Updates from: 01/01/2022 02:10:15
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Accesspackage Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-delete.md
Namespace: microsoft.graph
Delete an [accessPackage](../resources/accesspackage.md) object.
-You cannot delete an access package if it has any **accessPackageAssignment**. To delete the access package, first [query if there are any assignments](accesspackageassignment-list.md) with a filter to indicate the specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. For more information on how to remove assignments that are still in the delivered state, see [Remove an assignment](accesspackageassignmentrequest-post.md#example-4-remove-an-assignment).
+You cannot delete an access package if it has any **accessPackageAssignment**. To delete the access package, first [query if there are any assignments](entitlementmanagement-list-accesspackageassignments.md) with a filter to indicate the specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. For more information on how to remove assignments that are still in the delivered state, see [Remove an assignment](entitlementmanagement-post-accesspackageassignmentrequests.md#example-4-remove-an-assignment).
## Permissions
v1.0 Accesspackage Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-filterbycurrentuser.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackage](../resources/accesspackage.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackage](../resources/accesspackage.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser
+GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')
``` ## Function parameters
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|[accessPackageFilterByCurrentUserOptions](../resources/accesspackage-accesspackagefilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access packages list.|
+|on|[accessPackageFilterByCurrentUserOptions](../resources/accesspackage-accesspackagefilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access packages list. The allowed value is `allowedRequestor`.|
- `allowedRequestor` is used to get the `accessPackage` objects for which the signed-in user is allowed to submit access requests. The resulting list includes all access packages that can be requested by the caller across all catalogs.
v1.0 Accesspackage Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-get.md
GET /identityGovernance/entitlementManagement/accessPackages/{id}
## Optional query parameters
-This method supports some of the OData query parameters to help customize the response. For example, to retrieve the access package policies, add `$expand=accessPackageAssignmentPolicies`. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For example, to retrieve the access package policies, add `$expand=accessPackageAssignmentPolicies`. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Accesspackage Getapplicablepolicyrequirements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), this action retrieves a list of [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) objects that the currently signed-in user can use to create an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md). Each requirement object corresponds to an access package assignment policy that the currently signed-in user is allowed to request an assignment for.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), this action retrieves a list of [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) objects that the currently signed-in user can use to create an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md). Each requirement object corresponds to an access package assignment policy that the currently signed-in user is allowed to request an assignment for.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Accesspackage List Accesspackageresourcerolescopes https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-list-accesspackageresourcerolescopes.md
GET /identityGovernance/entitlementManagement/accessPackages/{id}?$expand=access
## Optional query parameters
-This method uses OData query parameters to customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to customize the response. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Accesspackage Post Accesspackageresourcerolescopes https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-post-accesspackageresourcerolescopes.md
If successful, this method returns a 200-series response code and a new [accessP
#### Request
-The following is an example of the request. Prior to this request, the access package resource `1d08498d-72a1-403f-8511-6b1f875746a0` for the group `b31fe1f1-3651-488f-bd9a-1711887fd4ca` must already have been added to the access package catalog containing this access package. The resource could have been added to the catalog by [creating an access package resource request](accesspackageresourcerequest-post.md).
+The following is an example of the request. Prior to this request, the access package resource `1d08498d-72a1-403f-8511-6b1f875746a0` for the group `b31fe1f1-3651-488f-bd9a-1711887fd4ca` must already have been added to the access package catalog containing this access package. The resource could have been added to the catalog by [creating an access package resource request](entitlementmanagement-post-accesspackageresourcerequests.md).
# [HTTP](#tab/http) <!-- {
v1.0 Accesspackageassignment Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignment-filterbycurrentuser.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /identityGovernance/entitlementManagement/accessPackageAssignments/filterByCurrentUser
+GET /identityGovernance/entitlementManagement/accessPackageAssignments/filterByCurrentUser(on='parameterValue')
``` ## Function parameters
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|[accessPackageAssignmentFilterByCurrentUserOptions](../resources/accesspackageassignment-accesspackageassignmentfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignments list.|
+|on|[accessPackageAssignmentFilterByCurrentUserOptions](../resources/accesspackageassignment-accesspackageassignmentfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignments list. The possible values are: `target`, `createdBy`. |
- `target` is used to get the `accessPackageAssignment` objects where the signed-in user is the target. The resulting list includes all of the assignments, current and expired, for the caller across all catalogs and access packages.
v1.0 Accesspackageassignment Reprocess https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignment-reprocess.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), callers can automatically reevaluate and enforce an [accessPackageAssignment](../resources/accesspackageassignment.md) object of a userΓÇÖs assignments for a specific access package. The **assignmentState** of the access package must be `Delivered` for the administrator to reprocess the user's assignment. Only admins with the Access Package Assignment Manager role, or higher, in Azure AD entitlement management can perform this action.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), callers can automatically reevaluate and enforce an [accessPackageAssignment](../resources/accesspackageassignment.md) object of a userΓÇÖs assignments for a specific access package. The **assignmentState** of the access package must be `Delivered` for the administrator to reprocess the user's assignment. Only admins with the Access Package Assignment Manager role, or higher, in Azure AD entitlement management can perform this action.
## Permissions
v1.0 Accesspackageassignmentpolicy Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentpolicy-delete.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), delete an [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md).
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), delete an [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md).
## Permissions
v1.0 Accesspackageassignmentpolicy Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentpolicy-get.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieve the properties and relationships of an
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve the properties and relationships of an
[accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) object. ## Permissions
GET /identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{i
## Optional query parameters
-This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports the `$select` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Accesspackageassignmentrequest Cancel https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentrequest-cancel.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), cancel [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects that are in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), cancel [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects that are in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Accesspackageassignmentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentrequest-filterbycurrentuser.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /identityGovernance/entitlementManagement/accessPackageAssignmentRequests/filterByCurrentUser
+GET /identityGovernance/entitlementManagement/accessPackageAssignmentRequests/filterByCurrentUser(on='parameterValue')
``` ## Function parameters
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequest-accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list.|
+|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequest-accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list. The possible values are `target`, `createdBy`, `approver`.|
- `target` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is the target. The resulting list includes all the assignment requests, current and expired, that were requested by the caller or for the caller, across all catalogs and access packages.
v1.0 Accesspackageassignmentrequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentrequest-get.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieve the properties and relationships of an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve the properties and relationships of an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
## Permissions
v1.0 Accesspackageassignmentrequest Reprocess https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentrequest-reprocess.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), callers can automatically retry a user's request for access to an access package. It is performed on an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object whose **requestState** is in a `DeliveryFailed` or `PartiallyDelivered` state.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), callers can automatically retry a user's request for access to an access package. It is performed on an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object whose **requestState** is in a `DeliveryFailed` or `PartiallyDelivered` state.
## Permissions
v1.0 Accesspackagecatalog Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackagecatalog-get.md
GET /identityGovernance/entitlementManagement/accessPackageCatalogs/{id}
## Optional query parameters
-This method supports some of the OData query parameters to help customize the response. For example, to retrieve the access packages in a catalog, include `$expand=accessPackages` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For example, to retrieve the access packages in a catalog, include `$expand=accessPackages` in the query. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Accesspackagecatalog List Accesspackageresourceroles https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackagecatalog-list-accesspackageresourceroles.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Retrieve a list of [accessPackageResourceRole](../resources/accesspackageresourcerole.md) objects of an [accessPackageResource](../resources/accesspackageresource.md) in an [accessPackageCatalog](../resources/accesspackagecatalog.md). The resource should have been added to the catalog by [creating an accessPackageResourceRequest](accesspackageresourcerequest-post.md). This list of roles can then be used by the caller to select a role, which is needed when subsequently [creating an accessPackageResourceRoleScope](accesspackage-post-accesspackageresourcerolescopes.md).
+Retrieve a list of [accessPackageResourceRole](../resources/accesspackageresourcerole.md) objects of an [accessPackageResource](../resources/accesspackageresource.md) in an [accessPackageCatalog](../resources/accesspackagecatalog.md). The resource should have been added to the catalog by [creating an accessPackageResourceRequest](entitlementmanagement-post-accesspackageresourcerequests.md). This list of roles can then be used by the caller to select a role, which is needed when subsequently [creating an accessPackageResourceRoleScope](accesspackage-post-accesspackageresourcerolescopes.md).
## Permissions
v1.0 Accesspackagecatalog List Accesspackageresources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackagecatalog-list-accesspackageresources.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Retrieve a list of [accessPackageResource](../resources/accesspackageresource.md) objects in an [accessPackageCatalog](../resources/accesspackagecatalog.md). To request to add or remove an [accessPackageResource](../resources/accesspackageresource.md), use [create accessPackageResourceRequest](accesspackageresourcerequest-post.md).
+Retrieve a list of [accessPackageResource](../resources/accesspackageresource.md) objects in an [accessPackageCatalog](../resources/accesspackagecatalog.md). To request to add or remove an [accessPackageResource](../resources/accesspackageresource.md), use [create accessPackageResourceRequest](entitlementmanagement-post-accesspackageresourcerequests.md).
## Permissions
v1.0 Accessreviewinstance Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewinstance-get.md
Namespace: microsoft.graph
Retrieve an [accessReviewInstance](../resources/accessreviewinstance.md) object using the identifier of an accessReviewInstance and its parent [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md). This returns all properties of the instance except for the associated [accessReviewInstanceDecisionItems](../resources/accessreviewinstancedecisionitem.md).
-To retrieve the decisions on the instance, use [List accessReviewInstanceDecisionItem](accessreviewinstancedecisionitem-list.md).
+To retrieve the decisions on the instance, use [List accessReviewInstanceDecisionItem](accessreviewinstance-list-decisions.md).
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account)|Not supported.| |Application | AccessReview.Read.All, AccessReview.ReadWrite.All |
-In order to call this API, the signed in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-root.md).
+In order to call this API, the signed in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
## HTTP request <!-- { "blockType": "ignored" } -->
Content-type: application/json
## See also - [Get accessReviewScheduleDefinition](accessreviewscheduledefinition-get.md)-- [List accessReviewInstance](accessreviewinstance-list.md)
+- [List accessReviewInstance](accessreviewscheduledefinition-list-instances.md)
<!--
v1.0 Accessreviewinstance List Decisions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewinstance-list-decisions.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Get the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects from the decisions on an [accessReviewInstance](../resources/accessreviewinstance.md).
+Retrieve the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects for a specific [accessReviewInstance](../resources/accessreviewinstance.md). A list of zero or more accessReviewInstanceDecisionItem objects are returned, including all of their nested properties.
>[!NOTE] >The default page size for this API is 100 accessReviewInstance objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
v1.0 Accessreviewinstancedecisionitem List https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewinstancedecisionitem-list.md
- Title: "List accessReviewInstanceDecisionItem"
-description: "Retrieve accessReviewInstanceDecisionItem objects."
-
-doc_type: apiPageType
--
-# List accessReviewInstanceDecisionItem
-
-Namespace: microsoft.graph
--
-Retrieve the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects for a specific [accessReviewInstance](../resources/accessreviewinstance.md). A list of zero or more accessReviewInstanceDecisionItem objects are returned, including all of their nested properties.
-
->[!NOTE]
->The default page size for this API is 100 accessReviewInstanceDecisionItem objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type | Permissions (from least to most privileged) |
-|:--|:|
-|Delegated (work or school account) | AccessReview.Read.All, AccessReview.ReadWrite.All |
-|Delegated (personal Microsoft account)|Not supported.|
-|Application | AccessReview.Read.All, AccessReview.ReadWrite.All |
-
- The signed-in user must also be in a directory role that permits them to read an access review.
-
-## HTTP request
-<!-- { "blockType": "ignored" } -->
-```http
-GET /identityGovernance/accessReviews/definitions/{definition-id}/instances/{instance-id}/decisions
-```
-
-## Optional query parameters
-This method supports `$select`, `$filter`, `$orderBy`, `$skip`, and `$top` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-None.
-
-## Request body
-Do not supply a request body.
-
-## Response
-If successful, this method returns a `200 OK` response code and an array of [accessReviewInstanceDecisionItem](../resources/accessreviewinstance.md) objects in the response body.
-
-## Examples
-### Request
-The following example shows a request to retrieve all the decisions on an instance of an access review.
--
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_accessReviewInstanceDecisionItem"
-}-->
-```msgraph-interactive
-GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/60860cdd-fb4d-4054-91ba-444404f3baa6/instances/14444cdb-6a18-4c08-ba2c-48c02f0a0138/decisions?$top=100&$skip=0
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
------
-### Response
->**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "microsoft.graph.accessReviewInstanceDecisionItem",
- "isCollection": "true"
-} -->
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
-
-{
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions('5eac5a70-7cd7-4f20-92b0-f9dba70dd7f0')/instances('6444d4fd-ab55-4608-8cf9-c6702d172bcc')/decisions",
- "@odata.count": 2,
- "value": [
- {
- "id": "e6cafba0-cbf0-4748-8868-0810c7f4cc06",
- "accessReviewId": "6444d4fd-ab55-4608-8cf9-c6702d172bcc",
- "reviewedDateTime": null,
- "decision": "NotReviewed",
- "justification": "",
- "appliedDateTime": null,
- "applyResult": "New",
- "recommendation": "Approve",
- "principalLink": "https://graph.microsoft.com/v1.0/users/04777c4b-4d43-4d32-a2e7-1eba5d03f8cf",
- "resourceLink": null,
- "resource": null,
- "reviewedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "appliedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "target": {
- "@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
- "userId": "04777c4b-4d43-4d32-a2e7-1eba5d03f8cf",
- "userDisplayName": "Diego Siciliani",
- "userPrincipalName": "DiegoS@contoso.com"
- },
- "principal": {
- "@odata.type": "#microsoft.graph.userIdentity",
- "id": "04777c4b-4d43-4d32-a2e7-1eba5d03f8cf",
- "displayName": "Diego Siciliani",
- "userPrincipalName": "DiegoS@contoso.com"
- }
- },
- {
- "id": "4bde8d40-9224-4aa3-936b-08d73e1baf47",
- "accessReviewId": "6444d4fd-ab55-4608-8cf9-c6702d172bcc",
- "reviewedDateTime": null,
- "decision": "NotReviewed",
- "justification": "",
- "appliedDateTime": null,
- "applyResult": "New",
- "recommendation": "Approve",
- "principalLink": "https://graph.microsoft.com/v1.0/users/11feb738-0039-4a6c-a045-dcb91a47969a",
- "resourceLink": null,
- "resource": null,
- "reviewedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "appliedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "target": {
- "@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
- "userId": "11feb738-0039-4a6c-a045-dcb91a47969a",
- "userDisplayName": "Johanna Lorenz",
- "userPrincipalName": "JohannaL@contoso.com"
- },
- "principal": {
- "@odata.type": "#microsoft.graph.userIdentity",
- "id": "11feb738-0039-4a6c-a045-dcb91a47969a",
- "displayName": "Johanna Lorenz",
- "userPrincipalName": "JohannaL@contoso.com"
- }
- }
- ]
-}
-```
-
-## See also
--- [Get accessReviewScheduleDefinition](accessreviewscheduledefinition-get.md)-- [Get accessReviewInstance](accessreviewinstance-get.md)--
-<!--
-{
- "type": "#page.annotation",
- "description": "List accessReviewInstanceDecisionItem",
- "keywords": "",
- "section": "documentation",
- "tocPath": "",
- "suppressions": [
- ]
-}
>
v1.0 Accessreviewscheduledefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewscheduledefinition-get.md
Namespace: microsoft.graph
Retrieve an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object by ID. This returns all properties of the scheduled access review series except for the associated accessReviewInstances. Each accessReviewScheduleDefinition has at least one instance. An instance represents a review for a specific resource (such as a particular group's members), during one occurrence (e.g., March 2021) of a recurring review.
-To retrieve the instances of the access review series, use the [list accessReviewInstance](accessreviewinstance-list.md) API.
+To retrieve the instances of the access review series, use the [list accessReviewInstance](accessreviewscheduledefinition-list-instances.md) API.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account)|Not supported.| |Application | AccessReview.Read.All, AccessReview.ReadWrite.All |
-To call this API, the signed-in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-root.md).
+To call this API, the signed-in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
## HTTP request <!-- { "blockType": "ignored" } -->
Content-type: application/json
## See also -- [Create accessReviewScheduleDefinition](accessreviewscheduledefinition-post.md)-- [List accessReviewScheduleDefinition](accessreviewscheduledefinition-list.md)-- [List accessReviewInstance](accessreviewinstance-list.md)
+- [Create accessReviewScheduleDefinition](accessreviewset-post-definitions.md)
+- [List accessReviewScheduleDefinition](accessreviewset-list-definitions.md)
+- [List accessReviewInstance](accessreviewscheduledefinition-list-instances.md)
<!--
v1.0 Accessreviewscheduledefinition List Instances https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewscheduledefinition-list-instances.md
+
+ Title: "List instances"
+description: "Retrieve accessReviewInstance objects."
+ms.localizationpriority: medium
+++
+# List instances
+
+Namespace: microsoft.graph
++
+Retrieve the [accessReviewInstance](../resources/accessreviewinstance.md) objects for a specific [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md). A list of zero or more **accessReviewInstance** objects are returned, including all of their nested properties. Returned objects do not include associated accessReviewInstanceDecisionItems. To retrieve the decisions on the instance, use [List accessReviewInstanceDecisionItem](accessreviewinstance-list-decisions.md).
+
+>[!NOTE]
+>The default page size for this API is 100 accessReviewInstance objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | AccessReview.Read.All, AccessReview.ReadWrite.All |
+|Application | AccessReview.Read.All, AccessReview.ReadWrite.All |
+
+The signed-in user must also be in a directory role that permits them to read an access review. To view just the instances that the signed-in user is assigned the reviewer on, see [List pending access review instances](accessreviewinstance-pendingaccessreviewinstances.md)
+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+GET /identityGovernance/accessReviews/definitions/{definition-id}/instances
+```
+
+## Optional query parameters
+This method supports `$select`, `$filter`, `$orderBy`, `$skip`, and `$top` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+None.
+
+## Request body
+Do not supply a request body.
+
+## Response
+If successful, this method returns a `200 OK` response code and an array of [accessReviewInstance](../resources/accessreviewinstance.md) objects in the response body.
+
+## Examples
+### Request
+The following example shows a request to retrieve all the access review instances for a definition.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessReviewInstance"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions/8564a649-4f67-4e09-88e7-55def6530e88/instances?$top=100&$skip=0
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewInstance",
+ "isCollection": "true"
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions('8564a649-4f67-4e09-88e7-55def6530e88')/instances",
+ "@odata.count": 2,
+ "value": [
+ {
+ "id": "7bc18cf4-3d70-4009-bc8e-a7c5adb30849",
+ "startDateTime": "2021-03-09T23:10:28.83Z",
+ "endDateTime": "2021-03-09T23:10:28.83Z",
+ "status": "Applied",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/v1.0/groups/f661fdd0-f0f7-42c0-8281-e89c6527ac63/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ },
+ {
+ "id": "f1f35945-3f42-4941-9f7b-465e545f6f99",
+ "startDateTime": "2021-03-09T23:10:28.83Z",
+ "endDateTime": "2021-03-09T23:10:28.83Z",
+ "status": "Applied",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/v1.0/groups/f4ac55b3-3b3c-417e-85bd-183bbda3ccf2/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ }
+ ]
+}
+```
+
+## See also
+
+- [List accessReviewScheduleDefinition](accessreviewset-list-definitions.md)
+- [Get accessReviewInstance](accessreviewinstance-get.md)
++
+<!--
+{
+ "type": "#page.annotation",
+ "description": "List accessReviewInstance",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Accessreviewset List Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewset-list-definitions.md
+
+ Title: "List definitions"
+description: "Retrieve accessReviewScheduleDefinition objects."
+ms.localizationpriority: medium
+++
+# List definitions
+
+Namespace: microsoft.graph
++
+Retrieve the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects. A list of zero or more accessReviewScheduleDefinition objects are returned, including all of their nested properties, for each access review series created. This does not include the associated accessReviewInstance objects.
+
+>[!NOTE]
+>The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | AccessReview.Read.All, AccessReview.ReadWrite.All |
+|Delegated (personal Microsoft account)|Not supported.|
+|Application | AccessReview.Read.All, AccessReview.ReadWrite.All |
+
+ The signed-in user must also be in a directory role that permits them to read an access review. See access review [role and application permission authorization checks](../resources/accessreviewsv2-overview.md#role-and-application-permission-authorization-checks).
+
+## HTTP request
+
+To list all your accessReviewScheduleDefinitions:
+
+<!-- { "blockType": "ignored" } -->
+```http
+GET /identityGovernance/accessReviews/definitions
+```
+
+## Optional query parameters
+This method supports the `$select`, `$top`, `$skip`, and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+### Use the $filter query parameter
+The `$filter` query parameter with the `contains` operator is supported on the **scope** property of accessReviewScheduleDefinition. Use the following format for the request:
+
+```http
+GET /identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, '{object}')
+```
+
+The value of `{object}` can be one of the following:
+
+|Value|Description|
+|: |: |
+|/groups |List every accessReviewScheduleDefinition on individual groups (excludes definitions scoped to all Microsoft 365 groups with guest users).|
+|/groups/{group id} |List every accessReviewScheduleDefinition on a specific group (excludes definitions scoped to all Microsoft 365 groups with guest users).|
+|./members |List every accessReviewScheduleDefinition scoped to all Microsoft 365 groups with guest users.|
+|accessPackageAssignments |List every accessReviewScheduleDefinition on an access package.|
+|roleAssignmentScheduleInstances |List every accessReviewScheduleDefinition for service principals assigned to a privileged role.|
+
+The `$filter` query parameter is not supported on **accessReviewInactiveUserQueryScope** or **principalResourceMembershipScope**.
++
+## Request headers
+None.
+
+## Request body
+Do not supply a request body.
+
+## Response
+If successful, this method returns a `200 OK` response code and an array of [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects in the response body.
+
+## Examples
+
+### Example 1: List the first one hundred access review definitions
+
+#### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessReviewScheduleDefinition"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions?$top=100&$skip=0
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition",
+ "isCollection": "true"
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "98dcebed-c7f6-46f4-bcf3-4a3fccdb3e2a",
+ "displayName": "Access Review",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/119cc181-22f0-4e18-8537-264e7524ee0b/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/119cc181-22f0-4e18-8537-264e7524ee0b",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 0,
+ "autoApplyDecisionsEnabled": false,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2020-09-11",
+ "endDate": "9999-12-31"
+ }
+ }
+ }
+ }
+ ]
+}
+```
++
+### Example 2: Retrieve all access review definitions scoped to all Microsoft 365 groups in a tenant
+
+#### Request
+The following example shows a request to retrieve all the access review series scoped to all Microsoft 365 groups in a tenant.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessReviewScheduleDefinition_allgroups"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, './members')
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition",
+ "isCollection": "true"
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "cc701697-762c-439a-81f5-f58d680fde76",
+ "displayName": "Review guest access across Microsoft 365 groups",
+ "status": "InProgress",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Recommendation",
+ "instanceDurationInDays": 25,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 3,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-04-27",
+ "endDate": "9999-12-31"
+ }
+ },
+ "applyActions": [
+ {
+ "@odata.type": "#microsoft.graph.removeAccessApplyAction"
+ }
+ ]
+ },
+ "instances@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions('cc701697-762c-439a-81f5-f58d680fde76')/instances",
+ "instances": []
+ }
+ ]
+}
+
+```
++
+## See also
+
+- [Get accessReviewScheduleDefinition](accessreviewscheduledefinition-get.md)
++
+<!--
+{
+ "type": "#page.annotation",
+ "description": "List accessReviewScheduleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Accessreviewset List Historydefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewset-list-historydefinitions.md
+
+ Title: "List historyDefinitions"
+description: "Get a list of the accessReviewHistoryDefinition objects."
+
+ms.localizationpriority: medium
++
+# List historyDefinitions
+Namespace: microsoft.graph
++
+Retrieve the [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) objects created in the last 30 days, including all nested properties.
