Microsoft Entra access reviews (deprecated)

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This version of the access review API is deprecated and will stop returning data on May 19, 2023. Please use access reviews API.

You can use Microsoft Entra access reviews to configure one-time or recurring access reviews for attestation of user's access rights.

Typical customer scenarios for access reviews of group memberships and application access are:

  • Customers can review and certify guest user access by using access reviews of their access to applications and memberships of groups. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.

  • Customers can review and certify employee access to applications and group memberships with access reviews.

  • Customers can collect access review controls into programs that are relevant for your organization to track reviews for compliance or risk-sensitive applications.

There's also a related capability for customers to review and certify the role assignments of administrative users who are assigned to Microsoft Entra roles or Azure subscription roles. This capability is included in Microsoft Entra Privileged Identity Management.

The tenant where an access review is being created or managed via the API must have sufficient purchased or trial licenses. For more information about the license requirements, see Access reviews license requirements.

Prior to creating an access review, program or program control, an administrator must have previously onboarded in order to prepare the programControlType and businessFlowTemplate resources. The organization can onboard to Microsoft Entra access reviews or, in the case of access reviews of Microsoft Entra roles or Azure subscription roles, Microsoft Entra PIM.

Methods

The following table lists the methods that you can use to interact with access review-related resources.

Method Return type Description
Get accessReview accessReview Get an access review with a specific ID.
Create accessReview accessReview Create a new accessReview.
Delete accessReview None. Delete an accessReview.
Update accessReview accessReview Update an accessReview.
List accessReviews accessReview collection List accessReviews for a businessFlowTemplate.
List accessReview reviewers userIdentity collection Get the reviewers of an accessReview.
Add accessReview reviewer None. Add a reviewer to an accessReview.
Remove accessReview reviewer None. Remove a reviewer from an accessReview.
List accessReview decisions accessReviewDecision collection Get the decisions of an accessReview.
List my accessReview decisions accessReviewDecision collection As a reviewer, get my decisions of an accessReview.
Send accessReview reminder None. Send a reminder to the reviewers of an accessReview.
Stop accessReview None. Stop an accessReview.
Reset accessReview decisions None. Reset the decisions in an in-progress accessReview.
Apply accessReview decisions None. Apply the decisions from a completed accessReview.
List businessFlowTemplates businessFlowTemplate collection Get the business flow templates appropriate to access reviews.
Create program program Create a new program.
Delete program None. Delete a program.
List programs program collection Get a collection of all the programs.
List programControls of a program programControl collection Get a collection of the controls of a program.
Update program program Update a program.
Create programControl programControl Add a programControl to a program.
Delete programControl None. Remove a programControl from a program.
List programControls programControl collection List controls across all programs in the tenant.
List programControlTypes programControlType collection List program control types.

Role and application permission authorization checks

The following directory roles are required for a calling user to manage access reviews, programs, and controls.

Target resource Operation Application permissions Least privileged directory roles of the calling user
accessReview of a Microsoft Entra role Read AccessReview.Read.All or AccessReview.ReadWrite.All Global Reader, Security Administrator, Security Reader or Privileged Role Administrator
accessReview of a Microsoft Entra role Create, Update, or Delete AccessReview.ReadWrite.All Privileged Role Administrator
accessReview of a group or app Read AccessReview.Read.All, AccessReview.ReadWrite.Membership, or AccessReview.ReadWrite.All Global Reader, Security Administrator, Security Reader, or User Administrator
accessReview of a group or app Create, Update, or Delete AccessReview.ReadWrite.Membership or AccessReview.ReadWrite.All User Administrator
program and programControl Read ProgramControl.Read.All or ProgramControl.ReadWrite.All Global Reader, Security Administrator, Security Reader or User Administrator
program and programControl Create, Update, or Delete ProgramControl.ReadWrite.All User Administrator

In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.