AADAccessReviewDefinition¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Id | Key | String | The unique identifier for an entity. Read-only. | |
DisplayName | Required | String | Name of the access review series. Supports $select and $orderby. Required on create. | |
DescriptionForAdmins | Write | String | Description provided by review creators to provide more context of the review to admins. Supports $select. | |
DescriptionForReviewers | Write | String | Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select. | |
ScopeValue | Write | MSFT_MicrosoftGraphaccessReviewScope | Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API. | |
SettingsValue | Write | MSFT_MicrosoftGraphaccessReviewScheduleSettings | The settings for an access review series, see type definition below. Supports $select. Required on create. | |
StageSettings | Write | MSFT_MicrosoftGraphaccessReviewStageSettings[] | Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties. | |
Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present , Absent |
Credential | Write | PSCredential | Credentials of the Admin | |
ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_MicrosoftGraphAccessReviewScope¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Query | Write | String | The query representing what will be reviewed in an access review. | |
QueryRoot | Write | String | In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager. | |
QueryType | Write | String | Indicates the type of query. Types include MicrosoftGraph and ARM. | |
PrincipalScopes | Write | MSFT_MicrosoftGraphAccessReviewScope[] | Defines the scopes of the principals for which access to resources are reviewed in the access review. | |
ResourceScopes | Write | MSFT_MicrosoftGraphAccessReviewScope[] | Defines the scopes of the resources for which access is reviewed. | |
odataType | Write | String | The type of the entity. | #microsoft.graph.accessReviewQueryScope , #microsoft.graph.accessReviewReviewerScope , #microsoft.graph.principalResourceMembershipsScope , #microsoft.graph.accessReviewInactiveUsersQueryScope |
MSFT_MicrosoftGraphAccessReviewScheduleSettings¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
ApplyActions | Write | MSFT_MicrosoftGraphAccessReviewApplyAction[] | Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction. | |
AutoApplyDecisionsEnabled | Write | Boolean | Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond. | |
DecisionHistoriesForReviewersEnabled | Write | Boolean | Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false). | |
DefaultDecision | Write | String | Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation. | |
DefaultDecisionEnabled | Write | Boolean | Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond. | |
InstanceDurationInDays | Write | UInt32 | Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property. | |
JustificationRequiredOnApproval | Write | Boolean | Indicates whether reviewers are required to provide justification with their decision. Default value is false. | |
MailNotificationsEnabled | Write | Boolean | Indicates whether emails are enabled or disabled. Default value is false. | |
RecommendationInsightSettings | Write | MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[] | Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property. | |
RecommendationLookBackDuration | Write | String | Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property. | |
RecommendationsEnabled | Write | Boolean | Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property. | |
Recurrence | Write | MSFT_MicrosoftGraphPatternedRecurrence | Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only dayOfMonth, interval, and type (weekly, absoluteMonthly) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts. | |
ReminderNotificationsEnabled | Write | Boolean | Indicates whether reminders are enabled or disabled. Default value is false. |
MSFT_MicrosoftGraphAccessReviewApplyAction¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
odataType | Write | String | The type of the entity. | #microsoft.graph.disableAndDeleteUserApplyAction , #microsoft.graph.removeAccessApplyAction |
MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
RecommendationLookBackDuration | Write | String | Optional. Indicates the time period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. | |
SignInScope | Write | String | Indicates whether inactivity is calculated based on the user's inactivity in the tenant or in the application. The possible values are tenant, application, unknownFutureValue. application is only relevant when the access review is a review of an assignment to an application. | tenant , application , unknownFutureValue |
