使用访问评审 API 查看对组的来宾访问
本文内容
Microsoft Graph 中的访问评审 API 使组织能够审核和证明身份 (也称为 主体 ) 分配给组织中的资源的访问权限。 借助 B2B 协作,你可以使用 Microsoft 365 组有效地管理来宾对文件、笔记、日历甚至 Teams 对话等资源的访问权限。 通过使用访问评审 API,组织可以定期向有权访问此类组的主体以及按扩展证明组织中的其他资源。
在本教程中,你将了解如何:
创建包含来宾的 Microsoft 365 组的定期访问评审。
调查应用于访问评审的决策。
先决条件
若要完成本教程,需要以下资源和特权:
启用了 Microsoft Entra ID P2 或 Microsoft Entra ID 治理 许可证的工作Microsoft Entra租户。
租户中的测试来宾和测试 Microsoft 365 组。 来宾应是 Microsoft 365 组的成员。
登录到 API 客户端(如 Graph 资源管理器), 使用至少具有 标识治理管理员 角色的帐户调用 Microsoft Graph。
授予自己以下委托的权限: AccessReview.ReadWrite.All。
步骤 1:为包含来宾的所有 Microsoft 365 组创建访问评审
以下访问评审系列使用以下设置:
这是一次定期访问评审,每季度评审一次。
组所有者是决策者。
评审范围仅限于包含来宾的 Microsoft 365 组。
它将用户定义为回退审阅者,该审阅者可在组未分配任何所有者的情况下评审访问权限。
autoApplyDecisionsEnabled 设置为 true。 在这种情况下,一旦审阅者完成访问评审或访问评审持续时间结束,就会自动应用决策。 如果未启用,则用户必须在评审完成后手动应用决策。applyActions 设置为 removeAccessApplyAction。 此操作将从组中删除被拒绝的来宾。 来宾仍可以登录到租户,但不会是组的成员,也不会具有通过组授予的访问权限。
请求
在此调用中,替换以下值:
c9a5aff7-9298-4d71-adab-0a222e0a05e4 包含回退审阅者的 ID。startDate 的值(包含当前日期)和 endDate 的值(包含开始日期一年后的日期)。
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
Content-type: application/json
{
"displayName": "Guest access to marketing group",
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph"
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessReviewScheduleDefinition
{
DisplayName = "Guest access to marketing group",
Scope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
QueryType = "MicrosoftGraph",
},
InstanceEnumerationScope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
Reviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "./owners",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
},
FallbackReviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
QueryType = "MicrosoftGraph",
},
},
Settings = new AccessReviewScheduleSettings
{
MailNotificationsEnabled = true,
ReminderNotificationsEnabled = true,
JustificationRequiredOnApproval = true,
DefaultDecisionEnabled = true,
DefaultDecision = "Deny",
InstanceDurationInDays = 3,
AutoApplyDecisionsEnabled = true,
RecommendationsEnabled = true,
RecommendationLookBackDuration = TimeSpan.Parse("P30D"),
DecisionHistoriesForReviewersEnabled = false,
Recurrence = new PatternedRecurrence
{
Pattern = new RecurrencePattern
{
Type = RecurrencePatternType.AbsoluteMonthly,
Interval = 3,
Month = 0,
DayOfMonth = 0,
DaysOfWeek = new List<DayOfWeekObject>
{
},
FirstDayOfWeek = DayOfWeekObject.Sunday,
Index = WeekIndex.First,
},
Range = new RecurrenceRange
{
Type = RecurrenceRangeType.EndDate,
NumberOfOccurrences = 0,
RecurrenceTimeZone = null,
StartDate = new Date(DateTime.Parse("2024-03-21")),
EndDate = new Date(DateTime.Parse("2025-03-21")),
},
},
ApplyActions = new List<AccessReviewApplyAction>
{
new RemoveAccessApplyAction
{
OdataType = "#microsoft.graph.removeAccessApplyAction",
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions.PostAsync(requestBody);
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions create --body '{\
"displayName": "Guest access to marketing group",\
"scope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",\
"queryType": "MicrosoftGraph"\
},\
"instanceEnumerationScope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
},\
"reviewers": [\
{\
"query": "./owners",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
}\
],\
"fallbackReviewers": [\
{\
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",\
"queryType": "MicrosoftGraph"\
}\
],\
"settings": {\
"mailNotificationsEnabled": true,\
"reminderNotificationsEnabled": true,\
"justificationRequiredOnApproval": true,\
"defaultDecisionEnabled": true,\
"defaultDecision": "Deny",\
"instanceDurationInDays": 3,\
"autoApplyDecisionsEnabled": true,\
"recommendationsEnabled": true,\
"recommendationLookBackDuration": "P30D",\
"decisionHistoriesForReviewersEnabled": false,\
"recurrence": {\
"pattern": {\
"type": "absoluteMonthly",\
"interval": 3,\
"month": 0,\
