Dela via


New-MgIdentityGovernanceAccessReviewDefinition

Create a new accessReviewScheduleDefinition object.

Note

To view the beta release of this cmdlet, view New-MgBetaIdentityGovernanceAccessReviewDefinition

Syntax

New-MgIdentityGovernanceAccessReviewDefinition
   [-ResponseHeadersVariable <String>]
   [-AdditionalNotificationRecipients <IMicrosoftGraphAccessReviewNotificationRecipientItem[]>]
   [-AdditionalProperties <Hashtable>]
   [-CreatedBy <IMicrosoftGraphUserIdentity>]
   [-CreatedDateTime <DateTime>]
   [-DescriptionForAdmins <String>]
   [-DescriptionForReviewers <String>]
   [-DisplayName <String>]
   [-FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope[]>]
   [-Id <String>]
   [-InstanceEnumerationScope <Hashtable>]
   [-Instances <IMicrosoftGraphAccessReviewInstance[]>]
   [-LastModifiedDateTime <DateTime>]
   [-Reviewers <IMicrosoftGraphAccessReviewReviewerScope[]>]
   [-Scope <Hashtable>]
   [-Settings <IMicrosoftGraphAccessReviewScheduleSettings>]
   [-StageSettings <IMicrosoftGraphAccessReviewStageSettings[]>]
   [-Status <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
New-MgIdentityGovernanceAccessReviewDefinition
   -BodyParameter <IMicrosoftGraphAccessReviewScheduleDefinition>
   [-ResponseHeadersVariable <String>]
   [-Headers <IDictionary>]
   [-ProgressAction <ActionPreference>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Create a new accessReviewScheduleDefinition object.

Permissions

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) AccessReview.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application AccessReview.ReadWrite.All Not available.

Examples

Example 1: Create an access review on a group

Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	displayName = "Test create"
	descriptionForAdmins = "New scheduled access review"
	descriptionForReviewers = "If you have any questions, contact jerry@contoso.com"
	scope = @{
		"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
		query = "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers"
		queryType = "MicrosoftGraph"
	}
	reviewers = @(
		@{
			query = "/users/398164b1-5196-49dd-ada2-364b49f99b27"
			queryType = "MicrosoftGraph"
		}
	)
	settings = @{
		mailNotificationsEnabled = $true
		reminderNotificationsEnabled = $true
		justificationRequiredOnApproval = $true
		defaultDecisionEnabled = $false
		defaultDecision = "None"
		instanceDurationInDays = 1
		recommendationsEnabled = $true
		recurrence = @{
			pattern = @{
				type = "weekly"
				interval = 1
			}
			range = @{
				type = "noEnd"
				startDate = "2020-09-08T12:02:30.667Z"
			}
		}
	}
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

This example will create an access review on a group

Example 2: Create an access review on all teams with inactive guest users

Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	displayName = "Review inactive guests on teams"
	descriptionForAdmins = "Control guest user access to our teams."
	descriptionForReviewers = "Information security is everyone's responsibility. Review our access policy for more."
	instanceEnumerationScope = @{
		"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
		query = "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team')')"
		queryType = "MicrosoftGraph"
	}
	scope = @{
		"@odata.type" = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
		query = "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')"
		queryType = "MicrosoftGraph"
		inactiveDuration = "P30D"
	}
	reviewers = @(
		@{
			query = "./owners"
			queryType = "MicrosoftGraph"
		}
	)
	fallbackReviewers = @(
		@{
			query = "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
			queryType = "MicrosoftGraph"
		}
	)
	settings = @{
		mailNotificationsEnabled = $true
		reminderNotificationsEnabled = $true
		justificationRequiredOnApproval = $true
		recommendationsEnabled = $true
		instanceDurationInDays = 3
		recurrence = @{
			pattern = @{
				type = "absoluteMonthly"
				dayOfMonth = 5
				interval = 3
			}
			range = @{
				type = "noEnd"
				startDate = "2020-05-04T00:00:00.000Z"
			}
		}
		defaultDecisionEnabled = $true
		defaultDecision = "Deny"
		autoApplyDecisionsEnabled = $true
	}
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