odataType | Write | String | The type of the entity. | #microsoft.graph.groupPeerOutlierRecommendationInsightSettings , #microsoft.graph.userLastSignInRecommendationInsightSetting |
MSFT_MicrosoftGraphPatternedRecurrence¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Pattern | Write | MSFT_MicrosoftGraphRecurrencePattern | The frequency of an event. Do not specify for a one-time access review. For access reviews: Do not specify this property for a one-time access review. Only interval, dayOfMonth, and type (weekly, absoluteMonthly) properties of recurrencePattern are supported. | |
Range | Write | MSFT_MicrosoftGraphRecurrenceRange | The duration of an event. |
MSFT_MicrosoftGraphRecurrencePattern¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
DayOfMonth | Write | UInt32 | The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly. | |
DaysOfWeek | Write | StringArray[] | A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly. | |
FirstDayOfWeek | Write | String | The first day of the week. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. Default is sunday. Required if type is weekly. | |
Index | Write | String | Specifies on which instance of the allowed days specified in daysOfWeek the event occurs, counted from the first instance in the month. The possible values are: first, second, third, fourth, last. Default is first. Optional and used if type is relativeMonthly or relativeYearly. | first , second , third , fourth , last |
Interval | Write | UInt32 | The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required. | |
Month | Write | UInt32 | The month in which the event occurs. This is a number from 1 to 12. | |
Type | Write | String | The recurrence pattern type: daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly. Required. For more information, see values of type property. | daily , weekly , absoluteMonthly , relativeMonthly , absoluteYearly , relativeYearly |
MSFT_MicrosoftGraphRecurrenceRange¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
EndDate | Write | String | The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate. | |
NumberOfOccurrences | Write | UInt32 | The number of times to repeat the event. Required and must be positive if type is numbered. | |
RecurrenceTimeZone | Write | String | Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used. | |
StartDate | Write | String | The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required. | |
Type | Write | String | The recurrence range. Possible values are: endDate, noEnd, numbered. Required. | endDate , noEnd , numbered |
MSFT_MicrosoftGraphAccessReviewStageSettings¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
DecisionsThatWillMoveToNextStage | Write | StringArray[] | Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional. | |
DependsOnValue | Write | StringArray[] | Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1. | |
DurationInDays | Write | UInt32 | The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object. 2. Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7. | |
RecommendationInsightSettings | Write | MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting[] | Recommendation Insights Settings | |
RecommendationLookBackDuration | Write | String | Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured. The recommendation is to deny if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object. | |
RecommendationsEnabled | Write | Boolean | Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object. | |
StageId | Write | String | Unique identifier of the accessReviewStageSettings. The stageId is used in dependsOn property to indicate the stage relationship. Required. |
Description¶
Azure AD Access Review Definition
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- AccessReview.Read.All
-
Update
- None
Application permissions¶
-
Read
- AccessReview.Read.All
-
Update
- None
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AADAccessReviewDefinition "AADAccessReviewDefinition-Example"
{
DescriptionForAdmins = "description for admins";
DescriptionForReviewers = "description for reviewers";
DisplayName = "Test Access Review Definition";
Ensure = "Present";
Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60";
ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{
PrincipalScopes = @(
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/v1.0/users?$filter=userType eq ''Guest'''
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
)
ResourceScopes = @(
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared'''
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
