manually apply the decisions on an accessReviewInstance. |
| acceptRecommendations | None | Allow the calling user to accept the decision recommendation for each NotReviewed accessReviewInstanceDecisionItem that they are the reviewer on, for a specific accessReviewInstance. |
| batchRecordDecisions | None | Review batches of principals or resources in one call. |
| filterByCurrentUser | accessReviewInstance collection | Return all instances of a definition for which the calling user is the reviewer. |

Instance decision items

| Method | Return type | Description |
|---|---|---|
| List accessReviewInstanceDecisionItems | accessReviewInstanceDecisionItem collection | Get a list of the accessReviewInstanceDecisionItem objects and their properties. |
| Get accessReviewInstanceDecisionItem | accessReviewInstanceDecisionItem | Read the properties and relationships of an accessReviewInstanceDecisionItem object. |
| Update accessReviewInstanceDecisionItem | accessReviewInstanceDecisionItem | Update the properties of an accessReviewInstanceDecisionItem object. |
| filterByCurrentUser | accessReviewInstanceDecisionItem collection | Return the decision items for which the calling user is the reviewer. |

Role and application permission authorization checks

The following Azure AD roles are required for a calling user to manage access reviews.

| Operation | Application permissions | Required directory role of the calling user |
|---|---|---|
| Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Administrator, Global Reader, Security Administrator, Security Reader, or User Administrator |
| Create, Update, or Delete | AccessReview.ReadWrite.All | Global Administrator or User Administrator |

In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
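The following Python block is an added example, not code from this Microsoft Graph documentation. It ties the two tables above together: a pre-flight check that mirrors the authorization table (including the exception for assigned reviewers recording their own decisions), and a small client that builds the requests behind three rows of the Methods table, namely Create accessReviewScheduleDefinition for the guest-membership scenario at the top of the page, filterByCurrentUser on definitions, and batchRecordDecisions. The endpoint path identityGovernance/accessReviews/definitions, the body property names (scope, reviewers, settings, recurrence, decision, justification, principalId) and the filterByCurrentUser(on='reviewer') syntax are taken from the Graph v1.0 reference rather than from this overview, so verify them against the linked method pages. Directory roles are compared by display name as a stand-in for the role-template ids a real token carries; all ids are constructed placeholders, and the transport is injected and only records requests, so the block runs offline.

```python
"""Build and pre-check access-review requests against Microsoft Graph."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed v1.0 collection path for accessReviewScheduleDefinition objects.
DEFINITIONS = f"{GRAPH}/identityGovernance/accessReviews/definitions"

# Requirements exactly as stated in the authorization table on this page.
REQUIRED_APP_PERMISSIONS: Dict[str, Set[str]] = {
    "read": {"AccessReview.Read.All", "AccessReview.ReadWrite.All"},
    "write": {"AccessReview.ReadWrite.All"},
}
REQUIRED_DIRECTORY_ROLES: Dict[str, Set[str]] = {
    "read": {"Global Administrator", "Global Reader", "Security Administrator",
             "Security Reader", "User Administrator"},
    "write": {"Global Administrator", "User Administrator"},
}


def authorized(operation: str, permissions: Set[str], roles: Set[str],
               is_assigned_reviewer: bool = False) -> bool:
    """Pre-flight check for a delegated caller: a listed permission is always
    needed; a listed directory role is needed unless the user is an assigned
    reviewer recording their own decisions (the exception the page notes)."""
    kind = "read" if operation == "read" else "write"
    has_permission = bool(permissions & REQUIRED_APP_PERMISSIONS[kind])
    if operation == "record_decision" and is_assigned_reviewer:
        return has_permission
    return has_permission and bool(roles & REQUIRED_DIRECTORY_ROLES[kind])


def guest_review_definition(group_id: str, start_date: str,
                            duration_days: int = 14) -> dict:
    """Body for a quarterly review of a group's guest members, reviewed by the
    group's owners. Property names assumed from the Graph schema."""
    return {
        "displayName": f"Quarterly guest access review ({group_id})",
        "descriptionForAdmins": "Certify that guest members still need this group.",
        "descriptionForReviewers": "Approve only guests who still need access.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": (f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/"
                      "?$filter=(userType eq 'Guest')"),
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners",
                       "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": True,
            # Fail closed: guests nobody reviewed lose access when the instance ends.
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 3},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


@dataclass
class Request:
    method: str
    url: str
    body: Optional[dict] = None


class AccessReviewClient:
    """Thin wrapper over three rows of the Methods table; `send` is an injected
    transport (an authenticated HTTP call in production)."""

    def __init__(self, send: Callable[[Request], dict]):
        self.send = send

    def create_definition(self, body: dict) -> dict:
        return self.send(Request("POST", DEFINITIONS, body))

    def definitions_where_i_review(self) -> dict:
        url = f"{DEFINITIONS}/filterByCurrentUser(on='reviewer')"
        return self.send(Request("GET", url))

    def batch_record(self, definition_id: str, instance_id: str, decision: str,
                     justification: str, principal_id: Optional[str] = None) -> dict:
        # One decision applied to the matching not-yet-reviewed items of an instance.
        body = {"decision": decision, "justification": justification}
        if principal_id:
            body["principalId"] = principal_id
        url = f"{DEFINITIONS}/{definition_id}/instances/{instance_id}/batchRecordDecisions"
        return self.send(Request("POST", url, body))


def demo() -> List[Request]:
    """Run the client against a recording transport with constructed placeholder ids."""
    sent: List[Request] = []

    def record(req: Request) -> dict:
        sent.append(req)
        return {}  # response bodies are not needed for this demonstration

    client = AccessReviewClient(record)
    client.create_definition(guest_review_definition("group-guid-placeholder", "2024-01-01"))
    client.definitions_where_i_review()
    client.batch_record("def-guid-placeholder", "inst-guid-placeholder",
                        "Deny", "Contract ended", principal_id="guest-guid-placeholder")
    return sent


if __name__ == "__main__":
    for req in demo():
        print(req.method, req.url)
        if req.body:
            print(json.dumps(req.body, indent=2))
```

Run it to print the three requests. The default decision of Deny with autoApplyDecisionsEnabled is the setting an auditor will ask about: it makes an unanswered review remove access rather than silently preserve it.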

See also