Passer en revue l’accès invité aux groupes à l’aide des API de révisions d’accès
Article 04/01/2024
8 contributeurs
Commentaires
Dans cet article
L’API révisions d’accès dans Microsoft Graph permet aux organisations d’auditer et d’attester de l’accès que les identités (également appelées principaux ) sont affectées aux ressources dans le organization. Avec B2B Collaboration, vous pouvez utiliser des groupes Microsoft 365 pour gérer efficacement l’accès des invités à des ressources telles que des fichiers, des notes, des calendriers et même des conversations Teams. Et à l’aide de l’API de révisions d’accès, les organisations peuvent régulièrement attester des principaux qui ont accès à ces groupes et, par extension, d’autres ressources dans le organization.
Dans ce tutoriel, vous apprenez à effectuer les opérations suivantes :
Créez une révision d’accès périodique des groupes Microsoft 365 avec des invités.
Examiner les décisions appliquées aux révisions d’accès.
Configuration requise
Pour suivre ce didacticiel, vous avez besoin des ressources et privilèges suivants :
Un locataire Microsoft Entra opérationnel avec une licence Microsoft Entra ID P2 ou Gouvernance Microsoft Entra ID activée.
Un invité de test et un groupe Microsoft 365 de test dans votre locataire. L’invité doit être membre du groupe Microsoft 365.
Connectez-vous à un client API tel que Graph Explorer d’appeler Microsoft Graph avec un compte qui a au moins le rôle Administrateur de gouvernance des identités .
Accordez-vous les autorisations déléguées suivantes : AccessReview.ReadWrite.All
.
Étape 1 : Créer une révision d’accès pour tous les groupes Microsoft 365 avec des invités
La série de révision d’accès suivante utilise les paramètres suivants :
Il s’agit d’une révision d’accès périodique et examinée tous les trimestres.
Les propriétaires du groupe sont les décideurs.
L’étendue de la révision est limitée aux seuls groupes Microsoft 365 avec des invités.
Il définit un utilisateur comme réviseur de secours qui peut examiner l’accès au cas où aucun propriétaire n’est attribué au groupe.
autoApplyDecisionsEnabled a la valeur true
. Dans ce cas, les décisions sont appliquées automatiquement une fois que le réviseur a terminé la révision d’accès ou que la durée de la révision d’accès se termine. S’il n’est pas activé, un utilisateur doit appliquer les décisions manuellement une fois la révision terminée.
applyActions a la valeur removeAccessApplyAction
. Cette action supprime les invités refusés du groupe. L’invité peut toujours se connecter à votre locataire, mais ne sera pas membre du groupe ou ne disposera pas des privilèges d’accès accordés par le biais du groupe.
Demande
Dans cet appel, remplacez les valeurs suivantes :
c9a5aff7-9298-4d71-adab-0a222e0a05e4
avec l’ID du réviseur de secours.
Valeur de startDate avec la date du jour et valeur de endDate avec une date un an à partir de la date de début.
POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
Content-type: application/json
{
"displayName": "Guest access to marketing group",
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph"
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AccessReviewScheduleDefinition
{
DisplayName = "Guest access to marketing group",
Scope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
QueryType = "MicrosoftGraph",
},
InstanceEnumerationScope = new AccessReviewQueryScope
{
OdataType = "#microsoft.graph.accessReviewQueryScope",
Query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
Reviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "./owners",
QueryType = "MicrosoftGraph",
QueryRoot = null,
},
},
FallbackReviewers = new List<AccessReviewReviewerScope>
{
new AccessReviewReviewerScope
{
Query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
QueryType = "MicrosoftGraph",
},
},
Settings = new AccessReviewScheduleSettings
{
MailNotificationsEnabled = true,
ReminderNotificationsEnabled = true,
JustificationRequiredOnApproval = true,
DefaultDecisionEnabled = true,
DefaultDecision = "Deny",
InstanceDurationInDays = 3,
AutoApplyDecisionsEnabled = true,
RecommendationsEnabled = true,
RecommendationLookBackDuration = TimeSpan.Parse("P30D"),
DecisionHistoriesForReviewersEnabled = false,
Recurrence = new PatternedRecurrence
{
Pattern = new RecurrencePattern
{
Type = RecurrencePatternType.AbsoluteMonthly,
Interval = 3,
Month = 0,
DayOfMonth = 0,
DaysOfWeek = new List<DayOfWeekObject>
{
},
FirstDayOfWeek = DayOfWeekObject.Sunday,
Index = WeekIndex.First,
},
Range = new RecurrenceRange
{
Type = RecurrenceRangeType.EndDate,
NumberOfOccurrences = 0,
RecurrenceTimeZone = null,
StartDate = new Date(DateTime.Parse("2024-03-21")),
EndDate = new Date(DateTime.Parse("2025-03-21")),
},
},
ApplyActions = new List<AccessReviewApplyAction>
{
new RemoveAccessApplyAction
{
OdataType = "#microsoft.graph.removeAccessApplyAction",
},
},
},
};
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions.PostAsync(requestBody);
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
mgc identity-governance access-reviews definitions create --body '{\
"displayName": "Guest access to marketing group",\
"scope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",\
"queryType": "MicrosoftGraph"\
},\
"instanceEnumerationScope": {\
"@odata.type": "#microsoft.graph.accessReviewQueryScope",\
"query": "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
},\
"reviewers": [\
{\
"query": "./owners",\
"queryType": "MicrosoftGraph",\
"queryRoot": null\
}\
],\
"fallbackReviewers": [\
{\
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",\
"queryType": "MicrosoftGraph"\
}\
],\
"settings": {\
"mailNotificationsEnabled": true,\
"reminderNotificationsEnabled": true,\
"justificationRequiredOnApproval": true,\
"defaultDecisionEnabled": true,\
"defaultDecision": "Deny",\
"instanceDurationInDays": 3,\
"autoApplyDecisionsEnabled": true,\
"recommendationsEnabled": true,\
"recommendationLookBackDuration": "P30D",\
"decisionHistoriesForReviewersEnabled": false,\
"recurrence": {\
"pattern": {\
"type": "absoluteMonthly",\
"interval": 3,\
"month": 0,\
"dayOfMonth": 0,\
"daysOfWeek": [],\
"firstDayOfWeek": "sunday",\
"index": "first"\
},\
"range": {\
"type": "endDate",\
"numberOfOccurrences": 0,\
"recurrenceTimeZone": null,\
"startDate": "2024-03-21",\
"endDate": "2025-03-21"\
}\
},\
"applyActions": [\
{\
"@odata.type": "#microsoft.graph.removeAccessApplyAction"\
}\
]\
}\
}\
'
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAccessReviewScheduleDefinition()
displayName := "Guest access to marketing group"
requestBody.SetDisplayName(&displayName)
scope := graphmodels.NewAccessReviewQueryScope()
query := "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
scope.SetQuery(&query)
queryType := "MicrosoftGraph"
scope.SetQueryType(&queryType)
requestBody.SetScope(scope)
instanceEnumerationScope := graphmodels.NewAccessReviewQueryScope()
query := "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
instanceEnumerationScope.SetQuery(&query)