This example will create an access review on all teams with inactive guest users

Example 3: Create an access review of all users to an application

Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	displayName = "Review employee access to LinkedIn"
	descriptionForAdmins = "Review employee access to LinkedIn"
	scope = @{
		"@odata.type" = "#microsoft.graph.principalResourceMembershipsScope"
		principalScopes = @(
			@{
				"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
				query = "/users"
				queryType = "MicrosoftGraph"
			}
		)
		resourceScopes = @(
			@{
				"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
				query = "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae"
				queryType = "MicrosoftGraph"
			}
		)
	}
	reviewers = @(
		@{
			query = "./manager"
			queryType = "MicrosoftGraph"
			queryRoot = "decisions"
		}
	)
	backupReviewers = @(
		@{
			query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
			queryType = "MicrosoftGraph"
		}
	)
	fallbackReviewers = @(
		@{
			query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
			queryType = "MicrosoftGraph"
		}
	)
	settings = @{
		mailNotificationsEnabled = $true
		reminderNotificationsEnabled = $true
		justificationRequiredOnApproval = $true
		defaultDecisionEnabled = $true
		defaultDecision = "Recommendation"
		instanceDurationInDays = 180
		autoApplyDecisionsEnabled = $true
		recommendationsEnabled = $true
		recurrence = @{
			pattern = @{
				type = "absoluteMonthly"
				interval = 6
				dayOfMonth = 0
			}
			range = @{
				type = "numbered"
				startDate = "2021-05-05"
				endDate = "2022-05-05"
			}
		}
	}
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

This example will create an access review of all users to an application

Example 4: Create an access review on a group with multiple stages

Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	displayName = "Group Multi-stage Access Review"
	descriptionForAdmins = "New scheduled access review"
	descriptionForReviewers = "If you have any questions, contact jerry@contoso.com"
	scope = @{
		"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
		query = "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers"
		queryType = "MicrosoftGraph"
	}
	stageSettings = @(
		@{
			stageId = "1"
			durationInDays = 2
			recommendationsEnabled = $false
			decisionsThatWillMoveToNextStage = @(
			"NotReviewed"
		"Approve"
	)
	reviewers = @(
		@{
			query = "/users/398164b1-5196-49dd-ada2-364b49f99b27"
			queryType = "MicrosoftGraph"
		}
	)
}
@{
	stageId = "2"
	dependsOn = @(
	"1"
)
durationInDays = 2
recommendationsEnabled = $true
reviewers = @(
	@{
		query = "./manager"
		queryType = "MicrosoftGraph"
		queryRoot = "decisions"
	}
)
fallbackReviewers = @(
	@{
		query = "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers"
		queryType = "MicrosoftGraph"
	}
)
}
)
settings = @{
instanceDurationInDays = 4
recurrence = @{
pattern = @{
	type = "weekly"
	interval = 1
}
range = @{
	type = "noEnd"
	startDate = "2020-09-08T12:02:30.667Z"
}
}
decisionHistoriesForReviewersEnabled = $true
}
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

This example will create an access review on a group with multiple stages

Parameters

-AdditionalNotificationRecipients

Defines the list of additional users or group members to be notified of the access review progress. To construct, see NOTES section for ADDITIONALNOTIFICATIONRECIPIENTS properties and create a hash table.

Type:IMicrosoftGraphAccessReviewNotificationRecipientItem[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AdditionalProperties

Additional Parameters

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-BodyParameter

accessReviewScheduleDefinition To construct, see NOTES section for BODYPARAMETER properties and create a hash table.

Type:IMicrosoftGraphAccessReviewScheduleDefinition
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CreatedBy

userIdentity To construct, see NOTES section for CREATEDBY properties and create a hash table.

Type:IMicrosoftGraphUserIdentity
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CreatedDateTime

Timestamp when the access review series was created. Supports $select. Read-only.

Type:DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DescriptionForAdmins

Description provided by review creators to provide more context of the review to admins. Supports $select.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DescriptionForReviewers

Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisplayName

Name of the access review series. Supports $select and $orderby. Required on create.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-FallbackReviewers

This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property. To construct, see NOTES section for FALLBACKREVIEWERS properties and create a hash table.

Type:IMicrosoftGraphAccessReviewReviewerScope[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Headers

Optional headers that will be added to the request.

Type:IDictionary
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Id

The unique identifier for an entity. Read-only.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InstanceEnumerationScope

accessReviewScope

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Instances

If the accessReviewScheduleDefinition is a recurring access review, instances represent each recurrence. A review that doesn't recur will have exactly one instance. Instances also represent each unique resource under review in the accessReviewScheduleDefinition. If a review has multiple resources and multiple instances, each resource has a unique instance for each recurrence. To construct, see NOTES section for INSTANCES properties and create a hash table.

