Unit 4: Create and configure access reviews programmatically
Core idea
- Microsoft Entra access reviews are part of Microsoft Entra ID Governance.
- They ensure the right identities have the right access to the right resources.
- Access reviews can be implemented programmatically using Microsoft Graph access reviews APIs.
Create an access review using Microsoft Graph
What you create in Graph
- You create an access review by calling Microsoft Graph to create an access review schedule definition (the accessReviewScheduleDefinition resource); the service then generates review instances from that definition.
Who can call it
The caller must be either:
- A user in an appropriate role using delegated permission:
  - AccessReview.ReadWrite.All (delegated), or
- An application (service principal) using application permission:
  - AccessReview.ReadWrite.All (application).
Create an access review using PowerShell
- You can create an access review using Microsoft Graph PowerShell.
- Cmdlet:
  - New-MgIdentityGovernanceAccessReviewDefinition.
- Module:
  - Microsoft Graph PowerShell cmdlets for the Identity Governance module.
Why the Graph API matters (what it enables)
- The access reviews API lets organizations audit and attest access assigned to identities.
- Example scenario:
  - Reviewing access to a SharePoint site that contains sensitive information (such as customer contacts).
- The same approach applies to groups and the resources they control.
Access Review API for security groups (high-level steps only)
This learning module does not provide the full step-by-step API walkthrough. It refers you to the dedicated article. The high-level workflow is:
- Create an access review for the security group.
- List instances of the access review.
- Verify who was contacted for the review.
- Get decisions.
- Self-attest to a pending access decision.
- Confirm decisions and the status of the access review.
- Clean up resources.
- At each step, you can use the API to:
  - Create the review, assign/target it, check results, and act on outcomes.
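The following is an added example, not code from the module, showing the PowerShell path from the earlier section and the first steps of the security-group workflow above in one script: create a recurring review of a security group's members with the group's owners as reviewers, then inspect the instance, contacted reviewers and decisions. It assumes the Microsoft.Graph.Identity.Governance module is installed and that the placeholder group id is replaced with a real object id.

```powershell
# Added example (not the module's own code). Placeholder: replace with the group's object id.
$groupId = "<security-group-object-id>"

# Delegated permission from the unit above; Group.Read.All is assumed for resolving the group.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Group.Read.All"

$params = @{
    displayName             = "Quarterly review - finance site readers"
    descriptionForAdmins    = "Attest that members still need access to the finance SharePoint site."
    descriptionForReviewers = "Approve only members who still need this access."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"   # who is reviewed
        queryType     = "MicrosoftGraph"
    }
    reviewers = @( @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" } )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # unanswered reviews remove access, not keep it
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true    # decisions are enforced, not just recorded
        recommendationsEnabled          = $true
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

# 1. Create the schedule definition; this is what "creating an access review" means in Graph.
$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params

# 2. List instances (one per recurrence). The service creates them shortly after; rerun if empty.
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definition.Id | Select-Object -First 1
if (-not $instance) { throw "No instance yet for definition $($definition.Id); retry later." }

# 3. Verify who was actually contacted (an empty list means reviewers were never notified).
Get-MgIdentityGovernanceAccessReviewDefinitionInstanceContactedReviewer `
    -AccessReviewScheduleDefinitionId $definition.Id -AccessReviewInstanceId $instance.Id |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime

# 4. Get decisions; "NotReviewed" items fall to the default decision when the window closes.
Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $definition.Id -AccessReviewInstanceId $instance.Id |
    Select-Object @{n='Principal';e={$_.Principal.DisplayName}}, Decision, Justification, AppliedDateTime

# 7. Clean up when the review is retired:
#    Remove-MgIdentityGovernanceAccessReviewDefinition -AccessReviewScheduleDefinitionId $definition.Id
```

Self-attestation and confirming final status (steps 5 and 6 of the workflow) are covered by the dedicated article the module refers to and are not shown here.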