Revisión del acceso de invitado a grupos mediante las API de revisiones de acceso
Artículo
03/27/2024
8 colaboradores
Comentarios
En este artículo
La API de revisiones de acceso de Microsoft Graph permite a las organizaciones auditar y dar fe del acceso que las identidades (también denominadas entidades de seguridad ) se asignan a los recursos de la organización. Con la colaboración B2B, puede usar grupos de Microsoft 365 para administrar de forma eficaz el acceso de los invitados a recursos como archivos, notas, calendarios e incluso conversaciones de Teams. Y mediante la API de revisiones de acceso, las organizaciones pueden atestiguar periódicamente las entidades de seguridad que tienen acceso a dichos grupos y, por extensión, a otros recursos de la organización.
En este tutorial, aprenderá a:
Cree una revisión de acceso periódica de grupos de Microsoft 365 con invitados.
Investigue las decisiones que se aplican a las revisiones de acceso.
Requisitos previos
Para completar este tutorial, necesita los siguientes recursos y privilegios:
Un inquilino de Microsoft Entra en funcionamiento con una licencia Microsoft Entra ID P2 o Gobierno de Microsoft Entra ID habilitada.
Un invitado de prueba y un grupo de Microsoft 365 de prueba en el inquilino. El invitado debe ser miembro del grupo de Microsoft 365.
Inicie sesión en un cliente de API, como Graph Explorer , para llamar a Microsoft Graph con una cuenta que tenga al menos el rol Administrador de gobernanza de identidades .
Concédese los siguientes permisos delegados: AccessReview.ReadWrite.All.
Paso 1: Crear una revisión de acceso para todos los grupos de Microsoft 365 con invitados
La siguiente serie de revisión de acceso usa la siguiente configuración:
Es una revisión de acceso periódica y se revisa trimestralmente.
Los propietarios del grupo son los responsables de la toma de decisiones.
El ámbito de revisión solo se limita a los grupos de Microsoft 365 con invitados.
Define a un usuario como el revisor de reserva que puede revisar el acceso en caso de que el grupo no tenga ningún propietario asignado.
autoApplyDecisionsEnabled está establecido en true. En este caso, las decisiones se aplican automáticamente una vez que el revisor completa la revisión de acceso o finaliza la duración de la revisión de acceso. Si no está habilitado, un usuario debe aplicar las decisiones manualmente una vez completada la revisión.applyActions se establece en removeAccessApplyAction. Esta acción quita los invitados denegados del grupo. El invitado todavía puede iniciar sesión en el inquilino, pero no será miembro del grupo ni tendrá los privilegios de acceso que se conceden a través del grupo.
Solicitud
En esta llamada, reemplace los valores siguientes:
c9a5aff7-9298-4d71-adab-0a222e0a05e4 con el identificador del revisor de reserva.Valor de startDate con la fecha de hoy y el valor de endDate con una fecha de un año a partir de la fecha de inicio.