+
+>[!NOTE]
+>The default page size for this API is 100 **accessReviewHistoryDefinitions** objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
+>
+>If no query parameters are provided and there are more than 100 results, Microsoft Graph will automatically paginate results at 100 results per page.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|AccessReview.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|AccessReview.ReadWrite.All|
+
+If the signed-in user is not a Global Admin directory role member or a Global Reader directory role member, only the definitions that the signed-in user created will be returned.
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/accessReviews/historyDefinitions
+```
+
+## Optional query parameters
+This method supports the `$top`, `$filter`, and `$skip` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessreviewhistorydefinition"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/accessReviews/historyDefinitions
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewHistoryDefinition",
+ "isCollection": "true"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.count": 1,
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewHistoryDefinition",
+ "id": "b2cb022f-b7e1-40f3-9854-c65a40861c38",
+ "displayName": "Last quarter's group reviews April 2021",
+ "reviewHistoryPeriodStartDateTime": "2021-01-01T00:00:00Z",
+ "reviewHistoryPeriodEndDateTime": "2021-04-05T00:00:00Z",
+ "decisions": [
+ "approve",
+ "deny",
+ "dontKnow",
+ "notReviewed",
+ "notNotified"
+ ],
+ "status": "done",
+ "createdDateTime": "2021-04-14T00:22:48.9392594Z",
+ "fulfilledDateTime": "2021-04-14T00:22:58.5276552Z",
+ "downloadUri": "https://contoso.com/df-erm-reports/Last quarter's group reviews April 2021-22be232e-a93d-42a3-8ac5-313cfd29a0eb.csv?sv=2015-04-05&ss=b&srt=o&sp=rl&st=2021-04-15T00:22:58.5276552Z&se=2021-03-23T19:41:38.0000000Z&spr=https&sig=84rlGCIgU4ToMn%2FFLncBXq95O8a8RsFlwQY1Knl%2Fo%2FI%3D",
+ "createdBy": {
+ "id": "957f1027-c0ee-460d-9269-b8444459e0fe",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, 'accessPackageAssignments')",
+ "queryRoot": null
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')",
+ "queryRoot": null
+ }
+ ]
+ }
+ ]
+}
+```
v1.0 Accessreviewset Post Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewset-post-definitions.md
+
+ Title: "Create definitions"
+description: "Create a new accessReviewScheduleDefinition object."
+ms.localizationpriority: medium
+++
+# Create definitions
+
+Namespace: microsoft.graph
++
+Create a new [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | AccessReview.ReadWrite.All |
+|Delegated (personal Microsoft account)|Not supported.|
+|Application | AccessReview.ReadWrite.All |
+
+The signed-in user must also be in a directory role that permits them to create an access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+POST /identityGovernance/accessReviews/definitions
+```
+## Request headers
+| Name | Description |
+|:-|:|
+|Authorization|Bearer {token}. Required.|
+| Content-type | application/json. Required. |
+
+## Request body
+In the request body, supply a JSON representation of an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+The following table shows the properties accepted to create an accessReview.
+
+| Property | Type | Description |
+|:-|:|:|
+| additionalNotificationRecipients |[accessReviewNotificationRecipientItem](../resources/accessReviewNotificationRecipientItem.md) collection| Defines the list of additional users or group members to be notified of the access review progress. |
+| descriptionForAdmins | String | Context of the review provided to admins. Required. |
+ descriptionForReviewers | String | Context of the review provided to reviewers in email notifications. Email notifications support up to 256 characters. Required. |
+| displayName | String | Name of access review series. Required.|
+| fallbackReviewers |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection|If provided, the fallback reviewers are asked to complete a review if the primary reviewers do not exist. For example, if managers are selected as `reviewers` and a principal under review does not have a manager in Azure AD, the fallback reviewers are asked to review that principal.|
+| instanceEnumerationScope | [accessReviewScope](../resources/accessreviewscope.md) | In the case of an all groups review, this determines the scope of which groups will be reviewed. See [accessReviewScope](../resources/accessreviewscope.md) and also learn how to [configure the scope of your access review definition](/graph/accessreviews-scope-concept).|
+| reviewers | [accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection | Defines who the reviewers are. If none are specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see [Assign reviewers to your access review definition using the Microsoft Graph API](/graph/accessreviews-reviewers-concept). |
+| scope | [accessReviewScope](../resources/accessreviewscope.md) | Defines the entities whose access is reviewed. See [accessReviewScope](../resources/accessreviewscope.md) and also learn how to [configure the scope of your access review definition](/graph/accessreviews-scope-concept). Required.|
+| settings | [accessReviewScheduleSettings](../resources/accessreviewschedulesettings.md)| The settings for an access review series. Recurrence is determined here. See [accessReviewScheduleSettings](../resources/accessreviewschedulesettings.md). |
+| backupReviewers (deprecated) |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection| This property has been replaced by **fallbackReviewers**. However, specifying either **backupReviewers** or **fallbackReviewers** automatically populates the same values to the other property. |
+
+## Response
+If successful, this method returns a `201 Created` response code and an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object in the response body.
+
+## Examples
+
+### Example 1: Create an access review on a group
+
+This is an example of creating an access review with the following settings:
++ The review reviews all members of a group, whose group **id** is `02f3bafb-448c-487c-88c2-5fd65ce49a41`.++ A specific user, whose user **id** is `398164b1-5196-49dd-ada2-364b49f99b27` is the reviewer.++ It recurs weekly and continues indefinitely.+
+#### Request
+In the request body, supply a JSON representation of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition"
+}-->
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Test create",
+ "descriptionForAdmins": "New scheduled access review",
+ "descriptionForReviewers": "If you have any questions, contact jerry@contoso.com",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "/users/398164b1-5196-49dd-ada2-364b49f99b27",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 1,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1
+ },
+ "range": {
+ "type": "noEnd",
+ "startDate": "2020-09-08T12:02:30.667Z"
+ }
+ }
+ }
+}
+```
+# [JavaScript](#tab/javascript)
+
+# [C#](#tab/csharp)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "29f2d16e-9ca6-4052-bbfe-802c48944448",
+ "displayName": "Test create",
+ "createdDateTime": "0001-01-01T00:00:00Z",
+ "lastModifiedDateTime": "0001-01-01T00:00:00Z",
+ "status": "NotStarted",
+ "descriptionForAdmins": "Test create",
+ "descriptionForReviewers": "Test create",
+ "instanceEnumerationScope": null,
+ "createdBy": {
+ "id": "957f1027-c0ee-460d-9269-b8444459e0fe",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/b74444cb-038a-4802-8fc9-b9d1ed0cf11f/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "/users/7eae986b-d425-48b2-adf2-3c777f4444f3",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 1,
+ "autoApplyDecisionsEnabled": false,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "noEnd",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2020-09-08",
+ "endDate": null
+ }
+ },
+ "applyActions": []
+ },
+ "additionalNotificationRecipients": []
+}
+```
+
+### Example 2: Create an access review on all teams with inactive guest users
+
+This is an example of creating an access review with the following settings:
++ The review reviews all teams with inactive guest users. The period of inactivity is 30 days from the start date of the access review.++ The group owners are the reviewers and fallback reviewers are assigned.++ It recurs on the third day of every quarter and continues indefinitely.++ **autoApplyDecisionsEnabled** is set to `true` with the **defaultDecision** set to `Deny`.+
+#### Request
+In the request body, supply a JSON representation of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition_inactiveguests_M365"
+}-->
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Review inactive guests on teams",
+ "descriptionForAdmins": "Control guest user access to our teams.",
+ "descriptionForReviewers": "Information security is everyone's responsibility. Review our access policy for more.",
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team')')",
+ "queryType": "MicrosoftGraph"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewInactiveUsersQueryScope",
+ "query": "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "inactiveDuration": "P30D"
+ },
+ "reviewers": [
+ {
+ "query": "./owners",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "recommendationsEnabled": true,
+ "instanceDurationInDays": 3,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "dayOfMonth": 5,
+ "interval": 3
+ },
+ "range": {
+ "type": "noEnd",
+ "startDate": "2020-05-04T00:00:00.000Z"
+ }
+ },
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Deny",
+ "autoApplyDecisionsEnabled": true
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions/$entity",
+ "id": "b0966e21-a01e-43c9-8f8b-9ba30ed5710a",
+ "displayName": "Review inactive guests on teams",
+ "createdDateTime": "2021-05-04T18:27:02.6719849Z",
+ "lastModifiedDateTime": "2021-05-04T18:27:24.0889623Z",
+ "status": "InProgress",
+ "descriptionForAdmins": "Control guest user access to our teams.",
+ "descriptionForReviewers": "Information security is everyone's responsibility. Review our access policy for more.",
+ "createdBy": {
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewInactiveUsersQueryScope",
+ "query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null,
+ "inactiveDuration": "P30D"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team'))&$count=true",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ },
+ "reviewers": [
+ {
+ "query": "./owners",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "backupReviewers": [],
+ "fallbackReviewers": [
+ {
+ "query": "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Deny",
+ "instanceDurationInDays": 3,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 3,
+ "month": 0,
+ "dayOfMonth": 5,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "noEnd",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-05-05",
+ "endDate": null
+ }
+ },
+ "applyActions": []
+ },
+ "additionalNotificationRecipients": []
+}
+```
+### Example 3: Create an access review of all users to an application
+
+This is an example of creating an access review with the following settings:
++ The review reviews user access to an application.++ The people managers are the reviewers and fallback reviewers are the members of a group.++ It recurs semi-annually and ends 1 year from the startDate.+
+#### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition_allusers_M365_AADRole"
+}-->
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Review employee access to LinkedIn",
+ "descriptionForAdmins": "Review employee access to LinkedIn",
+ "scope": {
+ "@odata.type": "#microsoft.graph.principalResourceMembershipsScope",
+ "principalScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/users",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "resourceScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae",
+ "queryType": "MicrosoftGraph"
+ }
+ ]
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "backupReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Recommendation",
+ "instanceDurationInDays": 180,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 6,
+ "dayOfMonth": 0
+ },
+ "range": {
+ "type": "numbered",
+ "startDate": "2021-05-05",
+ "endDate": "2022-05-05"
+ }
+ }
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions/$entity",
+ "id": "1f79f34b-8667-40d9-875c-893b630b3dec",
+ "scope": {
+ "@odata.type": "#microsoft.graph.principalResourceMembershipsScope",
+ "principalScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/users",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "resourceScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ]
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "backupReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "settings": {
+ "instanceDurationInDays": 180,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 6,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-05-05",
+ "endDate": "2022-05-05"
+ }
+ }
+ },
+ "additionalNotificationRecipients": []
+}
+```
+
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Create accessReviewScheduleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Accessreviewset Post Historydefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accessreviewset-post-historydefinitions.md
+
+ Title: "Create historyDefinitions"
+description: "Create a new accessReviewHistoryDefinition object."
+
+ms.localizationpriority: medium
++
+# Create historyDefinitions
+
+Namespace: microsoft.graph
++
+Create a new [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|AccessReview.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|AccessReview.ReadWrite.All|
+
+The signed-in user must also be in a directory role that permits them to read an access review to retrieve any data. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /identityGovernance/accessReviews/historyDefinitions
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+
+In the request body, supply a JSON representation of the [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) object.
+
+The following table shows the required properties used to create an [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md).
+
+|Property|Type|Description|
+|:|:|:|
+|displayName | String | Name for the access review history data collection. Required. |
+|reviewHistoryPeriodStartDateTime | DateTimeOffset | Timestamp, reviews starting on or after this date will be included in the fetched history data. Required. |
+|reviewHistoryPeriodEndDateTime | DateTimeOffset | Timestamp, reviews starting on or before this date will be included in the fetched history data. Required. |
+|scopes|[accessReviewQueryScope](../resources/accessreviewqueryscope.md) collection| Used to filter which reviews are included in the fetched history data. Fetches reviews whose scope matches with this provided scope. Required. <br> For more, see [Supported scope queries for accessReviewHistoryDefinition](#supported-scope-queries-for-accessreviewhistorydefinition). |
+
+### Supported scope queries for accessReviewHistoryDefinition
+
+The **scopes** property of [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) is based on **accessReviewQueryScope**, a resource that allows you to configure different resources in it's **query** property. These resources then represent the scope of the history definition and dictate the type of review history data that is included in the downloadable CSV file which is generated when the history definition is created.
+
+Use the following format for the **query** property:
+
+```http
+/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '{object}')
+```
+
+The value of `{object}` is one of the resources that can be configured in an **accessReviewScheduleDefinition**. For example, the following includes every accessReviewScheduleDefinition review result on individual groups (and excludes definitions scoped to all Microsoft 365 groups with guest users).
+
+```http
+/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')
+```
+
+For more supported values, see Use the [$filter query parameter on accessReviewScheduleDefinition](accessreviewset-list-definitions.md#use-the-filter-query-parameter).
+
+## Response
+
+If successful, this method returns a `201 Created` response code and an [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) object in the response body.
+
+## Examples
+
+The following example shows how to create an access review history definition scoped to access reviews on access packages and groups, running between the start date of 01/01/2021 and end date of 04/05/2021.
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessreviewhistorydefinition_from_"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/identityGovernance/accessReviews/historyDefinitions
+Content-Type: application/json
+
+{
+ "displayName": "Last quarter's group reviews April 2021",
+ "decisions": [
+ "approve",
+ "deny",
+ "dontKnow",
+ "notReviewed",
+ "notNotified"
+ ],
+ "reviewHistoryPeriodStartDateTime": "2021-01-01T00:00:00Z",
+ "reviewHistoryPeriodEndDateTime": "2021-04-05T00:00:00Z",
+ "scopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, 'accessPackageAssignments')",
+ "queryRoot": null
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')",
+ "queryRoot": null
+ }
+ ]
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewHistoryDefinition"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.accessReviewHistoryDefinition",
+ "id": "b2cb022f-b7e1-40f3-9854-c65a40861c38",
+ "displayName": "Last quarter's group reviews April 2021",
+ "reviewHistoryPeriodStartDateTime": "2021-01-01T00:00:00Z",
+ "reviewHistoryPeriodEndDateTime": "2021-04-05T00:00:00Z",
+ "decisions": [
+ "approve",
+ "deny",
+ "dontKnow",
+ "notReviewed",
+ "notNotified"
+ ],
+ "status": "requested",
+ "createdDateTime": "2021-04-14T00:22:48.9392594Z",
+ "fulfilledDateTime": null,
+ "downloadUri": null,
+ "createdBy": {
+ "id": "957f1027-c0ee-460d-9269-b8444459e0fe",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, 'accessPackageAssignments')",
+ "queryRoot": null
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "queryType": "MicrosoftGraph",
+ "query": "/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')",
+ "queryRoot": null
+ }
+ ]
+}
+```
v1.0 Appconsentapprovalroute List Appconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/appconsentapprovalroute-list-appconsentrequests.md
+
+ Title: "List appConsentRequests"
+description: "Retrieve appConsentRequest objects and their properties."
+
+ms.localizationpriority: medium
++
+# List appConsentRequests
+Namespace: microsoft.graph
++
+Retrieve [appConsentRequest](../resources/appconsentrequest.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All.|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/appConsent/appConsentRequests
+```
+
+## Optional query parameters
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [appConsentRequest](../resources/appconsentrequest.md) objects in the response body.
+
+## Example 1: List all appConsentRequests
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_appconsentrequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.appConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
+ "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
+ "appDisplayName": "Moodle",
+ "consentType": "Dynamic",
+ "pendingScopes": [],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('af330b30-dd59-4482-a848-0fd81b0438ed')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
+}
+```
+
+## Example 2: List all appConsentRequests with at least one userConsentRequest whose status is InProgress
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_appconsentrequest_userconsentrequest_InProgress"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests?$filter=userConsentRequests/any (u:u/status eq 'InProgress')
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.appConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
+ "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
+ "appDisplayName": "Moodle",
+ "consentType": "Dynamic",
+ "pendingScopes": [],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('af330b30-dd59-4482-a848-0fd81b0438ed')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
+}
+```
+
v1.0 Appconsentrequest List Userconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/appconsentrequest-list-userconsentrequests.md
+
+ Title: "List userConsentRequests"
+description: "Retrieve userConsentRequest objects and their properties."
+
+ms.localizationpriority: medium
++
+# List userConsentRequests
+Namespace: microsoft.graph
++
+Retrieve a collection of [userConsentRequest](../resources/userconsentrequest.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/appConsent/appConsentRequests/{id}/userConsentRequests
+```
+
+## Optional query parameters
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [userConsentRequest](../resources/userconsentrequest.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_userconsentrequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests/ee245379-e3bb-4944-a997-24115f0b8b5e/userConsentRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.userConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "reason": "I need access",
+ "status": "Completed",
+ "createdDateTime": "2019-10-18T19:07:19.7374554Z",
+ "createdBy": {
+ "user": {
+ "id": "db60ab61-caea-4889-a824-98de31ef31b5",
+ "displayName": "Alex Wilber",
+ "userPrincipalName": "AlexW@contoso.com",
+ "mail": "AlexW@contoso.com"
+ }
+ },
+ "approval@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests('acef2660-d194-4943-b927-4fe4fb5cb7e3')/approval/$entity",
+ "approval": {
+ "id": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "steps@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests('acef2660-d194-4943-b927-4fe4fb5cb7e3')/approval/steps",
+ "steps": [
+ {
+ "id": "f5a4ca4a-1316-4872-8112-993c55dab51e",
+ "displayName": null,
+ "reviewedDateTime": "2019-10-19T04:12:09.633Z",
+ "reviewResult": "Approve",
+ "status": "Completed",
+ "assignedToMe": true,
+ "justification": "Admin consent granted.",
+ "reviewedBy": {
+ "id": "00000001-0000-0000-c000-000000000000",
+ "displayName": "",
+ "userPrincipalName": "",
+ "mail": ""
+ }
+ }
+ ]
+ },
+ "approvalId": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "completedDateTime": null,
+ "customData": null
+ }
+ ]
+}
+```
v1.0 Approval Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/approval-get.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieves the properties of an [approval](../resources/approval.md) object. This call can be made by an approver, providing the identifier of the [access package assignment request](../resources/accesspackageassignmentrequest.md).
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieves the properties of an [approval](../resources/approval.md) object. This call can be made by an approver, providing the identifier of the [access package assignment request](../resources/accesspackageassignmentrequest.md).
## Permissions
v1.0 Approval List Steps https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/approval-list-steps.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), lists the [approvalStep](../resources/approvalstep.md) objects associated with an [approval](../resources/approval.md) object. This call can be made by an approver, providing the identifier of the [access package assignment request](../resources/accesspackageassignmentrequest.md).
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), lists the [approvalStep](../resources/approvalstep.md) objects associated with an [approval](../resources/approval.md) object. This call can be made by an approver, providing the identifier of the [access package assignment request](../resources/accesspackageassignmentrequest.md).
## Permissions
v1.0 Connectedorganization Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/connectedorganization-get.md
GET /identityGovernance/entitlementManagement/connectedOrganizations/{id}
## Optional query parameters
-This method supports some of the OData query parameters to help customize the response. For example, to retrieve only the identity sources, add `$select=identitySources`. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports the `$select` OData query parameter to help customize the response. For example, to retrieve only the identity sources, add `$select=identitySources`. For general information, see [OData query parameters](/graph/query-parameters).
## Request headers
v1.0 Entitlementmanagement List Accesspackageassignmentpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageassignmentpolicies.md
+
+ Title: "List accessPackageAssignmentPolicies"
+description: "Retrieve a list of accessPackageAssignmentPolicy objects."
+ms.localizationpriority: medium
+++
+# List accessPackageAssignmentPolicies
+
+Namespace: microsoft.graph
++
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) objects. If the delegated user is in a directory role, the resulting list includes all the assignment policies that the caller has access to read, across all catalogs and access packages. If the delegated user is an access package manager or catalog owner, they should instead retrieve the policies for the access packages they can read with [list accessPackages](entitlementmanagement-list-accesspackages.md) by including `$expand=accessPackageAssignmentPolicies` in the query.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter` and `$expand` OData query parameters to help customize the response. For example, to retrieve an access package assignment policy with a specified display name, include `$filter=displayName eq 'Employee sales support'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackageassignmentpolicies"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentPolicy",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "b2eba9a1-b357-42ee-83a8-336522ed6cbf",
+ "accessPackageId": "1b153a13-76da-4d07-9afa-c6c2b1f2e824",
+ "displayName": "All Users",
+ "description": "All users can request for access to the directory.",
+ "canExtend": false,
+ "durationInDays": 365,
+ "accessReviewSettings": null
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageAssignmentPolicies",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Accesspackageassignmentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageassignmentrequests.md
+
+ Title: "List accessPackageAssignmentRequests"
+description: "Retrieve a list of accessPackageAssignmentRequest objects."
+ms.localizationpriority: medium
+++
+# List accessPackageAssignmentRequests
+
+Namespace: microsoft.graph
++
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects. The resulting list includes all the assignment requests, current and well as expired, that the caller has access to read, across all catalogs and access packages.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$expand` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+### Example scenarios for using query parameters
+
+- To retrieve the access package of each request, include `$expand=accessPackage` in the query.
+- To retrieve only requests for a specific access package, include in the query a filter such as `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`.
+- To retrieve the resulting assignment, include `$expand=accessPackageAssignment` in the query.
+- To obtain more details on the requestor, include `$expand=requestor` in the query.
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request. The request URI includes `$filter` to only return requests in a particular state, and `$expand` to return details of the requestor and their connected organization as well.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackageassignmentrequests"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests?$expand=requestor($expand=connectedOrganization)&$filter=(requestState eq 'PendingApproval')
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "433dafca-5047-4614-95f7-a03510b1ded3",
+ "requestType": "UserAdd",
+ "requestState": "PendingApproval",
+ "createdDateTime": "2019-10-25T22:55:11.623Z",
+ "justification": "Need access",
+ "answers": [],
+ "requestor": {
+ "connectedOrganizationId": "c3c2adbc-a863-437f-9383-ee578665317d",
+ "id": "ba7ef0fb-e16f-474b-87aa-02815d061e67",
+ "displayName": "displayname",
+ "email": "displayname@example.com",
+ "type": "User",
+ "connectedOrganization": {
+ "id": "c3c2adbc-a863-437f-9383-ee578665317d",
+ "displayName": "example"
+ }
+ }
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageAssignmentRequests",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
v1.0 Entitlementmanagement List Accesspackageassignmentresourceroles https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageassignmentresourceroles.md
+
+ Title: "List accessPackageAssignmentResourceRoles"
+description: "Retrieve a list of accessPackageAssignmentResourceRole objects."
+ms.localizationpriority: medium
+++
+# List accessPackageAssignmentResourceRoles
+
+Namespace: microsoft.graph
++
+Retrieve a list of [accessPackageAssignmentResourceRole](../resources/accesspackageassignmentresourcerole.md) objects. The resulting list includes all the resource roles of all assignments that the caller has access to read, across all catalogs and access packages.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+For example, to retrieve only access package assignment resource roles for a particular user, you can include a query with a filter targeting the object ID of that user `?$expand=accessPackageSubject&$filter=accessPackageSubject/objectId+eq+'9b835e5c-bf18-4ad9-8556-9b1ea0019c6b'`.
++
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageAssignmentResourceRole](../resources/accesspackageassignmentresourcerole.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackageassignmentresourceroles"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentResourceRole",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "1bf101d2-4d9c-437f-bbf5-3d13d98f5479",
+ "originId": "originId-value",
+ "originSystem": "SharePointOnline",
+ "status": "Fulfilled"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageAssignmentResourceRoles",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Accesspackageassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageassignments.md
+
+ Title: "List accessPackageAssignments"
+description: "Retrieve a list of accesspackageassignment objects."
+ms.localizationpriority: medium
+++
+# List accessPackageAssignments
+
+Namespace: microsoft.graph
++
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects. For directory-wide administrators, the resulting list includes all the assignments, current and well as expired, that the caller has access to read, across all catalogs and access packages. If the caller is on behalf of a delegated user who is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
++
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageAssignments
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+### Example scenarios for using query parameters
+
+- If the caller is on behalf of a delegated user who is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
+- To return the target subject and access package, include `$expand=target,accessPackage`.
+- To retrieve only delivered assignments, you can include a query `$filter=assignmentState eq 'Delivered'`.
