Forum Discussion

Mark_Wahl's avatar
Mark_Wahl
Icon for Microsoft rankMicrosoft
Aug 15, 2019

Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell

The Azure AD access reviews feature is part of Microsoft Graph, with a list of methods at https://docs.microsoft.com/en-us/graph/api/resources/accessreviews-root?view=graph-rest-beta.  An earlier blo...
Access Management
Azure Active Directory (AAD)
Identity Management
Roger Williams's avatar
Roger Williams
Copper Contributor
Sep 10, 2020

Mark_WahlThanks for providing this script. It is a big help in our project to automate the creation of Group Access Reviews.

Would it be possible for you to update this example using MSAL instead of ADAL since ADAL is going away?

MikeCrowley's avatar
MikeCrowley
Iron Contributor
May 26, 2022

Roger Williams I just came across this post and wanted to share an approach if anyone else has the same question:

 

 

Connect-MgGraph -TenantId mytenant.onmicrosoft.com -Scopes AccessReview.ReadWrite.All
Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.Governance

$AccessReviewTemplate = Get-MgBusinessFlowTemplate | Where DisplayName -eq 'Access reviews of memberships of a group'
$AccessReviewTemplate.Id

$AutoReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAutoReviewSettings]@{
    NotReviewedResult = "None"
}

$RecurrenceSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewRecurrenceSettings]@{
    DurationInDays    = 1
    RecurrenceCount   = 0
    RecurrenceEndType = "never"
    RecurrenceType    = "weekly"
}

$ReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewSettings]@{
    AccessRecommendationsEnabled    = $true   
    ActivityDurationInDays          = 0   
    AutoApplyReviewResultsEnabled   = $false
    AutoReviewEnabled               = $false
    AutoReviewSettings              = $AutoReviewSettings
    JustificationRequiredOnApproval = $true
    MailNotificationsEnabled        = $true
    RecurrenceSettings              = $RecurrenceSettings
    RemindersEnabled                = $true
}

$ReviewedEntity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphIdentity]@{
    DisplayName = "Group2"
    Id          = "00000001-c59e-48c1-86e9-14ee6daef724" # AAD ObjectId
}

$NewAccessReview = @{
    DisplayName            = "Group2"
    BusinessFlowTemplateId = $AccessReviewTemplate.Id
    Description            = "review2 description!"
    Settings               = $ReviewSettings
    StartDateTime          = (get-date)
    ReviewedEntity         = $ReviewedEntity
    ReviewerType           = "entityOwners"
}

# https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgaccessreview?view=graph-powershell-beta
New-MgAccessReview @NewAccessReview

 

Resources