)
odataType = '#microsoft.graph.principalResourceMembershipsScope'
};
SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{
ApplyActions = @(
MSFT_MicrosoftGraphAccessReviewApplyAction{
odataType = '#microsoft.graph.removeAccessApplyAction'
}
)
InstanceDurationInDays = 4
RecommendationsEnabled = $False
DecisionHistoriesForReviewersEnabled = $False
DefaultDecisionEnabled = $False
JustificationRequiredOnApproval = $True
RecommendationInsightSettings = @(
MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{
SignInScope = 'tenant'
RecommendationLookBackDuration = 'P15D'
odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting'
}
)
AutoApplyDecisionsEnabled = $False
ReminderNotificationsEnabled = $True
Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{
Range = MSFT_MicrosoftGraphRecurrenceRange{
NumberOfOccurrences = 0
Type = 'noEnd'
StartDate = '10/18/2024 12:00:00 AM'
EndDate = '12/31/9999 12:00:00 AM'
}
Pattern = MSFT_MicrosoftGraphRecurrencePattern{
DaysOfWeek = @()
Type = 'weekly'
Interval = 1
Month = 0
Index = 'first'
FirstDayOfWeek = 'sunday'
DayOfMonth = 0
}
}
DefaultDecision = 'None'
RecommendationLookBackDuration = '15.00:00:00'
MailNotificationsEnabled = $False
};
StageSettings = @(
MSFT_MicrosoftGraphaccessReviewStageSettings{
StageId = '1'
RecommendationsEnabled = $True
DependsOnValue = @()
DecisionsThatWillMoveToNextStage = @('Approve')
DurationInDays = 3
}
MSFT_MicrosoftGraphaccessReviewStageSettings{
StageId = '2'
RecommendationsEnabled = $True
DependsOnValue = @('1')
DecisionsThatWillMoveToNextStage = @('Approve')
DurationInDays = 3
}
);
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AADAccessReviewDefinition "AADAccessReviewDefinition-Example"
{
DescriptionForAdmins = "description for admins";
DescriptionForReviewers = "description for reviewers updated"; # drifted properties
DisplayName = "Test Access Review Definition";
Ensure = "Present";
Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60";
ScopeValue = MSFT_MicrosoftGraphaccessReviewScope{
PrincipalScopes = @(
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/v1.0/users?$filter=userType eq ''Guest'''
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
)
ResourceScopes = @(
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/v1.0/groups/a8ab05ba-6680-4f93-88ae-71099eedfda1/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')'
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
MSFT_MicrosoftGraphAccessReviewScope{
Query = '/beta/teams/a8ab05ba-6680-4f93-88ae-71099eedfda1/channels?$filter=membershipType eq ''shared'''
odataType = '#microsoft.graph.accessReviewQueryScope'
QueryType = 'MicrosoftGraph'
}
)
odataType = '#microsoft.graph.principalResourceMembershipsScope'
};
SettingsValue = MSFT_MicrosoftGraphaccessReviewScheduleSettings{
ApplyActions = @(
MSFT_MicrosoftGraphAccessReviewApplyAction{
odataType = '#microsoft.graph.removeAccessApplyAction'
}
)
InstanceDurationInDays = 4
RecommendationsEnabled = $False
DecisionHistoriesForReviewersEnabled = $False
DefaultDecisionEnabled = $False
JustificationRequiredOnApproval = $True
RecommendationInsightSettings = @(
MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting{
SignInScope = 'tenant'
RecommendationLookBackDuration = 'P15D'
odataType = '#microsoft.graph.userLastSignInRecommendationInsightSetting'
}
)
AutoApplyDecisionsEnabled = $False
ReminderNotificationsEnabled = $True
Recurrence = MSFT_MicrosoftGraphPatternedRecurrence{
Range = MSFT_MicrosoftGraphRecurrenceRange{
NumberOfOccurrences = 0
Type = 'noEnd'
StartDate = '10/18/2024 12:00:00 AM'
EndDate = '12/31/9999 12:00:00 AM'
}
Pattern = MSFT_MicrosoftGraphRecurrencePattern{
DaysOfWeek = @()
Type = 'weekly'
Interval = 1
Month = 0
Index = 'first'
FirstDayOfWeek = 'sunday'
DayOfMonth = 0
}
}
DefaultDecision = 'None'
RecommendationLookBackDuration = '15.00:00:00'
MailNotificationsEnabled = $False
};
StageSettings = @(
MSFT_MicrosoftGraphaccessReviewStageSettings{
StageId = '1'
RecommendationsEnabled = $True
DependsOnValue = @()
DecisionsThatWillMoveToNextStage = @('Approve')
DurationInDays = 3
}
MSFT_MicrosoftGraphaccessReviewStageSettings{
StageId = '2'
RecommendationsEnabled = $True
DependsOnValue = @('1')
DecisionsThatWillMoveToNextStage = @('Approve')
DurationInDays = 3
}
);
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AADAccessReviewDefinition "AADAccessReviewDefinition-Example"
{
DescriptionForAdmins = "description for admins";
DescriptionForReviewers = "description for reviewers";
DisplayName = "Test Access Review Definition";
Ensure = "Absent";
Id = "613854e6-c458-4a2c-83fc-e0f4b8b17d60";
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}