Overview of the access reviews API

The access reviews API in Microsoft Graph allows you to programmatically review access to Azure AD resources. This includes:

  • Creating, reading, updating, and deleting access reviews, access review settings, and schedules.
  • Investigating past access reviews and the decisions taken by reviewers, including the steps Azure AD took automatically.

Scope of use

The access reviews APIs support both delegated and application contexts. In a user (delegated) context, an application calls the access reviews API on behalf of a signed-in user. Typical scenarios include:

  • An administrator using a script to create, read, or update an access review.
  • A resource owner using an app or a script to create an access review for a resource they own.
  • An administrator automatically collecting all decisions for one or more access reviews.

To authorize your app in a user (delegated) context, see get access on behalf of a user.

In an application context, an application calls the access reviews API without a signed-in user present. A typical scenario is a scheduled background script that regularly collects the decisions for all access reviews. To authorize your app in this context, see get access without a user.

Building blocks of an access review

Access reviews are structured logically and consist of these building blocks:

  • Access review schedule definitions - The logical blueprint that contains the settings of an access review and its instances.
  • Access review instance - Represents a review activity that has a scope, reviewers, and a status. An access review definition may have multiple instances, as is the case in recurring reviews. One-off reviews have exactly one instance.
  • Decision items recorded for a review - Represent a decision a reviewer made on an instance, including the time stamp and justification for the decision. Each review instance has as many decisions as the number of users under review. If no decisions have been taken, that is, reviewers haven't responded to the review, there will be no decision objects for the instance.
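The following is an added example, not code from this page or from Microsoft, that ties the two preceding sections together: it walks the building blocks in the order they nest (schedule definition, then each of its instances, then the decision items recorded for that instance), the way the "scheduled background script collecting all decisions" from the application-context scenario would, and it flags instances that have no decision objects at all, which per the text means no reviewer has responded yet. The Graph v1.0 paths under `/identityGovernance/accessReviews/definitions`, the `@odata.nextLink` paging convention and the decision-item field names (`decision`, `justification`, `reviewedDateTime`, `principal`) are assumptions based on the published Graph API rather than anything stated on this page; the tenant data is constructed so the walk runs offline.

```python
"""
Added example (not from the access reviews overview page): walk
schedule definitions -> instances -> decision items and report which
instances still have no decisions, i.e. no reviewer has responded.

Assumed (not on the page): the Graph v1.0 paths below, @odata.nextLink
paging, and the decision-item field names. FAKE_TENANT is constructed data.
"""
from collections import Counter
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
DEFS = f"{GRAPH}/identityGovernance/accessReviews/definitions"


def paged(fetch_json, url):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def collect_decisions(fetch_json):
    """Return (decision_records, unanswered_instance_ids).

    fetch_json(url) -> dict is injected so the same walk can run against a
    live tenant (see live_fetcher) or against the constructed data below.
    """
    records, unanswered = [], []
    for definition in paged(fetch_json, DEFS):
        d_id = definition["id"]
        for instance in paged(fetch_json, f"{DEFS}/{d_id}/instances"):
            i_id = instance["id"]
            decisions = list(paged(fetch_json, f"{DEFS}/{d_id}/instances/{i_id}/decisions"))
            if not decisions:
                # Per the page: no decision objects means reviewers have not responded.
                unanswered.append(i_id)
                continue
            for d in decisions:
                records.append({
                    "definition": definition.get("displayName", d_id),
                    "instance": i_id,
                    "principal": d.get("principal", {}).get("displayName"),
                    "decision": d.get("decision"),          # assumed field name
                    "justification": d.get("justification"),
                    "reviewedDateTime": d.get("reviewedDateTime"),
                })
    return records, unanswered


def summarize(records):
    """Count outcomes across every collected decision item."""
    return Counter(r["decision"] for r in records)


def live_fetcher(access_token):
    """fetch_json for a real tenant: an app-only token (application context)."""
    def fetch_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch_json


# Constructed tenant: a recurring review (two instances, one unanswered, with the
# definition list split across two pages) and a one-off review (one instance).
FAKE_TENANT = {
    DEFS: {"value": [{"id": "def-1", "displayName": "Quarterly group review"}],
           "@odata.nextLink": f"{DEFS}?$skiptoken=p2"},
    f"{DEFS}?$skiptoken=p2": {"value": [{"id": "def-2", "displayName": "One-off app review"}]},
    f"{DEFS}/def-1/instances": {"value": [{"id": "inst-1a", "status": "Completed"},
                                          {"id": "inst-1b", "status": "InProgress"}]},
    f"{DEFS}/def-2/instances": {"value": [{"id": "inst-2", "status": "Completed"}]},
    f"{DEFS}/def-1/instances/inst-1a/decisions": {"value": [
        {"principal": {"displayName": "Alice"}, "decision": "Approve",
         "justification": "Still on the project", "reviewedDateTime": "2024-01-10T09:00:00Z"},
        {"principal": {"displayName": "Bob"}, "decision": "Deny",
         "justification": "Left the team", "reviewedDateTime": "2024-01-10T09:05:00Z"}]},
    f"{DEFS}/def-1/instances/inst-1b/decisions": {"value": []},   # nobody responded yet
    f"{DEFS}/def-2/instances/inst-2/decisions": {"value": [
        {"principal": {"displayName": "Carol"}, "decision": "Approve",
         "justification": "App owner", "reviewedDateTime": "2024-02-01T12:00:00Z"}]},
}


def fake_fetch(url):
    return FAKE_TENANT[url]


if __name__ == "__main__":
    recs, pending = collect_decisions(fake_fetch)
    print(dict(summarize(recs)))        # {'Approve': 2, 'Deny': 1}
    print("instances awaiting reviewers:", pending)   # ['inst-1b']
```

Because the fetcher is injected, the same `collect_decisions` walk can be pointed at a real tenant by swapping `fake_fetch` for `live_fetcher(token)`, where the token comes from the application-context authorization described above; the unanswered-instance list is the part worth alerting on, since an instance that never gets a decision is access that was never actually reviewed.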

