Microsoft Entra access reviews (deprecated)
Namespace: microsoft.graph
Important
APIs under the /beta
version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Caution
This version of the access review API is deprecated and will stop returning data on May 19, 2023. Please use access reviews API.
You can use Microsoft Entra access reviews to configure one-time or recurring access reviews for attestation of user's access rights.
Typical customer scenarios for access reviews of group memberships and application access are:
Customers can review and certify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
Customers can review and certify employee access to applications and group memberships with access reviews.
Customers can collect access review controls into programs that are relevant for your organization to track reviews for compliance or risk-sensitive applications.
There's also a related capability for customers to review and certify the role assignments of administrative users who are assigned to Microsoft Entra roles or Azure subscription roles. This capability is included in Microsoft Entra Privileged Identity Management.
The tenant where an access review is being created or managed via the API must have sufficient purchased or trial licenses. For more information about the license requirements, see Access reviews license requirements.
Prior to creating an access review, program or program control, an administrator must have previously onboarded in order to prepare the programControlType and businessFlowTemplate resources. The organization can onboard to Microsoft Entra access reviews or, in the case of access reviews of Microsoft Entra roles or Azure subscription roles, Microsoft Entra PIM.
Methods
The following table lists the methods that you can use to interact with access review-related resources.
Method | Return type | Description |
---|---|---|
Get accessReview | accessReview | Get an access review with a specific ID. |
Create accessReview | accessReview | Create a new accessReview. |
Delete accessReview | None. | Delete an accessReview. |
Update accessReview | accessReview | Update an accessReview. |
List accessReviews | accessReview collection | List accessReviews for a businessFlowTemplate. |
List accessReview reviewers | userIdentity collection | Get the reviewers of an accessReview. |
Add accessReview reviewer | None. | Add a reviewer to an accessReview. |
Remove accessReview reviewer | None. | Remove a reviewer from an accessReview. |
List accessReview decisions | accessReviewDecision collection | Get the decisions of an accessReview. |
List my accessReview decisions | accessReviewDecision collection | As a reviewer, get my decisions of an accessReview. |
Send accessReview reminder | None. | Send a reminder to the reviewers of an accessReview. |
Stop accessReview | None. | Stop an accessReview. |
Reset accessReview decisions | None. | Reset the decisions in an in-progress accessReview. |
Apply accessReview decisions | None. | Apply the decisions from a completed accessReview. |
List businessFlowTemplates | businessFlowTemplate collection | Get the business flow templates appropriate to access reviews. |
Create program | program | Create a new program. |
Delete program | None. | Delete a program. |
List programs | program collection | Get a collection of all the programs. |
List programControls of a program | programControl collection | Get a collection of the controls of a program. |
Update program | program | Update a program. |
Create programControl | programControl | Add a programControl to a program. |
Delete programControl | None. | Remove a programControl from a program. |
List programControls | programControl collection | List controls across all programs in the tenant. |
List programControlTypes | programControlType collection | List program control types. |
Role and application permission authorization checks
The following directory roles are required for a calling user to manage access reviews, programs, and controls.
Target resource | Operation | Application permissions | Least privileged directory roles of the calling user |
---|---|---|---|
accessReview of a Microsoft Entra role | Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Reader, Security Administrator, Security Reader or Privileged Role Administrator |
accessReview of a Microsoft Entra role | Create, Update, or Delete | AccessReview.ReadWrite.All | Privileged Role Administrator |
accessReview of a group or app | Read | AccessReview.Read.All, AccessReview.ReadWrite.Membership, or AccessReview.ReadWrite.All | Global Reader, Security Administrator, Security Reader, or User Administrator |
accessReview of a group or app | Create, Update, or Delete | AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All | User Administrator |
program and programControl | Read | ProgramControl.Read.All or ProgramControl.ReadWrite.All | Global Reader, Security Administrator, Security Reader or User Administrator |
program and programControl | Create, Update, or Delete | ProgramControl.ReadWrite.All | User Administrator |
In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.