+- To retrieve only assignments for a particular user, you can include a query with assignments targeting the object ID of that user: `$expand=target&$filter=target/objectid+eq+'7deff43e-1f17-44ef-9e5f-d516b0ba11d4'`.
+- To retrieve only assignments for a particular user and a particular access package, you can include a query with assignments targeting that access package and the object ID of that user: `$expand=accessPackage,target&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea' and target/objectid eq '7deff43e-1f17-44ef-9e5f-d516b0ba11d4'`.
+- To retrieve only assignments resulting from a particular access package assignment policy, you can include a query for that policy: `$filter=accessPackageAssignmentPolicy/id eq 'd92ebb54-9b46-492d-ab7f-01f76767da7f'`.
+
+For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageAssignment](../resources/accesspackageassignment.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackageassignments"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignments
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignment",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "9bdae7b4-6ece-487b-9eb8-9679dbd67aa2",
+ "catalogId": "cc30dc98-6d3c-4fa0-bed8-fd76d0efd993",
+ "accessPackageId": "e3f47362-993f-4fcb-8a38-532ffca16150",
+ "assignmentPolicyId": "63ebd106-8116-40e7-a0ab-01ae475d11bb",
+ "targetId": "ab4291f6-66b7-42bf-b597-a05b29414f5c",
+ "assignmentStatus": "ExpiredNotificationTriggered",
+ "assignmentState": "Expired",
+ "isExtended": false,
+ "expiredDateTime": "2019-04-25T23:45:40.42Z"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageAssignments",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Accesspackagecatalogs https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackagecatalogs.md
+
+ Title: "List accessPackageCatalogs"
+description: "Retrieve a list of accessPackageCatalog objects."
+ms.localizationpriority: medium
+++
+# List accessPackageCatalogs
+
+Namespace: microsoft.graph
++
+Retrieve a list of [accessPackageCatalog](../resources/accesspackagecatalog.md) objects.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageCatalogs
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For example, to retrieve the access packages in each catalog, include `$expand=accessPackages` in the query. To search for access package catalogs with a particular name, include a filter such as `$filter=contains(tolower(displayName),'staff')` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageCatalog](../resources/accesspackagecatalog.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackagecatalogs"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageCatalogs
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageCatalog",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id":"360fa7de-90be-48dc-a2ce-fc40094a93dd",
+ "description":"Sample access package catalog",
+ "displayName":"Access package catalog for testing",
+ "isExternallyVisible":false,
+ "catalogType":"UserManaged",
+ "catalogStatus":"Published",
+ "createdDateTime":"2019-01-27T18:19:50.74Z",
+ "modifiedDateTime":"2019-01-27T18:19:50.74Z",
+ "createdBy":"TestGA@example.com",
+ "modifiedBy":"TestGA@example.com"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageCatalogs",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Accesspackageresourceenvironment https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageresourceenvironment.md
+
+ Title: "List accessPackageResourceEnvironments"
+description: "Retrieve a list of accessPackageResourceEnvironment objects."
+
+ms.localizationpriority: medium
++
+# List accessPackageResourceEnvironments
+Namespace: microsoft.graph
++
+Retrieve a list of [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|Not supported|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET identityGovernance/entitlementManagement/accessPackageResourceEnvironments?$filter=originSystem eq 'SharePointOnline'
+```
+
+## Query parameters
+
+This method requires the `$filter` [OData query parameter](/graph/query-parameters). You must apply `$filter` to retrieve the **originSystem** that's assigned the value `SharePointOnline`.
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accesspackageresourceenvironment"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceEnvironments?$filter=originSystem eq 'SharePointOnline'
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.accessPackageResourceEnvironment)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageResourceEnvironments",
+ "value": [
+ {
+ "id": "615f2218-678f-471f-a60a-02c2f4f80c57",
+ "displayName": "https://contoso.sharepoint.com/",
+ "description": "https://contoso.sharepoint.com/",
+ "originSystem": "SharePointOnline",
+ "originId": "https://contoso-admin.sharepoint.com/",
+ "isDefaultEnvironment": false,
+ "connectionInfo": {
+ "url": "https://contoso-admin.sharepoint.com/"
+ }
+ }
+ ]
+}
+```
+
v1.0 Entitlementmanagement List Accesspackageresourcerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackageresourcerequests.md
+
+ Title: "List accessPackageResourceRequests"
+description: "Retrieve a list of accessPackageResourceRequest objects."
+ms.localizationpriority: medium
+++
+# List accessPackageResourceRequests
+
+Namespace: microsoft.graph
++
+Retrieve a list of [accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) objects.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackageResourceRequests
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For example, to retrieve who requested the addition of a resource to a catalog, include `$expand=requestor` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackageresourcerequests"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "catalogId": "26ac0c0a-08bc-4a7b-a313-839f58044ba5",
+ "id": "1fe272f0-d463-42aa-a9a8-b07ab50a1c4d",
+ "isValidationOnly": false,
+ "justification": "String",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled",
+ "requestType": "AdminAdd"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackageResourceRequests",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Accesspackages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-accesspackages.md
+
+ Title: "List accessPackages"
+description: "Retrieve a list of accessPackage objects."
+ms.localizationpriority: medium
+++
+# List accessPackages
+
+Namespace: microsoft.graph
++
+Retrieve a list of [accessPackage](../resources/accesspackage.md) objects. The resulting list includes all the access packages that the caller has access to read, across all catalogs.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /identityGovernance/entitlementManagement/accessPackages
+```
+
+## Optional query parameters
+
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For example, to retrieve the access package policies for each access package, add `$expand=accessPackageAssignmentPolicies`. To search for access packages with a particular name, include a filter such as `$filter=contains(tolower(displayName),'team')` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer \{token\}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackage](../resources/accesspackage.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_accesspackages"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackage",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id":"360fa7de-90be-48dc-a2ce-fc40094a93dd",
+ "description":"Sample access package",
+ "displayName":"Access package for testing",
+ "isHidden":false,
+ "catalogId":"662d99e7-6ceb-4c21-9cb4-9b0bbfdefccc",
+ "isRoleScopesVisible":false,
+ "createdDateTime":"2019-01-27T18:19:50.74Z",
+ "modifiedDateTime":"2019-01-27T18:19:50.74Z",
+ "createdBy":"TestGA@example.com",
+ "modifiedBy":"TestGA@example.com"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List accessPackages",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement List Connectedorganizations https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-list-connectedorganizations.md
+
+ Title: "List connectedOrganizations"
+description: "Retrieve a list of connectedOrganization objects."
+
+ms.localizationpriority: medium
++
+# List connectedOrganizations
+
+Namespace: microsoft.graph
++
+Retrieve a list of [connectedOrganization](../resources/connectedorganization.md) objects.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/entitlementManagement/connectedOrganizations
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` of the OData query parameters to help customize the response. For example, to retrieve only the connected organizations with a specific display name, add `$filter=displayName eq 'Name'`. Similarly, to retrieve only the connected organizations with an identity source of a specific tenant, add `$filter=identitySources/any(is:is/microsoft.graph.azureActiveDirectoryTenant/tenantId eq '72f988bf-86f1-41af-91ab-2d7cd011db47')`. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [connectedOrganization](../resources/connectedorganization.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_connectedorganizations"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/connectedOrganizations
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "collection(microsoft.graph.connectedOrganization)"
+}
+-->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "id": "cd3709c6-be6a-4725-bd07-50f90ccca93f",
+ "displayName": "Wingtip Toys",
+ "description": "Wingtip Toys",
+ "createdBy": "admin@contoso.com",
+ "createdDateTime": "2020-05-13T15:18:04.81Z",
+ "modifiedBy": "admin@contoso.com",
+ "modifiedDateTime": "2020-05-13T15:18:04.81Z",
+ "identitySources": [
+ {
+ "@odata.type": "#microsoft.graph.azureActiveDirectoryTenant",
+ "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e",
+ "displayName": "Wingtip Toys Co"
+ }
+ ]
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List connectedOrganizations",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement Post Accesspackageassignmentpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-accesspackageassignmentpolicies.md
+
+ Title: "Create accessPackageAssignmentPolicy"
+description: "Use this API to create a new accessPackageAssignmentPolicy."
+ms.localizationpriority: medium
+++
+# Create accessPackageAssignmentPolicy
+
+Namespace: microsoft.graph
++
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), create a new [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer \{token\}. Required. |
+| Content-Type | application/json. Required. |
+
+## Request body
+
+In the request body, supply a JSON representation of an [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) object.
+
+## Response
+
+If successful, this method returns a 200-series response code and a new [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) object in the response body.
+
+## Examples
+
+### Example 1: Create a direct assignment policy
+
+A direct assignment policy is useful when access package assignment requests will only be created by an administrator, not by users themselves.
+
+#### Request
+
+The following example shows a request to create an access package assignment policy. In this policy, no users can request, no approval is required, and there are no access reviews.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentpolicy_from_accesspackageassignmentpolicies"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+Content-type: application/json
+
+{
+ "accessPackageId": "56ff43fd-6b05-48df-9634-956a777fce6d",
+ "displayName": "direct",
+ "description": "direct assignments by administrator",
+ "accessReviewSettings": null,
+ "requestorSettings": {
+ "scopeType": "NoSubjects",
+ "acceptRequests": true,
+ "allowedRequestors": []
+ },
+ "requestApprovalSettings": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": false,
+ "approvalMode": "NoApproval",
+ "approvalStages": []
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentPolicy"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "4c02f928-7752-49aa-8fc8-e286d973a965",
+ "accessPackageId": "56ff43fd-6b05-48df-9634-956a777fce6d",
+ "displayName": "direct",
+ "description": "direct assignments by administrator"
+}
+```
+
+### Example 2: Create a policy for users from other organizations to request
+
+The following example shows a more complex policy with two-stage approvals and access reviews.
+
+#### Request
+
+The following is an example of the request to create an access package assignment policy.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentpolicy_from_accesspackageassignmentpolicies_multistage"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+Content-type: application/json
+
+{
+ "accessPackageId": "string (identifier)",
+ "displayName": "Users from connected organizations can request",
+ "description": "Allow users from configured connected organizations to request and be approved by their sponsors",
+ "canExtend": false,
+ "durationInDays": 365,
+ "expirationDateTime": null,
+ "requestorSettings": {
+ "scopeType": "AllExistingConnectedOrganizationSubjects",
+ "acceptRequests": true,
+ "allowedRequestors": []
+ },
+ "requestApprovalSettings": {
+ "isApprovalRequired": true,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "Serial",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 14,
+ "isApproverJustificationRequired": true,
+ "isEscalationEnabled": true,
+ "escalationTimeInMinutes": 11520,
+ "primaryApprovers": [
+ {
+ "@odata.type": "#microsoft.graph.groupMembers",
+ "isBackup": true,
+ "id": "string (identifier)",
+ "description": "group for users from connected organizations which have no external sponsor"
+ },
+ {
+ "@odata.type": "#microsoft.graph.externalSponsors",
+ "isBackup": false
+ }
+ ],
+ "escalationApprovers": [
+ {
+ "@odata.type": "#microsoft.graph.singleUser",
+ "isBackup": true,
+ "id": "string (identifier)",
+ "description": "user if the external sponsor does not respond"
+ }
+ ]
+ },
+ {
+ "approvalStageTimeOutInDays": 14,
+ "isApproverJustificationRequired": true,
+ "isEscalationEnabled": true,
+ "escalationTimeInMinutes": 11520,
+ "primaryApprovers": [
+ {
+ "@odata.type": "#microsoft.graph.groupMembers",
+ "isBackup": true,
+ "id": "string (identifier)",
+ "description": "group for users from connected organizations which have no internal sponsor"
+ },
+ {
+ "@odata.type": "#microsoft.graph.internalSponsors",
+ "isBackup": false
+ }
+ ],
+ "escalationApprovers": [
+ {
+ "@odata.type": "#microsoft.graph.singleUser",
+ "isBackup": true,
+ "id": "string (identifier)",
+ "description": "user if the internal sponsor does not respond"
+ }
+ ]
+ }
+ ]
+ },
+ "accessReviewSettings": {
+ "isEnabled": true,
+ "recurrenceType": "quarterly",
+ "reviewerType": "Self",
+ "startDateTime": "2020-04-01T07:59:59.998Z",
+ "durationInDays": 25,
+ "reviewers": []
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentPolicy"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "4c02f928-7752-49aa-8fc8-e286d973a965",
+ "accessPackageId": "string (identifier)",
+ "displayName": "Users from connected organizations can request",
+ "description": "Allow users from configured connected organizations to request and be approved by their sponsors"
+}
+```
+
+### Example 3: Create assignment policy with questions
+
+Questions configured in an assignment policy will be asked to requestors in scope of the policy. Their answers will be shown to their approvers. Question IDs are read-only and are included in the response by default.
+
+#### Request
+
+The following example shows a request to create an access package assignment policy.
+++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentpolicy_from_accesspackageassignmentpolicies_questions"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
+Content-type: application/json
+
+{
+ "accessPackageId": "b2eba9a1-b357-42ee-83a8-336522ed6cbf",
+ "displayName": "Users from connected organizations can request",
+ "description": "Allow users from configured connected organizations to request and be approved by their sponsors",
+ "canExtend": false,
+ "durationInDays": 365,
+ "expirationDateTime": null,
+ "requestorSettings": {
+ "scopeType": "AllExistingConnectedOrganizationSubjects",
+ "acceptRequests": true
+ },
+ "requestApprovalSettings": {
+ "isApprovalRequired": true,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [{
+ "approvalStageTimeOutInDays": 14,
+ "isApproverJustificationRequired": true,
+ "isEscalationEnabled": false,
+ "escalationTimeInMinutes": 11520,
+ "primaryApprovers": [{
+ "@odata.type": "#microsoft.graph.groupMembers",
+ "isBackup": true,
+ "id": "d2dcb9a1-a445-42ee-83a8-476522ed6cbf",
+ "description": "group for users from connected organizations which have no external sponsor"
+ },
+ {
+ "@odata.type": "#microsoft.graph.externalSponsors",
+ "isBackup": false
+ }
+ ]
+ }
+ ]
+ },
+ "questions": [{
+ "isRequired": false,
+ "text": {
+ "defaultText": "what state are you from?",
+ "localizedTexts": [{
+ "text": "¿De qué estado eres?",
+ "languageCode": "es"
+ }]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
+ "choices": [{
+ "actualValue": "AZ",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "Arizona",
+ "languageCode": "es"
+ }]
+ }
+ }, {
+ "actualValue": "CA",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "California",
+ "languageCode": "es"
+ }]
+ }
+ }, {
+ "actualValue": "OH",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "Ohio",
+ "languageCode": "es"
+ }]
+ }
+ }],
+ "allowsMultipleSelection": false
+ }, {
+ "isRequired": false,
+ "text": {
+ "defaultText": "Who is your manager?",
+ "localizedTexts": [{
+ "text": "por qué necesita acceso a este paquete",
+ "languageCode": "es"
+ }]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
+ "isSingleLineQuestion": false
+ }]
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentPolicy"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "4c02f928-7752-49aa-8fc8-e286d973a965",
+ "accessPackageId": "string (identifier)",
+ "displayName": "Users from connected organizations can request",
+ "description": "Allow users from configured connected organizations to request and be approved by their sponsors",
+ "questions": [{
+ "id" : "BD3F6B95-458D-4BC8-A9A6-8D4B29F64F3D",
+ "isRequired": false,
+ "text": {
+ "defaultText": "what state are you from?",
+ "localizedTexts": [{
+ "text": "¿De qué estado eres?",
+ "languageCode": "es"
+ }]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
+ "choices": [{
+ "actualValue": "AZ",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "Arizona?",
+ "languageCode": "es"
+ }]
+ }
+ }, {
+ "actualValue": "CA",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "California",
+ "languageCode": "es"
+ }]
+ }
+ }, {
+ "actualValue": "OH",
+ "displayValue": {
+ "localizedTexts": [{
+ "text": "Ohio",
+ "languageCode": "es"
+ }]
+ }
+ }],
+ "allowsMultipleSelection": false
+ }, {
+ "id" : "F652C13C-A660-4E4C-A1E0-CE9FEC6EE57A",
+ "isRequired": false,
+ "text": {
+ "defaultText": "Who is your manager?",
+ "localizedTexts": [{
+ "text": "por qué necesita acceso a este paquete",
+ "languageCode": "es"
+ }]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
+ "isSingleLineQuestion": false
+ }]
+}
+```
++
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create accessPackageAssignmentPolicy",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement Post Accesspackageassignmentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-accesspackageassignmentrequests.md
+
+ Title: "Create accessPackageAssignmentRequest"
+description: "Create a new accessPackageAssignmentRequest."
+ms.localizationpriority: medium
+++
+# Create accessPackageAssignmentRequest
+
+Namespace: microsoft.graph
++
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), create a new [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object. This operation is used to assign a user to an access package, or to remove an access package assignment.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer \{token\}. Required. |
+| Content-Type | application/json. Required. |
+
+## Request body
+
+In the request body, supply a JSON representation of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
+
+For an administrator to request to create an assignment for a user, the value of the **requestType** property is `AdminAdd`, and the **accessPackageAssignment** property contains the `targetId` of the user being assigned, the **assignmentPolicyId** property identifying the [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md), and the **accessPackageId** property identifying the [accessPackage](../resources/accesspackage.md).
+
+For an administrator to request to remove an assignment, the value of the **requestType** property is `AdminRemove`, and the **accessPackageAssignment** property contains the **id** property identifying the [accessPackageAssignment](../resources/accesspackageassignment.md) being removed.
+
+For a non-administrator user to request to create their own assignment for either a first assignment or renew assignment, the value of the **requestType** property is `UserAdd`. The **accessPackageAssignment** property contains the `targetId` with the `id` of the users. The **assignmentPolicyId** property identifies the [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md). The **accessPackageId** property identifies the [accessPackage](../resources/accesspackage.md). The user making the request must already exist in the directory.
+
+For a non-administrator user to request to extend their own assignments, the value of the **requestType** property is `UserExtend`. The **accessPackageAssignment** property contains the `targetId` with the `id` of the users. The **assignmentPolicyId** property identifies the [accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md). The **accessPackageId** property identifies the [accessPackage](../resources/accesspackage.md). The user making the request must already exist in the directory.
+
+## Response
+
+If successful, this method returns a 200-series response code and a new [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object in the response body.
+
+If this is an `AdminAdd` request, then subsequently an [accessPackageAssignment](../resources/accesspackageassignment.md) and, if needed, an [accessPackageSubject](../resources/accesspackagesubject.md) are also created. You can locate those using the query parameters when [listing accessPackageAssignments](entitlementmanagement-list-accesspackageassignments.md).
+
+## Examples
+### Example 1: Admin requests a direct assignment for a user already in the directory
+#### Request
+
+The following is an example of the request for a direct assignment, in which the administrator is requesting the creation of an assignment for the user. Because the [accessPackageSubject](../resources/accesspackagesubject.md) might not yet exist, the value of the **targetID** is the object ID of the user being assigned, the value of the **accessPackageId** is the desired access package for that user, and the value of **assignmentPolicyId** is a direct assignment policy in that access package.
+
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_1"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+Content-type: application/json
+
+{
+ "requestType": "AdminAdd",
+ "accessPackageAssignment":{
+ "targetId":"46184453-e63b-4f20-86c2-c557ed5d5df9",
+ "assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
+ "accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+
+ "id": "7e382d02-4454-436b-b700-59c7dd77f466",
+ "requestType": "AdminAdd",
+ "requestState": "Submitted",
+ "requestStatus": "Accepted",
+ "isValidationOnly": false
+}
+```
+
+### Example 2: User requests a package and answers questions for approval
+#### Request
+
+The following is an example of a request where the requestor provided answers to the approver to help them make their decision.
+
+++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_2"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+Content-type: application/json
+
+{
+ "requestType": "UserAdd",
+ "accessPackageAssignment": {
+ "targetId": "46184453-e63b-4f20-86c2-c557ed5d5df9",
+ "assignmentPolicyId": "2264bf65-76ba-417b-a27d-54d291f0cbc8",
+ "accessPackageId": "a914b616-e04e-476b-aa37-91038f0b165b"
+ },
+ "answers": [
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAnswerString",
+ "value": "Arizona",
+ "answeredQuestion": {
+ "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
+ "id": "A714EC6F-4EE0-4614-BD81-37E0C5ECBBFF"
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAnswerString",
+ "value": "Need access to marketing campaign material",
+ "answeredQuestion": {
+ "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
+ "id": "AA615EE9-D9D8-4C03-BE91-BEE37106DEDA"
+ }
+ }
+ ]
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "7e382d02-4454-436b-b700-59c7dd77f466",
+ "requestType": "UserAdd",
+ "requestState": "Submitted",
+ "requestStatus": "Accepted",
+ "isValidationOnly": false,
+ "answers": [
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAnswerString",
+ "value": "Arizona",
+ "answeredQuestion": {
+ "id": "A714EC6F-4EE0-4614-BD81-37E0C5ECBBFF",
+ "isRequired": false,
+ "text": {
+ "defaultText": "what state are you from?",
+ "localizedTexts": [
+ {
+ "text": "¿De qué estado eres?",
+ "languageCode": "es"
+ }
+ ]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
+ "choices": [
+ {
+ "actualValue": "AZ",
+ "displayValue": {
+ "localizedTexts": [
+ {
+ "text": "Arizona",
+ "languageCode": "es"
+ }
+ ]
+ }
+ },
+ {
+ "actualValue": "CA",
+ "displayValue": {
+ "localizedTexts": [
+ {
+ "text": "California",
+ "languageCode": "es"
+ }
+ ]
+ }
+ },
+ {
+ "actualValue": "OH",
+ "displayValue": {
+ "localizedTexts": [
+ {
+ "text": "Ohio",
+ "languageCode": "es"
+ }
+ ]
+ }
+ }
+ ],
+ "allowsMultipleSelection": false
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAnswerString",
+ "value": "Need access to marketing campaign material",
+ "answeredQuestion": {
+ "id": "AA615EE9-D9D8-4C03-BE91-BEE37106DEDA",
+ "isRequired": false,
+ "text": {
+ "defaultText": "Who is your manager?",
+ "localizedTexts": [
+ {
+ "text": "por qué necesita acceso a este paquete",
+ "languageCode": "es"
+ }
+ ]
+ },
+ "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
+ "isSingleLineQuestion": false
+ }
+ }
+ ]
+}
+```
+### Example 3: Request a package and provide a justification
+#### Request
+
+The following example shows how to request an access package and provide justification to the approver.
+
++
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+Content-type: application/json
+
+{
+ "requestType": "UserAdd",
+ "accessPackageAssignment": {
+ "accessPackageId": "a914b616-e04e-476b-aa37-91038f0b165b"
+ },
+ "justification":"Need access to New Hire access package"
+}
+```
+
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "813bbc6b-31f5-4cdf-8fed-1ba4284a1e3f",
+ "requestType": "UserAdd",
+ "requestState": "Submitted",
+ "requestStatus": "Accepted",
+ "isValidationOnly": false,
+ "expirationDateTime": null,
+ "justification": "Requested for the new task.",
+ "answers": [],
+ "schedule": {
+ "startDateTime": null,
+ "recurrence": null,
+ "expiration": {
+ "endDateTime": null,
+ "duration": null,
+ "type": null
+ }
+ }
+}
+```
+
+### Example 4: Remove an assignment
+
+To remove assignments, create a new accessPackageAssignmentRequest object with the following settings:
+++ The value of the **requestType** property set to `AdminRemove`.++ In the accessPackageAssignment property, include a list with the identifier of the accessPackageAssignment objects to delete.+
+#### Request
+
+The following example shows how to remove an assignment.
