Add-MgBetaAccessReviewDecision
In the Microsoft Entra access reviews feature, apply the decisions of a completed accessReview. The target object can be either a one-time access review, or an instance of a recurring access review. After an access review is finished, either because it reached the end date or an administrator stopped it manually, and auto-apply wasn't configured for the review, you can call Apply to apply the changes. Until apply occurs, the decisions to remove access rights do not appear on the source resource, the users for instance retain their group memberships. By calling apply, the outcome of the review is implemented by updating the group or application. If a user's access was denied in the review, when an administrator calls this API, Microsoft Entra ID removes their membership or application assignment. After an access review is finished, and auto-apply was configured, then the status of the review will change from Completed through intermediate states and finally will change to state Applied. You should expect to see denied users, if any, being removed from the resource group membership or app assignment in a few minutes. A configured auto applying review, or selecting Apply doesn't have an effect on a group that originates in an on-premises directory or a dynamic group. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.
Syntax
Add-MgBetaAccessReviewDecision
-AccessReviewId <String>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-PassThru]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Add-MgBetaAccessReviewDecision
-InputObject <IIdentityGovernanceIdentity>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-PassThru]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
In the Microsoft Entra access reviews feature, apply the decisions of a completed accessReview. The target object can be either a one-time access review, or an instance of a recurring access review. After an access review is finished, either because it reached the end date or an administrator stopped it manually, and auto-apply wasn't configured for the review, you can call Apply to apply the changes. Until apply occurs, the decisions to remove access rights do not appear on the source resource, the users for instance retain their group memberships. By calling apply, the outcome of the review is implemented by updating the group or application. If a user's access was denied in the review, when an administrator calls this API, Microsoft Entra ID removes their membership or application assignment. After an access review is finished, and auto-apply was configured, then the status of the review will change from Completed through intermediate states and finally will change to state Applied. You should expect to see denied users, if any, being removed from the resource group membership or app assignment in a few minutes. A configured auto applying review, or selecting Apply doesn't have an effect on a group that originates in an on-premises directory or a dynamic group. If you want to change a group that originates on-premises, download the results and apply those changes to the representation of the group in that directory.
Permissions
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | AccessReview.ReadWrite.Membership | AccessReview.ReadWrite.All |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | AccessReview.ReadWrite.Membership | Not available. |
Examples
Example 1: Code snippet
Import-Module Microsoft.Graph.Beta.Identity.Governance
Add-MgBetaAccessReviewDecision -AccessReviewId $accessReviewId
This example shows how to use the Add-MgBetaAccessReviewDecision Cmdlet.
Parameters
-AccessReviewId
The unique identifier of accessReview
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | IIdentityGovernanceIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PassThru
Returns true when the command succeeds
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IIdentityGovernanceIdentity
System.Collections.IDictionary
Outputs
System.Boolean
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
INPUTOBJECT <IIdentityGovernanceIdentity>
: Identity Parameter
[AccessPackageAssignmentId <String>]
: The unique identifier of accessPackageAssignment[AccessPackageAssignmentPolicyId <String>]
: The unique identifier of accessPackageAssignmentPolicy[AccessPackageAssignmentRequestId <String>]
: The unique identifier of accessPackageAssignmentRequest[AccessPackageAssignmentResourceRoleId <String>]
: The unique identifier of accessPackageAssignmentResourceRole[AccessPackageCatalogId <String>]
: The unique identifier of accessPackageCatalog[AccessPackageId <String>]
: The unique identifier of accessPackage[AccessPackageId1 <String>]
: The unique identifier of accessPackage[AccessPackageResourceEnvironmentId <String>]
: The unique identifier of accessPackageResourceEnvironment[AccessPackageResourceId <String>]
: The unique identifier of accessPackageResource[AccessPackageResourceRequestId <String>]
: The unique identifier of accessPackageResourceRequest[AccessPackageResourceRoleId <String>]
: The unique identifier of accessPackageResourceRole[AccessPackageResourceRoleScopeId <String>]
: The unique identifier of accessPackageResourceRoleScope[AccessPackageResourceScopeId <String>]
: The unique identifier of accessPackageResourceScope[AccessPackageSubjectId <String>]
: The unique identifier of accessPackageSubject[AccessReviewDecisionId <String>]
: The unique identifier of accessReviewDecision[AccessReviewHistoryDefinitionId <String>]
: The unique identifier of accessReviewHistoryDefinition[AccessReviewHistoryInstanceId <String>]
: The unique identifier of accessReviewHistoryInstance[AccessReviewId <String>]
: The unique identifier of accessReview[AccessReviewId1 <String>]
: The unique identifier of accessReview[AccessReviewInstanceDecisionItemId <String>]
: The unique identifier of accessReviewInstanceDecisionItem[AccessReviewInstanceDecisionItemId1 <String>]
: The unique identifier of accessReviewInstanceDecisionItem[AccessReviewInstanceId <String>]
: The unique identifier of accessReviewInstance[AccessReviewReviewerId <String>]
: The unique identifier of accessReviewReviewer[AccessReviewScheduleDefinitionId <String>]
