
AADAccessReview: New resource proposal

Open jeffreycloudlife opened this issue 1 year ago • 4 comments

Description

I would like to use this resource to deploy access reviews.

Proposed properties

All properties in the AccessReview object. https://learn.microsoft.com/en-us/powershell/module/Microsoft.Graph.Beta.Identity.Governance/get-mgbetaaccessreview?view=graph-powershell-beta

 Name                   Definition
 ----                   ----------
 AdditionalProperties   System.Collections.Generic.IDictionary[string,System.Obj…
 BusinessFlowTemplateId string BusinessFlowTemplateId {get;set;}
 CreatedBy              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUs…
 Decisions              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 Description            string Description {get;set;}
 DisplayName            string DisplayName {get;set;}
 EndDateTime            System.Nullable[datetime] EndDateTime {get;set;}
 Id                     string Id {get;set;}
 Instances              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 MyDecisions            Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 ReviewedEntity         Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphId…
 Reviewers              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 ReviewerType           string ReviewerType {get;set;}
 Settings               Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 StartDateTime          System.Nullable[datetime] StartDateTime {get;set;}
 Status                 string Status {get;set;}

Special considerations or limitations

The *-MgBetaAccessReview cmdlets can't retrieve access reviews directly; they need an AccessReviewID or BusinessFlowTemplateID. The BusinessFlowTemplateID has a set of static template IDs, but organizations can make their own too.

jeffreycloudlife avatar Apr 23 '24 13:04 jeffreycloudlife

I've tried to create a new resource myself via the dynamic resource generator, but I've run into the issue that it doesn't output all of the properties when I do an export. I'll try later on (no ETA), but someone might want to put some effort in too.

You can find the attempt in this fork: https://github.com/jeffreycloudlife/Microsoft365DSC/tree/aadaccessreview/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReview

jeffreycloudlife avatar Apr 23 '24 13:04 jeffreycloudlife

Aren't Access Reviews meant to be operational constructs more than stateful ones? Does it make sense to manage the lifecycle of an Access Review via Configuration-as-Code?

NikCharlebois avatar Apr 23 '24 20:04 NikCharlebois

Maybe I could explain my use case. I am using access reviews on groups that I configure via Microsoft365DSC (with monthly recurrence), where the reviewer is also a group I configured in Microsoft365DSC. The settings do not change, and live and die with the existence of the group. I get what you mean by operational constructs, but I am trying to use this as a continuous access review. Interested to know if this is actually something that fits into (the design of) Microsoft365DSC. I can personally solve this via Graph API calls, but would much rather have this in the module.

For more context, I am trying to automate the access review part of the CA Zero Trust framework shown here: https://github.com/microsoft/ConditionalAccessforZeroTrustResources/

jeffreycloudlife avatar Apr 24 '24 12:04 jeffreycloudlife
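The monthly, group-reviewed access review described above, written as a DSC-style Test/Set script. This is an added example, not code from the issue or from the Microsoft365DSC project: it uses the accessReviewScheduleDefinition endpoint (Microsoft.Graph.Beta.Identity.Governance) rather than the legacy *-MgBetaAccessReview cmdlets listed in the issue, and the group ids and display name are placeholders.

```powershell
# Added example (not from the issue or Microsoft365DSC): ensure a monthly access review
# exists for one group, with the members of a second group acting as reviewers.
# Uses the accessReviewScheduleDefinition API; group ids below are placeholders.
Import-Module Microsoft.Graph.Beta.Identity.Governance
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

$ReviewedGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: group under review
$ReviewerGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: group whose members review
$DisplayName     = 'Monthly review - Privileged Group'       # placeholder: acts as the natural key

# Desired state, expressed as the request body of a schedule definition.
$Desired = @{
    displayName          = $DisplayName
    descriptionForAdmins = 'Managed as code; do not edit in the portal.'
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$ReviewedGroupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    reviewers = @(
        @{ query = "/groups/$ReviewerGroupId/transitiveMembers"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # access that nobody reviews is removed, not kept
        autoApplyDecisionsEnabled       = $true    # apply decisions without a manual step
        recommendationsEnabled          = $true
        instanceDurationInDays          = 7
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = 1; dayOfMonth = 1 }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

# Test: the API has no natural key, so match on display name client-side
# (the same identity problem a Microsoft365DSC resource would have to solve).
$Existing = Get-MgBetaIdentityGovernanceAccessReviewDefinition -All |
    Where-Object { $_.DisplayName -eq $DisplayName }

# Set: create only when absent, so re-running the script is idempotent.
if (-not $Existing) {
    New-MgBetaIdentityGovernanceAccessReviewDefinition -BodyParameter $Desired
} else {
    Write-Host "Access review '$DisplayName' already present (id $($Existing.Id)); nothing to do."
}
```

Drift in the existing definition's settings is not corrected here; a full resource would compare `$Existing.Settings` against `$Desired.settings` and call the Update cmdlet when they differ.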

I would also be interested in this feature. Indeed, we use access reviews on our groups which give Entra ID roles (like groups admin, user admin, global admin etc.). Access review uses group owners as reviewers. It is therefore a setting which does not change and which could be set as code when creating a group giving roles in Entra ID.

gibi916 avatar May 23 '24 09:05 gibi916