++
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+Content-type: application/json
+
+{
+ "requestType": "AdminRemove",
+ "accessPackageAssignment":{
+ "id": "a6bb6942-3ae1-4259-9908-0133aaee9377"
+ }
+}
+```
+
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentRequests/$entity",
+
+ "id": "78eaee8c-e6cf-48c9-8f99-aae44c35e379",
+ "requestType": "AdminRemove",
+ "requestState": "Submitted",
+ "requestStatus": "Accepted"
+}
+```
+
+### Example 5: Admin requests a direct assignment for a user not yet in the directory
+#### Request
+
+The following is an example of the request for a direct assignment, in which the administrator is requesting the creation of an assignment for the user, for a user who does not exist in the directory. The value of the **accessPackageId** is the desired access package for that user, and the value of **assignmentPolicyId** is a direct assignment policy in that access package.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_5"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
+Content-type: application/json
+
+{
+ "requestType": "AdminAdd",
+ "accessPackageAssignment":{
+ "target": {
+ "email": "user@contoso.com"
+ },
+ "assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
+ "accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageAssignmentRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+
+ "id": "7e382d02-4454-436b-b700-59c7dd77f466",
+ "requestType": "AdminAdd",
+ "requestState": "Submitted",
+ "requestStatus": "Accepted",
+ "isValidationOnly": false
+}
+```
++
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create accessPackageAssignmentRequest",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement Post Accesspackagecatalogs https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-accesspackagecatalogs.md
+
+ Title: "Create accessPackageCatalog"
+description: "Create a new accessPackageCatalog."
+ms.localizationpriority: medium
+++
+# Create accessPackageCatalog
+
+Namespace: microsoft.graph
++
+Create a new [accessPackageCatalog](../resources/accesspackagecatalog.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /identityGovernance/entitlementManagement/accessPackageCatalogs
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer \{token\}. Required. |
+| Content-Type | application/json |
+
+## Request body
+
+In the request body, supply a JSON representation of an [accessPackageCatalog](../resources/accesspackagecatalog.md) object. Include the **displayname**, **description**, and **isExternallyVisible** properties.
+
+## Response
+
+If successful, this method returns a 200-series response code and a new [accessPackageCatalog](../resources/accesspackagecatalog.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackagecatalog_from_accesspackagecatalogs"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageCatalogs
+Content-type: application/json
+
+{
+ "displayName": "sales",
+ "description": "for employees working with sales and outside sales partners",
+ "isExternallyVisible": true
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageCatalog"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "cc30dc98-6d3c-4fa0-bed8-fd76d0efd993",
+ "displayName": "sales",
+ "description": "for employees working with sales and outside sales partners",
+ "catalogType": "UserManaged",
+ "catalogStatus": "Published",
+ "isExternallyVisible": true
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create accessPackageCatalog",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement Post Accesspackageresourcerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-accesspackageresourcerequests.md
+
+ Title: "Create accessPackageResourceRequest"
+description: "Create a new accessPackageResourceRequest."
+ms.localizationpriority: medium
+++
+# Create accessPackageResourceRequest
+
+Namespace: microsoft.graph
++
+Create a new [accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) object to request the addition of a resource to an access package catalog, or the removal of a resource from a catalog. A resource must be included in an access package catalog before the role of that resource can be added to an access package.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | Not supported. |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /identityGovernance/entitlementManagement/accessPackageResourceRequests
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token}. Required. |
+| Content-Type | application/json. Required. |
+
+## Request body
+
+In the request body, supply a JSON representation of an [accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) object. Include the `accessPackageResource` relationship with an [accessPackageResource](../resources/accesspackageresource.md) object as part of the request.
+
+To add an Azure AD group as a resource to a catalog, set the **catalogId** to be of the ID of the catalog, **requestType** to be `AdminAdd`, and an `accessPackageResource` representing the resource. The value of the **originSystem** property within the `accessPackageResource` should be `AadGroup` and the value of the **originId** is the identifier of the group.
+
+To remove an Azure AD app from a catalog, set the **catalogId** to be of the ID of the catalog, **requestType** to be `AdminRemove`, and the `accessPackageResource` the resource object to be removed. The resource object can be retrieved using [list accessPackageResources](accesspackagecatalog-list-accesspackageresources.md).
+
+To assign the geolocation environment for a multi-geolocation Sharepoint Online resource, include the **accessPackageResourceEnvironment** relationship in the `accessPackageResource` object. This can be done in two ways:
++ Use `@odata.bind` annotation to assign the `id` of the `accessPackageResourceEnvironment` to an `accessPackageResourceEnvironment` object.++ Specify the `originId` parameter of the `accessPackageResourceEnvironment` in an `accessPackageResourceEnvironment` object.++
+## Response
+
+If successful, this method returns a `201 Created` response code and a new [accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) object in the response body.
+
+## Examples
+
+### Example 1: Create an accessPackageResourceRequest for adding a site as a resource
+
+#### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+ "catalogId":"26ac0c0a-08bc-4a7b-a313-839f58044ba5",
+ "requestType": "AdminAdd",
+ "justification": "",
+ "accessPackageResource": {
+ "displayName": "Sales",
+ "description": "https://contoso.sharepoint.com/sites/Sales",
+ "url": "https://contoso.sharepoint.com/sites/Sales",
+ "resourceType": "SharePoint Online Site",
+ "originId": "https://contoso.sharepoint.com/sites/Sales",
+ "originSystem": "SharePointOnline"
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "catalogId": "26ac0c0a-08bc-4a7b-a313-839f58044ba5",
+ "id": "1fe272f0-d463-42aa-a9a8-b07ab50a1c4d",
+ "isValidationOnly": false,
+ "justification": "",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled",
+ "requestType": "AdminAdd"
+}
+```
+
+### Example 2: Create an accessPackageResourceRequest for adding a site as a resource and assign an accessPackageResourceEnvironment using @odata.bind
+
+#### Request
+
+The following is an example of the request. In this example, the `@odata.bind` annotation is used to assign the `id` of the `accessPackageResourceEnvironment` to an `accessPackageResourceEnvironment` object.
+++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests_with_accessPackageResourceEnvironment"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+ "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
+ "accessPackageResource": {
+ "displayName": "Community Outreach",
+ "description": "https://contoso.sharepoint.com/sites/CSR",
+ "resourceType": "SharePoint Online Site",
+ "originId": "https://contoso.sharepoint.com/sites/CSR",
+ "originSystem": "SharePointOnline",
+ "accessPackageResourceEnvironment@odata.bind": "accessPackageResourceEnvironments/615f2218-678f-471f-a60a-02c2f4f80c57"
+ },
+ "requestType": "AdminAdd"
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": false,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageResourceRequests/$entity",
+ "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
+ "executeImmediately": false,
+ "id": "d3f800d5-0dd6-47f3-9e90-ef562c7551dc",
+ "requestType": "AdminAdd",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled",
+ "isValidationOnly": false,
+ "expirationDateTime": null,
+ "justification": null
+}
+```
+
+### Example 3: Create an accessPackageResourceRequest for adding a site as a resource and assign an accessPackageResourceEnvironment using originId
+
+#### Request
+
+The following is an example of the request. In this example, the parameters of an `accessPackageResourceEnvironment` are specified in an `accessPackageResourceEnvironment` object.
+++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests_with_accessPackageResourceEnvironment_New"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+ "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
+ "accessPackageResource": {
+ "displayName": "Community Outreach",
+ "description": "https://contoso.sharepoint.com/sites/CSR",
+ "resourceType": "SharePoint Online Site",
+ "originId": "https://contoso.sharepoint.com/sites/CSR",
+ "originSystem": "SharePointOnline",
+ "accessPackageResourceEnvironment": {
+ "originId": "https://contoso-admin.sharepoint.com/"
+ }
+ },
+ "requestType": "AdminAdd"
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": false,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageResourceRequests/$entity",
+ "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
+ "executeImmediately": false,
+ "id": "eadf3fbb-668c-4c3a-8d84-7c8bd73dc3e4",
+ "requestType": "AdminAdd",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled",
+ "isValidationOnly": false,
+ "expirationDateTime": null,
+ "justification": null
+}
+```
+
+### Example 4: Create an accessPackageResourceRequest for adding a group as a resource
+
+#### Request
+
+The following is an example of the request.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests4"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+
+ "catalogId":"beedadfe-01d5-4025-910b-84abb9369997",
+ "requestType": "AdminAdd",
+ "accessPackageResource": {
+ "originId": "c6294667-7348-4f5a-be73-9d2c65f574f3",
+ "originSystem": "AadGroup"
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
+ "id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
+ "requestType": "AdminAdd",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled"
+}
+```
+
+### Example 5: Create an accessPackageResourceRequest for removing a resource
+
+#### Request
+
+The following is an example of the request.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests5"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+ "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
+ "requestType": "AdminRemove",
+ "accessPackageResource": {
+ "id": "354078e5-dbce-4894-8af4-0ab274d41662"
+ }
+}
+
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
+ "id": "65c3340d-defb-49a9-8930-63841fda0e68",
+ "requestType": "AdminRemove",
+ "requestState": "Delivered",
+ "requestStatus": "Fulfilled"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create accessPackageResourceRequest",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
v1.0 Entitlementmanagement Post Accesspackages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-accesspackages.md
+
+ Title: "Create accessPackage"
+description: "Create a new accessPackage."
+ms.localizationpriority: medium
+++
+# Create accessPackage
+
+Namespace: microsoft.graph
++
+Create a new [accessPackage](../resources/accesspackage.md) object.
+
+The access package will be added to an existing [accessPackageCatalog](../resources/accesspackagecatalog.md). After the access package is created, you can then create [accessPackageAssignmentPolicies](../resources/accesspackageassignmentpolicy.md) which specify how users are assigned to the access package.
++
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /identityGovernance/entitlementManagement/accessPackages
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer \{token\}. Required. |
+| Content-type | application/json. Required. |
+
+## Request body
+
+In the request body, supply a JSON representation of an [accessPackage](../resources/accesspackage.md) object.
+
+## Response
+
+If successful, this method returns a 201 Created response code and a new [accessPackage](../resources/accesspackage.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of the request.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accesspackage_from_accesspackages"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages
+Content-type: application/json
+
+{
+ "catalogId": "aa2f6514-3232-46e7-a08a-2411ad8d7128",
+ "displayName": "sales reps",
+ "description": "outside sales representatives"
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessPackage"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "56ff43fd-6b05-48df-9634-956a777fce6d",
+ "catalogId": "aa2f6514-3232-46e7-a08a-2411ad8d7128",
+ "displayName": "sales reps",
+ "description": "outside sales representatives",
+ "isHidden": false,
+ "isRoleScopesVisible": false
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create accessPackage",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Entitlementmanagement Post Connectedorganizations https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/entitlementmanagement-post-connectedorganizations.md
+
+ Title: "Create connectedOrganization"
+description: "Create a new connectedOrganization."
+
+ms.localizationpriority: medium
++
+# Create connectedOrganization
+
+Namespace: microsoft.graph
++
+Create a new [connectedOrganization](../resources/connectedorganization.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+| Delegated (work or school account) | EntitlementManagement.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | EntitlementManagement.ReadWrite.All |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+```http
+POST /identityGovernance/entitlementManagement/connectedOrganizations
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+In the request body, supply a JSON representation of the [connectedOrganization](../resources/connectedorganization.md) object.
+
+The following table shows the properties that are required when you create the [connectedOrganization](../resources/connectedorganization.md).
+
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|The connected organization name. |
+|description|String|The connected organization description.|
+|identitySources|[identitySource](../resources/identitysource.md) collection|A collection with one element, the initial identity source in this connected organization.|
+|state|connectedOrganizationState|The state of a connected organization defines whether assignment policies with requestor scope type `AllConfiguredConnectedOrganizationSubjects` are applicable or not. Possible values are: `configured`, `proposed`.|
+
+The single member of the identitySources collection should be of either the [domainIdentitySource](../resources/domainidentitysource.md) or [externalDomainFederation](../resources/externaldomainfederation.md) type. If the caller provides a domainIdentitySource, the call is successful, and the domain corresponds to a registered domain of an Azure Active Directory tenant, then the resulting connectedOrganization that is created will have an identitySources collection containing a single member of the [azureActiveDirectoryTenant](../resources/azureactivedirectorytenant.md) type.
+
+## Response
+
+If successful, this method returns a `201 Created` response code and a new [connectedOrganization](../resources/connectedorganization.md) object in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_connectedorganization_from_connectedorganizations"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/connectedOrganizations/
+Content-Type: application/json
+
+{
+ "displayName":"Connected organization name",
+ "description":"Connected organization description",
+ "identitySources": [
+ {
+ "@odata.type": "#microsoft.graph.domainIdentitySource",
+ "domainName": "example.com",
+ "displayName": "example.com"
+ }
+ ],
+ "state":"proposed"
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.connectedOrganization"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "006111db-0810-4494-a6df-904d368bd81b",
+ "displayName":"Connected organization name",
+ "description":"Connected organization description",
+ "createdBy": "admin@contoso.com",
+ "createdDateTime": "2020-06-08T20:13:53.7099947Z",
+ "modifiedBy": "admin@contoso.com",
+ "modifiedDateTime": "2020-06-08T20:13:53.7099947Z",
+ "state":"proposed"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create connectedOrganization",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
++
v1.0 Termsofusecontainer List Agreements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/termsofusecontainer-list-agreements.md
+
+ Title: "List agreements"
+description: "Retrieve a list of agreement objects."
+ms.localizationpriority: medium
+++
+# List agreements
+
+Namespace: microsoft.graph
++
+Retrieve a list of [agreement](../resources/agreement.md) objects.
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Agreement.Read.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Not supported. |
+
+When calling on behalf of a user, the user needs to belong to one of the following directory roles. To learn more about directory roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference):
++ Global Administrator++ Conditional Access Administrator++ Security Administrator+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+GET /identityGovernance/termsOfUse/agreements
+```
+<!--
+## Optional query parameters
+This method supports the [OData Query Parameters](/graph/query-parameters) to help customize the response.
+-->
+
+## Request headers
+| Name | Type | Description |
+|:-|:|:|
+| Authorization | string | Bearer \{token\}. Required. |
+
+## Request body
+Do not supply a request body for this method.
+## Response
+If successful, this method returns a `200 OK` response code and collection of [agreement](../resources/agreement.md) objects in the response body.
+## Example
+##### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_agreements"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/identityGovernance/termsOfUse/agreements
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+##### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.agreement",
+ "isCollection": true
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "displayName": "displayName-value",
+ "isViewingBeforeAcceptanceRequired": true,
+ "id": "id-value"
+ }
+ ]
+}
+```
+
+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
+2015-10-25 14:57:30 UTC -->
+<!--
+{
+ "type": "#page.annotation",
+ "description": "List agreements",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Termsofusecontainer Post Agreements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/termsofusecontainer-post-agreements.md
+
+ Title: "Create agreement"
+description: "Create a new agreement object."
+ms.localizationpriority: medium
+++
+# Create agreement
+
+Namespace: microsoft.graph
++
+Create a new [agreement](../resources/agreement.md) object.
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Agreement.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Not supported. |
+
+When calling on behalf of a user, the user needs to belong to one of the following directory roles. To learn more about directory roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference):
++ Global Administrator++ Conditional Access Administrator++ Security Administrator+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+POST /identityGovernance/termsOfUse/agreements
+```
+## Request headers
+| Name | Type | Description |
+|:-|:|:|
+| Authorization | string | Bearer \{token\}. Required. |
+
+## Request body
+In the request body, supply a JSON representation of [agreement](../resources/agreement.md) object.
+
+The following table shows the properties that are required when you create a user.
+
+| Property | Type | Description |
+|:-|:|:|
+|displayName|String|Display name of the agreement.|
+|isViewingBeforeAcceptanceRequired|Boolean|Indicates whether the user has to expand and view the agreement before accepting.|
+|files/fileName|String|Name of the agreement file (for example, TOU.pdf).|
+|files/isDefault|Boolean|Indicates whether this is the default agreement file if none of the culture matches the client preference. If none of the file is marked as default, the first one will be treated as default.|
+|files/language|String|Culture of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US).|
+|files/fileData/data|Binary|Data representing the terms of use the PDF document.|
+
+## Response
+If successful, this method returns a `201, Created` response code and [agreement](../resources/agreement.md) object in the response body.
+
+## Example
+##### Request
+In the request body, supply a JSON representation of the [agreement](../resources/agreement.md) object.
+++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_agreement_from_agreements"
+}-->
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/termsOfUse/agreements
+Content-type: application/json
+
+{
+ "displayName": "MSGraph Sample",
+ "isViewingBeforeAcceptanceRequired": true,
+ "files": [
+ {
+ "fileName": "TOU.pdf",
+ "language": "en",
+ "isDefault": true,
+ "fileData": {
+ "data": "SGVsbG8gd29ybGQ="
+ }
+ }
+ ]
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+##### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.agreement"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "displayName": "MSGraph Sample",
+ "isViewingBeforeAcceptanceRequired": true,
+ "id": "id-value"
+}
+```
+
+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
+2015-10-25 14:57:30 UTC -->
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Create agreement",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
++
v1.0 User List Agreementacceptances https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-list-agreementacceptances.md
Title: "List agreementAcceptances" description: "Retrieve a list of a user's agreementAcceptance objects." ms.localizationpriority: medium-+ ms.prod: "users" doc_type: apiPageType
One of the following permissions is required to call this API. To learn more, in
## HTTP request <!-- { "blockType": "ignored" } --> ```http
+GET /me/agreementAcceptances
GET /users/{id | userPrincipalName}/agreementAcceptances ``` <!--
Do not supply a request body for this method.
## Response If successful, this method returns a `200 OK` response code and a collection of [agreementAcceptance](../resources/agreementacceptance.md) objects in the response body. ## Example
-##### Request
+### Request
# [HTTP](#tab/http) <!-- {
GET https://graph.microsoft.com/beta/me/agreementAcceptances
-##### Response
+### Response
>**Note:** The response object shown here might be shortened for readability. <!-- {
v1.0 User Post Users https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-post-users.md
The following table lists the properties that are required when you create a use
|onPremisesImmutableId |string |Only needs to be specified when creating a new user account if you are using a federated domain for the user's userPrincipalName (UPN) property.| |mailNickname |string |The mail alias for the user.| |passwordProfile|[PasswordProfile](../resources/passwordprofile.md) |The password profile for the user. For Azure B2C tenants, the **forceChangePasswordNextSignIn** property should be set to `false` and instead use custom policies to force password reset at first sign in.|
-|userPrincipalName |string |The user principal name (someuser@contoso.com).|
+|userPrincipalName |string |The user principal name (someuser@contoso.com). It's an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md). <br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts).|
Because the **user** resource supports [extensions](/graph/extensibility-overview), you can use the `POST` operation and add custom properties with your own data to the user instance while creating it.
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-update.md
In the request body, supply the values for relevant fields that should be update
|streetAddress|String|The street address of the user's place of business.| |surname|String|The user's surname (family name or last name).| |usageLocation|String|A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: `US`, `JP`, and `GB`. Not nullable.|
-|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenantΓÇÖs collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md).
+|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md). <br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts).|
|userType|String|A string value that can be used to classify user types in your directory, such as `Member` and `Guest`. | Because the **user** resource supports [extensions](/graph/extensibility-overview), you can use the `PATCH` operation to
For more examples for users, see [Assign, update, or remove custom security attr
#### Request --
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "assign_user_customsecurityattribute_string"
Content-type: application/json
} } ```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Go](#tab/go)
--- #### Response <!-- {
v1.0 Accesspackage https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackage.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package defines the collections of resource roles and the policies for how one or more users can get access to those resources.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package defines the collections of resource roles and the policies for how one or more users can get access to those resources.
Each access package is referenced by a single access package catalog, and has links to the resources from that catalog via the resource-specific role scopes that define the access the package provides. An access package also links to the access package assignment policies, each of which define who can request or be assigned an access package assignment.
-To assign a user to an access package, [create an accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-post.md) that references the access package and access package assignment policy.
+To assign a user to an access package, [create an accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md) that references the access package and access package assignment policy.
## Methods | Method | Return Type | Description | |:-|:|:|
-| [List accessPackages](../api/accesspackage-list.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accesspackage** objects. |
-| [Create accessPackage](../api/accesspackage-post.md) | [accessPackage](accesspackage.md) | Create a new **accesspackage** object. |
+| [List accessPackages](../api/entitlementmanagement-list-accesspackages.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accesspackage** objects. |
+| [Create accessPackage](../api/entitlementmanagement-post-accesspackages.md) | [accessPackage](accesspackage.md) | Create a new **accesspackage** object. |
| [Get accessPackage](../api/accesspackage-get.md) | [accessPackage](accesspackage.md) | Read properties and relationships of an **accesspackage** object. | | [Update accessPackage](../api/accesspackage-update.md)|None | Update the properties of an **accesspackage** object. | | [Delete accessPackage](../api/accesspackage-delete.md) |None | Delete an **accesspackage**. |
To assign a user to an access package, [create an accessPackageAssignmentRequest
| Property | Type | Description | |:-|:|:|
-|catalogId|String|ID of the access package catalog referencing this access package. Read-only.|
-|createdBy|String|UPN of the user or identity of the subject who created this resource. Read-only.|
+|catalogId|String|Identifier of the access package catalog referencing this access package. Read-only.|
+|createdBy|String|The userPrincipalName of the user or identity of the subject who created this resource. Read-only.|
|createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |description|String|The description of the access package.|
-|displayName|String|The display name of the access package.|
+|displayName|String|The display name of the access package. Supports $filter (`eq`, `contains`).|
|id|String| Read-only.| |isHidden|Boolean|Whether the access package is hidden from the requestor.| |isRoleScopesVisible|Boolean|Indicates whether role scopes are visible.|
-|modifiedBy|String|The UPN of the user who last modified this resource. Read-only.|
+|modifiedBy|String|The userPrincipalName of the user who last modified this resource. Read-only.|
|modifiedDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. | ## Relationships | Relationship | Type | Description | |:-|:|:|
-|accessPackageAssignmentPolicies|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) collection| Read-only. Nullable.|
+|accessPackageAssignmentPolicies|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) collection| Read-only. Nullable. Supports `$expand`.|
|accessPackageCatalog|[accessPackageCatalog](accesspackagecatalog.md)| Read-only. Nullable.| |accessPackageResourceRoleScopes|[accessPackageResourceRoleScope](accesspackageresourcerolescope.md) collection| Nullable.| | incompatibleAccessPackages | [accessPackage](accesspackagecatalog.md) collection | The access packages whose assigned users are ineligible to be assigned this access package. |
v1.0 Accesspackageassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageassignment.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package assignment is an assignment of an access package to a particular subject, for a period of time. For example, an access package assignment can state that user Alice has been assigned access via the access package Sales for the period January 2019 through July 2019.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package assignment is an assignment of an access package to a particular subject, for a period of time. For example, an access package assignment can state that user Alice has been assigned access via the access package Sales for the period January 2019 through July 2019.
## Methods | Method | Return Type | Description | |:-|:|:|
-| [List accessPackageAssignments](../api/accesspackageassignment-list.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. |
+| [List accessPackageAssignments](../api/entitlementmanagement-list-accesspackageassignments.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. |
|[filterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.| | [reprocess](../api/accesspackageassignment-reprocess.md) | None | Automatically reevaluate and enforce a userΓÇÖs assignments for a specific access package.|
->**Note:** You can't use a method to create or remove an access package assignment. Instead, a client that wants to request an access package assignment for a user, or remove an access package assignment from a user, can [create an accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-post.md).