queryType := "MicrosoftGraph"
instanceEnumerationScope.SetQueryType(&queryType)
queryRoot := null
instanceEnumerationScope.SetQueryRoot(&queryRoot)
requestBody.SetInstanceEnumerationScope(instanceEnumerationScope)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "./owners"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
queryRoot := null
accessReviewReviewerScope.SetQueryRoot(&queryRoot)
reviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetReviewers(reviewers)
accessReviewReviewerScope := graphmodels.NewAccessReviewReviewerScope()
query := "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
accessReviewReviewerScope.SetQuery(&query)
queryType := "MicrosoftGraph"
accessReviewReviewerScope.SetQueryType(&queryType)
fallbackReviewers := []graphmodels.AccessReviewReviewerScopeable {
accessReviewReviewerScope,
}
requestBody.SetFallbackReviewers(fallbackReviewers)
settings := graphmodels.NewAccessReviewScheduleSettings()
mailNotificationsEnabled := true
settings.SetMailNotificationsEnabled(&mailNotificationsEnabled)
reminderNotificationsEnabled := true
settings.SetReminderNotificationsEnabled(&reminderNotificationsEnabled)
justificationRequiredOnApproval := true
settings.SetJustificationRequiredOnApproval(&justificationRequiredOnApproval)
defaultDecisionEnabled := true
settings.SetDefaultDecisionEnabled(&defaultDecisionEnabled)
defaultDecision := "Deny"
settings.SetDefaultDecision(&defaultDecision)
instanceDurationInDays := int32(3)
settings.SetInstanceDurationInDays(&instanceDurationInDays)
autoApplyDecisionsEnabled := true
settings.SetAutoApplyDecisionsEnabled(&autoApplyDecisionsEnabled)
recommendationsEnabled := true
settings.SetRecommendationsEnabled(&recommendationsEnabled)
recommendationLookBackDuration , err := abstractions.ParseISODuration("P30D")
settings.SetRecommendationLookBackDuration(&recommendationLookBackDuration)
decisionHistoriesForReviewersEnabled := false
settings.SetDecisionHistoriesForReviewersEnabled(&decisionHistoriesForReviewersEnabled)
recurrence := graphmodels.NewPatternedRecurrence()
pattern := graphmodels.NewRecurrencePattern()
type := graphmodels.ABSOLUTEMONTHLY_RECURRENCEPATTERNTYPE
pattern.SetType(&type)
interval := int32(3)
pattern.SetInterval(&interval)
month := int32(0)
pattern.SetMonth(&month)
dayOfMonth := int32(0)
pattern.SetDayOfMonth(&dayOfMonth)
daysOfWeek := []graphmodels.DayOfWeekable {
}
pattern.SetDaysOfWeek(daysOfWeek)
firstDayOfWeek := graphmodels.SUNDAY_DAYOFWEEK
pattern.SetFirstDayOfWeek(&firstDayOfWeek)
index := graphmodels.FIRST_WEEKINDEX
pattern.SetIndex(&index)
recurrence.SetPattern(pattern)
range := graphmodels.NewRecurrenceRange()
type := graphmodels.ENDDATE_RECURRENCERANGETYPE
range.SetType(&type)
numberOfOccurrences := int32(0)
range.SetNumberOfOccurrences(&numberOfOccurrences)
recurrenceTimeZone := null
range.SetRecurrenceTimeZone(&recurrenceTimeZone)
startDate := 2024-03-21
range.SetStartDate(&startDate)
endDate := 2025-03-21
range.SetEndDate(&endDate)
recurrence.SetRange(range)
settings.SetRecurrence(recurrence)
accessReviewApplyAction := graphmodels.NewRemoveAccessApplyAction()
applyActions := []graphmodels.AccessReviewApplyActionable {
accessReviewApplyAction,
}
settings.SetApplyActions(applyActions)
requestBody.SetSettings(settings)
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
definitions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().Post(context.Background(), requestBody, nil)
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewScheduleDefinition accessReviewScheduleDefinition = new AccessReviewScheduleDefinition();
accessReviewScheduleDefinition.setDisplayName("Guest access to marketing group");
AccessReviewQueryScope scope = new AccessReviewQueryScope();
scope.setOdataType("#microsoft.graph.accessReviewQueryScope");
scope.setQuery("./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')");
scope.setQueryType("MicrosoftGraph");
accessReviewScheduleDefinition.setScope(scope);
AccessReviewQueryScope instanceEnumerationScope = new AccessReviewQueryScope();
