Forum Discussion

Mark_Wahl's avatar
Mark_Wahl
Icon for Microsoft rankMicrosoft
Aug 15, 2019

Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell

The Azure AD access reviews feature is part of Microsoft Graph, with a list of methods at https://docs.microsoft.com/en-us/graph/api/resources/accessreviews-root?view=graph-rest-beta.  An earlier blo...
Access Management
Azure Active Directory (AAD)
Identity Management
MikeCrowley's avatar
MikeCrowley
Iron Contributor
May 26, 2022

Roger Williams I just came across this post and wanted to share an approach if anyone else has the same question:

 

 

Connect-MgGraph -TenantId mytenant.onmicrosoft.com -Scopes AccessReview.ReadWrite.All
Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.Governance

$AccessReviewTemplate = Get-MgBusinessFlowTemplate | Where DisplayName -eq 'Access reviews of memberships of a group'
$AccessReviewTemplate.Id

$AutoReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAutoReviewSettings]@{
    NotReviewedResult = "None"
}

$RecurrenceSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewRecurrenceSettings]@{
    DurationInDays    = 1
    RecurrenceCount   = 0
    RecurrenceEndType = "never"
    RecurrenceType    = "weekly"
}

$ReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewSettings]@{
    AccessRecommendationsEnabled    = $true   
    ActivityDurationInDays          = 0   
    AutoApplyReviewResultsEnabled   = $false
    AutoReviewEnabled               = $false
    AutoReviewSettings              = $AutoReviewSettings
    JustificationRequiredOnApproval = $true
    MailNotificationsEnabled        = $true
    RecurrenceSettings              = $RecurrenceSettings
    RemindersEnabled                = $true
}

$ReviewedEntity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphIdentity]@{
    DisplayName = "Group2"
    Id          = "00000001-c59e-48c1-86e9-14ee6daef724" # AAD ObjectId
}

$NewAccessReview = @{
    DisplayName            = "Group2"
    BusinessFlowTemplateId = $AccessReviewTemplate.Id
    Description            = "review2 description!"
    Settings               = $ReviewSettings
    StartDateTime          = (get-date)
    ReviewedEntity         = $ReviewedEntity
    ReviewerType           = "entityOwners"
}

# https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgaccessreview?view=graph-powershell-beta
New-MgAccessReview @NewAccessReview

 

frenjd's avatar
frenjd
Copper Contributor
Aug 13, 2024

MikeCrowley 

When I use this script, the owner of the access review is set as [].

The access review is created, but the reviewer is never notified via email and if the login to the access review portal, they do not see the access review that has been created.

 

I have tried many variations to set the Access Review owner, but none of them work.  Any Ideas?

 

Thanks

Resources