+> [!NOTE]
+> To create or remove an access package assignment for a user, use the [create an accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md)
## Properties
In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access p
|:-|:|:| |accessPackageId|String|The identifier of the access package. Read-only.| |assignmentPolicyId|String|The identifier of the access package assignment policy. Read-only.|
-|assignmentState|String|The state of the access package assignment. Possible values are `Delivering`, `Delivered`, or `Expired`. Read-only.|
+|assignmentState|String|The state of the access package assignment. Possible values are `Delivering`, `Delivered`, or `Expired`. Read-only. Supports `$filter` (`eq`).|
|assignmentStatus|String|More information about the assignment lifecycle. Possible values include `Delivering`, `Delivered`, `NearExpiry1DayNotificationTriggered`, or `ExpiredNotificationTriggered`. Read-only.| |catalogId|String|The identifier of the catalog containing the access package. Read-only.| |expiredDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`|
In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access p
| Relationship | Type | Description | |:-|:|:|
-|accessPackage|[accessPackage](accesspackage.md)| Read-only. Nullable.|
-|accessPackageAssignmentPolicy|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md)| Read-only. Nullable.|
+|accessPackage|[accessPackage](accesspackage.md)| Read-only. Nullable. Supports `$filter` (`eq`) on the **id** property and `$expand` query parameters.|
+|accessPackageAssignmentPolicy|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md)| Read-only. Nullable. Supports `$filter` (`eq`) on the **id** property|
|accessPackageAssignmentResourceRoles|[accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) collection| The resource roles delivered to the target user for this assignment. Read-only. Nullable.|
-|target|[accessPackageSubject](accesspackagesubject.md)| The subject of the access package assignment. Read-only. Nullable.|
+|target|[accessPackageSubject](accesspackagesubject.md)| The subject of the access package assignment. Read-only. Nullable. Supports `$expand`. Supports `$filter` (`eq`) on **objectId**. |
## JSON representation
v1.0 Accesspackageassignmentpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageassignmentpolicy.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment policy specifies the policy by which subjects can request or be assigned an access package via an access package assignment. An access package can have zero or more policies. When a request from a subject is received, the subject is matched against each policy to find the policy (if any) with requestorSettings that include that subject. The policy then determines whether the request requires approval, the duration of the access package assignment, and whether the assignment needs regularly review.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment policy specifies the policy by which subjects can request or be assigned an access package via an access package assignment. An access package can have zero or more policies. When a request from a subject is received, the subject is matched against each policy to find the policy (if any) with requestorSettings that include that subject. The policy then determines whether the request requires approval, the duration of the access package assignment, and whether the assignment needs regularly review.
-To assign a user to an access package, [create an accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-post.md) which references the access package and access package assignment policy.
+To assign a user to an access package, [create an accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md) which references the access package and access package assignment policy.
## Methods | Method | Return Type | Description | |:-|:|:|
-| [List accessPackageAssignmentPolicies](../api/accesspackageassignmentpolicy-list.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) collection | Retrieve a list of accessPackageAssignmentPolicy objects. |
-| [Create accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-post.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Create a new accessPackageAssignmentPolicy object. |
+| [List accessPackageAssignmentPolicies](../api/entitlementmanagement-list-accesspackageassignmentpolicies.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) collection | Retrieve a list of accessPackageAssignmentPolicy objects. |
+| [Create accessPackageAssignmentPolicy](../api/entitlementmanagement-post-accesspackageassignmentpolicies.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Create a new accessPackageAssignmentPolicy object. |
| [Get accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-get.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Read properties and relationships of an accessPackageAssignmentPolicy object. | | [Update accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-update.md)|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Update the properties of an accessPackageAssignmentPolicy object. | | [Delete accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-delete.md) | | Delete an accessPackageAssignmentPolicy. |
To assign a user to an access package, [create an accessPackageAssignmentRequest
| Property | Type | Description | |:-|:|:|
-|accessPackageId|String|ID of the access package.|
+|accessPackageId|String|Identifier of the access package.|
|accessReviewSettings|[assignmentReviewSettings](assignmentreviewsettings.md)|Who must review, and how often, the assignments to the access package from this policy. This property is null if reviews are not required.| |canExtend|Boolean|Indicates whether a user can extend the access package assignment duration after approval.| |createdBy|String|Read-only.| |createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`| |description|String|The description of the policy.|
-|displayName|String|The display name of the policy.|
+|displayName|String|The display name of the policy. Supports `$filter` (`eq`).|
|durationInDays|Int32|The number of days in which assignments from this policy last until they are expired.| |expirationDateTime|DateTimeOffset|The expiration date for assignments created in this policy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`| |id|String| Read-only.|
To assign a user to an access package, [create an accessPackageAssignmentRequest
| Relationship | Type | Description | |:-|:|:|
-|accessPackage|[accessPackage](accesspackage.md)| The access package with this policy. Read-only. Nullable.|
+|accessPackage|[accessPackage](accesspackage.md)| The access package with this policy. Read-only. Nullable. Supports `$expand`.|
## JSON representation
v1.0 Accesspackageassignmentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageassignmentrequest.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package assignment request is created by or on behalf of a user who wants to obtain an access package assignment. If the request is successful, with any necessary approvals, the user receives an access package assignment, and is the subject of that resulting access package assignment. Azure AD also creates access package assignment requests automatically for tracking access removal.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package assignment request is created by or on behalf of a user who wants to obtain an access package assignment. If the request is successful, with any necessary approvals, the user receives an access package assignment, and is the subject of that resulting access package assignment. Azure AD also creates access package assignment requests automatically for tracking access removal.
## Methods | Method | Return Type | Description | |:-|:|:|
-| [List accessPackageAssignmentRequests](../api/accesspackageassignmentrequest-list.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) collection | Retrieve a list of **accesspackageassignmentrequest** objects. |
-| [Create accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-post.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Create a new **accessPackageAssignmentRequest**. |
+| [List accessPackageAssignmentRequests](../api/entitlementmanagement-list-accesspackageassignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) collection | Retrieve a list of **accesspackageassignmentrequest** objects. |
+| [Create accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Create a new **accessPackageAssignmentRequest**. |
| [Get accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-get.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Read properties and relationships of an **accessPackageAssignmentRequest** object. | | [Delete accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-delete.md) |None | Delete an **accessPackageAssignmentRequest**. | |[filterByCurrentUser](../api/accesspackageassignmentrequest-filterbycurrentuser.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Retrieve the list of **accessPackageAssignmentRequest** objects filtered on the signed-in user.|
In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access p
| Relationship | Type | Description | |:-|:|:|
-|accessPackage|[accessPackage](../resources/accesspackage.md)|The access package associated with the accessPackageAssignmentRequest. An access package defines the collections of resource roles and the policies for how one or more users can get access to those resources. Read-only. Nullable. <br/><br/> Supports `$expand`.|
-|accessPackageAssignment|[accessPackageAssignment](accesspackageassignment.md)| For a **requestType** of `UserAdd` or `AdminAdd`, this is an access package assignment requested to be created. For a **requestType** of `UserRemove`, `AdminRemove` or `SystemRemove`, this has the `id` property of an existing assignment to be removed. <br/><br/> Supports `$expand`.|
+|accessPackage|[accessPackage](../resources/accesspackage.md)|The access package associated with the accessPackageAssignmentRequest. An access package defines the collections of resource roles and the policies for how one or more users can get access to those resources. Read-only. Nullable. Supports `$expand`.|
+|accessPackageAssignment|[accessPackageAssignment](accesspackageassignment.md)| For a **requestType** of `UserAdd` or `AdminAdd`, this is an access package assignment requested to be created. For a **requestType** of `UserRemove`, `AdminRemove` or `SystemRemove`, this has the `id` property of an existing assignment to be removed. Supports `$expand`.|
|requestor|[accessPackageSubject](accesspackagesubject.md)| The subject who requested or, if a direct assignment, was assigned. Read-only. Nullable. Supports `$expand`.|
v1.0 Accesspackageassignmentresourcerole https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageassignmentresourcerole.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment resource role indicates the resource-specific role which a subject has been assigned through an access package assignment.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment resource role indicates the resource-specific role which a subject has been assigned through an access package assignment.
## Methods | Method | Return Type | Description | |:-|:|:| | [Get accessPackageAssignmentResourceRole](../api/accesspackageassignmentresourcerole-get.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) | Retrieve an accessPackageAssignmentResourceRole object. |
-| [List accessPackageAssignmentResourceRoles](../api/accesspackageassignmentresourcerole-list.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) collection | Retrieve a list of accessPackageAssignmentResourceRole objects. |
+| [List accessPackageAssignmentResourceRoles](../api/entitlementmanagement-list-accesspackageassignmentresourceroles.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) collection | Retrieve a list of accessPackageAssignmentResourceRole objects. |
## Properties
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
|accessPackageAssignments|[accessPackageAssignment](accesspackageassignment.md) collection| The access package assignments resulting in this role assignment. Read-only. Nullable.| |accessPackageResourceRole|[accessPackageResourceRole](accesspackageresourcerole.md)| Read-only. Nullable.| |accessPackageResourceScope|[accessPackageResourceScope](accesspackageresourcescope.md)| Read-only. Nullable.|
-|accessPackageSubject|[accessPackageSubject](accesspackagesubject.md)| Read-only. Nullable.|
+|accessPackageSubject|[accessPackageSubject](accesspackagesubject.md)| Read-only. Nullable. Supports `$filter` (`eq`) on **objectId** and `$expand` query parameters.|
## JSON representation
v1.0 Accesspackagecatalog https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackagecatalog.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package catalog is a container for zero or more access packages. An access package catalog might also have linked resources that are used in those access packages to provide access. To view or change the membership of catalog-scoped roles, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package catalog is a container for zero or more access packages. An access package catalog might also have linked resources that are used in those access packages to provide access. To view or change the membership of catalog-scoped roles, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
| Method | Return Type | Description | |:-|:|:|
-| [List accessPackageCatalogs](../api/accesspackagecatalog-list.md) | [accessPackageCatalog](accesspackagecatalog.md) collection | Retrieve a list of accesspackagecatalog objects. |
-| [Create accessPackageCatalog](../api/accesspackagecatalog-post.md) | [accessPackageCatalog](accesspackagecatalog.md) | Create a new accessPackageCatalog object. |
+| [List accessPackageCatalogs](../api/entitlementmanagement-list-accesspackagecatalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) collection | Retrieve a list of accesspackagecatalog objects. |
+| [Create accessPackageCatalog](../api/entitlementmanagement-post-accesspackagecatalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) | Create a new accessPackageCatalog object. |
| [Get accessPackageCatalog](../api/accesspackagecatalog-get.md) | [accessPackageCatalog](accesspackagecatalog.md) | Read properties and relationships of an accessPackageCatalog object. | | [Update accessPackageCatalog](../api/accesspackagecatalog-update.md)|None | Update the properties of an accessPackageCatalog object. | | [Delete accessPackageCatalog](../api/accesspackagecatalog-delete.md) | | Delete accessPackageCatalog. |
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
|createdBy|String|UPN of the user who created this resource. Read-only.| |createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |description|String|The description of the access package catalog.|
-|displayName|String|The display name of the access package catalog.|
+|displayName|String|The display name of the access package catalog. Supports `$filter` (`eq`, `contains`).|
|id|String| Read-only.| |isExternallyVisible|Boolean|Whether the access packages in this catalog can be requested by users outside of the tenant.| |modifiedBy|String|The UPN of the user who last modified this resource. Read-only.|
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
| Relationship | Type | Description | |:-|:|:|
-|accessPackages|[accessPackage](accesspackage.md) collection| The access packages in this catalog. Read-only. Nullable.|
+|accessPackages|[accessPackage](accesspackage.md) collection| The access packages in this catalog. Read-only. Nullable. Supports `$expand`.|
|accessPackageResources|[accessPackageResource](accesspackageresource.md) collection| Read-only. Nullable.| ## JSON representation
v1.0 Accesspackageresource https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresource.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package resource is a reference to a resource associated with an access package catalog. The roles for the access package resource can be used in one or more access packages. To request to associate a resource with an access package catalog, or remove a resource from a catalog, create an [accessPackageResourceRequest](accesspackageresourcerequest.md).
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package resource is a reference to a resource associated with an access package catalog. The roles for the access package resource can be used in one or more access packages. To request to associate a resource with an access package catalog, or remove a resource from a catalog, create an [accessPackageResourceRequest](accesspackageresourcerequest.md).
## Methods
v1.0 Accesspackageresourceenvironment https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresourceenvironment.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package resource environment is a reference to the geolocation environment in which a resource is located. This environment is automatically provided as part of Azure AD Entitlement Management. The API is only applicable to Multi-Geo SharePoint Online sites.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package resource environment is a reference to the geolocation environment in which a resource is located. This environment is automatically provided as part of Azure AD Entitlement Management. The API is only applicable to Multi-Geo SharePoint Online sites.
## Methods |Method|Return type|Description| |:|:|:|
-|[List accessPackageResourceEnvironments](../api/accesspackageresourceenvironment-list.md)|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) collection|Retrieve a list of [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) objects.|
+|[List accessPackageResourceEnvironments](../api/entitlementmanagement-list-accesspackageresourceenvironment.md)|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) collection|Retrieve a list of [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) objects.|
|[Get accessPackageResourceEnvironment](../api/accesspackageresourceenvironment-get.md)|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md)|Read the properties and relationships of an [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) object.| ## Properties
In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access p
|connectionInfo|[connectionInfo](../resources/connectioninfo.md)|Connection information of an environment used to connect to a resource. | |createdBy|String|The display name of the user that created this object.| |createdDateTime|DateTimeOffset|The date and time that this object was created. <br>The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
-|description|String|The description of this *accessPackageResourceEnvironment* object.|
+|description|String|The description of this object.|
|displayName|String|The display name of this object.| |id|String|The system-assigned unique identifier of the object.| |isDefaultEnvironment|Boolean|Determines whether this is default environment or not. It is set to `true` for all static origin systems, such as Azure AD groups and Azure AD Applications.| |modifiedBy|String|The display name of the entity that last modified this object.| |modifiedDateTime|DateTimeOffset|The date and time that this object was last modified. <br>The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. | |originId|String|The unique identifier of this environment in the origin system.|
-|originSystem|String|The type of the resource in the origin system such as `SharePointOnline`. Supports `$filter`.|
+|originSystem|String|The type of the resource in the origin system, that is, `SharePointOnline`. Requires `$filter` (`eq`).|
## Relationships |Relationship|Type|Description|
v1.0 Accesspackageresourcerequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresourcerequest.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package resource request is a request to a add a resource to a catalog so that the roles of the resource can be used in one or more of the catalog's access packages, or to remove a resource from a catalog that is no longer needed by the access packages.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package resource request is a request to add a resource to a catalog so that the roles of the resource can be used in one or more of the catalog's access packages, or to remove a resource from a catalog that is no longer needed by the access packages.
## Methods | Method | Return Type | Description | |:-|:|:|
-| [List accessPackageResourceRequests](../api/accesspackageresourcerequest-list.md) | [accessPackageResourceRequest](accesspackageresourcerequest.md) collection | Retrieve a list of **accessPackageResourceRequest** objects. |
-| [Create accessPackageResourceRequest](../api/accesspackageresourcerequest-post.md) | [accessPackageCatalog](accesspackageresourcerequest.md) | Create a new **accessPackageResourceRequest** object. |
+| [List accessPackageResourceRequests](../api/entitlementmanagement-list-accesspackageresourcerequests.md) | [accessPackageResourceRequest](accesspackageresourcerequest.md) collection | Retrieve a list of **accessPackageResourceRequest** objects. |
+| [Create accessPackageResourceRequest](../api/entitlementmanagement-post-accesspackageresourcerequests.md) | [accessPackageCatalog](accesspackageresourcerequest.md) | Create a new **accessPackageResourceRequest** object. |
## Properties
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
| Relationship | Type | Description | |:-|:|:| |accessPackageResource|[accessPackageResource](accesspackageresource.md)| Nullable.|
-|requestor|[accessPackageSubject](accesspackagesubject.md)| Read-only. Nullable.|
+|requestor|[accessPackageSubject](accesspackagesubject.md)| Read-only. Nullable. Supports `$expand`.|
## JSON representation
v1.0 Accesspackageresourcerole https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresourcerole.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package resource role is a reference to a role defined in a resource. That reference can be used after creating an access package to specify the roles of each of the catalog's resources into which an access package should deliver, by [creating an access package resource role scope](../api/accesspackage-post-accesspackageresourcerolescopes.md).
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package resource role is a reference to a role defined in a resource. That reference can be used after creating an access package to specify the roles of each of the catalog's resources into which an access package should deliver, by [creating an access package resource role scope](../api/accesspackage-post-accesspackageresourcerolescopes.md).
## Methods
v1.0 Accesspackageresourcerolescope https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresourcerolescope.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package resource role scope is a reference to both a scope within a resource, and a role in that resource for that scope. An access package will have access package resource role scopes for the resources in its catalog which are relevant to that access package. When a subject receives an access package assignment, the subject will be provisioned with the role in that scope of each access package resource role scope.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package resource role scope is a reference to both a scope within a resource, and a role in that resource for that scope. An access package will have access package resource role scopes for the resources in its catalog which are relevant to that access package. When a subject receives an access package assignment, the subject will be provisioned with the role in that scope of each access package resource role scope.
## Methods
In [Azure AD entitlement management](entitlementmanagement-root.md), an access p
| Relationship | Type | Description | |:-|:|:|
-|accessPackageResourceRole|[accessPackageResourceRole](accesspackageresourcerole.md)| Read-only. Nullable.|
+|accessPackageResourceRole|[accessPackageResourceRole](accesspackageresourcerole.md)| Read-only. Nullable. Supports `$expand`.|
|accessPackageResourceScope|[accessPackageResourceScope](accesspackageresourcescope.md)| Read-only. Nullable.| ## JSON representation
v1.0 Accesspackageresourcescope https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackageresourcescope.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package resource scope is a reference to a scope within a resource, for those resources that have multiple scopes.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package resource scope is a reference to a scope within a resource, for those resources that have multiple scopes.
You can determine the access package resource scope, for a resource which has roles already added to an access package, by using [list accessPackageResourceRoleScopes](../api/accesspackage-list-accesspackageresourcerolescopes.md) to return a collection of [accessPackageResourceRoleScope](accesspackageresourcerolescope.md) objects.
v1.0 Accesspackagesubject https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accesspackagesubject.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package subject is a user, service principal, or other entity that can be configured to request or be assigned an access package. It may represent a requestor from a connected organization who is not yet in the tenant.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package subject is a user, service principal, or other entity that can be configured to request or be assigned an access package. It may represent a requestor from a connected organization who is not yet in the tenant.
## Properties
v1.0 Accessreviewhistorydefinition https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewhistorydefinition.md
Represents a collection of access review history data and the scopes used to col
## Methods |Method|Return type|Description| |:|:|:|
-|[List accessReviewHistoryDefinitions](../api/accessreviewhistorydefinition-list.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md) collection|Get a list of the [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) objects and their properties.|
-|[Create accessReviewHistoryDefinition](../api/accessreviewhistorydefinition-post.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Create a new [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) object.|
+|[List accessReviewHistoryDefinitions](../api/accessreviewset-list-historydefinitions.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md) collection|Get a list of the [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) objects and their properties.|
+|[Create accessReviewHistoryDefinition](../api/accessreviewset-post-historydefinitions.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Create a new [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) object.|
|[Get accessReviewHistoryDefinition](../api/accessreviewhistorydefinition-get.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Read the properties and relationships of an [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) object.| |[generateDownloadUri](../api/accessreviewhistorydefinition-generatedownloaduri.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Generate a URI that can be used to retrieve review history data.|
v1.0 Accessreviewinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewinstance.md
Namespace: microsoft.graph
[!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
-Represents an Azure AD [access review](accessreviewsv2-root.md) recurrence. If the parent [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) is a recurring access review, instances represent each recurrence. A review that does not recur will have exactly one instance. Instances also represent each unique group being reviewed in the schedule definition. If a schedule definition reviews multiple groups, each group will have a unique instance for each recurrence.
+Represents an Azure AD [access review](accessreviewsv2-overview.md) recurrence. If the parent [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) is a recurring access review, instances represent each recurrence. A review that does not recur will have exactly one instance. Instances also represent each unique group being reviewed in the schedule definition. If a schedule definition reviews multiple groups, each group will have a unique instance for each recurrence.
Every **accessReviewInstance** contains a list of [decisions](accessreviewinstancedecisionitem.md) that reviewers can take action on. There is one decision per identity being reviewed.
Every **accessReviewInstance** contains a list of [decisions](accessreviewinstan
| Method | Return Type | Description | |:|:--|:-|
-|[List accessReviewInstances](../api/accessreviewinstance-list.md) | [accessReviewInstance](accessreviewinstance.md) collection | Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties. |
+|[List accessReviewInstances](../api/accessreviewscheduledefinition-list-instances.md) | [accessReviewInstance](accessreviewinstance.md) collection | Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties. |
|[Get accessReviewInstance](../api/accessreviewinstance-get.md) | [accessReviewInstance](accessreviewinstance.md) | Read the properties and relationships of an [accessReviewInstance](../resources/accessreviewinstance.md) object. | |[Update accessReviewInstance](../api/accessreviewinstance-update.md)|[accessReviewInstance](../resources/accessreviewinstance.md)|Update the reviewers of an [accessReviewInstance](../resources/accessreviewinstance.md) object.| |[filterByCurrentUser](../api/accessreviewinstance-filterbycurrentuser.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Returns all instances on a given [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) for which the calling user is the reviewer of one or more decisions.|
v1.0 Accessreviewinstancedecisionitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewinstancedecisionitem.md
Namespace: microsoft.graph
[!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
+Represents an Azure AD [access review](accessreviewsv2-overview.md) decision on an instance of a review. This decision is the determination of a user or service principal's access for a given [access review instance](accessreviewinstance.md). accessReviewInstanceDecisionItem is an open type and allows other properties to be passed in.
+ >[!NOTE] >The property `target` will be deprecated in v1.0 and replaced by the `principal` and `resource` properties.
-Represents an Azure AD [access review](accessreviewsv2-root.md) decision on an instance of a review. This decision is the determination of a user or service principal's access for a given [access review instance](accessreviewinstance.md). accessReviewInstanceDecisionItem is an open type and allows other properties to be passed in.
- ## Methods | Method | Return Type | Description | |:|:--|:-|
-|[List accessReviewInstanceDecisionItems](../api/accessreviewinstancedecisionitem-list.md) | [accessReviewInstanceDecisionItem](accessreviewinstancedecisionitem.md) collection | Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
+|[List accessReviewInstanceDecisionItems](../api/accessreviewinstance-list-decisions.md) | [accessReviewInstanceDecisionItem](accessreviewinstancedecisionitem.md) collection | Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
|[Get accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-get.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Read the properties and relationships of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.| |[Update accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-update.md) | None. | For any accessReviewInstanceDecisionItems that the calling user is assigned a reviewer on, calling user can record a decision by patching the decision object. | |[filterByCurrentUser](../api/accessreviewinstancedecisionitem-filterbycurrentuser.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Retrieves all [accessReviewInstanceDecisionItems](accessreviewinstancedecisionitem.md) objects where the calling use is the reviewer for a given [accessReviewInstance](accessreviewinstance.md).|
v1.0 Accessreviewnotificationrecipientitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewnotificationrecipientitem.md
Namespace: microsoft.graph
[!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
-Represents an Azure AD [access review](accessreviewsv2-root.md) notification event on an instance of a review. This item contains an email template type and recipient properties to enable sending certain type of notifications for a given [access review instance](accessreviewinstance.md).
+Represents an Azure AD [access review](accessreviewsv2-overview.md) notification event on an instance of a review. This item contains an email template type and recipient properties to enable sending certain type of notifications for a given [access review instance](accessreviewinstance.md).
## Properties
v1.0 Accessreviewqueryscope https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewqueryscope.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] [!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
-An accessReviewQueryScope object defines what will be reviewed in an [access review](../resources/accessreviewsv2-root.md). To scope an access review to inactive users, see [accessReviewInactiveUserQueryScope](../resources/accessreviewinactiveusersqueryscope.md).
+An accessReviewQueryScope object defines what will be reviewed in an [access review](../resources/accessreviewsv2-overview.md). To scope an access review to inactive users, see [accessReviewInactiveUserQueryScope](../resources/accessreviewinactiveusersqueryscope.md).
Inherits from [accessReviewScope](../resources/accessreviewscope.md).
v1.0 Accessreviewscheduledefinition https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewscheduledefinition.md
Namespace: microsoft.graph
[!INCLUDE [accessreviews-disclaimer-v2](../../includes/accessreviews-disclaimer-v2.md)]
-Represents the scheduling of an Azure AD [access review](accessreviewsv2-root.md).
+Represents the scheduling of an Azure AD [access review](accessreviewsv2-overview.md).
An accessReviewScheduleDefinition contains a list of [accessReviewInstance](accessreviewinstance.md) objects. Each recurrence of the schedule definition creates an instance. Instances also represent each unique resource being reviewed. If a schedule definition reviews multiple resources (including multiple groups), each resource has a unique instance per each recurrence. In the case of a one-time review, only one instance is created per resource.