"dayOfMonth": 0,\
"daysOfWeek": [],\
"firstDayOfWeek": "sunday",\
"index": "first"\
},\
"range": {\
"type": "endDate",\
"numberOfOccurrences": 0,\
"recurrenceTimeZone": null,\
"startDate": "2024-03-21",\
"endDate": "2025-03-21"\
}\
},\
"applyActions": [\
{\
"@odata.type": "#microsoft.graph.removeAccessApplyAction"\
}\
]\
}\
}\
'
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewAccessReviewScheduleDefinition()
displayName := "Guest access to marketing group"
requestBody.SetDisplayName(&displayName)
scope := graphmodels.NewAccessReviewQueryScope()
query := "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
scope.SetQuery(&query)
queryType := "MicrosoftGraph"
scope.SetQueryType(&queryType)
requestBody.SetScope(scope)
instanceEnumerationScope := graphmodels.NewAccessReviewQueryScope()
query := "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
instanceEnumerationScope.SetQuery(&query)
queryType := "MicrosoftGraph"
instanceEnumerationScope.SetQueryType(&queryType)
queryRoot := null
instanceEnumerationScope.SetQueryRoot(&queryRoot)
requestBody.SetInstanceEnumerationScope(instanceEnumerationScope)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "./owners"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
queryRoot := null
accessReviewReviewerScope.SetQueryRoot(&queryRoot)
reviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetReviewers(reviewers)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
fallbackReviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetFallbackReviewers(fallbackReviewers)
settings := graphmodels.NewAccessReviewScheduleSettings()
mailNotificationsEnabled := true
settings.SetMailNotificationsEnabled(&mailNotificationsEnabled)
reminderNotificationsEnabled := true
settings.SetReminderNotificationsEnabled(&reminderNotificationsEnabled)
justificationRequiredOnApproval := true
settings.SetJustificationRequiredOnApproval(&justificationRequiredOnApproval)
defaultDecisionEnabled := true
settings.SetDefaultDecisionEnabled(&defaultDecisionEnabled)
defaultDecision := "Deny"
settings.SetDefaultDecision(&defaultDecision)
instanceDurationInDays := int32(3)
settings.SetInstanceDurationInDays(&instanceDurationInDays)
autoApplyDecisionsEnabled := true
settings.SetAutoApplyDecisionsEnabled(&autoApplyDecisionsEnabled)
recommendationsEnabled := true
settings.SetRecommendationsEnabled(&recommendationsEnabled)
recommendationLookBackDuration , err := abstractions.ParseISODuration("P30D")
settings.SetRecommendationLookBackDuration(&recommendationLookBackDuration)
decisionHistoriesForReviewersEnabled := false
settings.SetDecisionHistoriesForReviewersEnabled(&decisionHistoriesForReviewersEnabled)
recurrence := graphmodels.NewPatternedRecurrence()
pattern := graphmodels.NewRecurrencePattern()
type := graphmodels.ABSOLUTEMONTHLY_RECURRENCEPATTERNTYPE
pattern.SetType(&type)
interval := int32(3)
pattern.SetInterval(&interval)
month := int32(0)
pattern.SetMonth(&month)
dayOfMonth := int32(0)
pattern.SetDayOfMonth(&dayOfMonth)
daysOfWeek := []graphmodels.DayOfWeekable {
}
pattern.SetDaysOfWeek(daysOfWeek)
firstDayOfWeek := graphmodels.SUNDAY_DAYOFWEEK
pattern.SetFirstDayOfWeek(&firstDayOfWeek)
index := graphmodels.FIRST_WEEKINDEX
pattern.SetIndex(&index)
recurrence.SetPattern(pattern)
range := graphmodels.NewRecurrenceRange()
type := graphmodels.ENDDATE_RECURRENCERANGETYPE
range.SetType(&type)
numberOfOccurrences := int32(0)
range.SetNumberOfOccurrences(&numberOfOccurrences)
recurrenceTimeZone := null
range.SetRecurrenceTimeZone(&recurrenceTimeZone)
startDate := 2024-03-21
range.SetStartDate(&startDate)
endDate := 2025-03-21
range.SetEndDate(&endDate)
recurrence.SetRange(range)
settings.SetRecurrence(recurrence)
accessReviewApplyAction := graphmodels.NewRemoveAccessApplyAction()
applyActions := []graphmodels.AccessReviewApplyActionable {
accessReviewApplyAction,
