ar-script-examples

Collection of PowerShell scripts for automating processes in Access Reviews, such as review creation.

Scenarios

Azure Resource review authentication

  • For the script UpdateAzureResourceReviewsFromMonthlyToQuarterly.ps1 you need to be an owner of the subscription you are modifying.

Graph Script Prerequisites

  1. Getting approved for Access Reviews Graph API permissions:
  2. One simple way to add Graph permissions for a user principal is for a tenant admin to grant them permissions via the Portal or Graph Explorer.
    • Grant permissions via Graph Explorer:
      1. In your browser navigate to Graph Explorer
      2. Log in as a user who is a tenant admin (top right corner)
      3. Fill out the URL text box with an Access Review’s URL: https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
      4. The permissions you require will appear in the box below
      5. You need these Graph Permissions:
        • AccessReview.Read.All
        • AccessReview.ReadWrite.All
      6. Click 'Consent' if you don't already have the permissions; if the button reads 'Unconsent', you already have them.

Executing the scripts

  1. Run the desired PowerShell script from a PowerShell prompt, like so: .\asdf.ps1
  2. You might be prompted for an interactive login as the user you granted permissions to in Prerequisites.

GetListOfContactedReviwersForAadRoleReviews

  1. PowerShell script
  2. Sample execution and output: (screenshots not reproduced here)

Use the APIs to find contacted reviewers and find decisions made:

  1. Get a list of review definitions
    • List definitions
    • GET - https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
  2. For each definition get a list of instances:
    • List instances
    • GET - https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/fd3c47e4-c606-472e-b7de-6a217aa68c57/instances
  3. For each instance get a list of contacted reviewers (reviewers who have been notified to review):
    • List contactedReviewers
    • GET - https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/fd3c47e4-c606-472e-b7de-6a217aa68c57/instances/fd3c47e4-c606-472e-b7de-6a217aa68c57/contactedReviewers
  4. For each instance get a list of decision items:
    • List decisions
    • GET - https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/fd3c47e4-c606-472e-b7de-6a217aa68c57/instances/fd3c47e4-c606-472e-b7de-6a217aa68c57/decisions
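The four calls above chained into one script, as an added example that is not one of the repository's scripts. It assumes the Microsoft.Graph.Authentication module is installed (Connect-MgGraph and Invoke-MgGraphRequest come from it), that the signed-in user holds the AccessReview.Read.All permission granted under Prerequisites, and it reads the Graph property names documented for the accessReviewScheduleDefinition, accessReviewInstance, accessReviewReviewer and accessReviewInstanceDecisionItem resources (displayName, startDateTime, status, userPrincipalName, decision). It also follows @odata.nextLink, which the step list does not mention, so tenants with more than one page of definitions or decisions are not silently truncated.

```powershell
# Added example (not part of the ar-script-examples repository): walks every
# review definition -> instance -> contacted reviewers / decisions and builds
# one summary row per instance.
# Assumes: Microsoft.Graph.Authentication module installed, and the signed-in
# user has AccessReview.Read.All (see Prerequisites above).

# Helper: fetch a Graph collection and follow @odata.nextLink paging, so that
# large result sets are not cut off at the first page.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    $next = $Uri
    while ($next) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $next
        $items += $page.value
        $next  = $page.'@odata.nextLink'
    }
    return $items
}

# Interactive login; only the read scope is requested because this script
# never modifies a review.
Connect-MgGraph -Scopes 'AccessReview.Read.All'

$base   = 'https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions'
$report = @()

# Step 1: list definitions
foreach ($def in Get-GraphCollection -Uri $base) {
    # Step 2: list instances of this definition
    foreach ($inst in Get-GraphCollection -Uri "$base/$($def.id)/instances") {
        $instUri   = "$base/$($def.id)/instances/$($inst.id)"
        # Step 3: reviewers who were notified for this instance
        $reviewers = Get-GraphCollection -Uri "$instUri/contactedReviewers"
        # Step 4: decision items recorded for this instance
        $decisions = Get-GraphCollection -Uri "$instUri/decisions"

        # Decisions are summarised by outcome; an instance with many
        # NotReviewed items is the one an admin usually needs to chase.
        $report += [pscustomobject]@{
            Definition         = $def.displayName
            InstanceStart      = $inst.startDateTime
            InstanceStatus     = $inst.status
            ContactedReviewers = ($reviewers | ForEach-Object { $_.userPrincipalName }) -join '; '
            Approved           = @($decisions | Where-Object { $_.decision -eq 'Approve' }).Count
            Denied             = @($decisions | Where-Object { $_.decision -eq 'Deny' }).Count
            NotReviewed        = @($decisions | Where-Object { $_.decision -eq 'NotReviewed' }).Count
        }
    }
}

$report | Format-Table -AutoSize
```

Run it from a PowerShell prompt after Install-Module Microsoft.Graph.Authentication; the first Connect-MgGraph call opens the interactive login described under "Executing the scripts". Requesting only AccessReview.Read.All keeps the token's scope to what the reporting needs, which is the least-privilege choice for a read-only script; the ReadWrite permission listed in Prerequisites is only needed by the scripts that create or modify reviews.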