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
Content-type: application/json
{
"displayName": "Guest access to marketing group",
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph"
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessReviewScheduleDefinition
{
DisplayName = "Guest access to marketing group",
Scope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
QueryType = "MicrosoftGraph",
},
InstanceEnumerationScope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
Reviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "./owners",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
},
FallbackReviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
QueryType = "MicrosoftGraph",
},
},
Settings = new AccessReviewScheduleSettings
{
MailNotificationsEnabled = true,
ReminderNotificationsEnabled = true,
JustificationRequiredOnApproval = true,
DefaultDecisionEnabled = true,
DefaultDecision = "Deny",
InstanceDurationInDays = 3,
AutoApplyDecisionsEnabled = true,
RecommendationsEnabled = true,
RecommendationLookBackDuration = TimeSpan.Parse("P30D"),
DecisionHistoriesForReviewersEnabled = false,
Recurrence = new PatternedRecurrence
{
Pattern = new RecurrencePattern
{
Type = RecurrencePatternType.AbsoluteMonthly,
Interval = 3,
Month = 0,
DayOfMonth = 0,
DaysOfWeek = new List<DayOfWeekObject>
{
},
FirstDayOfWeek = DayOfWeekObject.Sunday,
Index = WeekIndex.First,
},
Range = new RecurrenceRange
{
Type = RecurrenceRangeType.EndDate,
NumberOfOccurrences = 0,
RecurrenceTimeZone = null,
StartDate = new Date(DateTime.Parse("2024-03-21")),
EndDate = new Date(DateTime.Parse("2025-03-21")),
},
},
ApplyActions = new List<AccessReviewApplyAction>
{
new RemoveAccessApplyAction
{
OdataType = "#microsoft.graph.removeAccessApplyAction",
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions.PostAsync(requestBody);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions create --body '{\
"displayName": "Guest access to marketing group",\
"scope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",\
"queryType": "MicrosoftGraph"\
},\
"instanceEnumerationScope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
},\
"reviewers": [\
{\
"query": "./owners",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
}\
],\
"fallbackReviewers": [\
{\
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",\
"queryType": "MicrosoftGraph"\
}\
],\
"settings": {\
"mailNotificationsEnabled": true,\
"reminderNotificationsEnabled": true,\
"justificationRequiredOnApproval": true,\
"defaultDecisionEnabled": true,\
"defaultDecision": "Deny",\
"instanceDurationInDays": 3,\
"autoApplyDecisionsEnabled": true,\
"recommendationsEnabled": true,\
"recommendationLookBackDuration": "P30D",\
"decisionHistoriesForReviewersEnabled": false,\
"recurrence": {\
"pattern": {\
"type": "absoluteMonthly",\
"interval": 3,\
"month": 0,\
"dayOfMonth": 0,\
"daysOfWeek": [],\
"firstDayOfWeek": "sunday",\
"index": "first"\
},\
"range": {\
"type": "endDate",\
"numberOfOccurrences": 0,\
"recurrenceTimeZone": null,\
"startDate": "2024-03-21",\
"endDate": "2025-03-21"\
}\
},\
"applyActions": [\
{\
"@odata.type": "#microsoft.graph.removeAccessApplyAction"\
}\
]\
}\
}\
'
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewAccessReviewScheduleDefinition()
displayName := "Guest access to marketing group"
requestBody.SetDisplayName(&displayName)
scope := graphmodels.NewAccessReviewQueryScope()
query := "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
scope.SetQuery(&query)
queryType := "MicrosoftGraph"
scope.SetQueryType(&queryType)
requestBody.SetScope(scope)
instanceEnumerationScope := graphmodels.NewAccessReviewQueryScope()
query := "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
instanceEnumerationScope.SetQuery(&query)
queryType := "MicrosoftGraph"
instanceEnumerationScope.SetQueryType(&queryType)
queryRoot := null
instanceEnumerationScope.SetQueryRoot(&queryRoot)
requestBody.SetInstanceEnumerationScope(instanceEnumerationScope)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "./owners"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
queryRoot := null
accessReviewReviewerScope.SetQueryRoot(&queryRoot)
reviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetReviewers(reviewers)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
fallbackReviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetFallbackReviewers(fallbackReviewers)
settings := graphmodels.NewAccessReviewScheduleSettings()
mailNotificationsEnabled := true
settings.SetMailNotificationsEnabled(&mailNotificationsEnabled)
reminderNotificationsEnabled := true
settings.SetReminderNotificationsEnabled(&reminderNotificationsEnabled)
justificationRequiredOnApproval := true
settings.SetJustificationRequiredOnApproval(&justificationRequiredOnApproval)
defaultDecisionEnabled := true
settings.SetDefaultDecisionEnabled(&defaultDecisionEnabled)
defaultDecision := "Deny"
settings.SetDefaultDecision(&defaultDecision)
instanceDurationInDays := int32(3)
settings.SetInstanceDurationInDays(&instanceDurationInDays)
autoApplyDecisionsEnabled := true
settings.SetAutoApplyDecisionsEnabled(&autoApplyDecisionsEnabled)
recommendationsEnabled := true
settings.SetRecommendationsEnabled(&recommendationsEnabled)
recommendationLookBackDuration , err := abstractions.ParseISODuration("P30D")
settings.SetRecommendationLookBackDuration(&recommendationLookBackDuration)
decisionHistoriesForReviewersEnabled := false
settings.SetDecisionHistoriesForReviewersEnabled(&decisionHistoriesForReviewersEnabled)
recurrence := graphmodels.NewPatternedRecurrence()
pattern := graphmodels.NewRecurrencePattern()
type := graphmodels.ABSOLUTEMONTHLY_RECURRENCEPATTERNTYPE
pattern.SetType(&type)
interval := int32(3)
pattern.SetInterval(&interval)
month := int32(0)
pattern.SetMonth(&month)
dayOfMonth := int32(0)
pattern.SetDayOfMonth(&dayOfMonth)
daysOfWeek := []graphmodels.DayOfWeekable {
}
pattern.SetDaysOfWeek(daysOfWeek)
firstDayOfWeek := graphmodels.SUNDAY_DAYOFWEEK
pattern.SetFirstDayOfWeek(&firstDayOfWeek)
index := graphmodels.FIRST_WEEKINDEX
pattern.SetIndex(&index)
recurrence.SetPattern(pattern)
range := graphmodels.NewRecurrenceRange()
type := graphmodels.ENDDATE_RECURRENCERANGETYPE
range.SetType(&type)
numberOfOccurrences := int32(0)
range.SetNumberOfOccurrences(&numberOfOccurrences)
recurrenceTimeZone := null
range.SetRecurrenceTimeZone(&recurrenceTimeZone)
startDate := 2024-03-21
range.SetStartDate(&startDate)
endDate := 2025-03-21
range.SetEndDate(&endDate)
recurrence.SetRange(range)
settings.SetRecurrence(recurrence)
accessReviewApplyAction := graphmodels.NewRemoveAccessApplyAction()
applyActions := []graphmodels.AccessReviewApplyActionable {
accessReviewApplyAction,
}
settings.SetApplyActions(applyActions)
requestBody.SetSettings(settings)
definitions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().Post(context.Background(), requestBody, nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewScheduleDefinition accessReviewScheduleDefinition = new AccessReviewScheduleDefinition();
accessReviewScheduleDefinition.setDisplayName("Guest access to marketing group");
AccessReviewQueryScope scope = new AccessReviewQueryScope();
scope.setOdataType("#microsoft.graph.accessReviewQueryScope");
scope.setQuery("./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')");
scope.setQueryType("MicrosoftGraph");
accessReviewScheduleDefinition.setScope(scope);
AccessReviewQueryScope instanceEnumerationScope = new AccessReviewQueryScope();
instanceEnumerationScope.setOdataType("#microsoft.graph.accessReviewQueryScope");
instanceEnumerationScope.setQuery("/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true");
instanceEnumerationScope.setQueryType("MicrosoftGraph");
instanceEnumerationScope.setQueryRoot(null);
accessReviewScheduleDefinition.setInstanceEnumerationScope(instanceEnumerationScope);
LinkedList<AccessReviewReviewerScope> reviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope = new AccessReviewReviewerScope();
accessReviewReviewerScope.setQuery("./owners");
accessReviewReviewerScope.setQueryType("MicrosoftGraph");
accessReviewReviewerScope.setQueryRoot(null);
reviewers.add(accessReviewReviewerScope);
accessReviewScheduleDefinition.setReviewers(reviewers);