instanceEnumerationScope.setOdataType("#microsoft.graph.accessReviewQueryScope");
instanceEnumerationScope.setQuery("/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true");
instanceEnumerationScope.setQueryType("MicrosoftGraph");
instanceEnumerationScope.setQueryRoot(null);
accessReviewScheduleDefinition.setInstanceEnumerationScope(instanceEnumerationScope);
LinkedList<AccessReviewReviewerScope> reviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope = new AccessReviewReviewerScope();
accessReviewReviewerScope.setQuery("./owners");
accessReviewReviewerScope.setQueryType("MicrosoftGraph");
accessReviewReviewerScope.setQueryRoot(null);
reviewers.add(accessReviewReviewerScope);
accessReviewScheduleDefinition.setReviewers(reviewers);
LinkedList<AccessReviewReviewerScope> fallbackReviewers = new LinkedList<AccessReviewReviewerScope>();
AccessReviewReviewerScope accessReviewReviewerScope1 = new AccessReviewReviewerScope();
accessReviewReviewerScope1.setQuery("/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4");
accessReviewReviewerScope1.setQueryType("MicrosoftGraph");
fallbackReviewers.add(accessReviewReviewerScope1);
accessReviewScheduleDefinition.setFallbackReviewers(fallbackReviewers);
AccessReviewScheduleSettings settings = new AccessReviewScheduleSettings();
settings.setMailNotificationsEnabled(true);
settings.setReminderNotificationsEnabled(true);
settings.setJustificationRequiredOnApproval(true);
settings.setDefaultDecisionEnabled(true);
settings.setDefaultDecision("Deny");
settings.setInstanceDurationInDays(3);
settings.setAutoApplyDecisionsEnabled(true);
settings.setRecommendationsEnabled(true);
PeriodAndDuration recommendationLookBackDuration = PeriodAndDuration.ofDuration(Duration.parse("P30D"));
settings.setRecommendationLookBackDuration(recommendationLookBackDuration);
settings.setDecisionHistoriesForReviewersEnabled(false);
PatternedRecurrence recurrence = new PatternedRecurrence();
RecurrencePattern pattern = new RecurrencePattern();
pattern.setType(RecurrencePatternType.AbsoluteMonthly);
pattern.setInterval(3);
pattern.setMonth(0);
pattern.setDayOfMonth(0);
LinkedList<DayOfWeek> daysOfWeek = new LinkedList<DayOfWeek>();
pattern.setDaysOfWeek(daysOfWeek);
pattern.setFirstDayOfWeek(DayOfWeek.Sunday);
pattern.setIndex(WeekIndex.First);
recurrence.setPattern(pattern);
RecurrenceRange range = new RecurrenceRange();
range.setType(RecurrenceRangeType.EndDate);
range.setNumberOfOccurrences(0);
range.setRecurrenceTimeZone(null);
LocalDate startDate = LocalDate.parse("2024-03-21");
range.setStartDate(startDate);
LocalDate endDate = LocalDate.parse("2025-03-21");
range.setEndDate(endDate);
recurrence.setRange(range);
settings.setRecurrence(recurrence);
LinkedList<AccessReviewApplyAction> applyActions = new LinkedList<AccessReviewApplyAction>();
RemoveAccessApplyAction accessReviewApplyAction = new RemoveAccessApplyAction();
accessReviewApplyAction.setOdataType("#microsoft.graph.removeAccessApplyAction");
applyActions.add(accessReviewApplyAction);
settings.setApplyActions(applyActions);
accessReviewScheduleDefinition.setSettings(settings);
AccessReviewScheduleDefinition result = graphClient.identityGovernance().accessReviews().definitions().post(accessReviewScheduleDefinition);
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
const options = {
authProvider,
};
const client = Client.init(options);
const accessReviewScheduleDefinition = {
displayName: 'Guest access to marketing group',
scope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: './members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')',
queryType: 'MicrosoftGraph'
},
instanceEnumerationScope: {
'@odata.type': '#microsoft.graph.accessReviewQueryScope',
query: '/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true',
queryType: 'MicrosoftGraph',
queryRoot: null
},
reviewers: [
{
query: './owners',
queryType: 'MicrosoftGraph',
queryRoot: null
}
],
fallbackReviewers: [
{
query: '/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4',
queryType: 'MicrosoftGraph'
}
],
settings: {