}
settings.SetApplyActions(applyActions)
requestBody.SetSettings(settings)
definitions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().Post(context.Background(), requestBody, nil)
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewScheduleDefinition accessReviewScheduleDefinition = new AccessReviewScheduleDefinition();
accessReviewScheduleDefinition.setDisplayName("Guest access to marketing group");
AccessReviewQueryScope scope = new AccessReviewQueryScope();
scope.setOdataType("#microsoft.graph.accessReviewQueryScope");
scope.setQuery("./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')");
scope.setQueryType("MicrosoftGraph");
accessReviewScheduleDefinition.setScope(scope);
AccessReviewQueryScope instanceEnumerationScope = new AccessReviewQueryScope();
instanceEnumerationScope.setOdataType("#microsoft.graph.accessReviewQueryScope");
instanceEnumerationScope.setQuery("/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true");
instanceEnumerationScope.setQueryType("MicrosoftGraph");
instanceEnumerationScope.setQueryRoot(null);
accessReviewScheduleDefinition.setInstanceEnumerationScope(instanceEnumerationScope);
LinkedList<AccessReviewReviewerScope> reviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope = new AccessReviewReviewerScope();
accessReviewReviewerScope.setQuery("./owners");
accessReviewReviewerScope.setQueryType("MicrosoftGraph");
accessReviewReviewerScope.setQueryRoot(null);
reviewers.add(accessReviewReviewerScope);
accessReviewScheduleDefinition.setReviewers(reviewers);
LinkedList<AccessReviewReviewerScope> fallbackReviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope1 = new AccessReviewReviewerScope();
accessReviewReviewerScope1.setQuery("/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4");
accessReviewReviewerScope1.setQueryType("MicrosoftGraph");
fallbackReviewers.add(accessReviewReviewerScope1);
accessReviewScheduleDefinition.setFallbackReviewers(fallbackReviewers);
AccessReviewScheduleSettings settings = new AccessReviewScheduleSettings();
settings.setMailNotificationsEnabled(true);
settings.setReminderNotificationsEnabled(true);
settings.setJustificationRequiredOnApproval(true);
settings.setDefaultDecisionEnabled(true);
settings.setDefaultDecision("Deny");
settings.setInstanceDurationInDays(3);
settings.setAutoApplyDecisionsEnabled(true);
settings.setRecommendationsEnabled(true);
PeriodAndDuration recommendationLookBackDuration = PeriodAndDuration.ofDuration(Duration.parse("P30D"));
settings.setRecommendationLookBackDuration(recommendationLookBackDuration);
settings.setDecisionHistoriesForReviewersEnabled(false);
PatternedRecurrence recurrence = new PatternedRecurrence();
RecurrencePattern pattern = new RecurrencePattern();
pattern.setType(RecurrencePatternType.AbsoluteMonthly);
pattern.setInterval(3);
pattern.setMonth(0);
pattern.setDayOfMonth(0);
LinkedList<DayOfWeek> daysOfWeek = new LinkedList<DayOfWeek>();
pattern.setDaysOfWeek(daysOfWeek);
pattern.setFirstDayOfWeek(DayOfWeek.Sunday);
pattern.setIndex(WeekIndex.First);
recurrence.setPattern(pattern);
RecurrenceRange range = new RecurrenceRange();
range.setType(RecurrenceRangeType.EndDate);
range.setNumberOfOccurrences(0);
range.setRecurrenceTimeZone(null);
LocalDate startDate = LocalDate.parse("2024-03-21");
range.setStartDate(startDate);
LocalDate endDate = LocalDate.parse("2025-03-21");
range.setEndDate(endDate);
recurrence.setRange(range);
settings.setRecurrence(recurrence);
LinkedList<AccessReviewApplyAction> applyActions = new LinkedList<AccessReviewApplyAction>();
RemoveAccessApplyAction accessReviewApplyAction = new RemoveAccessApplyAction();
accessReviewApplyAction.setOdataType("#microsoft.graph.removeAccessApplyAction");
applyActions.add(accessReviewApplyAction);
settings.setApplyActions(applyActions);
accessReviewScheduleDefinition.setSettings(settings);
