
I need help creating an access review. The sample code here seems to be outdated: https://learn.microsoft.com/en-us/graph/api/accessreviewset-post-definitions?view=graph-rest-1.0&tabs=csharp#request

But in that code, `.PostAsync` was not available.

Here is my updated code. But when I run it, I get this error: `Message: PartnerData | Partner Record with Id 00000000-0000-0000-0000-000000000000 not found in repository`

Console.WriteLine($"Creating AR for Group {groupid}");
      var ar = new AccessReviewScheduleDefinition();
       ar.DisplayName = "One-time self-review for members of Building security";
       ar.DescriptionForAdmins = "One-time self-review for members of Building security";
       ar.DescriptionForReviewers = "One-time self-review for members of Building security";
       ar.Scope = new AccessReviewScope
        {
          AdditionalData = new Dictionary<string, object>
          {           
            {
              ///transitiveMembers - Self Review
              "query" , $"/groups/{groupid}/owners"
            },
            {
              "queryType" , "MicrosoftGraph"
            },
          },
        };
       ar.InstanceEnumerationScope = new AccessReviewScope
        {
          AdditionalData = new Dictionary<string, object>
          {
            {
              "query" , $"/groups/{groupid}"
            },
            {
              "queryType" , "MicrosoftGraph"
            },
          },
        };
       ar.Settings = new AccessReviewScheduleSettings
        {
          MailNotificationsEnabled = true,
          ReminderNotificationsEnabled = true,
          JustificationRequiredOnApproval = true,
          DefaultDecisionEnabled = true,
          DefaultDecision = "Deny",
          InstanceDurationInDays = 5,
          AutoApplyDecisionsEnabled = true,
          RecommendationsEnabled = true,
          Recurrence = new PatternedRecurrence
          {
              Pattern = new RecurrencePattern
              {
                Type = RecurrencePatternType.Weekly,
                Interval = 1,
              },
              Range = new RecurrenceRange
              {
                Type = RecurrenceRangeType.NoEnd,
                StartDate = new Date(2023,03,15),
              },
          },
        };
      try
      {
      var result = await graphClient.IdentityGovernance.AccessReviews.Definitions.Request().AddAsync(ar);
       Console.WriteLine(result);
      }
      catch(Exception ex)
      {
      Console.WriteLine(ex.Message);
      }
    }

I first tried the code from the article, then modified it into the version above.

  • You are probably using `Microsoft.Graph v4.x`, since you used `.Request().AddAsync(ar)`; `.PostAsync` belongs to package `v5.0`. – Tiny Wang Mar 17 '23 at 10:00



I tried the code below to create an access review using client-credentials authentication, and it was created successfully. Refer below:-

I am using .NET 6.0 with the latest version of the Microsoft.Graph package.

Code:-

using System;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using Microsoft.Extensions.Configuration;
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions;
using System.Collections.Generic;
using Microsoft.Graph.Core;
using Azure.Identity;

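// The client credentials flow requires that you request the
// /.default scope, and preconfigure your permissions on the
// app registration in Azure. An administrator must grant consent
// to those permissions beforehand.
var scopes = new[] { "https://graph.microsoft.com/.default" };

// Multi-tenant apps can use "common",
// single-tenant apps must use the tenant ID from the Azure portal
var tenantId = "<tenant-id>";

// Values from app registration. The client ID is not sensitive, but the
// client secret is a credential and must not be embedded in source (it
// ends up in version control and in any copy of the binary). Read it from
// the environment instead; GRAPH_CLIENT_SECRET is only an example variable
// name — use whatever your deployment provides, or bind it through the
// IConfiguration package that is already imported above.
var clientId = "<client-id>";
var clientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET")
    ?? throw new InvalidOperationException("GRAPH_CLIENT_SECRET is not set.");

// using Azure.Identity;
var options = new TokenCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};

// https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential
var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret, options);

var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

// Definition of the review: who is reviewed (Scope), who reviews
// (Reviewers) and how each instance behaves (Settings).
var requestBody = new AccessReviewScheduleDefinition
{
    DisplayName = "Test create",
    DescriptionForAdmins = "New scheduled access review",
    DescriptionForReviewers = "If you have any questions, contact sid24desai@outlook.com",
    Scope = new AccessReviewScope
    {
        // Graph type discriminators carry a leading "#"; this matches the
        // OdataType values used in the other examples of this answer.
        OdataType = "#microsoft.graph.accessReviewQueryScope",
        AdditionalData = new Dictionary<string, object>
        {
            {
                // The principals under review: every transitive member of the group.
                "query" , "/groups/<objectid>/transitiveMembers"
            },
            {
                "queryType" , "MicrosoftGraph"
            },
        },
    },
    Reviewers = new List<AccessReviewReviewerScope>
    {
        // A single named user performs the review.
        new AccessReviewReviewerScope
        {
            Query = "/users/<objectid>",
            QueryType = "MicrosoftGraph",
        },
    },
    Settings = new AccessReviewScheduleSettings
    {
        MailNotificationsEnabled = true,
        ReminderNotificationsEnabled = true,
        JustificationRequiredOnApproval = true,
        // No default decision is applied to unreviewed members.
        DefaultDecisionEnabled = false,
        DefaultDecision = "None",
        InstanceDurationInDays = 1,
        RecommendationsEnabled = true,
        Recurrence = new PatternedRecurrence
        {
            Pattern = new RecurrencePattern
            {
                Type = RecurrencePatternType.Weekly,
                Interval = 1,
            },
            Range = new RecurrenceRange
            {
                Type = RecurrenceRangeType.NoEnd,
                // Build the calendar date directly. Parsing the "Z" timestamp with
                // DateTime.Parse converts it to the machine's local time first, so
                // the resulting day could shift depending on the time zone.
                StartDate = new Date(2020, 9, 8),
            },
        },
    },
};

// Keep the created definition so its server-assigned Id can be reported.
var created = await graphClient.IdentityGovernance.AccessReviews.Definitions.PostAsync(requestBody);
Console.WriteLine($"Created access review definition {created?.Id}");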

Output:-

enter image description here

When I ran your code I received the same error. When I changed the query in my own code from `transitiveMembers` to `owners`, I got the same error as well. Refer below:-

enter image description here

This error occurs when you do not follow the default SDK pattern from the MS Graph documentation and use the wrong parameters for a self-review. Your code is missing `OdataType`, and the `Reviewers` property should also be set as shown below:-

Odata type:-

OdataType = "#microsoft.graph.accessReviewQueryScope"
OdataType = "#microsoft.graph.accessReviewInactiveUsersQueryScope"

Reviewers:-

Reviewers = new List<AccessReviewReviewerScope> { new AccessReviewReviewerScope { Query = "./owners", QueryType = "MicrosoftGraph", }, }, FallbackReviewers = new List<AccessReviewReviewerScope> { new AccessReviewReviewerScope { Query = "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f", QueryType = "MicrosoftGraph", }, },

I tried the above parameters in my code below and it worked. I set the `AccessReviewReviewerScope` query to the group owners (`./owners`):-

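// requestAdapter is created elsewhere (not shown); it carries the credential.
var graphClient = new GraphServiceClient(requestAdapter);

// Quarterly review of inactive guest users across all Teams-enabled groups,
// with each group's owners as reviewers and one named user as fallback.
var requestBody = new AccessReviewScheduleDefinition
{
    DisplayName = "Review inactive guests on teams",
    DescriptionForAdmins = "Control guest user access to our teams.",
    DescriptionForReviewers = "Information security is everyone's responsibility. Review our access policy for more.",
    // Which resources get their own review instance: every Teams-enabled group.
    InstanceEnumerationScope = new AccessReviewScope
    {
        OdataType = "#microsoft.graph.accessReviewQueryScope",
        AdditionalData = new Dictionary<string, object>
        {
            {
                "query" , "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team')')"
            },
            {
                "queryType" , "MicrosoftGraph"
            },
        },
    },
    // Within each group, the principals under review: guest members, limited
    // to those inactive for the given duration.
    Scope = new AccessReviewScope
    {
        OdataType = "#microsoft.graph.accessReviewInactiveUsersQueryScope",
        AdditionalData = new Dictionary<string, object>
        {
            {
                "query" , "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')"
            },
            {
                "queryType" , "MicrosoftGraph"
            },
            {
                // ISO 8601 duration: 30 days.
                "inactiveDuration" , "P30D"
            },
        },
    },
    // "./owners" is relative to each enumerated group, so group owners review
    // their own group's guests.
    Reviewers = new List<AccessReviewReviewerScope>
    {
        new AccessReviewReviewerScope
        {
            Query = "./owners",
            QueryType = "MicrosoftGraph",
        },
    },
    // Used when a group has no owners to act as reviewer.
    FallbackReviewers = new List<AccessReviewReviewerScope>
    {
        new AccessReviewReviewerScope
        {
            Query = "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
            QueryType = "MicrosoftGraph",
        },
    },
    Settings = new AccessReviewScheduleSettings
    {
        MailNotificationsEnabled = true,
        ReminderNotificationsEnabled = true,
        JustificationRequiredOnApproval = true,
        RecommendationsEnabled = true,
        InstanceDurationInDays = 3,
        Recurrence = new PatternedRecurrence
        {
            // Every 3 months on the 5th.
            Pattern = new RecurrencePattern
            {
                Type = RecurrencePatternType.AbsoluteMonthly,
                DayOfMonth = 5,
                Interval = 3,
            },
            Range = new RecurrenceRange
            {
                Type = RecurrenceRangeType.NoEnd,
                // Build the calendar date directly. DateTime.Parse on a "Z" midnight
                // timestamp converts to local time first, which on any negative-UTC
                // offset machine yields the previous day (2020-05-03).
                StartDate = new Date(2020, 5, 4),
            },
        },
        // Unreviewed guests get a Deny decision that is applied automatically
        // when the instance ends; confirm this is the intended outcome before
        // enabling it against production groups.
        DefaultDecisionEnabled = true,
        DefaultDecision = "Deny",
        AutoApplyDecisionsEnabled = true,
    },
};
var result = await graphClient.IdentityGovernance.AccessReviews.Definitions.PostAsync(requestBody);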

Output:-

enter image description here

enter image description here

Make sure you check the valid and supported parameters in these documents:-

References:-

Create definitions - Microsoft Graph v1.0 | Microsoft Learn

Assign reviewers to your access review using the Microsoft Graph API - Microsoft Graph | Microsoft Learn