mailNotificationsEnabled: true,
reminderNotificationsEnabled: true,
justificationRequiredOnApproval: true,
defaultDecisionEnabled: true,
defaultDecision: 'Deny',
instanceDurationInDays: 3,
autoApplyDecisionsEnabled: true,
recommendationsEnabled: true,
recommendationLookBackDuration: 'P30D',
decisionHistoriesForReviewersEnabled: false,
recurrence: {
pattern: {
type: 'absoluteMonthly',
interval: 3,
month: 0,
dayOfMonth: 0,
daysOfWeek: [],
firstDayOfWeek: 'sunday',
index: 'first'
},
range: {
type: 'endDate',
numberOfOccurrences: 0,
recurrenceTimeZone: null,
startDate: '2024-03-21',
endDate: '2025-03-21'
}
},
applyActions: [
{
'@odata.type': '#microsoft.graph.removeAccessApplyAction'
}
]
}
};
await client.api('/identityGovernance/accessReviews/definitions')
.post(accessReviewScheduleDefinition);
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleDefinition;
use Microsoft\Graph\Generated\Models\AccessReviewQueryScope;
use Microsoft\Graph\Generated\Models\AccessReviewReviewerScope;
use Microsoft\Graph\Generated\Models\AccessReviewScheduleSettings;
use Microsoft\Graph\Generated\Models\PatternedRecurrence;
use Microsoft\Graph\Generated\Models\RecurrencePattern;
use Microsoft\Graph\Generated\Models\RecurrencePatternType;
use Microsoft\Graph\Generated\Models\DayOfWeek;
use Microsoft\Graph\Generated\Models\WeekIndex;
use Microsoft\Graph\Generated\Models\RecurrenceRange;
use Microsoft\Graph\Generated\Models\RecurrenceRangeType;
use Microsoft\Kiota\Abstractions\Types\Date;
use Microsoft\Graph\Generated\Models\AccessReviewApplyAction;
use Microsoft\Graph\Generated\Models\RemoveAccessApplyAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessReviewScheduleDefinition();
$requestBody->setDisplayName('Guest access to marketing group');
$scope = new AccessReviewQueryScope();
$scope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$scope->setQuery('./members/microsoft.graph.user/?$count=true&$filter=(userType eq \'Guest\')');
$scope->setQueryType('MicrosoftGraph');
$requestBody->setScope($scope);
$instanceEnumerationScope = new AccessReviewQueryScope();
$instanceEnumerationScope->setOdataType('#microsoft.graph.accessReviewQueryScope');
$instanceEnumerationScope->setQuery('/v1.0/groups?$filter=(groupTypes/any(c:c+eq+\'Unified\'))&$count=true');
$instanceEnumerationScope->setQueryType('MicrosoftGraph');
$instanceEnumerationScope->setQueryRoot(null);
$requestBody->setInstanceEnumerationScope($instanceEnumerationScope);
$reviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$reviewersAccessReviewReviewerScope1->setQuery('./owners');
$reviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$reviewersAccessReviewReviewerScope1->setQueryRoot(null);
$reviewersArray []= $reviewersAccessReviewReviewerScope1;
$requestBody->setReviewers($reviewersArray);
$fallbackReviewersAccessReviewReviewerScope1 = new AccessReviewReviewerScope();
$fallbackReviewersAccessReviewReviewerScope1->setQuery('/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4');
$fallbackReviewersAccessReviewReviewerScope1->setQueryType('MicrosoftGraph');
$fallbackReviewersArray []= $fallbackReviewersAccessReviewReviewerScope1;
$requestBody->setFallbackReviewers($fallbackReviewersArray);
$settings = new AccessReviewScheduleSettings();
$settings->setMailNotificationsEnabled(true);
$settings->setReminderNotificationsEnabled(true);
$settings->setJustificationRequiredOnApproval(true);
$settings->setDefaultDecisionEnabled(true);
$settings->setDefaultDecision('Deny');
$settings->setInstanceDurationInDays(3);
$settings->setAutoApplyDecisionsEnabled(true);
$settings->setRecommendationsEnabled(true);
$settings->setRecommendationLookBackDuration(new \DateInterval('P30D'));
$settings->setDecisionHistoriesForReviewersEnabled(false);
$settingsRecurrence = new PatternedRecurrence();
$settingsRecurrencePattern = new RecurrencePattern();
$settingsRecurrencePattern->setType(new RecurrencePatternType('absoluteMonthly'));
$settingsRecurrencePattern->setInterval(3);
$settingsRecurrencePattern->setMonth(0);
$settingsRecurrencePattern->setDayOfMonth(0);