Type:IMicrosoftGraphAccessReviewInstance[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-LastModifiedDateTime

Timestamp when the access review series was last modified. Supports $select. Read-only.

Type:DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ProgressAction

{{ Fill ProgressAction Description }}

Type:ActionPreference
Aliases:proga
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Type:String
Aliases:RHV
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Reviewers

This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property. To construct, see NOTES section for REVIEWERS properties and create a hash table.

Type:IMicrosoftGraphAccessReviewReviewerScope[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Scope

accessReviewScope

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Settings

accessReviewScheduleSettings To construct, see NOTES section for SETTINGS properties and create a hash table.

Type:IMicrosoftGraphAccessReviewScheduleSettings
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-StageSettings

Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties. To construct, see NOTES section for STAGESETTINGS properties and create a hash table.

Type:IMicrosoftGraphAccessReviewStageSettings[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Status

This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessReviewScheduleDefinition

System.Collections.IDictionary

Outputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAccessReviewScheduleDefinition

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

ADDITIONALNOTIFICATIONRECIPIENTS <IMicrosoftGraphAccessReviewNotificationRecipientItem- []>: Defines the list of additional users or group members to be notified of the access review progress.

  • [NotificationRecipientScope <IMicrosoftGraphAccessReviewNotificationRecipientScope>]: accessReviewNotificationRecipientScope
    • [(Any) <Object>]: This indicates any property can be added to this object.
  • [NotificationTemplateType <String>]: Indicates the type of access review email to be sent. Supported template type is CompletedAdditionalRecipients, which sends review completion notifications to the recipients.

BODYPARAMETER <IMicrosoftGraphAccessReviewScheduleDefinition>: accessReviewScheduleDefinition