An accessReviewScheduleDefinition contains a list of [accessReviewInstance](acce
| Method | Return Type |Description| |:|:--|:-|
-|[List accessReviewScheduleDefinitions](../api/accessreviewscheduledefinition-list.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) collection | Lists every accessReviewScheduleDefinition. Does not include associated accessReviewInstance objects in the results. |
+|[List accessReviewScheduleDefinitions](../api/accessreviewset-list-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) collection | Lists every accessReviewScheduleDefinition. Does not include associated accessReviewInstance objects in the results. |
|[Get accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-get.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Get an accessReviewScheduleDefinition with a specified **id**. Does not include associated accessReviewInstance objects in the results. |
-|[Create accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-post.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Create a new accessReviewScheduleDefinition. |
+|[Create accessReviewScheduleDefinition](../api/accessreviewset-post-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Create a new accessReviewScheduleDefinition. |
|[Delete accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-delete.md) | None. | Delete an accessReviewScheduleDefinition with a specified **id**. | |[Update accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-update.md) | None. | Update properties of an accessReviewScheduleDefinition with a specified **id**. | |[filterByCurrentUser](../api/accessreviewscheduledefinition-filterbycurrentuser.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Retrieves all definitions for which the calling user is a reviewer on one or more instance.|
v1.0 Accessreviewset https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewset.md
+
+ Title: "accessReviewSet resource type"
+description: "Container for the base resources that expose the access reviews API and features. Currently exposes only the accessReviewScheduleDefinition resource."
+
+ms.localizationpriority: medium
++
+# accessReviewSet resource type
+
+Namespace: microsoft.graph
++
+Container for the base resources that expose the access reviews API and features. Currently exposes only the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) relationship.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|decisions|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection| Represents an Azure AD access review decision on an instance of a review.|
+|definitions|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection| Represents the template and scheduling for an access review. |
+|historyDefinitions|[accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) collection| Represents a collection of access review history data and the scopes used to collect that data.|
+|policy|[accessReviewPolicy](../resources/accessreviewpolicy.md)| Resource that enables administrators to manage directory-level access review policies in their tenant.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.accessReviewSet",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.accessReviewSet"
+}
+```
+
v1.0 Accessreviewsv2 Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/accessreviewsv2-overview.md
+
+ Title: "Azure AD access reviews"
+description: "You can use Azure AD access reviews to configure one-time or recurring access reviews for attestation of user's access rights. This documentation serves the 2nd version of the APIs."
+ms.localizationpriority: medium
+++
+# Azure AD access reviews
+
+Namespace: microsoft.graph
+++
+Use [Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview) to configure one-time or recurring access reviews for attestation of users' rights to access Azure AD resources. These Azure AD resources include groups, service principals, access packages, and privileged roles.
+
+Typical customer scenarios for access reviews include:
+
+- Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
+- Customers can review and certify employee access to Azure AD resources.
+- Customers can review and audit assignments to Azure AD privileged roles. This supports organizations in the management of privileged access.
+
+Note that the access reviews feature, including the API, is included in Azure AD Premium P2. The tenant where an access review is being created must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription.
++
+## Methods
+
+The following table lists the methods that you can use to interact with access review-related resources.
+
+| Method | Return type |Description|
+|:|:--|:-|
+|**Schedule definitions**| | |
+|[List definitions](../api/accessreviewset-list-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) collection | Get a list of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects and their properties. |
+|[Get accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-get.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Get an accessReviewScheduleDefinition object and its properties. |
+|[Create definitions](../api/accessreviewset-post-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Create a new accessReviewScheduleDefinition. |
+|[Delete accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-delete.md) | None. | Delete an accessReviewScheduleDefinition. |
+|[Update accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-update.md) | None. | Update properties of an accessReviewScheduleDefinition with a specified identifier. |
+|[filterByCurrentUser](../api/accessreviewscheduledefinition-filterbycurrentuser.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Retrieves all definitions for which the calling user is a reviewer on one or more instance.|
+|**Instances**| | |
+|[List instances](../api/accessreviewscheduledefinition-list-instances.md) | [accessReviewInstance](accessreviewinstance.md) collection | Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties. |
+|[Get accessReviewInstance](../api/accessreviewinstance-get.md) | [accessReviewInstance](accessreviewinstance.md) | Read the properties and relationships of an [accessReviewInstance](../resources/accessreviewinstance.md) object. |
+|[sendReminder](../api/accessreviewinstance-sendreminder.md) | None. | Send a reminder to the reviewers of an accessReviewInstance. |
+|[stop](../api/accessreviewinstance-stop.md) | None. | Manually stop an accessReviewInstance. |
+|[acceptRecommendations](../api/accessreviewinstance-acceptrecommendations.md) | None. | Allows the calling user to accept the decision recommendation for each NotReviewed accessReviewInstanceDecisionItem that they are the reviewer on for a specific accessReviewInstance. |
+|[applyDecisions](../api/accessreviewinstance-applydecisions.md) | None. | Manually apply decisions on an accessReviewInstance. |
+|[batchRecordDecisions](../api/accessreviewinstance-batchrecorddecisions.md)|None|Review batches of principals or resources in one call.|
+|[resetDecisions](../api/accessreviewinstance-resetdecisions.md)|None|Resets all decision items on an instance to `notReviewed`.|
+|[filterByCurrentUser](../api/accessreviewinstance-filterbycurrentuser.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Returns all instances on a given [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) for which the calling user is the reviewer of one or more decisions.|
+|**Instance decision items**| | |
+|[List decisions](../api/accessreviewinstance-list-decisions.md) | [accessReviewInstanceDecisionItem](accessreviewinstancedecisionitem.md) collection | Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
+|[Get accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-get.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Read the properties and relationships of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.|
+|[Update accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-update.md) | None. | For any accessReviewInstanceDecisionItems that the calling user is assigned a reviewer on, calling user can record a decision by patching the decision object. |
+|[filterByCurrentUser](../api/accessreviewinstancedecisionitem-filterbycurrentuser.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Retrieves all [accessReviewInstanceDecisionItems](accessreviewinstancedecisionitem.md) objects where the calling use is the reviewer for a given [accessReviewInstance](accessreviewinstance.md).|
+|[listPendingApproval](../api/accessreviewinstancedecisionitem-listpendingapproval.md) (deprecated) | [accessReviewInstanceDecisionItem](accessreviewinstancedecisionitem.md) collection. | Get all accessReviewInstanceDecisionItems assigned to the calling user, for a specific accessReviewInstance. This method is being deprecated and replaced by [accessReviewInstanceDecisionItem: filterByCurrentUser](../api/accessreviewinstancedecisionitem-filterbycurrentuser.md). |
+|**History definitions**| | |
+|[List historyDefinitions](../api/accessreviewset-list-historydefinitions.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md) collection|Get a list of the [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) objects and their properties.|
+|[Create historyDefinitions](../api/accessreviewset-post-historydefinitions.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Create a new [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) object.|
+|[Get accessReviewHistoryDefinition](../api/accessreviewhistorydefinition-get.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Read the properties and relationships of an [accessReviewHistoryDefinition](accessreviewhistorydefinition.md) object.|
+|[generateDownloadUri](../api/accessreviewhistorydefinition-generatedownloaduri.md)|[accessReviewHistoryDefinition](accessreviewhistorydefinition.md)|Generate a URI that can be used to retrieve review history data.|
+|**Policy**| | |
+|[Get accessReviewPolicy](../api/accessreviewpolicy-get.md)|[accessReviewPolicy](../resources/accessreviewpolicy.md)|Read the properties and relationships of an [accessReviewPolicy](../resources/accessreviewpolicy.md) object.|
+|[Update accessReviewPolicy](../api/accessreviewpolicy-update.md)|[accessReviewPolicy](../resources/accessreviewpolicy.md)|Update the properties of an [accessReviewPolicy](../resources/accessreviewpolicy.md) object.|
+|[List definitions pending approval](../api/accessreviewscheduledefinition-filterbycurrentuser.md) (deprecated)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Retrieves all definitions for which the calling user is a reviewer on one or more instance. This method is being deprecated and replaced by [accessReviewScheduleDefinition: filterByCurrentUser](../api/accessreviewscheduledefinition-filterbycurrentuser.md).|
+|[List pendingAccessReviewInstances](../api/accessreviewinstance-pendingaccessreviewinstances.md) (deprecated) | [accessReviewInstance](accessreviewinstance.md) collection. | Get all pending accessReviewInstance resources assigned to the calling user. This method is being deprecated and replaced by [accessReviewInstance: filterByCurrentUser](../api/accessreviewinstance-filterbycurrentuser.md). |
+
+## Role and application permission authorization checks
+
+The following [Azure AD roles](/azure/active-directory/roles/permissions-reference) are required for a calling user to manage access reviews.
+
+| Operation | Application permissions | Required directory role of the calling user |
+|:|:|:--|
+| Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Administrator, Global Reader, Security Administrator, Security Reader or User Administrator |
+| Create, Update or Delete | AccessReview.ReadWrite.All | Global Administrator or User Administrator |
+
+In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
+
+## See also
+
+- [Tutorials](/graph/accessreviews-overview) to learn how to use the access reviews API to review access to Azure AD resources
+- [How an administrator can manage user access with Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-manage-user-access-with-access-reviews)
+- [How an administrator can manage guest access with Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-manage-guest-access-with-access-reviews)
++
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Service root",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": []
+}
+-->
+
v1.0 Agreement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreement.md
Represents a tenant's customizable terms of use agreement that is created and ma
| Method | Return Type | Description | |:-|:|:|
-| [Create agreements](../api/agreement-post-agreements.md) | [agreement](agreement.md) | Create a new agreement by posting to the agreement collection. |
-| [List agreements](../api/agreement-list.md) | [agreement](agreement.md) collection | Get an agreement object collection. |
+| [Create agreements](../api/termsofusecontainer-post-agreements.md) | [agreement](agreement.md) | Create a new agreement by posting to the agreement collection. |
+| [List agreements](../api/termsofusecontainer-list-agreements.md) | [agreement](agreement.md) collection | Get an agreement object collection. |
| [Get agreement](../api/agreement-get.md) | [agreement](agreement.md) | Read properties and relationships of an agreement object. | | [Update agreement](../api/agreement-update.md) | [agreement](agreement.md) | Update an agreement object. | | [Delete agreement](../api/agreement-delete.md) | None | Delete an agreement object. |
Represents a tenant's customizable terms of use agreement that is created and ma
| Relationship | Type | Description | |:-|:|:| |acceptances|[agreementAcceptance](agreementacceptance.md) collection|Read-only. Information about acceptances of this agreement.|
-|files|[agreementFileLocalization](agreementfilelocalization.md) collection| PDFs linked to this agreement. **Note:** This property is in the process of being deprecated. Use the **file** property instead.|
|file|[agreementFile](agreementfile.md) | Default PDF linked to this agreement.|
-|file/localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized versions of the agreement files attached to the agreement.|
-|file/localizations/{localizationId}/versions|[agreementFileVersion](agreementfileversion.md) collection|The version history for the localized agreement file.|
+|files|[agreementFileLocalization](agreementfilelocalization.md) collection| PDFs linked to this agreement. **Note:** This property is in the process of being deprecated. Use the **file** property instead.|
## JSON representation The following is a JSON representation of the resource.- <!-- { "blockType": "resource", "keyProperty": "id",
- "optionalProperties": [
-
- ],
- "@odata.type": "microsoft.graph.agreement"
-}-->
-
-```json
+ "@odata.type": "microsoft.graph.agreement",
+ "openType": false
+}
+-->
+``` json
{
+ "@odata.type": "#microsoft.graph.agreement",
"id": "String (identifier)",
- "displayName": "MSGraph Sample",
- "isViewingBeforeAcceptanceRequired": true,
- "isPerDeviceAcceptanceRequired": false,
+ "displayName": "String",
"termsExpiration": {
- "startDateTime": "2018-10-01T00:00:00.0000000Z",
- "frequency": "PT1M"
- }
+ "@odata.type": "microsoft.graph.termsExpiration"
+ },
+ "userReacceptRequiredFrequency": "String (duration)",
+ "isViewingBeforeAcceptanceRequired": "Boolean",
+ "isPerDeviceAcceptanceRequired": "Boolean"
} ```-
-<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
-2015-10-25 14:57:30 UTC -->
-<!--
-{
- "type": "#page.annotation",
- "description": "agreement resource",
- "keywords": "",
- "section": "documentation",
- "tocPath": "",
- "suppressions": []
-}
>--
v1.0 Agreementacceptance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreementacceptance.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents the current status of a user within scope of a company's customizable terms of use powered by Azure Active Directory (Azure AD).
+Represents the current status of a user's response to a company's customizable terms of use agreement powered by Azure Active Directory (Azure AD).
<!-- ## Methods
v1.0 Agreementfile https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreementfile.md
Namespace: microsoft.graph
Represents a customizable terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
-<!--
+Inherits from [agreementFileProperties](agreementfileproperties.md).
++ ## Methods
-| Method | Return Type | Description |
-|:-|:|:|
-| [Get agreementFile](../api/agreementfile-get.md) | [agreementFile](agreementfile.md) | Read properties and relationships of an **agreementFile** object. |
-| [Update](../api/agreementfile-update.md) | [agreementFile](agreementfile.md) | Update an **agreementFile** object. |
-| [Delete](../api/agreementfile-delete.md) | None | Delete an **agreementFile** object. |
>
+None.
## Properties | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data representing the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|Read-only.|
-|isDefault|Boolean|Indicates whether this is the default agreement file if none of the cultures matches the client preference. If none of the files are marked as default, the first one will be treated as the default. Read-only.|
-|language|String|Culture of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is: '2014-01-01T00:00:00Z'.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
-<!--
## Relationships | Relationship | Type | Description | |:-|:|:|
-|localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized version of the agreement files attached to the agreement.|
>
+|localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized version of the terms of use agreement files attached to the agreement.|
+ ## JSON representation
v1.0 Agreementfilelocalization https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreementfilelocalization.md
Namespace: microsoft.graph
Represents a customizable terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
-<!--
+Inherits from [agreementFileProperties](agreementfileproperties.md).
+ ## Methods
-| Method | Return Type | Description |
-|:-|:|:|
-| [Create agreementFileLocalization](../api/agreementfilelocalization-post-agreementfilelocalizations.md) | [agreementfilelocalization](agreementfilelocalization.md) | Create a new agreementFileLocalization. |
-| [List agreementFileLocalizations](../api/agreementfilelocalization-list.md) | [agreementfilelocalization](agreementfilelocalization.md) collection | Get an agreementFileLocalization object collection. |
-| [Get agreementFileLocalization](../api/agreementfilelocalization-get.md) | [agreementfilelocalization](agreementfilelocalization.md) | Read properties and relationships of an agreementFileLocalization object. |
-| [List agreementFileVersions](../api/agreementfileversion-list.md) | [agreementfileversion](agreementfileversion.md) collection | Get an agreementFileVersion object collection. |
-| [Get agreementFileVersion](../api/agreementfileversion-get.md) | [agreementfileversion](agreementfileversion.md) | Read properties and relationships of an agreementFileVersion object. |
>
+None.
## Properties | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data representing the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|Read-only.|
-|isDefault|Boolean|Indicates whether this is the default agreement file if none of the cultures matches the client preference. If none of the files are marked as default, the first one will be treated as the default. Read-only.|
-|language|String|Culture of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is: '2014-01-01T00:00:00Z'.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
-<!--
## Relationships | Relationship | Type | Description | |:-|:|:|
-|versions|[agreementFileVersion](agreementfileversion.md) collection|The version history for the localized agreement file.|
>
+|versions|[agreementFileVersion](agreementfileversion.md) collection|Read-only. Customized versions of the terms of use agreement in the Azure AD tenant.|
+ ## JSON representation
v1.0 Agreementfileproperties https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreementfileproperties.md
+
+ Title: "agreementFileProperties resource type"
+description: "Represents the properties of a terms of use agreement file; including the localized language and the display name."
+
+ms.localizationpriority: medium
++
+# agreementFileProperties resource type
+
+Namespace: microsoft.graph
++
+Represents the properties of a terms of use agreement file; including the localized language and the display name.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only.|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
+|id|String|The identifier of the agreementFileVersion object. Read-only.|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only.|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language.|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only.|
+
+## Relationships
+
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.agreementFileProperties",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.agreementFileProperties",
+ "id": "String (identifier)",
+ "fileName": "String",
+ "language": "String",
+ "isDefault": "Boolean",
+ "isMajorVersion": "Boolean",
+ "createdDateTime": "String (timestamp)",
+ "displayName": "String",
+ "fileData": {
+ "@odata.type": "microsoft.graph.agreementFileData"
+ }
+}
+```
+
v1.0 Agreementfileversion https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/agreementfileversion.md
Namespace: microsoft.graph
Represents a customized version of terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
+Inherits from [agreementFileProperties](agreementfileproperties.md).
+ <!-- ## Methods
Represents a customized version of terms of use agreement file that a tenant man
## Properties | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data representing the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|Read-only.|
-|isDefault|Boolean|Indicates whether this is the default agreement file if none of the cultures matches the client preference. If none of the files are marked as default, the first one will be treated as the default. Read-only.|
-|language|String|Culture of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is: '2014-01-01T00:00:00Z'.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
<!-- ## Relationships
v1.0 Appconsentapprovalroute https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/appconsentapprovalroute.md
+
+ Title: "appConsentApprovalRoute resource type"
+description: "Container for base resources that expose the app consent request API and features. Currently exposes only the appConsentRequests relationship."
+
+ms.localizationpriority: medium
++
+# appConsentApprovalRoute resource type
+
+Namespace: microsoft.graph
++
+Container for base resources that expose the app consent request API and features. Currently exposes only the [appConsentRequests](appconsentrequest.md) relationship.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|appConsentRequests|[appConsentRequest](../resources/appconsentrequest.md) collection| A collection of [userConsentRequest](../resources/userconsentrequest.md) objects for a specific application.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.appConsentApprovalRoute",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.appConsentApprovalRoute"
+}
+```
+
v1.0 Appconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/appconsentrequest.md
A collection of [userConsentRequest](../resources/userconsentrequest.md) objects
## Methods |Method|Return type|Description| |:|:|:|
-|[List appConsentRequests](../api/appconsentrequest-list.md)|[appConsentRequest](../resources/appconsentrequest.md) collection|Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties.|
+|[List appConsentRequests](../api/appconsentapprovalroute-list-appconsentrequests.md)|[appConsentRequest](../resources/appconsentrequest.md) collection|Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties.|
|[Get appConsentRequest](../api/appconsentrequest-get.md)|[appConsentRequest](../resources/appconsentrequest.md)|Read the properties and relationships of an [appConsentRequest](../resources/appconsentrequest.md) object.| |[filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md)|[appConsentRequest](../resources/appconsentrequest.md)|Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`.|
v1.0 Approval https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/approval.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), the approval object for decisions associated with the `accessPackageAssignmentRequest`. A single step request can have one step associated with it which approvers can act on. Similarly, a multi-step request can have multiple steps associated with it which approvers can act on. However, in multi-step approvals both pending and previously completed steps are shown.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), the approval object for decisions associated with the `accessPackageAssignmentRequest`. A single step request can have one step associated with it which approvers can act on. Similarly, a multi-step request can have multiple steps associated with it which approvers can act on. However, in multi-step approvals both pending and previously completed steps are shown.
In [userConsentRequests](../resources/userconsentrequest.md), the approval object for decisions associated with a request.
v1.0 Approvalstep https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/approvalstep.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), the approvalStep object for decisions associated with the `accessPackageAssignmentRequest`. It is used to distinguish decisions for different steps of an approval workflow that approvers can act on.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), the approvalStep object for decisions associated with the `accessPackageAssignmentRequest`. It is used to distinguish decisions for different steps of an approval workflow that approvers can act on.
In [userConsentRequests](../resources/userconsentrequest.md), the approval decisions associated with a request.
v1.0 Azure Ad Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/azure-ad-overview.md
The following table lists some common use cases for Azure AD resources.
| **Access reviews** | | | | Ensure group memberships and application access rights are correct with access reviews. | [access reviews API](../resources/accessreviews-root.md) |[Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview) | | **Consent requests** | | |
-| Manage the consent request workflow for users attempting to access apps that require admin authorization. | [Consent requests API](../resources/consentrequests-root.md) |[Configure the admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow) |
+| Manage the consent request workflow for users attempting to access apps that require admin authorization. | [Consent requests API](../resources/consentrequests-overview.md) |[Configure the admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow) |
## What's new Find out about the [latest new features and updates](/graph/whats-new-overview) for this API set.
v1.0 Azureactivedirectorytenant https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/azureactivedirectorytenant.md
Namespace: microsoft.graph
Used in the identity sources of an [connectedOrganization](connectedOrganization.md). The `@odata.type` value `#microsoft.graph.azureActiveDirectoryTenant` indicates that this type identifies another Azure Active Directory tenant as an identity source for a connected organization.
-When [creating a new connectedOrganization](../api/connectedorganization-post.md), if the caller provides in the identitySources collection a domainIdentitySource and the domain corresponds to a registered domain of an Azure Active Directory tenant, then the resulting connectedOrganization that is created will have an identitySources collection containing a single member of the [azureActiveDirectoryTenant](azureactivedirectorytenant.md) type.
+When [creating a new connectedOrganization](../api/entitlementmanagement-post-connectedorganizations.md), if the caller provides in the identitySources collection a domainIdentitySource and the domain corresponds to a registered domain of an Azure Active Directory tenant, then the resulting connectedOrganization that is created will have an identitySources collection containing a single member of the [azureActiveDirectoryTenant](azureactivedirectorytenant.md) type.
## Properties
v1.0 Connectedorganization https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/connectedorganization.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), a connected organization is a reference to a directory or domain of another organization whose users can request access.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), a connected organization is a reference to a directory or domain of another organization whose users can request access.
## Methods |Method|Return type|Description| |:|:|:|
-|[List connectedOrganizations](../api/connectedorganization-list.md) | [connectedOrganization](connectedorganization.md) collection | Retrieve a list of connectedOrganization objects. |
-|[Create connectedOrganization](../api/connectedorganization-post.md) | [connectedOrganization](connectedorganization.md) | Create a new connectedOrganization object. |
+|[List connectedOrganizations](../api/entitlementmanagement-list-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) collection | Retrieve a list of connectedOrganization objects. |
+|[Create connectedOrganization](../api/entitlementmanagement-post-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) | Create a new connectedOrganization object. |
|[Get connectedOrganization](../api/connectedorganization-get.md) | [connectedOrganization](connectedorganization.md) | Read properties and relationships of a connectedOrganization object. | |[Update connectedOrganization](../api/connectedorganization-update.md) | | Update a connectedOrganization. | |[Delete connectedOrganization](../api/connectedorganization-delete.md) |None | Delete a connectedOrganization. |
In [Azure AD entitlement management](entitlementmanagement-root.md), a connected
|createdBy|String|UPN of the user who created this resource. Read-only.| |createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |description|String|The description of the connected organization.|
-|displayName|String|The display name of the connected organization.|
+|displayName|String|The display name of the connected organization. Supports `$filter` (`eq`).|
|id|String| Read-only.| |modifiedBy|String|UPN of the user who last modified this resource. Read-only.| |modifiedDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.|
In [Azure AD entitlement management](entitlementmanagement-root.md), a connected
|Relationship|Type|Description| |:|:|:|
-|identitySources|[identitySource](identitySource.md) collection| The identity sources in this connected organization, one of [azureActiveDirectoryTenant](azureactivedirectorytenant.md), [domainIdentitySource](domainidentitysource.md) or [externalDomainFederation](externaldomainfederation.md). Read-only. Nullable.|
+|identitySources|[identitySource](identitySource.md) collection| The identity sources in this connected organization, one of [azureActiveDirectoryTenant](azureactivedirectorytenant.md), [domainIdentitySource](domainidentitysource.md) or [externalDomainFederation](externaldomainfederation.md). Read-only. Nullable. Supports `$select` and `$filter`(`eq`). To filter by the derived types, you must declare the resource using its full OData cast, for example, `microsoft.graph.azureActiveDirectoryTenant.`|
|internalSponsors| [directoryObject](directoryobject.md) collection| Nullable.| |externalSponsors| [directoryObject](directoryobject.md) collection| Nullable.|
v1.0 Consentrequests Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/consentrequests-overview.md
+
+ Title: "Azure Active Directory consent requests"
+description: "Use Azure AD consent requests to manage the request workflow for users attempting to access apps that require admin consent."
