Forum Discussion

Mark_Wahl's avatar
Mark_Wahl
Icon for Microsoft rankMicrosoft
Aug 15, 2019

Example how to create Azure AD access reviews using Microsoft Graph app permissions with PowerShell

The Azure AD access reviews feature is part of Microsoft Graph, with a list of methods at https://docs.microsoft.com/en-us/graph/api/resources/accessreviews-root?view=graph-rest-beta.  An earlier blo...
Access Management
Azure Active Directory (AAD)
Identity Management
MikeCrowley's avatar
MikeCrowley
Iron Contributor
May 26, 2022

Roger Williams I just came across this post and wanted to share an approach if anyone else has the same question:

 

 

Connect-MgGraph -TenantId mytenant.onmicrosoft.com -Scopes AccessReview.ReadWrite.All
Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.Governance

$AccessReviewTemplate = Get-MgBusinessFlowTemplate | Where DisplayName -eq 'Access reviews of memberships of a group'
$AccessReviewTemplate.Id

$AutoReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAutoReviewSettings]@{
    NotReviewedResult = "None"
}

$RecurrenceSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewRecurrenceSettings]@{
    DurationInDays    = 1
    RecurrenceCount   = 0
    RecurrenceEndType = "never"
    RecurrenceType    = "weekly"
}

$ReviewSettings = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessReviewSettings]@{
    AccessRecommendationsEnabled    = $true   
    ActivityDurationInDays          = 0   
    AutoApplyReviewResultsEnabled   = $false
    AutoReviewEnabled               = $false
    AutoReviewSettings              = $AutoReviewSettings
    JustificationRequiredOnApproval = $true
    MailNotificationsEnabled        = $true
    RecurrenceSettings              = $RecurrenceSettings
    RemindersEnabled                = $true
}

$ReviewedEntity = [Microsoft.Graph.PowerShell.Models.MicrosoftGraphIdentity]@{
    DisplayName = "Group2"
    Id          = "00000001-c59e-48c1-86e9-14ee6daef724" # AAD ObjectId
}

$NewAccessReview = @{
    DisplayName            = "Group2"
    BusinessFlowTemplateId = $AccessReviewTemplate.Id
    Description            = "review2 description!"
    Settings               = $ReviewSettings
    StartDateTime          = (get-date)
    ReviewedEntity         = $ReviewedEntity
    ReviewerType           = "entityOwners"
}

# https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/new-mgaccessreview?view=graph-powershell-beta
New-MgAccessReview @NewAccessReview

 

ilik0's avatar
ilik0
Brass Contributor
Nov 22, 2022

For me it says ##[error]Invalid schedule recurrence type provided : never

Update:
I had to change to this to make it work:

$RecurrenceSettings = @{
            RecurrenceType = "onetime"
            RecurrenceEndType = "endBy"
            DurationInDays = 30
            RecurrenceCount = 180
            }
  • MikeCrowley's avatar
    MikeCrowley
    Iron Contributor
    Dec 01, 2022
    ilik0, those types are imported with the modules, sorry I forgot to mention this.
    • ilik0's avatar
      ilik0
      Brass Contributor
      Dec 12, 2022
      Thanks, Mike. Do you know how to add an AAD group to the review created by the code above?