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [AdditionalNotificationRecipients <IMicrosoftGraphAccessReviewNotificationRecipientItem- []>]: Defines the list of additional users or group members to be notified of the access review progress.
    • [NotificationRecipientScope <IMicrosoftGraphAccessReviewNotificationRecipientScope>]: accessReviewNotificationRecipientScope
      • [(Any) <Object>]: This indicates any property can be added to this object.
    • [NotificationTemplateType <String>]: Indicates the type of access review email to be sent. Supported template type is CompletedAdditionalRecipients, which sends review completion notifications to the recipients.
  • [CreatedBy <IMicrosoftGraphUserIdentity>]: userIdentity
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [DisplayName <String>]: The display name of the identity.For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
    • [Id <String>]: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
    • [IPAddress <String>]: Indicates the client IP address associated with the user performing the activity (audit log only).
    • [UserPrincipalName <String>]: The userPrincipalName attribute of the user.
  • [CreatedDateTime <DateTime?>]: Timestamp when the access review series was created. Supports $select. Read-only.
  • [DescriptionForAdmins <String>]: Description provided by review creators to provide more context of the review to admins. Supports $select.
  • [DescriptionForReviewers <String>]: Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.
  • [DisplayName <String>]: Name of the access review series. Supports $select and $orderby. Required on create.
  • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.
    • [Query <String>]: The query specifying who will be the reviewer.
    • [QueryRoot <String>]: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.
    • [QueryType <String>]: The type of query. Examples include MicrosoftGraph and ARM.
  • [InstanceEnumerationScope <IMicrosoftGraphAccessReviewScope>]: accessReviewScope
    • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Instances <IMicrosoftGraphAccessReviewInstance- []>]: If the accessReviewScheduleDefinition is a recurring access review, instances represent each recurrence. A review that doesn't recur will have exactly one instance. Instances also represent each unique resource under review in the accessReviewScheduleDefinition. If a review has multiple resources and multiple instances, each resource has a unique instance for each recurrence.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [ContactedReviewers <IMicrosoftGraphAccessReviewReviewer- []>]: Returns the collection of reviewers who were contacted to complete this review. While the reviewers and fallbackReviewers properties of the accessReviewScheduleDefinition might specify group owners or managers as reviewers, contactedReviewers returns their individual identities. Supports $select. Read-only.
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [CreatedDateTime <DateTime?>]: The date when the reviewer was added for the access review.
      • [DisplayName <String>]: Name of reviewer.
      • [UserPrincipalName <String>]: User principal name of the reviewer.
    • [Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem- []>]: Each user reviewed in an accessReviewInstance has a decision item representing if they were approved, denied, or not yet reviewed.
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [AccessReviewId <String>]: The identifier of the accessReviewInstance parent. Supports $select. Read-only.
      • [AppliedBy <IMicrosoftGraphUserIdentity>]: userIdentity
      • [AppliedDateTime <DateTime?>]: The timestamp when the approval decision was applied.00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't applied the decision or it was automatically applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
      • [ApplyResult <String>]: The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only.
      • [Decision <String>]: Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only).
      • [Insights <IMicrosoftGraphGovernanceInsight- []>]: Insights are recommendations to reviewers on whether to approve or deny a decision. There can be multiple insights associated with an accessReviewInstanceDecisionItem.
        • [Id <String>]: The unique identifier for an entity. Read-only.
        • [InsightCreatedDateTime <DateTime?>]: Indicates when the insight was created.
      • [Justification <String>]: Justification left by the reviewer when they made the decision.
      • [Principal <IMicrosoftGraphIdentity>]: identity
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [DisplayName <String>]: The display name of the identity.For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
        • [Id <String>]: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
      • [PrincipalLink <String>]: A link to the principal object. For example, https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only.
      • [Recommendation <String>]: A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. The value is Approve if the sign-in is fewer than 30 days after the start of review, Deny if the sign-in is greater than 30 days after, or NoInfoAvailable. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only.
      • [Resource <IMicrosoftGraphAccessReviewInstanceDecisionItemResource>]: accessReviewInstanceDecisionItemResource
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [DisplayName <String>]: Display name of the resource
        • [Id <String>]: Identifier of the resource
        • [Type <String>]: Type of resource. Types include: Group, ServicePrincipal, DirectoryRole, AzureRole, AccessPackageAssignmentPolicy.
      • [ResourceLink <String>]: A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only.
      • [ReviewedBy <IMicrosoftGraphUserIdentity>]: userIdentity
      • [ReviewedDateTime <DateTime?>]: The timestamp when the review decision occurred. Supports $select. Read-only.
    • [EndDateTime <DateTime?>]: DateTime when review instance is scheduled to end.The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
    • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select.
    • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
    • [Scope <IMicrosoftGraphAccessReviewScope>]: accessReviewScope
    • [Stages <IMicrosoftGraphAccessReviewStage- []>]: If the instance has multiple stages, this returns the collection of stages. A new stage will only be created when the previous stage ends. The existence, number, and settings of stages on a review instance are created based on the accessReviewStageSettings on the parent accessReviewScheduleDefinition.
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem- []>]: Each user reviewed in an accessReviewStage has a decision item representing if they were approved, denied, or not yet reviewed.
      • [EndDateTime <DateTime?>]: The date and time in ISO 8601 format and UTC time when the review stage is scheduled to end. This property is the cumulative total of the durationInDays for all stages. Read-only.
      • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist.
      • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
      • [StartDateTime <DateTime?>]: The date and time in ISO 8601 format and UTC time when the review stage is scheduled to start. Read-only.
      • [Status <String>]: Specifies the status of an accessReviewStage. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $orderby, and $filter (eq only). Read-only.
    • [StartDateTime <DateTime?>]: DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
    • [Status <String>]: Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.
  • [LastModifiedDateTime <DateTime?>]: Timestamp when the access review series was last modified. Supports $select. Read-only.
  • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.
  • [Scope <IMicrosoftGraphAccessReviewScope>]: accessReviewScope
  • [Settings <IMicrosoftGraphAccessReviewScheduleSettings>]: accessReviewScheduleSettings
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [ApplyActions <IMicrosoftGraphAccessReviewApplyAction- []>]: Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction.
    • [AutoApplyDecisionsEnabled <Boolean?>]: Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
    • [DecisionHistoriesForReviewersEnabled <Boolean?>]: Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).
    • [DefaultDecision <String>]: Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.
    • [DefaultDecisionEnabled <Boolean?>]: Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
    • [InstanceDurationInDays <Int32?>]: Duration of an access review instance in days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.
    • [JustificationRequiredOnApproval <Boolean?>]: Indicates whether reviewers are required to provide justification with their decision. Default value is false.
    • [MailNotificationsEnabled <Boolean?>]: Indicates whether emails are enabled or disabled. Default value is false.
    • [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting- []>]: Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property.
    • [RecommendationLookBackDuration <TimeSpan?>]: Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.
    • [RecommendationsEnabled <Boolean?>]: Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.
    • [Recurrence <IMicrosoftGraphPatternedRecurrence>]: patternedRecurrence
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [Pattern <IMicrosoftGraphRecurrencePattern>]: recurrencePattern
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [DayOfMonth <Int32?>]: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.
        • [DaysOfWeek <String- []>]: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.
        • [FirstDayOfWeek <String>]: dayOfWeek
        • [Index <String>]: weekIndex
        • [Interval <Int32?>]: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.
        • [Month <Int32?>]: The month in which the event occurs. This is a number from 1 to 12.
        • [Type <String>]: recurrencePatternType
      • [Range <IMicrosoftGraphRecurrenceRange>]: recurrenceRange
        • [(Any) <Object>]: This indicates any property can be added to this object.
        • [EndDate <DateTime?>]: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.
        • [NumberOfOccurrences <Int32?>]: The number of times to repeat the event. Required and must be positive if type is numbered.
        • [RecurrenceTimeZone <String>]: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.
        • [StartDate <DateTime?>]: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.
        • [Type <String>]: recurrenceRangeType
    • [ReminderNotificationsEnabled <Boolean?>]: Indicates whether reminders are enabled or disabled. Default value is false.
  • [StageSettings <IMicrosoftGraphAccessReviewStageSettings- []>]: Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.
    • [DecisionsThatWillMoveToNextStage <String- []>]: Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.
    • [DependsOn <String- []>]: Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.
    • [DurationInDays <Int32?>]: The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object.

Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7. - [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist. For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object. - [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting- []>]: - [RecommendationsEnabled <Boolean?>]: Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides override the corresponding setting on the accessReviewScheduleDefinition object. - [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: Defines who the reviewers are. If none is specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition. - [StageId <String>]: Unique identifier of the accessReviewStageSettings object. The stageId is used by the dependsOn property to indicate the order of the stages. Required.

  • [Status <String>]: This read-only field specifies the status of an access review. The typical states include Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.

CREATEDBY <IMicrosoftGraphUserIdentity>: userIdentity

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [DisplayName <String>]: The display name of the identity.For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
  • [Id <String>]: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
  • [IPAddress <String>]: Indicates the client IP address associated with the user performing the activity (audit log only).
  • [UserPrincipalName <String>]: The userPrincipalName attribute of the user.

FALLBACKREVIEWERS <IMicrosoftGraphAccessReviewReviewerScope- []>: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist. See accessReviewReviewerScope. Replaces backupReviewers. Supports $select. NOTE: The value of this property will be ignored if fallback reviewers are assigned through the stageSettings property.

  • [Query <String>]: The query specifying who will be the reviewer.
  • [QueryRoot <String>]: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.
  • [QueryType <String>]: The type of query. Examples include MicrosoftGraph and ARM.

INSTANCES <IMicrosoftGraphAccessReviewInstance- []>: If the accessReviewScheduleDefinition is a recurring access review, instances represent each recurrence. A review that doesn't recur will have exactly one instance. Instances also represent each unique resource under review in the accessReviewScheduleDefinition. If a review has multiple resources and multiple instances, each resource has a unique instance for each recurrence.

