microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

AADAccessReview: New resource proposal #4591

Open jeffreycloudlife opened 4 months ago

jeffreycloudlife commented 4 months ago

Description

I would like to use this resource to deploy access reviews.

Proposed properties

All properties in the AccessReview object. https://learn.microsoft.com/en-us/powershell/module/Microsoft.Graph.Beta.Identity.Governance/get-mgbetaaccessreview?view=graph-powershell-beta

 Name                   Definition
 ----                   ----------
 AdditionalProperties   System.Collections.Generic.IDictionary[string,System.Obj…
 BusinessFlowTemplateId string BusinessFlowTemplateId {get;set;}
 CreatedBy              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphUs…
 Decisions              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 Description            string Description {get;set;}
 DisplayName            string DisplayName {get;set;}
 EndDateTime            System.Nullable[datetime] EndDateTime {get;set;}
 Id                     string Id {get;set;}
 Instances              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 MyDecisions            Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 ReviewedEntity         Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphId…
 Reviewers              Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 ReviewerType           string ReviewerType {get;set;}
 Settings               Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphAc…
 StartDateTime          System.Nullable[datetime] StartDateTime {get;set;}
 Status                 string Status {get;set;}

Special considerations or limitations

The *-MgBetaAccessReview can't be retrieved directly; it needs an AccessReviewID or a BusinessFlowTemplateID. The BusinessFlowTemplateID has a set of static template IDs, but organizations can make their own too.
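As an added illustration of the retrieval limitation described above (this is example code, not part of the issue or of Microsoft365DSC), the following shows how a Get-TargetResource for the proposed resource could locate an access review: list by BusinessFlowTemplateId, match on DisplayName, then read the single review by its Id. It uses the Get-MgBetaAccessReview cmdlet named in the proposal; the template ID, display name and the hashtable shape returned are assumptions.

```powershell
# Added example: locating an existing access review the way a DSC "Get" would.
# Assumes the Microsoft.Graph.Beta.Identity.Governance module and a connection
# with read permission on access reviews. Values marked placeholder are not real.
Connect-MgGraph -Scopes 'AccessReview.Read.All'

$businessFlowTemplateId = '<business-flow-template-id>'    # placeholder
$desiredDisplayName     = 'Monthly review - Group Admins'  # placeholder

function Get-AccessReviewByName {
    param(
        [Parameter(Mandatory)] [string] $BusinessFlowTemplateId,
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # 1. Reviews cannot be listed tenant-wide; the list call requires a
    #    businessFlowTemplateId filter, as the proposal notes.
    $candidates = Get-MgBetaAccessReview `
        -Filter "businessFlowTemplateId eq '$BusinessFlowTemplateId'" -All

    # 2. DisplayName is the only key a configuration can supply up front,
    #    so it is the match criterion for "does this review already exist".
    $match = $candidates | Where-Object { $_.DisplayName -eq $DisplayName } |
             Select-Object -First 1

    if ($null -eq $match) {
        # Hypothetical DSC-style result: nothing to manage yet.
        return @{ Ensure = 'Absent'; DisplayName = $DisplayName }
    }

    # 3. Read the review by its Id; this is the other supported retrieval path.
    $review = Get-MgBetaAccessReview -AccessReviewId $match.Id

    # Hypothetical DSC-style result built from properties listed in the proposal.
    return @{
        Ensure                 = 'Present'
        Id                     = $review.Id
        DisplayName            = $review.DisplayName
        Description            = $review.Description
        BusinessFlowTemplateId = $review.BusinessFlowTemplateId
        ReviewerType           = $review.ReviewerType
        StartDateTime          = $review.StartDateTime
        EndDateTime            = $review.EndDateTime
        Status                 = $review.Status
    }
}

Get-AccessReviewByName -BusinessFlowTemplateId $businessFlowTemplateId `
                       -DisplayName $desiredDisplayName
```

Matching on DisplayName is a design choice worth flagging: two reviews with the same name under one template would be indistinguishable to a configuration, so a resource based on this approach should treat duplicate names as a drift condition rather than silently picking the first one.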

jeffreycloudlife commented 4 months ago

I've tried to create a new resource myself via the dynamic resource generator, but I've run into the issue that it doesn't output all of the properties when I do an export. I'll try later on (no ETA), but someone might want to put some effort in too.

You can find the attempt in this fork: https://github.com/jeffreycloudlife/Microsoft365DSC/tree/aadaccessreview/Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReview

NikCharlebois commented 4 months ago

Aren't Access Reviews meant to be operational constructs more than stateful ones? Does it make sense to manage the lifecycle of an Access Review via Configuration-as-Code?

jeffreycloudlife commented 4 months ago

Maybe I could explain my use case. I am using access reviews on groups that I configure via Microsoft365DSC (with monthly recurrence), where the reviewer is also a group I configured in Microsoft365DSC. The settings do not change, and live and die with the existence of the group. I get what you mean by operational constructs, but I am trying to use this as a continuous access review. Interested to know if this is actually something that fits into (the design of) Microsoft365DSC. I can personally solve this via Graph API calls, but would much rather have this in the module.

For more context, I am trying to automate the access review part of the CA Zero Trust framework shown here: https://github.com/microsoft/ConditionalAccessforZeroTrustResources/

gibi916 commented 3 months ago

I would also be interested in this feature. Indeed, we use access reviews on our groups which give Entra ID roles (like groups admin, user admin, global admin, etc.). Access review uses group owners as reviewers. It is therefore a setting which does not change and which could be set as code when creating a group giving roles in Entra ID.