LinkedList<AccessReviewReviewerScope> fallbackReviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope1 = new AccessReviewReviewerScope();
accessReviewReviewerScope1.setQuery("/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4");
accessReviewReviewerScope1.setQueryType("MicrosoftGraph");
fallbackReviewers.add(accessReviewReviewerScope1);
accessReviewScheduleDefinition.setFallbackReviewers(fallbackReviewers);
AccessReviewScheduleSettings settings = new AccessReviewScheduleSettings();
settings.setMailNotificationsEnabled(true);
settings.setReminderNotificationsEnabled(true);
settings.setJustificationRequiredOnApproval(true);
settings.setDefaultDecisionEnabled(true);
settings.setDefaultDecision("Deny");
settings.setInstanceDurationInDays(3);
settings.setAutoApplyDecisionsEnabled(true);
settings.setRecommendationsEnabled(true);
PeriodAndDuration recommendationLookBackDuration = PeriodAndDuration.ofDuration(Duration.parse("P30D"));
settings.setRecommendationLookBackDuration(recommendationLookBackDuration);
settings.setDecisionHistoriesForReviewersEnabled(false);
PatternedRecurrence recurrence = new PatternedRecurrence();
RecurrencePattern pattern = new RecurrencePattern();
pattern.setType(RecurrencePatternType.AbsoluteMonthly);
pattern.setInterval(3);
pattern.setMonth(0);
pattern.setDayOfMonth(0);
LinkedList<DayOfWeek> daysOfWeek = new LinkedList<DayOfWeek>();
pattern.setDaysOfWeek(daysOfWeek);
pattern.setFirstDayOfWeek(DayOfWeek.Sunday);
pattern.setIndex(WeekIndex.First);
recurrence.setPattern(pattern);
RecurrenceRange range = new RecurrenceRange();
range.setType(RecurrenceRangeType.EndDate);
range.setNumberOfOccurrences(0);
range.setRecurrenceTimeZone(null);
LocalDate startDate = LocalDate.parse("2024-03-21");
range.setStartDate(startDate);
LocalDate endDate = LocalDate.parse("2025-03-21");
range.setEndDate(endDate);
recurrence.setRange(range);
settings.setRecurrence(recurrence);
LinkedList<AccessReviewApplyAction> applyActions = new LinkedList<AccessReviewApplyAction>();
RemoveAccessApplyAction accessReviewApplyAction = new RemoveAccessApplyAction();
accessReviewApplyAction.setOdataType("#microsoft.graph.removeAccessApplyAction");
applyActions.add(accessReviewApplyAction);
settings.setApplyActions(applyActions);
accessReviewScheduleDefinition.setSettings(settings);
AccessReviewScheduleDefinition result = graphClient.identityGovernance().accessReviews().definitions().post(accessReviewScheduleDefinition);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
const accessReviewScheduleDefinition = {
displayName: 'Guest access to marketing group',
scope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: './members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')',
queryType: 'MicrosoftGraph'
},
instanceEnumerationScope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: '/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true',
queryType: 'MicrosoftGraph',
queryRoot: null
},
reviewers: [
{
query: './owners',
queryType: 'MicrosoftGraph',
queryRoot: null
}
],
fallbackReviewers: [
{
query: '/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4',
queryType: 'MicrosoftGraph'
}
],
settings: {
mailNotificationsEnabled: true,
reminderNotificationsEnabled: true,
justificationRequiredOnApproval: true,
defaultDecisionEnabled: true,
defaultDecision: 'Deny',
instanceDurationInDays: 3,
autoApplyDecisionsEnabled: true,
recommendationsEnabled: true,
recommendationLookBackDuration: 'P30D',
decisionHistoriesForReviewersEnabled: false,
recurrence: {
pattern: {
type: 'absoluteMonthly',
interval: 3,
month: 0,
dayOfMonth: 0,
daysOfWeek: [],
firstDayOfWeek: 'sunday',
index: 'first'
},
range: {
type: 'endDate',
numberOfOccurrences: 0,
recurrenceTimeZone: null,
startDate: '2024-03-21',
endDate: '2025-03-21'
}
},
applyActions: [
{
'@odata.type': '#microsoft.graph.removeAccessApplyAction'
}
]
}
};
await client.api('/identityGovernance/accessReviews/definitions')
.post(accessReviewScheduleDefinition);
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleDefinition;
use Microsoft\Graph\Generated\Models\AccessReviewQueryScope;
use Microsoft\Graph\Generated\Models\AccessReviewReviewerScope;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleSettings;