$settingsRecurrencePattern->setDaysOfWeek([]);
$settingsRecurrencePattern->setFirstDayOfWeek(new DayOfWeek('sunday'));
$settingsRecurrencePattern->setIndex(new WeekIndex('first'));
$settingsRecurrence->setPattern($settingsRecurrencePattern);
$settingsRecurrenceRange = new RecurrenceRange();
$settingsRecurrenceRange->setType(new RecurrenceRangeType('endDate'));
$settingsRecurrenceRange->setNumberOfOccurrences(0);
$settingsRecurrenceRange->setRecurrenceTimeZone(null);
$settingsRecurrenceRange->setStartDate(new Date('2024-03-21'));
$settingsRecurrenceRange->setEndDate(new Date('2025-03-21'));
$settingsRecurrence->setRange($settingsRecurrenceRange);
$settings->setRecurrence($settingsRecurrence);
$applyActionsAccessReviewApplyAction1 = new RemoveAccessApplyAction();
$applyActionsAccessReviewApplyAction1->setOdataType('#microsoft.graph.removeAccessApplyAction');
$applyActionsArray []= $applyActionsAccessReviewApplyAction1;
$settings->setApplyActions($applyActionsArray);
$requestBody->setSettings($settings);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->post($requestBody)->wait();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
displayName = "Guest access to marketing group"
scope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
queryType = "MicrosoftGraph"
}
instanceEnumerationScope = @{
"@odata.type" = "#microsoft.graph.accessReviewQueryScope"
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true"
queryType = "MicrosoftGraph"
queryRoot = $null
}
reviewers = @(
@{
query = "./owners"
queryType = "MicrosoftGraph"
queryRoot = $null
}
)
fallbackReviewers = @(
@{
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4"
queryType = "MicrosoftGraph"
}
)
settings = @{
mailNotificationsEnabled = $true
reminderNotificationsEnabled = $true
justificationRequiredOnApproval = $true
defaultDecisionEnabled = $true
defaultDecision = "Deny"
instanceDurationInDays = 3
autoApplyDecisionsEnabled = $true
recommendationsEnabled = $true
recommendationLookBackDuration = "P30D"
decisionHistoriesForReviewersEnabled = $false
recurrence = @{
pattern = @{
type = "absoluteMonthly"
interval = 3
month = 0
dayOfMonth = 0
daysOfWeek = @(
)
firstDayOfWeek = "sunday"
index = "first"
}
range = @{
type = "endDate"
numberOfOccurrences = 0
recurrenceTimeZone = $null
startDate = "2024-03-21"
endDate = "2025-03-21"
}
}
applyActions = @(
@{
"@odata.type" = "#microsoft.graph.removeAccessApplyAction"
}
)
}
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_review_schedule_definition import AccessReviewScheduleDefinition
from msgraph.generated.models.access_review_query_scope import AccessReviewQueryScope
from msgraph.generated.models.access_review_reviewer_scope import AccessReviewReviewerScope
from msgraph.generated.models.access_review_schedule_settings import AccessReviewScheduleSettings
from msgraph.generated.models.patterned_recurrence import PatternedRecurrence
from msgraph.generated.models.recurrence_pattern import RecurrencePattern
from msgraph.generated.models.recurrence_pattern_type import RecurrencePatternType
from msgraph.generated.models.day_of_week import DayOfWeek
from msgraph.generated.models.week_index import WeekIndex
from msgraph.generated.models.recurrence_range import RecurrenceRange
from msgraph.generated.models.recurrence_range_type import RecurrenceRangeType
from msgraph.generated.models.access_review_apply_action import AccessReviewApplyAction
from msgraph.generated.models.remove_access_apply_action import RemoveAccessApplyAction
# To initialize your graph_client, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessReviewScheduleDefinition(
display_name = "Guest access to marketing group",
scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
query_type = "MicrosoftGraph",
),
instance_enumeration_scope = AccessReviewQueryScope(
odata_type = "#microsoft.graph.accessReviewQueryScope",
query = "/v1.0/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
query_type = "MicrosoftGraph",
query_root = None,
),
reviewers = [
AccessReviewReviewerScope(
query = "./owners",
query_type = "MicrosoftGraph",