AccessReviewScheduleDefinition result = graphClient.identityGovernance().accessReviews().definitions().post(accessReviewScheduleDefinition);
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
const accessReviewScheduleDefinition = {
displayName: 'Guest access to marketing group',
scope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: './members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')',
queryType: 'MicrosoftGraph'
},
instanceEnumerationScope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: '/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true',
queryType: 'MicrosoftGraph',
queryRoot: null
},
reviewers: [
{
query: './owners',
queryType: 'MicrosoftGraph',
queryRoot: null
}
],
fallbackReviewers: [
{
query: '/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4',
queryType: 'MicrosoftGraph'
}
],
settings: {
mailNotificationsEnabled: true,
reminderNotificationsEnabled: true,
justificationRequiredOnApproval: true,
defaultDecisionEnabled: true,
defaultDecision: 'Deny',
instanceDurationInDays: 3,
autoApplyDecisionsEnabled: true,
recommendationsEnabled: true,
recommendationLookBackDuration: 'P30D',
decisionHistoriesForReviewersEnabled: false,
recurrence: {
pattern: {
type: 'absoluteMonthly',
interval: 3,
month: 0,
dayOfMonth: 0,
daysOfWeek: [],
firstDayOfWeek: 'sunday',
index: 'first'
},
range: {
type: 'endDate',
numberOfOccurrences: 0,
recurrenceTimeZone: null,
startDate: '2024-03-21',
endDate: '2025-03-21'
}
},
applyActions: [
{
'@odata.type': '#microsoft.graph.removeAccessApplyAction'
}
]
}
};
await client.api('/identityGovernance/accessReviews/definitions')
.post(accessReviewScheduleDefinition);
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleDefinition;
use Microsoft\Graph\Generated\Models\AccessReviewQueryScope;
use Microsoft\Graph\Generated\Models\AccessReviewReviewerScope;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleSettings;
use Microsoft\Graph\Generated\Models\PatternedRecurrence;
use Microsoft\Graph\Generated\Models\RecurrencePattern;
use Microsoft\Graph\Generated\Models\DayOfWeek;
use Microsoft\Graph\Generated\Models\RecurrenceRange;
use Microsoft\Graph\Generated\Models\AccessReviewApplyAction;
use Microsoft\Graph\Generated\Models\RemoveAccessApplyAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessReviewScheduleDefinition();
$requestBody->setDisplayName('Guest access to marketing group');
$scope = new AccessReviewQueryScope();
$scope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$scope->setQuery('./members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')');
$scope->setQueryType('MicrosoftGraph');
$requestBody->setScope($scope);
$instanceEnumerationScope = new AccessReviewQueryScope();
$instanceEnumerationScope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$instanceEnumerationScope->setQuery('/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true');
$instanceEnumerationScope->setQueryType('MicrosoftGraph');
$instanceEnumerationScope->setQueryRoot(null);
$requestBody->setInstanceEnumerationScope($instanceEnumerationScope);
$reviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$reviewersAccessReviewReviewerScope1->setQuery('./owners');
$reviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$reviewersAccessReviewReviewerScope1->setQueryRoot(null);
$reviewersArray []= $reviewersAccessReviewReviewerScope1;
$requestBody->setReviewers($reviewersArray);
$fallbackReviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$fallbackReviewersAccessReviewReviewerScope1->setQuery('/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4');
$fallbackReviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$fallbackReviewersArray []= $fallbackReviewersAccessReviewReviewerScope1;
$requestBody->setFallbackReviewers($fallbackReviewersArray);
$settings = new AccessReviewScheduleSettings();