use Microsoft\Graph\Generated\Models\PatternedRecurrence;
use Microsoft\Graph\Generated\Models\RecurrencePattern;
use Microsoft\Graph\Generated\Models\DayOfWeek;
use Microsoft\Graph\Generated\Models\RecurrenceRange;
use Microsoft\Graph\Generated\Models\AccessReviewApplyAction;
use Microsoft\Graph\Generated\Models\RemoveAccessApplyAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessReviewScheduleDefinition();
$requestBody->setDisplayName('Guest access to marketing group');
$scope = new AccessReviewQueryScope();
$scope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$scope->setQuery('./members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')');
$scope->setQueryType('MicrosoftGraph');
$requestBody->setScope($scope);
$instanceEnumerationScope = new AccessReviewQueryScope();
$instanceEnumerationScope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$instanceEnumerationScope->setQuery('/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true');
$instanceEnumerationScope->setQueryType('MicrosoftGraph');
$instanceEnumerationScope->setQueryRoot(null);
$requestBody->setInstanceEnumerationScope($instanceEnumerationScope);
$reviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$reviewersAccessReviewReviewerScope1->setQuery('./owners');
$reviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$reviewersAccessReviewReviewerScope1->setQueryRoot(null);
$reviewersArray []= $reviewersAccessReviewReviewerScope1;
$requestBody->setReviewers($reviewersArray);
$fallbackReviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$fallbackReviewersAccessReviewReviewerScope1->setQuery('/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4');
$fallbackReviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$fallbackReviewersArray []= $fallbackReviewersAccessReviewReviewerScope1;
$requestBody->setFallbackReviewers($fallbackReviewersArray);
$settings = new AccessReviewScheduleSettings();
$settings->setMailNotificationsEnabled(true);
$settings->setReminderNotificationsEnabled(true);
$settings->setJustificationRequiredOnApproval(true);
$settings->setDefaultDecisionEnabled(true);
$settings->setDefaultDecision('Deny');
$settings->setInstanceDurationInDays(3);
$settings->setAutoApplyDecisionsEnabled(true);
$settings->setRecommendationsEnabled(true);
$settings->setRecommendationLookBackDuration(new \DateInterval('P30D'));
$settings->setDecisionHistoriesForReviewersEnabled(false);
$settingsRecurrence = new PatternedRecurrence();
$settingsRecurrencePattern = new RecurrencePattern();
$settingsRecurrencePattern->setType(new RecurrencePatternType('absoluteMonthly'));
$settingsRecurrencePattern->setInterval(3);
$settingsRecurrencePattern->setMonth(0);
$settingsRecurrencePattern->setDayOfMonth(0);
$settingsRecurrencePattern->setDaysOfWeek([]);
$settingsRecurrencePattern->setFirstDayOfWeek(new DayOfWeek('sunday'));
$settingsRecurrencePattern->setIndex(new WeekIndex('first'));
$settingsRecurrence->setPattern($settingsRecurrencePattern);
$settingsRecurrenceRange = new RecurrenceRange();
$settingsRecurrenceRange->setType(new RecurrenceRangeType('endDate'));
$settingsRecurrenceRange->setNumberOfOccurrences(0);
$settingsRecurrenceRange->setRecurrenceTimeZone(null);
$settingsRecurrenceRange->setStartDate(new Date('2024-03-21'));
$settingsRecurrenceRange->setEndDate(new Date('2025-03-21'));
$settingsRecurrence->setRange($settingsRecurrenceRange);
$settings->setRecurrence($settingsRecurrence);
$applyActionsAccessReviewApplyAction1 = new RemoveAccessApplyAction();
$applyActionsAccessReviewApplyAction1->setOdataType('#microsoft.graph.removeAccessApplyAction');
$applyActionsArray []= $applyActionsAccessReviewApplyAction1;
$settings->setApplyActions($applyActionsArray);
$requestBody->setSettings($settings);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->post($requestBody)->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
displayName = "Guest access to marketing group"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
queryType = "MicrosoftGraph"
}
instanceEnumerationScope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
queryType = "MicrosoftGraph"
queryRoot = $null