  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [ContactedReviewers <IMicrosoftGraphAccessReviewReviewer- []>]: Returns the collection of reviewers who were contacted to complete this review. While the reviewers and fallbackReviewers properties of the accessReviewScheduleDefinition might specify group owners or managers as reviewers, contactedReviewers returns their individual identities. Supports $select. Read-only.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [CreatedDateTime <DateTime?>]: The date when the reviewer was added for the access review.
    • [DisplayName <String>]: Name of reviewer.
    • [UserPrincipalName <String>]: User principal name of the reviewer.
  • [Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem- []>]: Each user reviewed in an accessReviewInstance has a decision item representing if they were approved, denied, or not yet reviewed.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [AccessReviewId <String>]: The identifier of the accessReviewInstance parent. Supports $select. Read-only.
    • [AppliedBy <IMicrosoftGraphUserIdentity>]: userIdentity
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [DisplayName <String>]: The display name of the identity.For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
      • [Id <String>]: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
      • [IPAddress <String>]: Indicates the client IP address associated with the user performing the activity (audit log only).
      • [UserPrincipalName <String>]: The userPrincipalName attribute of the user.
    • [AppliedDateTime <DateTime?>]: The timestamp when the approval decision was applied.00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't applied the decision or it was automatically applied. The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
    • [ApplyResult <String>]: The result of applying the decision. Possible values: New, AppliedSuccessfully, AppliedWithUnknownFailure, AppliedSuccessfullyButObjectNotFound and ApplyNotSupported. Supports $select, $orderby, and $filter (eq only). Read-only.
    • [Decision <String>]: Result of the review. Possible values: Approve, Deny, NotReviewed, or DontKnow. Supports $select, $orderby, and $filter (eq only).
    • [Insights <IMicrosoftGraphGovernanceInsight- []>]: Insights are recommendations to reviewers on whether to approve or deny a decision. There can be multiple insights associated with an accessReviewInstanceDecisionItem.
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [InsightCreatedDateTime <DateTime?>]: Indicates when the insight was created.
    • [Justification <String>]: Justification left by the reviewer when they made the decision.
    • [Principal <IMicrosoftGraphIdentity>]: identity
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [DisplayName <String>]: The display name of the identity.For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.
      • [Id <String>]: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
    • [PrincipalLink <String>]: A link to the principal object. For example, https://graph.microsoft.com/v1.0/users/a6c7aecb-cbfd-4763-87ef-e91b4bd509d9. Read-only.
    • [Recommendation <String>]: A system-generated recommendation for the approval decision based off last interactive sign-in to tenant. The value is Approve if the sign-in is fewer than 30 days after the start of review, Deny if the sign-in is greater than 30 days after, or NoInfoAvailable. Possible values: Approve, Deny, or NoInfoAvailable. Supports $select, $orderby, and $filter (eq only). Read-only.
    • [Resource <IMicrosoftGraphAccessReviewInstanceDecisionItemResource>]: accessReviewInstanceDecisionItemResource
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [DisplayName <String>]: Display name of the resource
      • [Id <String>]: Identifier of the resource
      • [Type <String>]: Type of resource. Types include: Group, ServicePrincipal, DirectoryRole, AzureRole, AccessPackageAssignmentPolicy.
    • [ResourceLink <String>]: A link to the resource. For example, https://graph.microsoft.com/v1.0/servicePrincipals/c86300f3-8695-4320-9f6e-32a2555f5ff8. Supports $select. Read-only.
    • [ReviewedBy <IMicrosoftGraphUserIdentity>]: userIdentity
    • [ReviewedDateTime <DateTime?>]: The timestamp when the review decision occurred. Supports $select. Read-only.
  • [EndDateTime <DateTime?>]: DateTime when review instance is scheduled to end.The DatetimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
  • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports $select.
    • [Query <String>]: The query specifying who will be the reviewer.
    • [QueryRoot <String>]: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.
    • [QueryType <String>]: The type of query. Examples include MicrosoftGraph and ARM.
  • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of access review scopes is used to define who the reviewers are. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
  • [Scope <IMicrosoftGraphAccessReviewScope>]: accessReviewScope
    • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Stages <IMicrosoftGraphAccessReviewStage- []>]: If the instance has multiple stages, this returns the collection of stages. A new stage will only be created when the previous stage ends. The existence, number, and settings of stages on a review instance are created based on the accessReviewStageSettings on the parent accessReviewScheduleDefinition.
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [Decisions <IMicrosoftGraphAccessReviewInstanceDecisionItem- []>]: Each user reviewed in an accessReviewStage has a decision item representing if they were approved, denied, or not yet reviewed.
    • [EndDateTime <DateTime?>]: The date and time in ISO 8601 format and UTC time when the review stage is scheduled to end. This property is the cumulative total of the durationInDays for all stages. Read-only.
    • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers are notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner doesn't exist, or manager is specified as reviewer but a user's manager doesn't exist.
    • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: This collection of access review scopes is used to define who the reviewers are. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API.
    • [StartDateTime <DateTime?>]: The date and time in ISO 8601 format and UTC time when the review stage is scheduled to start. Read-only.
    • [Status <String>]: Specifies the status of an accessReviewStage. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $orderby, and $filter (eq only). Read-only.
  • [StartDateTime <DateTime?>]: DateTime when review instance is scheduled to start. May be in the future. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $select. Read-only.
  • [Status <String>]: Specifies the status of an accessReview. Possible values: Initializing, NotStarted, Starting, InProgress, Completing, Completed, AutoReviewing, and AutoReviewed. Supports $select, $orderby, and $filter (eq only). Read-only.