query_root = None,
),
],
fallback_reviewers = [
AccessReviewReviewerScope(
query = "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
query_type = "MicrosoftGraph",
),
],
settings = AccessReviewScheduleSettings(
mail_notifications_enabled = True,
reminder_notifications_enabled = True,
justification_required_on_approval = True,
default_decision_enabled = True,
default_decision = "Deny",
instance_duration_in_days = 3,
auto_apply_decisions_enabled = True,
recommendations_enabled = True,
recommendation_look_back_duration = "P30D",
decision_histories_for_reviewers_enabled = False,
recurrence = PatternedRecurrence(
pattern = RecurrencePattern(
type = RecurrencePatternType.AbsoluteMonthly,
interval = 3,
month = 0,
day_of_month = 0,
days_of_week = [
],
first_day_of_week = DayOfWeek.Sunday,
index = WeekIndex.First,
),
range = RecurrenceRange(
type = RecurrenceRangeType.EndDate,
number_of_occurrences = 0,
recurrence_time_zone = None,
start_date = "2024-03-21",
end_date = "2025-03-21",
),
),
apply_actions = [
RemoveAccessApplyAction(
odata_type = "#microsoft.graph.removeAccessApplyAction",
),
],
),
)
result = await graph_client.identity_governance.access_reviews.definitions.post(request_body)
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
Réponse
Remarque : l’objet de réponse affiché ci-après peut être raccourci pour plus de lisibilité.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions/$entity",
"id": "c22ae540-b89a-4d24-bac0-4ef35e6591ea",
"displayName": "Guest access to marketing group",
"createdDateTime": null,
"lastModifiedDateTime": null,
"status": "NotStarted",
"descriptionForAdmins": null,
"descriptionForReviewers": null,
"scope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"instanceEnumerationScope": {
"@odata.type": "#microsoft.graph.accessReviewQueryScope",
"query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
"queryType": "MicrosoftGraph",
"queryRoot": null
},
"reviewers": [
{
"query": "./owners",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"fallbackReviewers": [
{
"query": "/users/c9a5aff7-9298-4d71-adab-0a222e0a05e4",
"queryType": "MicrosoftGraph",
"queryRoot": null
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"justificationRequiredOnApproval": true,
"defaultDecisionEnabled": true,
"defaultDecision": "Deny",
"instanceDurationInDays": 3,
"autoApplyDecisionsEnabled": true,
"recommendationsEnabled": true,
"recommendationLookBackDuration": "P30D",
"decisionHistoriesForReviewersEnabled": false,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"month": 0,
"dayOfMonth": 0,
"daysOfWeek": [],
"firstDayOfWeek": "sunday",
"index": "first"
},
"range": {
"type": "endDate",
"numberOfOccurrences": 0,
"recurrenceTimeZone": null,
"startDate": "2024-03-21",
"endDate": "2025-03-21"
}
},
"applyActions": [
{
"@odata.type": "#microsoft.graph.removeAccessApplyAction"
}
],
"recommendationInsightSettings": []
},
"stageSettings": [],
"additionalNotificationRecipients": []
}
Étape 2 : Répertorier les instances de la révision d’accès
La requête suivante répertorie toutes les instances de la définition de révision d’accès. S’il existe plusieurs groupes Microsoft 365 avec des invités dans votre locataire, cette demande retourne une instance pour chaque groupe Microsoft 365 avec des invités .
Demande
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances.GetAsync();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
instances, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().Get(context.Background(), nil)
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().get();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.get()
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
Réponse
Dans cette réponse, l’étendue inclut le groupe de tests, car il a un invité. Dans cette réponse, le instance de révision d’accès est actuellement InProgress
. Étant donné qu’il s’agit d’une révision trimestrielle, une nouvelle instance de révision est créée automatiquement tous les trois mois et les réviseurs peuvent appliquer de nouvelles décisions.