: The unique identifier of accessReviewScheduleDefinition[AccessReviewStageId <String>]
: The unique identifier of accessReviewStage[AgreementAcceptanceId <String>]
: The unique identifier of agreementAcceptance[AgreementFileLocalizationId <String>]
: The unique identifier of agreementFileLocalization[AgreementFileVersionId <String>]
: The unique identifier of agreementFileVersion[AgreementId <String>]
: The unique identifier of agreement[AppConsentRequestId <String>]
: The unique identifier of appConsentRequest[ApprovalId <String>]
: The unique identifier of approval[ApprovalStepId <String>]
: The unique identifier of approvalStep[BusinessFlowTemplateId <String>]
: The unique identifier of businessFlowTemplate[ConnectedOrganizationId <String>]
: The unique identifier of connectedOrganization[CustomAccessPackageWorkflowExtensionId <String>]
: The unique identifier of customAccessPackageWorkflowExtension[CustomCalloutExtensionId <String>]
: The unique identifier of customCalloutExtension[CustomExtensionHandlerId <String>]
: The unique identifier of customExtensionHandler[CustomExtensionStageSettingId <String>]
: The unique identifier of customExtensionStageSetting[CustomTaskExtensionId <String>]
: The unique identifier of customTaskExtension[DirectoryObjectId <String>]
: The unique identifier of directoryObject[EndDateTime <DateTime?>]
: Usage: endDateTime={endDateTime}[FindingId <String>]
: The unique identifier of finding[GovernanceInsightId <String>]
: The unique identifier of governanceInsight[GovernanceResourceId <String>]
: The unique identifier of governanceResource[GovernanceRoleAssignmentId <String>]
: The unique identifier of governanceRoleAssignment[GovernanceRoleAssignmentRequestId <String>]
: The unique identifier of governanceRoleAssignmentRequest[GovernanceRoleDefinitionId <String>]
: The unique identifier of governanceRoleDefinition[GovernanceRoleSettingId <String>]
: The unique identifier of governanceRoleSetting[IncompatibleAccessPackageId <String>]
: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'[LongRunningOperationId <String>]
: The unique identifier of longRunningOperation[ObjectId <String>]
: Alternate key of accessPackageSubject[On <String>]
: Usage: on='{on}'[PermissionsCreepIndexDistributionId <String>]
: The unique identifier of permissionsCreepIndexDistribution[PermissionsRequestChangeId <String>]
: The unique identifier of permissionsRequestChange[PrivilegedAccessGroupAssignmentScheduleId <String>]
: The unique identifier of privilegedAccessGroupAssignmentSchedule[PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance[PrivilegedAccessGroupAssignmentScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest[PrivilegedAccessGroupEligibilityScheduleId <String>]
: The unique identifier of privilegedAccessGroupEligibilitySchedule[PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance[PrivilegedAccessGroupEligibilityScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest[PrivilegedAccessId <String>]
: The unique identifier of privilegedAccess[PrivilegedApprovalId <String>]
: The unique identifier of privilegedApproval[PrivilegedOperationEventId <String>]
: The unique identifier of privilegedOperationEvent[PrivilegedRoleAssignmentId <String>]
: The unique identifier of privilegedRoleAssignment[PrivilegedRoleAssignmentId1 <String>]
: The unique identifier of privilegedRoleAssignment[PrivilegedRoleAssignmentRequestId <String>]
: The unique identifier of privilegedRoleAssignmentRequest[PrivilegedRoleId <String>]
: The unique identifier of privilegedRole[ProgramControlId <String>]
: The unique identifier of programControl[ProgramControlId1 <String>]
: The unique identifier of programControl[ProgramControlTypeId <String>]
: The unique identifier of programControlType[ProgramId <String>]
: The unique identifier of program[RbacApplicationId <String>]
: The unique identifier of rbacApplication[RunId <String>]
: The unique identifier of run[StartDateTime <DateTime?>]
: Usage: startDateTime={startDateTime}[TaskDefinitionId <String>]
: The unique identifier of taskDefinition[TaskId <String>]
: The unique identifier of task[TaskProcessingResultId <String>]
: The unique identifier of taskProcessingResult[TaskReportId <String>]
: The unique identifier of taskReport[UnifiedRbacResourceActionId <String>]
: The unique identifier of unifiedRbacResourceAction[UnifiedRbacResourceNamespaceId <String>]
: The unique identifier of unifiedRbacResourceNamespace[UnifiedRoleAssignmentId <String>]
: The unique identifier of unifiedRoleAssignment[UnifiedRoleAssignmentScheduleId <String>]
: The unique identifier of unifiedRoleAssignmentSchedule[UnifiedRoleAssignmentScheduleInstanceId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleInstance[UnifiedRoleAssignmentScheduleRequestId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleRequest[UnifiedRoleDefinitionId <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleDefinitionId1 <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleEligibilityScheduleId <String>]
: The unique identifier of unifiedRoleEligibilitySchedule[UnifiedRoleEligibilityScheduleInstanceId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleInstance[UnifiedRoleEligibilityScheduleRequestId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleRequest[UnifiedRoleManagementAlertConfigurationId <String>]
: The unique identifier of unifiedRoleManagementAlertConfiguration[UnifiedRoleManagementAlertDefinitionId <String>]
: The unique identifier of unifiedRoleManagementAlertDefinition[UnifiedRoleManagementAlertId <String>]
: The unique identifier of unifiedRoleManagementAlert[UnifiedRoleManagementAlertIncidentId <String>]
: The unique identifier of unifiedRoleManagementAlertIncident[UniqueName <String>]
: Alternate key of accessPackageCatalog[UserConsentRequestId <String>]
: The unique identifier of userConsentRequest[UserId <String>]
: The unique identifier of user[UserProcessingResultId <String>]
: The unique identifier of userProcessingResult[WorkflowId <String>]
: The unique identifier of workflow[WorkflowTemplateId <String>]
: The unique identifier of workflowTemplate[WorkflowVersionNumber <Int32?>]
: The unique identifier of workflowVersion