}
reviewers = @(
@{
query = "./owners"
queryType = "MicrosoftGraph"
queryRoot = $null
}
)
fallbackReviewers = @(
@{
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
defaultDecisionEnabled = $true
defaultDecision = "Deny"
instanceDurationInDays = 3
autoApplyDecisionsEnabled = $true
recommendationsEnabled = $true
recommendationLookBackDuration = "P30D"
decisionHistoriesForReviewersEnabled = $false
recurrence = @{
pattern = @{
type = "absoluteMonthly"
interval = 3
month = 0
dayOfMonth = 0
daysOfWeek = @(
)
firstDayOfWeek = "sunday"
index = "first"
}
range = @{
type = "endDate"
numberOfOccurrences = 0
recurrenceTimeZone = $null
startDate = "2024-03-21"
endDate = "2025-03-21"
}
}
applyActions = @(
@{
"@odata.type" = "#microsoft.graph.removeAccessApplyAction"
}
)
}
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
from msgraph import GraphServiceClient
from msgraph.generated.models.access_review_schedule_definition import AccessReviewScheduleDefinition
from msgraph.generated.models.access_review_query_scope import AccessReviewQueryScope
from msgraph.generated.models.access_review_reviewer_scope import AccessReviewReviewerScope
from msgraph.generated.models.access_review_schedule_settings import AccessReviewScheduleSettings
from msgraph.generated.models.patterned_recurrence import PatternedRecurrence
from msgraph.generated.models.recurrence_pattern import RecurrencePattern
from msgraph.generated.models.day_of_week import DayOfWeek
from msgraph.generated.models.recurrence_range import RecurrenceRange
from msgraph.generated.models.access_review_apply_action import AccessReviewApplyAction
from msgraph.generated.models.remove_access_apply_action import RemoveAccessApplyAction
graph_client = GraphServiceClient(credentials, scopes)
request_body = AccessReviewScheduleDefinition(
display_name = "Guest access to marketing group",
scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
query_type = "MicrosoftGraph",
),
instance_enumeration_scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
query_type = "MicrosoftGraph",
query_root = None,
),
reviewers = [
AccessReviewReviewerScope(
query = "./owners",
query_type = "MicrosoftGraph",
query_root = None,
),
],
fallback_reviewers = [
AccessReviewReviewerScope(
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
query_type = "MicrosoftGraph",
),
],
settings = AccessReviewScheduleSettings(
mail_notifications_enabled = True,
reminder_notifications_enabled = True,
justification_required_on_approval = True,
default_decision_enabled = True,
default_decision = "Deny",
instance_duration_in_days = 3,
auto_apply_decisions_enabled = True,
recommendations_enabled = True,
recommendation_look_back_duration = "P30D",
decision_histories_for_reviewers_enabled = False,
recurrence = PatternedRecurrence(
pattern = RecurrencePattern(
type = RecurrencePatternType.AbsoluteMonthly,
interval = 3,
month = 0,
day_of_month = 0,
days_of_week = [
],
first_day_of_week = DayOfWeek.Sunday,
index = WeekIndex.First,
),
range = RecurrenceRange(
type = RecurrenceRangeType.EndDate,
number_of_occurrences = 0,
recurrence_time_zone = None,
start_date = "2024-03-21",
end_date = "2025-03-21",
),
),
apply_actions = [
RemoveAccessApplyAction(
odata_type = "#microsoft.graph.removeAccessApplyAction",
),
],
),
)
result = await graph_client.identity_governance.access_reviews.definitions.post(request_body)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions/$entity",
"id": "c22ae540-b89a-4d24-bac0-4ef35e6591ea",
"displayName": "Guest access to marketing group",
"createdDateTime": null,
"lastModifiedDateTime": null,
"status": "NotStarted",
"descriptionForAdmins": null,
"descriptionForReviewers": null,
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
],
"recommendationInsightSettings": []
},
"stageSettings": [],
"additionalNotificationRecipients": []
}
Paso 2: Enumerar instancias de la revisión de acceso
En la consulta siguiente se enumeran todas las instancias de la definición de revisión de acceso. Si hay más de un grupo de Microsoft 365 con invitados en el inquilino, esta solicitud devuelve una instancia para cada grupo de Microsoft 365 con invitados .