REVIEWERS <IMicrosoftGraphAccessReviewReviewerScope- []>: This collection of access review scopes is used to define who are the reviewers. The reviewers property is only updatable if individual users are assigned as reviewers. Required on create. Supports $select. For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property will be ignored if reviewers are assigned through the stageSettings property.

  • [Query <String>]: The query specifying who will be the reviewer.
  • [QueryRoot <String>]: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.
  • [QueryType <String>]: The type of query. Examples include MicrosoftGraph and ARM.

SETTINGS <IMicrosoftGraphAccessReviewScheduleSettings>: accessReviewScheduleSettings

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [ApplyActions <IMicrosoftGraphAccessReviewApplyAction- []>]: Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction.
  • [AutoApplyDecisionsEnabled <Boolean?>]: Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
  • [DecisionHistoriesForReviewersEnabled <Boolean?>]: Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).
  • [DefaultDecision <String>]: Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.
  • [DefaultDecisionEnabled <Boolean?>]: Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.
  • [InstanceDurationInDays <Int32?>]: Duration of an access review instance in days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.
  • [JustificationRequiredOnApproval <Boolean?>]: Indicates whether reviewers are required to provide justification with their decision. Default value is false.
  • [MailNotificationsEnabled <Boolean?>]: Indicates whether emails are enabled or disabled. Default value is false.
  • [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting- []>]: Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property.
  • [RecommendationLookBackDuration <TimeSpan?>]: Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.
  • [RecommendationsEnabled <Boolean?>]: Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.
  • [Recurrence <IMicrosoftGraphPatternedRecurrence>]: patternedRecurrence
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Pattern <IMicrosoftGraphRecurrencePattern>]: recurrencePattern
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [DayOfMonth <Int32?>]: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.
      • [DaysOfWeek <String- []>]: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.
      • [FirstDayOfWeek <String>]: dayOfWeek
      • [Index <String>]: weekIndex
      • [Interval <Int32?>]: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.
      • [Month <Int32?>]: The month in which the event occurs. This is a number from 1 to 12.
      • [Type <String>]: recurrencePatternType
    • [Range <IMicrosoftGraphRecurrenceRange>]: recurrenceRange
      • [(Any) <Object>]: This indicates any property can be added to this object.
      • [EndDate <DateTime?>]: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.
      • [NumberOfOccurrences <Int32?>]: The number of times to repeat the event. Required and must be positive if type is numbered.
      • [RecurrenceTimeZone <String>]: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.
      • [StartDate <DateTime?>]: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.
      • [Type <String>]: recurrenceRangeType
  • [ReminderNotificationsEnabled <Boolean?>]: Indicates whether reminders are enabled or disabled. Default value is false.

STAGESETTINGS <IMicrosoftGraphAccessReviewStageSettings- []>: Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties.

  • [DecisionsThatWillMoveToNextStage <String- []>]: Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.
  • [DependsOn <String- []>]: Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.
  • [DurationInDays <Int32?>]: The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object.

Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.

  • [FallbackReviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: If provided, the fallback reviewers are asked to complete a review if the primary reviewers don't exist. For example, if managers are selected as reviewers and a principal under review doesn't have a manager in Microsoft Entra ID, the fallback reviewers are asked to review that principal. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.
    • [Query <String>]: The query specifying who will be the reviewer.
    • [QueryRoot <String>]: In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query, for example, ./manager, is specified. Possible value: decisions.
    • [QueryType <String>]: The type of query. Examples include MicrosoftGraph and ARM.
  • [RecommendationInsightSettings <IMicrosoftGraphAccessReviewRecommendationInsightSetting- []>]:
  • [RecommendationsEnabled <Boolean?>]: Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides override the corresponding setting on the accessReviewScheduleDefinition object.
  • [Reviewers <IMicrosoftGraphAccessReviewReviewerScope- []>]: Defines who the reviewers are. If none is specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see Assign reviewers to your access review definition using the Microsoft Graph API. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition.
  • [StageId <String>]: Unique identifier of the accessReviewStageSettings object. The stageId is used by the dependsOn property to indicate the order of the stages. Required.

https://learn.microsoft.com/powershell/module/microsoft.graph.identity.governance/new-mgidentitygovernanceaccessreviewdefinition

https://learn.microsoft.com/graph/api/accessreviewset-post-definitions?view=graph-rest-1.0