Aug 22 2018 06:31 PM - last edited on Jan 14 2022 05:22 PM by TechCommunityAP
The Azure AD access reviews feature now has an API in the Microsoft Graph beta endpoint. The list of API methods is at https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/accessreviews_root. While we are still adding access reviews to Azure AD PowerShell, and adding examples of using access reviews from other development platforms to our documentation, the following code sample may be of interest.
The Azure AD access reviews feature adds the following resource types:
The Azure AD access reviews API performs three checks:
If you do not already have those permissions on an application, the section “Register an Azure AD application which can call the access reviews Graph API” below creates a new application and assigns it read permissions. (You can adapt the steps to assign it read and write permissions.)
Target Resource | Desired Operation | Required directory role of the user, in addition to the application permission
--- | --- | ---
Access review of an Azure AD role | Read | Global Administrator,
Access review of an Azure AD role | Create, Update or Delete | Global Administrator or
Access review of a group or app | Read | Global Administrator,
Access review of a group or app | Create, Update or Delete | Global Administrator or
Programs or controls | Read | Global Administrator,
Programs or controls | Create, Update or Delete | Global Administrator or
This example assumes you have already onboarded Azure AD access reviews in your tenant directory. If you have already done so, then skip to the next section “Register an Azure AD application which has permissions to call the access reviews API in Graph”. Otherwise, continue with these steps to ensure the feature is onboarded so the APIs will return some data.
The Graph authorization model requires that an application must be consented by a user or administrator prior to accessing an organization’s data.
urn:ietf:wg:oauth:2.0:oob
Click “Done”.
The Microsoft Graph requires the application calling it to have an access token.
In this example, the sample code that calls the API uses the ADAL library, which is installed automatically with the Azure AD PowerShell module.
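Before spending the token on Graph calls, it is worth checking that it was issued for the Graph audience, has not expired, and actually carries the permission the application registration was meant to grant. The following is an added example and not part of the original post or of the ADAL library: it decodes the payload of the bearer token that the post's Get-GraphExampleAuthToken function returns (the `Test-GraphExampleToken` and `ConvertFrom-GraphExampleJwtPayload` function names are mine), and reads the standard Azure AD claims `aud`, `exp`, `scp` (delegated permissions) and `roles` (application permissions). The permission name `AccessReview.Read.All` is my assumption for what the read-only registration grants; the post does not name it. The sample token at the end is constructed locally so the check can be run offline.

```powershell
# Added example (not from the original post): sanity-check a Graph bearer token.
# This decodes claims only; it does not verify the signature, which Graph does server-side.

function ConvertTo-GraphExampleBase64Url {
    param([Parameter(Mandatory = $true)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-GraphExampleJwtPayload {
    param([Parameter(Mandatory = $true)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # JWT segments are base64url without padding; restore standard base64 before decoding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphExampleToken {
    param(
        [Parameter(Mandatory = $true)][hashtable]$AuthHeaders,   # the hashtable Get-GraphExampleAuthToken returns
        [string]$ExpectedAudience = "https://graph.microsoft.com", # same resource URI the script requests a token for
        [string[]]$RequiredPermission = @("AccessReview.Read.All") # assumed permission name; adjust to what you granted
    )
    $token  = $AuthHeaders['Authorization'] -replace '^Bearer\s+', ''
    $claims = ConvertFrom-GraphExampleJwtPayload -Token $token
    $problems = @()

    if ($claims.aud -ne $ExpectedAudience) {
        $problems += "audience is '$($claims.aud)', expected '$ExpectedAudience'"
    }

    # 'exp' is seconds since the Unix epoch; a missing claim decodes as 0 and is reported as expired
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -le [DateTimeOffset]::UtcNow) {
        $problems += "token expired at $expires (UTC)"
    }

    # Delegated permissions arrive as a space-separated 'scp' string, application permissions as a 'roles' array
    $granted = @()
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    if ($claims.roles) { $granted += @($claims.roles) }
    foreach ($p in $RequiredPermission) {
        if ($granted -notcontains $p) {
            $problems += "permission '$p' not present in scp/roles (granted: $($granted -join ', '))"
        }
    }

    return [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
        Claims   = $claims
    }
}

# Constructed sample token (not a real Azure AD token): header and payload only, empty signature.
$samplePayload = @{
    aud = "https://graph.microsoft.com"
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
    scp = "AccessReview.Read.All User.Read"
} | ConvertTo-Json -Compress
$sampleToken = (ConvertTo-GraphExampleBase64Url '{"alg":"none","typ":"JWT"}') + '.' + (ConvertTo-GraphExampleBase64Url $samplePayload) + '.'

$result = Test-GraphExampleToken -AuthHeaders @{ Authorization = "Bearer $sampleToken" }
$result | Format-List Ok, Problems

# With the real script: Test-GraphExampleToken -AuthHeaders (Get-GraphExampleAuthToken -User $User -ClientId $ClientId)
```

A token that fails the audience check usually means the wrong resource was requested from ADAL; a missing `scp`/`roles` entry usually means the application's permission was never consented, which is the case the "Register an Azure AD application" section exists to prevent.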
```powershell
# Example for using Azure AD access reviews in Microsoft Graph
#
# This material is provided "AS-IS" and has no warranty.
#
# Last updated August 22, 2018
#
# This example is adapted from the documentation example located at
# https://docs.microsoft.com/en-us/intune/intune-graph-apis
#

Param(
    [Parameter(Mandatory=$true)][string]$User,
    [Parameter(Mandatory=$true)][string]$ClientId
)

# from Intune graph API samples
function Get-GraphExampleAuthToken {
    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)] $User,
        [Parameter(Mandatory = $true)] $ClientId,
        [Parameter()] $TenantDomain
    )

    # The tenant is taken from the domain part of the user's UPN unless one is given explicitly
    $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
    $tenant = $userUpn.Host
    if ($TenantDomain -ne $null) {
        $tenant = $TenantDomain
    }

    Write-Verbose "Checking for AzureAD module..."
    $AadModule = Get-Module -Name "AzureAD" -ListAvailable
    if ($AadModule -eq $null) {
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    }
    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version
    if ($AadModule.count -gt 1) {
        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]
        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }
    else {
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }

    # Load ADAL from the Azure AD module folder, so no separate ADAL install is required
    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"

    try {
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

        # https://msdn.microsoft.com/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")

        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $ClientId, $redirectUri, $platformParameters, $userId).Result

        # If the accesstoken is valid then create the authentication header
        if ($authResult.AccessToken) {
            # Creating header for Authorization token
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }
            return $authHeader
        }
        else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
            break
        }
    }
    catch {
        write-host $_.Exception.Message -f Red
        write-host $_.Exception.ItemName -f Red
        write-host
        break
    }
}

# start of access review specific example

# Lists the controls attached to one program
function Get-GraphExampleProgramControls($authHeaders, $programId) {
    $uri1 = "https://graph.microsoft.com/beta/programs('" + $programId + "')/controls"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($c in $val1.Value) {
        $cid = $c.controlId
        $displayname = '"' + $c.displayName + '"'
        Write-Host "control $cid $displayname"
    }
}

# Lists every program in the tenant, with its controls
function Get-GraphExamplePrograms($authHeaders) {
    $uri1 = "https://graph.microsoft.com/beta/programs"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($program in $val1.Value) {
        $id = $program.id
        $displayname = '"' + $program.displayName + '"'
        Write-Host "program $id $displayName"
        Get-GraphExampleProgramControls $authHeaders $id
        Write-Host ""
    }
}

# Lists the per-user decisions recorded for one access review (or review instance)
function Get-GraphExampleAccessReviewDecisions($authHeaders, $arid) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews(' + "'" + $arid + "')/decisions"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ard in $val1.Value) {
        $rr = $ard.reviewResult
        $upn = $ard.userPrincipalName
        Write-Host "access review decision $upn $rr"
    }
    Write-Host ""
}

# Lists the instances of a recurring access review; decisions exist only once an instance has started
function Get-GraphExampleAccessReviewInstances($authHeaders, $arid) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews(' + "'" + $arid + "')/instances"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ard in $val1.Value) {
        $iid = $ard.id
        $start = $ard.startDateTime
        $end = $ard.endDateTime
        $status = $ard.status
        Write-Host "access review instance $start $end $status"
        if ($status -ne "NotStarted") {
            Get-GraphExampleAccessReviewDecisions $authHeaders $iid
        }
    }
    Write-Host ""
}

# Lists the access reviews created from one business flow template
function Get-GraphExampleAccessReviews($authHeaders, $bftid) {
    $uri1 = 'https://graph.microsoft.com/beta/accessReviews?$filter=businessFlowTemplateId%20eq%20' + "'" + $bftid + "'"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($ar in $val1.Value) {
        $id = $ar.id
        $displayname = '"' + $ar.displayName + '"'
        $startDateTime = $ar.startDateTime
        $status = $ar.status
        Write-Host "access review $id $displayName $startDateTime $status"
        Get-GraphExampleAccessReviewDecisions $authHeaders $id
        Get-GraphExampleAccessReviewInstances $authHeaders $id
    }
}

# Walks every business flow template and the access reviews under each
function Get-GraphExampleBusinessFlowTemplates($authHeaders) {
    $uri1 = "https://graph.microsoft.com/beta/businessFlowTemplates"
    Write-Host "GET $uri1"
    $resp1 = Invoke-WebRequest -UseBasicParsing -headers $authHeaders -Uri $uri1 -Method Get
    $val1 = ConvertFrom-Json $resp1.Content
    foreach ($bft in $val1.Value) {
        $id = $bft.id
        Write-Host "business flow template $id"
        Get-GraphExampleAccessReviews $authHeaders $id
        Write-Host ""
    }
}

$authHeaders = Get-GraphExampleAuthToken -User $User -ClientId $ClientId
Get-GraphExamplePrograms $authHeaders
Get-GraphExampleBusinessFlowTemplates $authHeaders
```
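The script above reads only the first page of each collection and prints each decision as it goes. Two things a practitioner usually wants on top of that are paging (Graph returns large collections in pages linked by `@odata.nextLink`, and throttles with HTTP 429 plus a `Retry-After` header) and a summary of where a review stands, in particular which users still have access because nobody reviewed them. The following is an added example, not code from the original post: `Get-GraphExampleCollection` and `Get-GraphExampleDecisionSummary` are my function names, the block assumes the same `$authHeaders` hashtable and the same `accessReviews('{id}')/decisions` collection the script uses, and the `reviewResult` values in the constructed sample (`Approve`, `Deny`, `NotReviewed`) are illustrative. Like the original script, it targets Windows PowerShell 5.1, where a failed `Invoke-WebRequest` exposes an `HttpWebResponse` on the exception.

```powershell
# Added example (not from the original post): paged collection reads and a decision summary
# for the beta access reviews API.

function Get-GraphExampleCollection {
    # Returns every item of a Graph collection by following @odata.nextLink, and waits on 429
    param(
        [Parameter(Mandatory = $true)][hashtable]$AuthHeaders,   # hashtable from Get-GraphExampleAuthToken
        [Parameter(Mandatory = $true)][string]$Uri,
        [int]$MaxPages = 50                                      # safety cap so a bad nextLink cannot loop forever
    )
    $items = @()
    $next = $Uri
    $attempts = 0
    while ($next -and $attempts -lt $MaxPages) {
        $attempts++
        try {
            $resp = Invoke-WebRequest -UseBasicParsing -Headers $AuthHeaders -Uri $next -Method Get
        }
        catch {
            $response = $_.Exception.Response
            if ($response -and [int]$response.StatusCode -eq 429) {
                # Graph throttling: honour Retry-After (seconds) and retry the same page
                $wait = $response.Headers['Retry-After']
                if (-not $wait) { $wait = 5 }
                Start-Sleep -Seconds ([int]$wait)
                continue
            }
            throw
        }
        $body = ConvertFrom-Json $resp.Content
        # Guard the append: adding $null to an array would insert a null element
        if ($body.value) { $items += @($body.value) }
        $next = $body.'@odata.nextLink'
    }
    return $items
}

function Get-GraphExampleDecisionSummary {
    # Tallies reviewResult across the decisions of one review and lists users nobody has reviewed yet.
    # Works on any array of objects with userPrincipalName and reviewResult, so it runs offline on sample data.
    param([Parameter(Mandatory = $true)][object[]]$Decisions)
    $counts = @{}
    $pending = @()
    foreach ($d in $Decisions) {
        $r = if ($d.reviewResult) { $d.reviewResult } else { "NotReviewed" }
        if (-not $counts.ContainsKey($r)) { $counts[$r] = 0 }
        $counts[$r]++
        # An unreviewed user keeps their access when the review ends unless auto-apply removes it,
        # so these are the entries to chase with the reviewer
        if ($r -eq "NotReviewed") { $pending += $d.userPrincipalName }
    }
    return [pscustomobject]@{
        Total   = $Decisions.Count
        Counts  = $counts
        Pending = $pending
    }
}

# Constructed sample decisions, shaped like the objects the script prints (userPrincipalName, reviewResult)
$sampleDecisions = @(
    [pscustomobject]@{ userPrincipalName = "alice@contoso.example"; reviewResult = "Approve" },
    [pscustomobject]@{ userPrincipalName = "bob@contoso.example";   reviewResult = "Deny" },
    [pscustomobject]@{ userPrincipalName = "carol@contoso.example"; reviewResult = "NotReviewed" },
    [pscustomobject]@{ userPrincipalName = "dave@contoso.example";  reviewResult = $null }
)
$summary = Get-GraphExampleDecisionSummary -Decisions $sampleDecisions
$summary | Format-List Total, Pending
$summary.Counts

# Against a live tenant, for the same $arid the script passes to Get-GraphExampleAccessReviewDecisions:
# $decisions = Get-GraphExampleCollection -AuthHeaders $authHeaders -Uri ("https://graph.microsoft.com/beta/accessReviews('" + $arid + "')/decisions")
# Get-GraphExampleDecisionSummary -Decisions $decisions
```

The `MaxPages` cap and the 429 handling are there so the walk degrades safely on a large tenant; the summary's `Pending` list is the output worth feeding into whatever process follows up with reviewers, since those are the users whose access the review has not yet actually examined.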