Forum Discussion
Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell
Mark_Wahl Thanks for providing this script. It is a big help in our project to automate the creation of Group Access Reviews.
Would it be possible for you to update this example using MSAL instead of ADAL since ADAL is going away?
Roger Williams I just came across this post and wanted to share an approach if anyone else has the same question:
# Sign in with a delegated token that carries the access review scope (app-only auth works the same way via -ClientId/-CertificateThumbprint)
Connect-MgGraph -TenantId mytenant.onmicrosoft.com -Scopes AccessReview.ReadWrite.All
# The legacy accessReview resource only exists on the beta endpoint (Graph PowerShell SDK 1.x profile switch)
Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.Governance

# Pick the business flow template for group membership reviews; its Id is required when creating the review
$AccessReviewTemplate = Get-MgBusinessFlowTemplate | Where-Object DisplayName -eq 'Access reviews of memberships of a group'
$AccessReviewTemplate.Id   # sanity check: should be a non-empty GUID

# What happens to a user nobody reviews before the review ends ("None" keeps access unchanged)
$AutoReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAutoReviewSettings]@{
    NotReviewedResult = "None"
}
$RecurrenceSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewRecurrenceSettings]@{
    DurationInDays    = 1
    RecurrenceCount   = 0
    RecurrenceEndType = "never"
    RecurrenceType    = "weekly"
}
$ReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewSettings]@{
    AccessRecommendationsEnabled    = $true
    ActivityDurationInDays          = 0
    AutoApplyReviewResultsEnabled   = $false   # decisions are recorded, not enforced automatically
    AutoReviewEnabled               = $false
    AutoReviewSettings              = $AutoReviewSettings
    JustificationRequiredOnApproval = $true
    MailNotificationsEnabled        = $true
    RecurrenceSettings              = $RecurrenceSettings
    RemindersEnabled                = $true
}
# The object whose access is reviewed: the group, identified by its AAD object id
$ReviewedEntity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphIdentity]@{
    DisplayName = "Group2"
    Id          = "00000001-c59e-48c1-86e9-14ee6daef724" # AAD ObjectId
}
$NewAccessReview = @{
    DisplayName            = "Group2"
    BusinessFlowTemplateId = $AccessReviewTemplate.Id
    Description            = "review2 description!"
    Settings               = $ReviewSettings
    StartDateTime          = (Get-Date)
    ReviewedEntity         = $ReviewedEntity
    ReviewerType           = "entityOwners"   # the group owners review; other values: self, delegated
}
# https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgaccessreview?view=graph-powershell-beta
New-MgAccessReview @NewAccessReview
- frenjd, Aug 13, 2024, Copper Contributor
When I use this script, the owner of the access review is set as [].
The access review is created, but the reviewer is never notified via email, and if they log in to the access review portal, they do not see the access review that has been created.
I have tried many variations to set the Access Review owner, but none of them work. Any Ideas?
Thanks
- ilik0, Nov 22, 2022, Brass Contributor
For me it says ##[error]Invalid schedule recurrence type provided : never
Update:
I had to change to this to make it work:
$RecurrenceSettings = @{
    RecurrenceType    = "onetime"
    RecurrenceEndType = "endBy"
    DurationInDays    = 30
    RecurrenceCount   = 180
}
- MikeCrowley, Dec 01, 2022, Iron Contributor
ilik0, those types are imported with the modules, sorry I forgot to mention this.
- ilik0, Dec 12, 2022, Brass Contributor
Thanks, Mike. Do you know how to add an AAD group to the review created by the code above?
- vmovsessian, Sep 02, 2022, Copper Contributor
This is a great start, thanks MikeCrowley and Mark_Wahl!
Any suggestions on how we can set the reviewers to be the manager of the user?
The https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgaccessreview?view=graph-powershell-beta page says that it needs to be "one of self, delegated or entityOwners". I've tried all three of those, and the access review doesn't get created with "managers" as the reviewers like it does when the reviews are manually created.
The https://docs.microsoft.com/en-us/graph/accessreviews-reviewers-concept#example-5-people-managers-as-reviewers says to include this in the body of the web request:
    "reviewers": [ { "query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions" } ]
I've adapted Mark Wahl's original script to literally send that exact string as part of the web request body and the Graph API responds back with "(400) Bad Request".
Any help would greatly be appreciated, thanks again!
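Added example, not posted by anyone in this thread: the "reviewers" block that vmovsessian quotes belongs to the accessReviewScheduleDefinition resource (the v1.0 API behind the docs page linked above), not to the legacy beta accessReview resource that New-MgAccessReview creates, which only knows the three ReviewerType values. The script below uses that newer resource to review the members of a group (which also answers ilik0's question about scoping a review to an AAD group) with each member's manager as reviewer and the group owners as fallback. It assumes the Microsoft Graph PowerShell SDK v2 and the AccessReview.ReadWrite.All permission; $GroupId is a placeholder you must replace with the group's object id.

```powershell
# Added example, not from the thread: create a recurring group membership review whose
# reviewers are resolved per member as that member's manager.
# Assumes Microsoft Graph PowerShell SDK v2 (v1.0 endpoint) and AccessReview.ReadWrite.All.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -TenantId "mytenant.onmicrosoft.com" -Scopes "AccessReview.ReadWrite.All"

$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the group to review

$Definition = @{
    displayName             = "Group2 membership review (managers)"
    descriptionForAdmins    = "Quarterly review of Group2 members by their managers"
    descriptionForReviewers = "Confirm that each of your reports still needs this group"
    # Scope: the users to review, expressed as a Graph query over the group's members
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$GroupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Reviewer: for every decision (i.e. every reviewed user) follow ./manager from that user
    reviewers = @(
        @{
            query     = "./manager"
            queryType = "MicrosoftGraph"
            queryRoot = "decisions"
        }
    )
    # Users with no manager would otherwise have no reviewer; send those to the group owners
    fallbackReviewers = @(
        @{
            query     = "/groups/$GroupId/owners"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $false   # no silent approve/deny for unreviewed users
        defaultDecision                 = "None"
        instanceDurationInDays          = 14
        recommendationsEnabled          = $true
        autoApplyDecisionsEnabled       = $false   # record decisions, apply them manually
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$Review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $Definition
"Created access review definition $($Review.Id)"

# Read the definition back and confirm the reviewer query was stored as intended
$Created = Get-MgIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $Review.Id
$Created.Reviewers | Select-Object Query, QueryType, QueryRoot
```

The read-back at the end is the quickest way to tell whether the 400 vmovsessian saw came from the body shape or from the endpoint: with the schedule definition resource the stored reviewer should show Query "./manager" and QueryRoot "decisions". Keep the fallbackReviewers entry; a member without a manager attribute otherwise gets no reviewer, and the default decision setting above decides what happens to them when the instance ends.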