Solicitud
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances.GetAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
instances, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().Get(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().get();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->instances()->get()->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.get()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
En esta respuesta, el ámbito incluye el grupo de pruebas porque tiene un invitado. En esta respuesta, la instancia de revisión de acceso es actualmente InProgress. Dado que se trata de una revisión trimestral, se crea automáticamente una nueva instancia de revisión cada tres meses y los revisores pueden aplicar nuevas decisiones.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances",
"value": [
{
"id": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"startDateTime": "2024-03-21T17:00:36.96Z",
"endDateTime": "2024-03-24T17:00:36.96Z",
"status": "InProgress",
"scope": {
"query": "/groups/59ab642a-2776-4e32-9b68-9ff7a47b7f6a/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
}
}
]
}
Paso 3: Tomar decisiones
Obtenga las decisiones tomadas para la instancia de una revisión de acceso. En una revisión trimestral como esta, y siempre que la revisión de acceso siga activa:
Cada tres meses se crea una nueva instancia de revisión.
Los revisores deben aplicar nuevas decisiones para las nuevas instancias.
Solicitud
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances/6392b1a7-9c25-4844-83e5-34e23c88e16a/decisions
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances["{accessReviewInstance-id}"].Decisions.GetAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions instances decisions list --access-review-schedule-definition-id {accessReviewScheduleDefinition-id} --access-review-instance-id {accessReviewInstance-id}
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
decisions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().ByAccessReviewInstanceId("accessReviewInstance-id").Decisions().Get(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceDecisionItemCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().byAccessReviewInstanceId("{accessReviewInstance-id}").decisions().get();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
const options = {
authProvider,
};
const client = Client.init(options);
let decisions = await client.api('/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances/6392b1a7-9c25-4844-83e5-34e23c88e16a/decisions')
.get();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->instances()->byAccessReviewInstanceId('accessReviewInstance-id')->decisions()->get()->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Import-Module Microsoft.Graph.Identity.Governance
Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision -AccessReviewScheduleDefinitionId $accessReviewScheduleDefinitionId -AccessReviewInstanceId $accessReviewInstanceId
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.by_access_review_instance_id('accessReviewInstance-id').decisions.get()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Respuesta
En la siguiente respuesta se muestra la decisión adoptada para la instancia de la revisión.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances('6392b1a7-9c25-4844-83e5-34e23c88e16a')/decisions",
"@odata.count": 1,
"value": [
{
"id": "0e76ee07-b4c6-469e-bc9d-e73fc9a8d660",
"accessReviewId": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"reviewedDateTime": "2021-02-10T17:06:26.147Z",
"decision": "Approve",
"justification": "",
"appliedDateTime": null,
"applyResult": "New",
"recommendation": "Deny",
"reviewedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "AAD Access Reviews",
"userPrincipalName": "AAD Access Reviews"
},
"appliedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "",
"userPrincipalName": ""
},
"target": {
"@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
"userId": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"userDisplayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
},
"principal": {
"@odata.type": "#microsoft.graph.userIdentity",
"id": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"displayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
}
}
]
}
Paso 4: Limpieza de recursos
En este paso, eliminará la definición de revisión de acceso. Puesto que la definición de programación de revisión de acceso es el plano técnico para la revisión de acceso, al eliminar la definición se quitan las opciones de configuración, las instancias y las decisiones relacionadas. La solicitud devuelve una 204 No Content respuesta.
DELETE https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].DeleteAsync();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Delete(context.Background(), nil)
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").delete();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->delete()->wait();
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').delete()
Lea la documentación del SDK para obtener más información sobre cómo agregar el SDK al proyecto y crear una instancia de authProvider .
Contenido relacionado