$settings->setMailNotificationsEnabled(true);
$settings->setReminderNotificationsEnabled(true);
$settings->setJustificationRequiredOnApproval(true);
$settings->setDefaultDecisionEnabled(true);
$settings->setDefaultDecision('Deny');
$settings->setInstanceDurationInDays(3);
$settings->setAutoApplyDecisionsEnabled(true);
$settings->setRecommendationsEnabled(true);
$settings->setRecommendationLookBackDuration(new \DateInterval('P30D'));
$settings->setDecisionHistoriesForReviewersEnabled(false);
$settingsRecurrence = new PatternedRecurrence();
$settingsRecurrencePattern = new RecurrencePattern();
$settingsRecurrencePattern->setType(new RecurrencePatternType('absoluteMonthly'));
$settingsRecurrencePattern->setInterval(3);
$settingsRecurrencePattern->setMonth(0);
$settingsRecurrencePattern->setDayOfMonth(0);
$settingsRecurrencePattern->setDaysOfWeek([]);
$settingsRecurrencePattern->setFirstDayOfWeek(new DayOfWeek('sunday'));
$settingsRecurrencePattern->setIndex(new WeekIndex('first'));
$settingsRecurrence->setPattern($settingsRecurrencePattern);
$settingsRecurrenceRange = new RecurrenceRange();
$settingsRecurrenceRange->setType(new RecurrenceRangeType('endDate'));
$settingsRecurrenceRange->setNumberOfOccurrences(0);
$settingsRecurrenceRange->setRecurrenceTimeZone(null);
$settingsRecurrenceRange->setStartDate(new Date('2024-03-21'));
$settingsRecurrenceRange->setEndDate(new Date('2025-03-21'));
$settingsRecurrence->setRange($settingsRecurrenceRange);
$settings->setRecurrence($settingsRecurrence);
$applyActionsAccessReviewApplyAction1 = new RemoveAccessApplyAction();
$applyActionsAccessReviewApplyAction1->setOdataType('#microsoft.graph.removeAccessApplyAction');
$applyActionsArray []= $applyActionsAccessReviewApplyAction1;
$settings->setApplyActions($applyActionsArray);
$requestBody->setSettings($settings);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->post($requestBody)->wait();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
displayName = "Guest access to marketing group"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
queryType = "MicrosoftGraph"
}
instanceEnumerationScope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
queryType = "MicrosoftGraph"
queryRoot = $null
}
reviewers = @(
@{
query = "./owners"
queryType = "MicrosoftGraph"
queryRoot = $null
}
)
fallbackReviewers = @(
@{
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
defaultDecisionEnabled = $true
defaultDecision = "Deny"
instanceDurationInDays = 3
autoApplyDecisionsEnabled = $true
recommendationsEnabled = $true
recommendationLookBackDuration = "P30D"
decisionHistoriesForReviewersEnabled = $false
recurrence = @{
pattern = @{
type = "absoluteMonthly"
interval = 3
month = 0
dayOfMonth = 0
daysOfWeek = @(
)
firstDayOfWeek = "sunday"
index = "first"
}
range = @{
type = "endDate"
numberOfOccurrences = 0
recurrenceTimeZone = $null
startDate = "2024-03-21"
endDate = "2025-03-21"
}
}
applyActions = @(
@{
"@odata.type" = "#microsoft.graph.removeAccessApplyAction"
}
)
}
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
from msgraph import GraphServiceClient
from msgraph.generated.models.access_review_schedule_definition import AccessReviewScheduleDefinition
from msgraph.generated.models.access_review_query_scope import AccessReviewQueryScope
from msgraph.generated.models.access_review_reviewer_scope import AccessReviewReviewerScope
from msgraph.generated.models.access_review_schedule_settings import AccessReviewScheduleSettings
from msgraph.generated.models.patterned_recurrence import PatternedRecurrence
from msgraph.generated.models.recurrence_pattern import RecurrencePattern
from msgraph.generated.models.day_of_week import DayOfWeek
from msgraph.generated.models.recurrence_range import RecurrenceRange
from msgraph.generated.models.access_review_apply_action import AccessReviewApplyAction