Remarque : l’objet de réponse affiché ci-après peut être raccourci pour plus de lisibilité.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances",
"value": [
{
"id": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"startDateTime": "2024-03-21T17:00:36.96Z",
"endDateTime": "2024-03-24T17:00:36.96Z",
"status": "InProgress",
"scope": {
"query": "/groups/59ab642a-2776-4e32-9b68-9ff7a47b7f6a/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph"
}
}
]
}
Étape 3 : Obtenir des décisions
Obtenez les décisions prises pour la instance d’une révision d’accès. Dans une révision trimestrielle comme celle-ci, et tant que la révision d’accès est toujours active :
Tous les trois mois, une nouvelle instance de révision est créée.
Les réviseurs doivent appliquer de nouvelles décisions pour les nouvelles instances.
Demande
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea/instances/6392b1a7-9c25-4844-83e5-34e23c88e16a/decisions
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions["{accessReviewScheduleDefinition-id}"].Instances["{accessReviewInstance-id}"].Decisions.GetAsync();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
decisions, err := graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Instances().ByAccessReviewInstanceId("accessReviewInstance-id").Decisions().Get(context.Background(), nil)
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessReviewInstanceDecisionItemCollectionResponse result = graphClient.identityGovernance().accessReviews().definitions().byAccessReviewScheduleDefinitionId("{accessReviewScheduleDefinition-id}").instances().byAccessReviewInstanceId("{accessReviewInstance-id}").decisions().get();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->identityGovernance()->accessReviews()->definitions()->byAccessReviewScheduleDefinitionId('accessReviewScheduleDefinition-id')->instances()->byAccessReviewInstanceId('accessReviewInstance-id')->decisions()->get()->wait();
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
result = await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').instances.by_access_review_instance_id('accessReviewInstance-id').decisions.get()
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
Réponse
La réponse suivante montre la décision prise pour la instance de l’examen.
Remarque : l’objet de réponse affiché ci-après peut être raccourci pour plus de lisibilité.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('c22ae540-b89a-4d24-bac0-4ef35e6591ea')/instances('6392b1a7-9c25-4844-83e5-34e23c88e16a')/decisions",
"@odata.count": 1,
"value": [
{
"id": "0e76ee07-b4c6-469e-bc9d-e73fc9a8d660",
"accessReviewId": "6392b1a7-9c25-4844-83e5-34e23c88e16a",
"reviewedDateTime": "2021-02-10T17:06:26.147Z",
"decision": "Approve",
"justification": "",
"appliedDateTime": null,
"applyResult": "New",
"recommendation": "Deny",
"reviewedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "AAD Access Reviews",
"userPrincipalName": "AAD Access Reviews"
},
"appliedBy": {
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "",
"userPrincipalName": ""
},
"target": {
"@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
"userId": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"userDisplayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
},
"principal": {
"@odata.type": "#microsoft.graph.userIdentity",
"id": "baf1b0a0-1f9a-4a56-9884-6a30824f8d20",
"displayName": "John Doe (Tailspin Toys)",
"userPrincipalName": "john@tailspintoys.com"
}
}
]
}
Étape 4 : Nettoyer les ressources
Dans cette étape, vous supprimez la définition de révision d’accès. Étant donné que la définition de la planification de révision d’accès est le blueprint de la révision d’accès, la suppression de la définition supprime les paramètres, instances et décisions associés. La requête retourne une 204 No Content
réponse.
DELETE https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/c22ae540-b89a-4d24-bac0-4ef35e6591ea
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.IdentityGovernance().AccessReviews().Definitions().ByAccessReviewScheduleDefinitionId("accessReviewScheduleDefinition-id").Delete(context.Background(), nil)
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://video2.skills-academy.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.identity_governance.access_reviews.definitions.by_access_review_schedule_definition_id('accessReviewScheduleDefinition-id').delete()
Pour plus d’informations sur l’ajout du SDK à votre projet et la création d’un instance authProvider , consultez la documentation du Kit de développement logiciel (SDK ).
Contenu connexe