from msgraph.generated.models.remove_access_apply_action import RemoveAccessApplyAction
graph_client = GraphServiceClient(credentials, scopes)
request_body = AccessReviewScheduleDefinition(
display_name = "Guest access to marketing group",
scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
query_type = "MicrosoftGraph",
),
instance_enumeration_scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
query_type = "MicrosoftGraph",
query_root = None,
),
reviewers = [
AccessReviewReviewerScope(
query = "./owners",
query_type = "MicrosoftGraph",
query_root = None,
),
],
fallback_reviewers = [
AccessReviewReviewerScope(
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
query_type = "MicrosoftGraph",
),
],
settings = AccessReviewScheduleSettings(
mail_notifications_enabled = True,
reminder_notifications_enabled = True,
justification_required_on_approval = True,
default_decision_enabled = True,
default_decision = "Deny",
instance_duration_in_days = 3,
auto_apply_decisions_enabled = True,
recommendations_enabled = True,
recommendation_look_back_duration = "P30D",
decision_histories_for_reviewers_enabled = False,
recurrence = PatternedRecurrence(
pattern = RecurrencePattern(
type = RecurrencePatternType.AbsoluteMonthly,
interval = 3,
month = 0,
day_of_month = 0,
days_of_week = [
],
first_day_of_week = DayOfWeek.Sunday,
index = WeekIndex.First,
),
range = RecurrenceRange(
type = RecurrenceRangeType.EndDate,
number_of_occurrences = 0,
recurrence_time_zone = None,
start_date = "2024-03-21",
end_date = "2025-03-21",
),
),
apply_actions = [
RemoveAccessApplyAction(
odata_type = "#microsoft.graph.removeAccessApplyAction",
),
],
),
)
result = await graph_client.identity_governance.access_reviews.definitions.post(request_body)
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
响应
注意: 为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions/$entity",
"id": "c22ae540-b89a-4d24-bac0-4ef35e6591ea",
"displayName": "Guest access to marketing group",
"createdDateTime": null,
"lastModifiedDateTime": null,
"status": "NotStarted",
"descriptionForAdmins": null,
"descriptionForReviewers": null,
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
],
"recommendationInsightSettings": []
},
"stageSettings": [],
"additionalNotificationRecipients": []
}
步骤 2:列出访问评审的实例
以下查询列出了访问评审定义的所有实例。 如果租户中有多个包含来宾的 Microsoft 365 组,则此请求 将为每个包含来宾的 Microsoft 365 组返回一个实例 。
请求
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances.GetAsync();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions instances list --access-review-schedule-definition-id {accessReviewScheduleDefinition-id}
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
instances, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().Get(context.Background(), nil)
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().get();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
let instances = await client.api('/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances')
.get();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->instances()->get()->wait();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Identity.Governance
Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $accessReviewScheduleDefinitionId
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.get()
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
响应
在此响应中,范围包括测试组,因为它具有来宾。 在此响应中,访问评审实例当前 InProgress为 。 因为它是季度评审,因此每三个月自动创建一个新的评审实例,审阅者可以应用新的决策。
注意: 为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances",
"value": [
{
"id": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"startDateTime": "2024-03-21T17:00:36.96Z",
"endDateTime": "2024-03-24T17:00:36.96Z",
"status": "InProgress",
"scope": {
"query": "/groups/59ab642a-2776-4e32-9b68-9ff7a47b7f6a/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
}
}
]
}
步骤 3:获取决策
获取针对访问评审实例做出的决策。 在这样的季度评审中,只要访问评审仍然处于活动状态:
每三个月创建一个新的评审实例。
审阅者需要为新实例应用新决策。
请求
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances/6392b1a7-9c25-4844-83e5-34e23c88e16a/decisions
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances["{accessReviewInstance-id}"].Decisions.GetAsync();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions instances decisions list --access-review-schedule-definition-id {accessReviewScheduleDefinition-id} --access-review-instance-id {accessReviewInstance-id}
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
decisions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().ByAccessReviewInstanceId("accessReviewInstance-id").Decisions().Get(context.Background(), nil)
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceDecisionItemCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().byAccessReviewInstanceId("{accessReviewInstance-id}").decisions().get();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
let decisions = await client.api('/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances/6392b1a7-9c25-4844-83e5-34e23c88e16a/decisions')
.get();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->instances()->byAccessReviewInstanceId('accessReviewInstance-id')->decisions()->get()->wait();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Identity.Governance
Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision -AccessReviewScheduleDefinitionId $accessReviewScheduleDefinitionId -AccessReviewInstanceId $accessReviewInstanceId
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.by_access_review_instance_id('accessReviewInstance-id').decisions.get()
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
响应
以下响应显示了针对评审实例做出的决定。
注意: 为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances('6392b1a7-9c25-4844-83e5-34e23c88e16a')/decisions",
"@odata.count": 1,
"value": [
{
"id": "0e76ee07-b4c6-469e-bc9d-e73fc9a8d660",
"accessReviewId": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"reviewedDateTime": "2021-02-10T17:06:26.147Z",
"decision": "Approve",
"justification": "",
"appliedDateTime": null,
"applyResult": "New",
"recommendation": "Deny",
"reviewedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "AAD Access Reviews",
"userPrincipalName": "AAD Access Reviews"
},
"appliedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "",
"userPrincipalName": ""
},
"target": {
"@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
"userId": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"userDisplayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
},
"principal": {
"@odata.type": "#microsoft.graph.userIdentity",
"id": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"displayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
}
}
]
}
步骤 4:清理资源
在此步骤中,将删除访问评审定义。 由于访问评审计划定义是访问评审的蓝图,因此删除该定义会删除相关的设置、实例和决策。 请求返回 204 No Content 响应。
DELETE https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].DeleteAsync();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc identity-governance access-reviews definitions delete --access-review-schedule-definition-id {accessReviewScheduleDefinition-id}
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Delete(context.Background(), nil)
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").delete();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
const options = {
authProvider,
};
const client = Client.init(options);
await client.api('/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea')
.delete();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->delete()->wait();
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
Import-Module Microsoft.Graph.Identity.Governance
Remove-MgIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $accessReviewScheduleDefinitionId
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').delete()
请阅读 SDK 文档 ,了解如何将 SDK 添加 到项目并创建 authProvider 实例的详细信息。
相关内容