+ms.localizationpriority: medium
+++
+# Azure Active Directory consent requests
+
+Namespace: microsoft.graph
++
+Azure Active Directory (Azure AD) consent requests help you manage the request workflow for users attempting to access apps that require admin approval.
+
+To allow users to request access or admin consent for applications they're unauthorized to grant consent to themselves, first enable the consent request workflow.
+
+>[!NOTE]
+>The current APIs are limited to configuring the workflow and reading the list of requests. At this time, there arenΓÇÖt any methods available to programmatically approve or deny a request. However, the contents of the request can be used to recreate a URL which can be used to grant admin consent and approve a request.
+
+The consent request resource types include:
+
+* [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md): Specifies the policy by which app consent requests can be created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
+* [appConsentRequest](../resources/appconsentrequest.md): A request that represents a collection of **userConsentRequests** for a specific application.
+* [userConsentRequest](../resources/userconsentrequest.md): A request created by a user to use an app that requires admin consent to access.
+* [appConsentRequestScope](../resources/appconsentrequestscope.md): A resource that contains details of the dynamic permission scopes being requested for an application.
+
+## Methods
+
+The following table lists the methods that you can use to interact with consent request resources.
+
+| Method | Return type |Description|
+|:|:--|:-|
+|[Get adminConsentRequestPolicy](../api/adminconsentrequestpolicy-get.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Read the properties of the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
+|[Update adminConsentRequestPolicy](../api/adminconsentrequestpolicy-update.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Set configurations for the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
+|[List appConsentRequests ](../api/appconsentapprovalroute-list-appconsentrequests.md) | [appConsentRequest](appconsentrequest.md) collection | Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties. |
+|[Get appConsentRequest ](../api/appconsentrequest-get.md) | [appConsentRequest](appconsentrequest.md) collection | Read an [appConsentRequest](appconsentrequest.md) object. |
+|[appConsentRequests: filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md) | [appConsentRequest](../resources/appconsentrequest.md) collection | Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`. |
+|[Get userConsentRequest ](../api/userconsentrequest-get.md) | [userConsentRequest](userconsentrequest.md) collection | Read a [userConsentRequest](userconsentrequest.md) object for an [appConsentRequest](appconsentrequest.md). |
+|[List userConsentRequests ](../api/appconsentrequest-list-userconsentrequests.md) | [userConsentRequest](userconsentrequest.md) collection | Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md). |
+|[userConsentRequest: filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/userconsentrequest.md) collection | Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md) for which the current user is the reviewer. |
+
+## Role and delegated permission authorization checks
+
+The following directory roles are required for a calling user to manage the requests workflow or read the list of requests.
+
+| Operation | Delegated permissions | Required directory role of the calling user |
+|:|:|:--|
+| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Administrator, Global Reader, Cloud App Administrator, and Application Administrator |
+
+## See also
+
+- [Configure the admin consent workflow (preview)](/azure/active-directory/manage-apps/configure-admin-consent-workflow?preserve-view=true)
++
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Service root",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": []
+}
+-->
v1.0 Domainidentitysource https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/domainidentitysource.md
Namespace: microsoft.graph
Used in the identity sources of an [connectedOrganization](connectedOrganization.md). The `@odata.type` value `#microsoft.graph.domainIdentitySource` indicates that this type identifies a domain as an identity source for a connected organization.
-When [creating a new connectedOrganization](../api/connectedorganization-post.md), if the caller provides in the identitySources collection a domainIdentitySource and the domain corresponds to a registered domain of an Azure Active Directory tenant, then the resulting connectedOrganization that is created will have an identitySources collection containing a single member of the [azureActiveDirectoryTenant](azureactivedirectorytenant.md) type.
+When [creating a new connectedOrganization](../api/entitlementmanagement-post-connectedorganizations.md), if the caller provides in the identitySources collection a domainIdentitySource and the domain corresponds to a registered domain of an Azure Active Directory tenant, then the resulting connectedOrganization that is created will have an identitySources collection containing a single member of the [azureActiveDirectoryTenant](azureactivedirectorytenant.md) type.
## Properties
v1.0 Entitlementmanagement Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/entitlementmanagement-overview.md
+
+ Title: "Working with the Azure AD entitlement management API"
+description: "Govern access to resources including groups, apps and sites through Azure AD entitlement management"
+ms.localizationpriority: medium
+++
+# Working with the Azure AD entitlement management API
+
+Namespace: microsoft.graph
++
+Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.
+
+By creating access packages with the roles users need to have across those resources, and defining policies for who can request an access package and how long they can have an assignment to an access package, you can govern the lifecycle of access for both internal and external users.
+
+The entitlement management resource types include:
+
+- [accessPackage](accesspackage.md): Defines the collections of resource roles and the policies for how one or more users may obtain access to those resources.
+- [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md): Specifies the policy by which subjects may request or be assigned an access package via an access package assignment.
+- [accessPackageAssignmentRequest](accesspackageassignmentrequest.md): Created by a user who wishes to obtain an access package assignment.
+- [accessPackageAssignment](accesspackageassignment.md): An assignment of an access package to a particular subject, for a period of time.
+- [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md): Indicates the resource-specific role which a subject has been assigned through an access package assignment.
+- [accessPackageCatalog](accesspackagecatalog.md): A container for access packages.
+- [accessPackageResourceRequest](accesspackageresourcerequest.md): A request to add a resource to an access package catalog.
+- [accessPackageResourceEnvironment](accesspackageresourceenvironment.md): A reference to the geolocation of the resource. Applicable to Multi-Geo SharePoint Online sites.
+- [connectedOrganization](connectedorganization.md): A connected organization for external users who can request access.
+- [entitlementManagementSettings](entitlementmanagementsettings.md): Tenant-wide settings for Azure AD entitlement management.
+- [approval](approval.md): represents the decisions associated with an access package request.
+
+In addition, role assignments for entitlement management-specific roles can be managed through entitlement management [role definitions](unifiedroledefinition.md).
+
+For a tutorial that shows you how to use entitlement management to create a package of resources that internal users can self-service request, see [Create an access package using Microsoft Graph APIs](/graph/tutorial-access-package-api).
+
+Note that the entitlement management feature, including the API, is included in Azure AD Premium P2. The tenant where entitlement management is being used must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription.
+
+## Methods
+
+The following table lists the methods that you can use to interact with entitlement management-related resources.
+
+| Method | Return type |Description|
+|:|:--|:-|
+| [Get](../api/entitlementmanagementsettings-get.md) | [entitlementManagementSettings](entitlementmanagementsettings.md) | Read the properties of an **entitlementManagementSettings** object. |
+| [Update](../api/entitlementmanagementsettings-update.md) | [entitlementManagementSettings](entitlementmanagementsettings.md) | Update the properties of an **entitlementManagementSettings** object. |
+| [List accessPackages](../api/entitlementmanagement-list-accesspackages.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accessPackage** objects. |
+| [Create accessPackage](../api/entitlementmanagement-post-accesspackages.md) | [accessPackage](accesspackage.md) | Create a new **accessPackage** object. |
+| [Get accessPackage](../api/accesspackage-get.md) | [accessPackage](accesspackage.md) | Read properties and relationships of an **accessPackage** object. |
+| [Update accessPackage](../api/accesspackage-update.md)|None | Update the properties of an **accesspackage** object. |
+| [Delete accessPackage](../api/accesspackage-delete.md) | | Delete **accessPackage**. |
+| [FilterByCurrentUser](../api/accesspackage-filterbycurrentuser.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accessPackage** objects filtered on the signed-in user. |
+| [List accessPackageResourceRoleScopes](../api/accesspackage-list-accesspackageresourcerolescopes.md) | [accessPackageResourceRoleScope](accesspackageresourcerolescope.md) collection | Retrieve a list of **accessPackageResourceRoleScope** objects for an access package. |
+| [Create accessPackageResourceRoleScope](../api/accesspackage-post-accesspackageresourcerolescopes.md) | | Create a new **accessPackageResourceRoleScope** object for an access package. |
+| [List incompatibleAccessPackages](../api/accesspackage-list-incompatibleaccesspackages.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of the incompatible **accesspackage** objects for this access package. |
+| [Add accessPackage to incompatibleAccessPackages](../api/accesspackage-post-incompatibleaccesspackage.md) | None | Add a link to indicate another **accesspackage** is incompatible with a specified access package. |
+| [Remove accessPackage from incompatibleAccessPackages](../api/accesspackage-delete-incompatibleaccesspackage.md) | None | Remove a link that indicated an **accesspackage** was incompatible. |
+| [List incompatibleGroups](../api/accesspackage-list-incompatiblegroups.md) | [group](group.md) collection | Retrieve a list of the incompatible **group** objects for this access package. |
+| [Add group to incompatibleGroups](../api/accesspackage-post-incompatiblegroup.md) | None | Add a link to indicate membership of a **group** is incompatible with a specified access package. |
+| [Remove group from incompatibleGroups](../api/accesspackage-delete-incompatiblegroup.md) | None | Remove a link that indicated a **group** membership was incompatible.|
+| [List accessPackagesIncompatibleWith](../api/accesspackage-list-accesspackagesincompatiblewith.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of the **accesspackage** objects which list this access package as incompatible. |
+| [List accessPackageAssignmentPolicies](../api/entitlementmanagement-list-accesspackageassignmentpolicies.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) collection | Retrieve a list of **accessPackageAssignmentPolicy** objects. |
+| [Create accessPackageAssignmentPolicy](../api/entitlementmanagement-post-accesspackageassignmentpolicies.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md)| Create a new **accessPackageAssignmentPolicy** object. |
+| [Get accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-get.md) | [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Read properties and relationships of an **accessPackageAssignmentPolicy** object. |
+| [Update accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-update.md)|[accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) | Update the properties of an **accessPackageAssignmentPolicy** object. |
+| [Delete accessPackageAssignmentPolicy](../api/accesspackageassignmentpolicy-delete.md) | | Delete an **accessPackageAssignmentPolicy**. |
+| [List accessPackageAssignmentRequests](../api/entitlementmanagement-list-accesspackageassignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) collection | Retrieve a list of **accessPackageAssignmentRequest** objects. |
+| [Create accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Create a new **accessPackageAssignmentRequest**. |
+| [Get accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-get.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Read properties and relationships of an **accessPackageAssignmentRequest** object. |
+| [Delete accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-delete.md) |None | Delete an **accessPackageAssignmentRequest**. |
+|[FilterByCurrentUser](../api/accesspackageassignmentrequest-filterbycurrentuser.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Retrieve the list of **accessPackageAssignmentRequest** objects filtered on the signed-in user.|
+|[cancel](../api/accesspackageassignmentrequest-cancel.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Cancel an **accessPackageAssignmentRequest** object that is in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.|
+| [List accessPackageAssignments](../api/entitlementmanagement-list-accesspackageassignments.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. |
+|[FilterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.|
+| [List accessPackageAssignmentResourceRoles](../api/entitlementmanagement-list-accesspackageassignmentresourceroles.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) collection | Retrieve a list of **accessPackageAssignmentResourceRole** objects. |
+| [Get accessPackageAssignmentResourceRole](../api/accesspackageassignmentresourcerole-get.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) | Retrieve a **accessPackageAssignmentResourceRole** object. |
+| [List accessPackageCatalogs](../api/entitlementmanagement-list-accesspackagecatalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) collection | Retrieve a list of **accessPackageCatalogs** objects. |
+| [Create accessPackageCatalog](../api/entitlementmanagement-post-accesspackagecatalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) | Create a new **accessPackageCatalog** object. |
+| [Get accessPackageCatalog](../api/accesspackagecatalog-get.md) | [accessPackageCatalog](accesspackagecatalog.md) | Read properties and relationships of an **accessPackageCatalog** object. |
+| [Update accessPackageCatalog](../api/accesspackagecatalog-update.md)|None | Update the properties of an **accessPackageCatalog** object. |
+| [Delete accessPackageCatalog](../api/accesspackagecatalog-delete.md) | | Delete an **accessPackageCatalog**. |
+| [List accessPackageCatalog resources](../api/accesspackagecatalog-list-accesspackageresources.md) | [accessPackageResource](accesspackageresource.md) collection | Retrieve a list of **accessPackageResource** objects. |
+| [List accessPackageCatalog resource roles](../api/accesspackagecatalog-list-accesspackageresourceroles.md) | [accessPackageResourceRole](accesspackageresourcerole.md) collection | Retrieve a list of **accessPackageResourceRole** objects. |
+| [List accessPackageResourceRequests](../api/entitlementmanagement-list-accesspackageresourcerequests.md) | [accessPackageResourceRequest](accesspackageresourcerequest.md) collection | Read properties and relationships of **accessPackageResourceRequest** objects. |
+| [Create accessPackageResourceRequest](../api/entitlementmanagement-post-accesspackageresourcerequests.md) | [accessPackageCatalog](accesspackageresourcerequest.md) | Create a new **accessPackageResourceRequest** object. |
+|[List accessPackageResourceEnvironments](../api/entitlementmanagement-list-accesspackageresourceenvironment.md)|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) collection|Retrieve a list of [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) objects.|
+|[Get accessPackageResourceEnvironment](../api/accesspackageresourceenvironment-get.md)|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md)|Read the properties and relationships of an [accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) object.|
+| [List connectedOrganizations](../api/entitlementmanagement-list-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) collection | Retrieve a list of **connectedOrganization** objects. |
+| [Create connectedOrganization](../api/entitlementmanagement-post-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) | Create a new **connectedOrganization** object. |
+| [Get connectedOrganization](../api/connectedorganization-get.md) | [connectedOrganization](connectedorganization.md) | Read properties and relationships of a **connectedOrganization** object. |
+| [Update connectedOrganization](../api/connectedorganization-update.md) |None | Update a **connectedOrganization**. |
+| [Delete connectedOrganization](../api/connectedorganization-delete.md) |None | Delete a **connectedOrganization**. |
+|[List internalSponsors](../api/connectedorganization-list-internalsponsors.md) | [directoryObject](directoryobject.md) collection | Retrieve a list of a **connectedOrganization's** internal sponsors. |
+|[List externalSponsors](../api/connectedorganization-list-externalsponsors.md) | [directoryObject](directoryobject.md) collection | Retrieve a list of a **connectedOrganization's** external sponsors. |
+|[Add internalSponsors](../api/connectedorganization-post-internalsponsors.md) | None | Add a user or group to a **connectedOrganization's** internal sponsors. |
+|[Add externalSponsors](../api/connectedorganization-post-externalsponsors.md) | None | Add a user or group to a **connectedOrganization's** external sponsors. |
+|[Remove internalSponsors](../api/connectedorganization-delete-internalsponsors.md) | None | Remove a user or group from a **connectedOrganization's** internal sponsors. |
+|[Get approval](../api/approval-get.md) | [approval](approval.md) | Retrieve the properties of an **approval** object. |
+|[List approvalSteps](../api/approval-list-steps.md) | [approvalStep](approvalstep.md) collection | List the **approvalStep** objects associated with an **approval** object. |
+|[Get approvalStep](../api/approvalstep-get.md) | [approvalStep](approvalstep.md) | Retrieve the properties of an **approvalStep** object. |
+|[Update approvalStep](../api/approvalstep-update.md) | None | Apply approve or deny decision on an **approvalStep** object. |
++
+## Types
+
+- [requestorSettings](requestorsettings.md), [approvalSettings](approvalsettings.md), [questions](accesspackagequestion.md) and [assignmentReviewSettings](assignmentreviewsettings.md) - Used in an [accessPackageAssignmentPolicy](accesspackageassignmentpolicy.md) to specify who can request, who approves, and who reviews access package assignment requests on that policy.
+- [approvalStage](approvalstage.md) - Used in the [approvalSettings](approvalsettings.md) to specify the primary, backup, and escalation approvers.
+- [approvalStep](approvalstep.md) - Used in [approval](approval.md) to distinguish the different approval steps.
+- [userSet](userset.md) subtypes [singleUser](singleuser.md), [groupMembers](groupmembers.md), [connectedOrganizationMembers](connectedorganizationmembers.md), [requestorManager](requestormanager.md), [internalSponsors](internalsponsors.md), and [externalSponsors](externalsponsors.md) - Used in [requestorSettings](requestorsettings.md), [approvalStage](approvalstage.md), [approvalStep](approvalstep.md) and [assignmentReviewSettings](assignmentreviewsettings.md).
+- [accessPackageSubject](accesspackagesubject.md) - Used in the [accessPackageAssignment](accesspackageassignment.md) as a subject user who has an access package assignment.
+- [identitySource](identitysource.md) - used in the [connectedOrganization](connectedorganization.md), one of [azureActiveDirectoryTenant](azureactivedirectorytenant.md), [domainIdentitySource](domainidentitysource.md) or [externalDomainFederation](externaldomainfederation.md).
+
+## See also
+
+ - [What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)
+++
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Service root",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
v1.0 Entitlementmanagement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/entitlementmanagement.md
+
+ Title: "entitlementManagement resource type"
+description: "The container for entitlement management resources."
+
+ms.localizationpriority: medium
++
+# entitlementManagement resource type
+
+Namespace: microsoft.graph
++
+The entitlement management singleton is the container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md). For a full list of resources see [entitlement management overview](entitlementmanagement-overview.md).
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|accessPackageAssignmentPolicies|[accessPackageAssignmentPolicy](../resources/accesspackageassignmentpolicy.md) collection| Represents the policy that governs which subjects can request or be assigned an access package via an access package assignment. |
+|accessPackageAssignmentRequests|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Represents access package assignment requests created by or on behalf of a user.|
+|accessPackageAssignmentResourceRoles|[accessPackageAssignmentResourceRole](../resources/accesspackageassignmentresourcerole.md) collection| Represents the resource-specific role which a subject has been assigned through an access package assignment.|
+|accessPackageAssignments|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Represents the grant of an access package to a subject (user or group).|
+|accessPackageCatalogs|[accessPackageCatalog](../resources/accesspackagecatalog.md) collection|Represents a group of access packages.|
+|accessPackageResourceEnvironments|[accessPackageResourceEnvironment](../resources/accesspackageresourceenvironment.md) collection| A reference to the geolocation environment in which a resource is located.|
+|accessPackageResourceRequests|[accessPackageResourceRequest](../resources/accesspackageresourcerequest.md) collection|Represents a request to add or remove a resource to or from a catalog respectively. |
+|accessPackageResourceRoleScopes|[accessPackageResourceRoleScope](../resources/accesspackageresourcerolescope.md) collection| A reference to both a scope within a resource, and a role in that resource for that scope. |
+|accessPackageResources|[accessPackageResource](../resources/accesspackageresource.md) collection| A reference to a resource associated with an access package catalog.|
+|accessPackages|[accessPackage](../resources/accesspackage.md) collection|Represents access package objects.|
+|connectedOrganizations|[connectedOrganization](../resources/connectedorganization.md) collection|Represents references to a directory or domain of another organization whose users can request access.|
+|settings|[entitlementManagementSettings](../resources/entitlementmanagementsettings.md)|Represents the settings that control the behavior of Azure AD entitlement management.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.entitlementManagement",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.entitlementManagement",
+ "id": "String (identifier)"
+}
+```
+
v1.0 Entitlementmanagementsettings https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/entitlementmanagementsettings.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents settings that control the behavior of [Azure AD entitlement management](entitlementmanagement-root.md). This resource does not include the catalog creators setting; to view or change the catalog creators role membership, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
+Represents settings that control the behavior of [Azure AD entitlement management](entitlementmanagement-overview.md). This resource does not include the catalog creators setting; to view or change the catalog creators role membership, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
## Methods
v1.0 Expirationpattern https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/expirationpattern.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of a [requestSchedule](requestschedule.md) indicates when the access package assignment should expire.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of a [requestSchedule](requestschedule.md) indicates when the access package assignment should expire.
## Properties
v1.0 Identitygovernance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/identitygovernance.md
+
+ Title: "identityGovernance resource type"
+description: "The singleton for containing identity governance resources."
+ms.localizationpriority: medium
+++
+# identityGovernance resource type
+
+Namespace: microsoft.graph
++
+The identity governance singleton is the container for the following Azure Active Directory identity governance features that are exposed through the following resources and APIs:
+++ [Access reviews](accessreviewsv2-overview.md)++ [Entitlement management](entitlementmanagement-overview.md)++ [App consent](consentrequests-overview.md)++ [Terms of use](agreement.md)+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|accessReviews|[accessReviewSet](accessreviewset.md)| Container for the base resources that expose the access reviews API and features.|
+|appConsent|[appConsent](appconsentapprovalroute.md)| Container for base resources that expose the app consent request API and features. Currently exposes only the [appConsentRequests](appconsentrequest.md) resource.|
+|entitlementManagement|[entitlementManagement](entitlementmanagement.md)| Container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md).|
+|termsOfUse|[termsOfUseContainer](termsofusecontainer.md)| Container for the resources that expose the terms of use API and its features, including [agreements](agreement.md) and [agreementAcceptances](agreementacceptance.md). |
+
v1.0 Requestschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/requestschedule.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule.
## Properties
v1.0 Termsofusecontainer https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/termsOfUseContainer.md
+
+ Title: "termsOfUseContainer resource type"
+description: "Container for the relationships that expose the terms of use API and its features. Currently exposes the agreements and agreementAcceptances relationships."
+ms.localizationpriority: medium
+++
+# termsOfUseContainer resource type
+
+Namespace: microsoft.graph
++
+Container for the relationships that expose the terms of use API and its features. Currently exposes the [agreements](agreement.md) and [agreementAcceptances](agreementacceptance.md) relationships.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|agreementAcceptances|[agreementAcceptance](agreementacceptance.md) collection| Represents the current status of a user's response to a company's customizable terms of use agreement.|
+|agreements|[agreement](agreement.md) collection|Represents a tenant's customizable terms of use agreement that's created and managed with Azure Active Directory (Azure AD).|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.termsOfUseContainer",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.termsOfUseContainer"
+}
+```
+
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/user.md
This resource supports:
| streetAddress | String | The street address of the user's place of business. Maximum length is 1024 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| | surname | String | The user's surname (family name or last name). Maximum length is 64 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). | | usageLocation | String | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: `US`, `JP`, and `GB`. Not nullable. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-| userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](organization.md).<br>NOTE: This property cannot contain accent characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`) and `$orderBy`.
+| userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](organization.md).<br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts). <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`) and `$orderBy`.
| userType | String | A String value that can be used to classify user types in your directory, such as `Member` and `Guest`. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). **NOTE:** For more information about the permissions for member and guest users, see [What are the default user permissions in Azure Active Directory?](/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users) | ### Legal age group property definitions
v1.0 Userconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/userconsentrequest.md
A [userConsentRequest](../resources/userconsentrequest.md) is created by a user
## Methods |Method|Return type|Description| |:|:|:|
-|[List userConsentRequests](../api/userconsentrequest-list.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md).|
+|[List userConsentRequests](../api/appconsentrequest-list-userconsentrequests.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md).|
|[Get userConsentRequest](../api/userconsentrequest-get.md)|[userConsentRequest](../resources/userconsentrequest.md)|Read the properties and relationships of a [userConsentRequest](../resources/userconsentrequest.md) object.| |[filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md) for which the current user is the reviewer.|
v1.0 Accesspackage Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackage-filterbycurrentuser.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackage](../resources/accesspackage.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackage](../resources/accesspackage.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='parameterValue')
+GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')
``` ## Function parameters
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|accessPackageFilterByCurrentUserOptions|The list of user options that can be used to filter on the access packages list.|
+|on|accessPackageFilterByCurrentUserOptions|The list of user options that can be used to filter on the access packages list. The allowed value is `allowedRequestor`.|
- `allowedRequestor` is used to get the `accessPackage` objects for which the signed-in user is allowed to submit access requests. The resulting list includes all access packages that can be requested by the caller across all catalogs.
v1.0 Accesspackage Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackage-get.md
GET /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}
This method supports the `$select` [OData query parameter](/graph/query-parameters) to retrieve specific properties. -- ## Request headers | Name |Description|
v1.0 Accesspackage Getapplicablepolicyrequirements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), this action retrieves a list of [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) objects that the currently signed-in user can use to create an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md). Each requirement object corresponds to an access package assignment policy that the currently signed-in user is allowed to request an assignment for.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), this action retrieves a list of [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) objects that the currently signed-in user can use to create an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md). Each requirement object corresponds to an access package assignment policy that the currently signed-in user is allowed to request an assignment for.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Accesspackageassignment Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackageassignment-filterbycurrentuser.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|accessPackageAssignmentFilterByCurrentUserOptions|The list of user options that can be used to filter on the access package assignments list.|
+|on|accessPackageAssignmentFilterByCurrentUserOptions|The list of user options that can be used to filter on the access package assignments list. The possible values are: `target`, `createdBy`. |
- `target` is used to get the `accessPackageAssignment` objects where the signed-in user is the target. The resulting list includes all of the assignments, current and expired, for the caller across all catalogs and access packages.
v1.0 Accesspackageassignmentrequest Cancel https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), cancel [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects that are in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), cancel [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects that are in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Accesspackageassignmentrequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackageassignmentrequest-filterbycurrentuser.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects filtered on the signed-in user.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects filtered on the signed-in user.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
The following table shows the parameters that can be used with this function.
|Parameter|Type|Description| |:|:|:|
-|on|accessPackageAssignmentRequestFilterByCurrentUserOptions|The list of user options that can be used to filter on the access package assignment requests list.|
+|on|accessPackageAssignmentRequestFilterByCurrentUserOptions|The list of user options that can be used to filter on the access package assignment requests list. The possible values are `target`, `createdBy`, `approver`.|
- `target` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is the target. The resulting list includes all the assignment requests, current and expired, that were requested by the caller or for the caller, across all catalogs and access packages.
v1.0 Accesspackageassignmentrequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackageassignmentrequest-get.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieve the properties and relationships of an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve the properties and relationships of an [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
## Permissions
v1.0 Accessreviewinstance List Decisions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewinstance-list-decisions.md
doc_type: apiPageType
# List decisions Namespace: microsoft.graph
-Get the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) resources from the decisions navigation property on a given [accessReviewInstance](../resources/accessreviewinstance.md).
+Get the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) resources from the decisions navigation property on a given [accessReviewInstance](../resources/accessreviewinstance.md). A list of zero or more accessReviewInstanceDecisionItem objects are returned, including all of their nested properties.
>[!NOTE] >The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
v1.0 Accessreviewinstance List https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewinstance-list.md
- Title: "List accessReviewInstances"
-description: "Get a list of the accessReviewInstance objects and their properties."
-
-doc_type: apiPageType
--
-# List accessReviewInstances
-Namespace: microsoft.graph
-
-Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties.
-
->[!NOTE]
->The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type|Permissions (from least to most privileged)|
-|:|:|
-|Delegated (work or school account)|AccessReview.Read.All, AccessReview.ReadWrite.All|
-|Delegated (personal Microsoft account)|Not supported.|
-|Application|AccessReview.Read.All, AccessReview.ReadWrite.All|
-
-## HTTP request
-
-<!-- {
- "blockType": "ignored"
-}
>
-``` http
-GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances
-```
-
-## Optional query parameters
-This method supports `$select`, `$filter`, `$orderBy`, `$skip`, and `$top` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-|Name|Description|
-|:|:|
-|Authorization|Bearer {token}. Required.|
-
-## Request body
-Do not supply a request body for this method.
-
-## Response
-
-If successful, this method returns a `200 OK` response code and a collection of [accessReviewInstance](../resources/accessreviewinstance.md) objects in the response body.
-
-## Examples
-
-### Request
-
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_accessreviewinstance"
-}
>
-``` http
-GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/8564a649-4f67-4e09-88e7-55def6530e88/instances
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-----
-### Response
->**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "Collection(microsoft.graph.accessReviewInstance)"
-}
>
-``` http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('8564a649-4f67-4e09-88e7-55def6530e88')/instances",
- "@odata.count": 2,
- "value": [
- {
- "id": "7bc18cf4-3d70-4009-bc8e-a7c5adb30849",
- "startDateTime": "2021-03-09T23:10:28.83Z",
- "endDateTime": "2021-03-09T23:10:28.83Z",
- "status": "Applied",
- "scope": {
- "@odata.type": "#microsoft.graph.accessReviewQueryScope",
- "query": "/v1.0/groups/f661fdd0-f0f7-42c0-8281-e89c6527ac63/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
- "queryType": "MicrosoftGraph",
- "queryRoot": null
- }
- }
- ]
-}
-```
v1.0 Accessreviewinstancedecisionitem List https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewinstancedecisionitem-list.md
- Title: "List accessReviewInstanceDecisionItems"
-description: "Get a list of the accessReviewInstanceDecisionItem objects and their properties."
-
-doc_type: apiPageType
--
-# List accessReviewInstanceDecisionItems
-Namespace: microsoft.graph
-
-Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.
-
->[!NOTE]
->The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type|Permissions (from least to most privileged)|
-|:|:|
-|Delegated (work or school account)|AccessReview.Read.All, AccessReview.ReadWrite.All |
-|Delegated (personal Microsoft account)|Not supported.|
-|Application|AccessReview.Read.All, AccessReview.ReadWrite.All|
-
-## HTTP request
-
-<!-- {
- "blockType": "ignored"
-}
>
-``` http
-GET /identityGovernance/accessReviews/definitions/{accessReviewScheduleDefinitionId}/instances/{accessReviewInstanceId}/decisions
-```
-
-## Optional query parameters
-This method supports `$select`, `$filter`, `$orderBy`, `$skip`, and `$top` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-|Name|Description|
-|:|:|
-|Authorization|Bearer {token}. Required.|
-
-## Request body
-Do not supply a request body for this method.
-
-## Response
-
-If successful, this method returns a `200 OK` response code and a collection of [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects in the response body.
-
-## Examples
-
-### Request
-
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_accessreviewinstancedecisionitem"
-}
>
-``` http
-GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/abadf3b6-8ea4-4dea-90a5-9eac8fe93fbd/instances/7070ea1c-8d12-457b-bd35-a37dc59e54e0/decisions
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-----
-### Response
->**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "Collection(microsoft.graph.accessReviewInstanceDecisionItem)"
-}
>
-``` http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/accessReviews/definitions('abadf3b6-8ea4-4dea-90a5-9eac8fe93fbd')/instances('7070ea1c-8d12-457b-bd35-a37dc59e54e0')/decisions",
- "@odata.count": 1,
- "value": [
- {
- "id": "9550e25b-f315-4454-9d87-16b885c35de4",
- "accessReviewId": "7070ea1c-8d12-457b-bd35-a37dc59e54e0",
- "reviewedDateTime": null,
- "decision": "NotReviewed",
- "justification": "",
- "appliedDateTime": null,
- "applyResult": "New",
- "recommendation": "Deny",
- "principalLink": "https://graph.microsoft.com/v1.0/users/1800bb2c-955d-4205-8471-3a6c3116435d",
- "resourceLink": null,
- "resource": null,
- "reviewedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "appliedBy": {
- "id": "00000000-0000-0000-0000-000000000000",
- "displayName": "",
- "userPrincipalName": ""
- },
- "target": {
- "@odata.type": "#microsoft.graph.accessReviewInstanceDecisionItemUserTarget",
- "userId": "1800bb2c-955d-4205-8471-3a6c3116435d",
- "userDisplayName": "guest example",
- "userPrincipalName": "guest@guest.com"
- },
- "principal": {
- "@odata.type": "#microsoft.graph.userIdentity",
- "id": "1800bb2c-955d-4205-8471-3a6c3116435d",
- "displayName": "guest example",
- "userPrincipalName": "guest@guest.com"
- }
- }
- ]
-}
-```
v1.0 Accessreviewscheduledefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewscheduledefinition-get.md
Namespace: microsoft.graph
Read the properties and relationships of an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
-To retrieve the instances of the access review series, use the [list accessReviewInstance](accessreviewinstance-list.md) API.
+To retrieve the instances of the access review series, use the [list accessReviewInstance](accessreviewscheduledefinition-list-instances.md) API.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account)|Not supported.| |Application|AccessReview.Read.All, AccessReview.ReadWrite.All|
-To call this API, the signed-in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-root.md).
+To call this API, the signed-in user must also be in a directory role that permits them to read an access review, or the user can be assigned as a reviewer on the access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
## HTTP request
Content-Type: application/json
## See also -- [Create accessReviewScheduleDefinition](accessreviewscheduledefinition-post.md)-- [List accessReviewScheduleDefinition](accessreviewscheduledefinition-list.md)-- [List accessReviewInstance](accessreviewinstance-list.md)
+- [Create accessReviewScheduleDefinition](accessreviewset-post-definitions.md)
+- [List accessReviewScheduleDefinition](accessreviewset-list-definitions.md)
+- [List accessReviewInstance](accessreviewscheduledefinition-list-instances.md)
v1.0 Accessreviewscheduledefinition List Instances https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewscheduledefinition-list-instances.md
Title: "List instances"
-description: "Get the accessReviewInstance resources from the instances navigation property."
+description: "Get a list of the accessReviewInstance objects and their properties."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: apiPageType
# List instances Namespace: microsoft.graph
-Get the [accessReviewInstance](../resources/accessreviewinstance.md) resources from the instances navigation property on an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md).
+Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties.
>[!NOTE] >The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
If successful, this method returns a `200 OK` response code and a collection of
} --> ``` http
-GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/2dca8959-b716-4b4c-a93d-a535c01eb6e0/instances
+GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/8564a649-4f67-4e09-88e7-55def6530e88/instances
``` # [C#](#tab/csharp) [!INCLUDE [sample-code](../includes/snippets/csharp/list-accessreviewinstance-csharp-snippets.md)]
HTTP/1.1 200 OK
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('2dca8959-b716-4b4c-a93d-a535c01eb6e0')/instances",
- "@odata.count": 1,
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('8564a649-4f67-4e09-88e7-55def6530e88')/instances",
+ "@odata.count": 2,
"value": [ {
- "id": "8d035c9d-798d-47fa-beb4-f986a4b8126f",
- "startDateTime": "2021-05-01T07:00:00Z",
- "endDateTime": "2021-05-15T07:00:00Z",
- "status": "InProgress",
+ "id": "7bc18cf4-3d70-4009-bc8e-a7c5adb30849",
+ "startDateTime": "2021-03-09T23:10:28.83Z",
+ "endDateTime": "2021-03-09T23:10:28.83Z",
+ "status": "Applied",
"scope": { "@odata.type": "#microsoft.graph.accessReviewQueryScope",
- "query": "/v1.0/groups/0914d821-ca3b-45cc-98ee-54c00a04deef/transitiveMembers",
+ "query": "/v1.0/groups/f661fdd0-f0f7-42c0-8281-e89c6527ac63/members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
"queryType": "MicrosoftGraph", "queryRoot": null }
v1.0 Accessreviewset List Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewset-list-definitions.md
+
+ Title: "List definitions"
+description: "Get a list of the accessReviewScheduleDefinition objects and their properties."
+
+ms.localizationpriority: medium
++
+# List definitions
+Namespace: microsoft.graph
+
+Get a list of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects and their properties.
+
+>[!NOTE]
+>The default page size for this API is 100 accessReviewScheduleDefinition objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|AccessReview.Read.All, AccessReview.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|AccessReview.Read.All, AccessReview.ReadWrite.All|
+
+ The signed-in user must also be in a directory role that permits them to read an access review. See access review [role and application permission authorization checks](../resources/accessreviewsv2-overview.md#role-and-application-permission-authorization-checks).
+
+## HTTP request
+
+To list all your accessReviewScheduleDefinitions:
+<!-- { "blockType": "ignored" } -->
+```http
+GET /identityGovernance/accessReviews/definitions
+```
+
+## Optional query parameters
+This method supports the `$select`, `$top`, `$skip`,`$orderBy`, and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+### Use the $filter query parameter
+The `$filter` query parameter with the `contains` operator is supported on the **scope** property of accessReviewScheduleDefinition. Use the following format for the request:
+
+```http
+GET /identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, '{object}')
+```
+
+The value of `{object}` can be one of the following:
+
+|Value|Description|
+|: |: |
+|`/groups` |List every accessReviewScheduleDefinition on individual groups (excludes definitions scoped to all Microsoft 365 groups with guest users).|
+|`/groups/{group id}` |List every accessReviewScheduleDefinition on a specific group (excludes definitions scoped to all Microsoft 365 groups with guest users).|
+|`./members` |List every accessReviewScheduleDefinition scoped to all Microsoft 365 groups with guest users.|
+|`accessPackageAssignments` |List every accessReviewScheduleDefinition on an access package.|
+|`roleAssignmentScheduleInstances` |List every accessReviewScheduleDefinition for service principals assigned to a privileged role.|
+
+The `$filter` query parameter is not supported on **accessReviewInactiveUserQueryScope** or **principalResourceMembershipScope**.
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects in the response body.
+
+## Examples
+
+### Example 1: List the first one hundred access review definitions
+
+#### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessReviewScheduleDefinition"
+}-->
+```
+GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions?$top=100&$skip=0
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition",
+ "isCollection": "true"
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "98dcebed-c7f6-46f4-bcf3-4a3fccdb3e2a",
+ "displayName": "Access Review",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/119cc181-22f0-4e18-8537-264e7524ee0b/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/119cc181-22f0-4e18-8537-264e7524ee0b",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 0,
+ "autoApplyDecisionsEnabled": false,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2020-09-11",
+ "endDate": "9999-12-31"
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
+### Example 2: Retrieve all access review definitions scoped to all Microsoft 365 groups in a tenant
+
+#### Request
+The following example shows a request to retrieve all the access review series scoped to all Microsoft 365 groups in a tenant.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_accessReviewScheduleDefinition_allgroups"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, './members')
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition",
+ "isCollection": "true"
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "cc701697-762c-439a-81f5-f58d680fde76",
+ "displayName": "Review guest access across Microsoft 365 groups",
+ "status": "InProgress",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified'))&$count=true",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Recommendation",
+ "instanceDurationInDays": 25,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 3,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-04-27",
+ "endDate": "9999-12-31"
+ }
+ },
+ "applyActions": [
+ {
+ "@odata.type": "#microsoft.graph.removeAccessApplyAction"
+ }
+ ]
+ },
+ "instances@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions('cc701697-762c-439a-81f5-f58d680fde76')/instances",
+ "instances": []
+ }
+ ]
+}
+
+```
v1.0 Accessreviewset Post Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accessreviewset-post-definitions.md
+
+ Title: "Create definitions"
+description: "Create a new accessReviewScheduleDefinition object."
+ms.localizationpriority: medium
+++
+# Create definitions
+
+Namespace: microsoft.graph
+
+Create a new [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | AccessReview.ReadWrite.All |
+|Delegated (personal Microsoft account)|Not supported.|
+|Application | AccessReview.ReadWrite.All |
+
+The signed-in user must also be in a directory role that permits them to create an access review. For more details, see the role and permission requirements for [access reviews](../resources/accessreviewsv2-overview.md).
+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+POST /identityGovernance/accessReviews/definitions
+```
+## Request headers
+| Name | Description |
+|:-|:|
+|Authorization|Bearer {token}. Required.|
+| Content-type | application/json. Required. |
+
+## Request body
+In the request body, supply a JSON representation of an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+The following table shows the properties accepted to create an accessReview.
+
+| Property | Type | Description |
+|:-|:|:|
+| additionalNotificationRecipients |[accessReviewNotificationRecipientItem](../resources/accessReviewNotificationRecipientItem.md) collection| Defines the list of additional users or group members to be notified of the access review progress. |
+| descriptionForAdmins | String | Context of the review provided to admins. Required. |
+| descriptionForReviewers | String | Context of the review provided to reviewers in email notifications. Email notifications support up to 256 characters. Required. |
+| displayName | String | Name of access review series. Required.|
+| fallbackReviewers|[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection|If provided, the fallback reviewers are asked to complete a review if the primary reviewers do not exist. For example, if managers are selected as `reviewers` and a principal under review does not have a manager in Azure AD, the fallback reviewers are asked to review that principal.|
+| instanceEnumerationScope | [accessReviewScope](../resources/accessreviewscope.md) | In the case of an all groups review, this determines the scope of which groups will be reviewed. See [accessReviewScope](../resources/accessreviewscope.md) and also learn how to [configure the scope of your access review definition](/graph/accessreviews-scope-concept).|
+| reviewers | [accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection | Defines who the reviewers are. If none are specified, the review is a self-review (users review their own access). For examples of options for assigning reviewers, see [Assign reviewers to your access review definition using the Microsoft Graph API](/graph/accessreviews-reviewers-concept). |
+| scope | [accessReviewScope](../resources/accessreviewscope.md) | Defines the entities whose access is reviewed. See [accessReviewScope](../resources/accessreviewscope.md) and also learn how to [configure the scope of your access review definition](/graph/accessreviews-scope-concept). Required.|
+| settings | [accessReviewScheduleSettings](../resources/accessreviewschedulesettings.md)| The settings for an access review series. Recurrence is determined here. See [accessReviewScheduleSettings](../resources/accessreviewschedulesettings.md). |
+
+## Response
+If successful, this method returns a `201 Created` response code and an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object in the response body.
+
+## Examples
+
+### Example 1: Create an access review on a group
+
+This is an example of creating an access review with the following settings:
++ The review reviews all members of a group, whose group **id** is `02f3bafb-448c-487c-88c2-5fd65ce49a41`.++ A specific user, whose user **id** is `398164b1-5196-49dd-ada2-364b49f99b27` is the reviewer.++ It recurs weekly and continues indefinitely.+
+#### Request
+In the request body, supply a JSON representation of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition"
+}-->
+```http
+POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Test create",
+ "descriptionForAdmins": "New scheduled access review",
+ "descriptionForReviewers": "If you have any questions, contact jerry@contoso.com",
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/02f3bafb-448c-487c-88c2-5fd65ce49a41/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "/users/398164b1-5196-49dd-ada2-364b49f99b27",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 1,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1
+ },
+ "range": {
+ "type": "noEnd",
+ "startDate": "2020-09-08T12:02:30.667Z"
+ }
+ }
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "id": "29f2d16e-9ca6-4052-bbfe-802c48944448",
+ "displayName": "Test create",
+ "createdDateTime": "0001-01-01T00:00:00Z",
+ "lastModifiedDateTime": "0001-01-01T00:00:00Z",
+ "status": "NotStarted",
+ "descriptionForAdmins": "Test create",
+ "descriptionForReviewers": "Test create",
+ "instanceEnumerationScope": null,
+ "createdBy": {
+ "id": "957f1027-c0ee-460d-9269-b8444459e0fe",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups/b74444cb-038a-4802-8fc9-b9d1ed0cf11f/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ },
+ "reviewers": [
+ {
+ "query": "/users/7eae986b-d425-48b2-adf2-3c777f4444f3",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": false,
+ "defaultDecision": "None",
+ "instanceDurationInDays": 1,
+ "autoApplyDecisionsEnabled": false,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "weekly",
+ "interval": 1,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "noEnd",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2020-09-08",
+ "endDate": null
+ }
+ },
+ "applyActions": []
+ },
+ "additionalNotificationRecipients": []
+}
+```
+
+### Example 2: Create an access review on all teams with inactive guest users
+
+This is an example of creating an access review with the following settings:
++ The review reviews all teams with inactive guest users. The period of inactivity is 30 days from the start date of the access review.++ The group owners are the reviewers and fallback reviewers are assigned.++ It recurs on the third day of every quarter and continues indefinitely.++ **autoApplyDecisionsEnabled** is set to `true` with the **defaultDecision** set to `Deny`.+
+#### Request
+In the request body, supply a JSON representation of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition_inactiveguests_M365"
+}-->
+```http
+POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Review inactive guests on teams",
+ "descriptionForAdmins": "Control guest user access to our teams.",
+ "descriptionForReviewers": "Information security is everyone's responsibility. Review our access policy for more.",
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team')')",
+ "queryType": "MicrosoftGraph"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewInactiveUsersQueryScope",
+ "query": "./members/microsoft.graph.user/?$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "inactiveDuration": "P30D"
+ },
+ "reviewers": [
+ {
+ "query": "./owners",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "recommendationsEnabled": true,
+ "instanceDurationInDays": 3,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "dayOfMonth": 5,
+ "interval": 3
+ },
+ "range": {
+ "type": "noEnd",
+ "startDate": "2020-05-04T00:00:00.000Z"
+ }
+ },
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Deny",
+ "autoApplyDecisionsEnabled": true
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions/$entity",
+ "id": "b0966e21-a01e-43c9-8f8b-9ba30ed5710a",
+ "displayName": "Review inactive guests on teams",
+ "createdDateTime": "2021-05-04T18:27:02.6719849Z",
+ "lastModifiedDateTime": "2021-05-04T18:27:24.0889623Z",
+ "status": "InProgress",
+ "descriptionForAdmins": "Control guest user access to our teams.",
+ "descriptionForReviewers": "Information security is everyone's responsibility. Review our access policy for more.",
+ "createdBy": {
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "displayName": "MOD Administrator",
+ "userPrincipalName": "admin@contoso.com"
+ },
+ "scope": {
+ "@odata.type": "#microsoft.graph.accessReviewInactiveUsersQueryScope",
+ "query": "./members/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null,
+ "inactiveDuration": "P30D"
+ },
+ "instanceEnumerationScope": {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/groups?$filter=(groupTypes/any(c:c+eq+'Unified') and resourceProvisioningOptions/Any(x:x eq 'Team'))&$count=true",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ },
+ "reviewers": [
+ {
+ "query": "./owners",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "backupReviewers": [
+ {
+ "query": "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/users/fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Deny",
+ "instanceDurationInDays": 3,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 3,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-05-05",
+ "endDate": "9999-12-31"
+ }
+ },
+ "applyActions": [
+ {
+ "@odata.type": "#microsoft.graph.removeAccessApplyAction"
+ }
+ ]
+ },
+ "additionalNotificationRecipients": []
+}
+```
+
+### Example 3: Create an access review of all users to an application
+
+This is an example of creating an access review with the following settings:
++ The review reviews user access to an application.++ The people managers are the reviewers and fallback reviewers are the members of a group.++ It recurs semi-annually and ends 1 year from the startDate.+
+#### Request
++
+<!-- {
+ "blockType": "request",
+ "name": "create_accessReviewScheduleDefinition_allusers_M365_AADRole"
+}-->
+```http
+POST https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
+Content-type: application/json
+
+{
+ "displayName": "Review employee access to LinkedIn",
+ "descriptionForAdmins": "Review employee access to LinkedIn",
+ "scope": {
+ "@odata.type": "#microsoft.graph.principalResourceMembershipsScope",
+ "principalScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/users",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "resourceScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae",
+ "queryType": "MicrosoftGraph"
+ }
+ ]
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "backupReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph"
+ }
+ ],
+ "settings": {
+ "mailNotificationsEnabled": true,
+ "reminderNotificationsEnabled": true,
+ "justificationRequiredOnApproval": true,
+ "defaultDecisionEnabled": true,
+ "defaultDecision": "Recommendation",
+ "instanceDurationInDays": 180,
+ "autoApplyDecisionsEnabled": true,
+ "recommendationsEnabled": true,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 6,
+ "dayOfMonth": 0
+ },
+ "range": {
+ "type": "numbered",
+ "startDate": "2021-05-05",
+ "endDate": "2022-05-05"
+ }
+ }
+ }
+}
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.accessReviewScheduleDefinition"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/accessReviews/definitions/$entity",
+ "id": "1f79f34b-8667-40d9-875c-893b630b3dec",
+ "scope": {
+ "@odata.type": "#microsoft.graph.principalResourceMembershipsScope",
+ "principalScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/users",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "resourceScopes": [
+ {
+ "@odata.type": "#microsoft.graph.accessReviewQueryScope",
+ "query": "/servicePrincipals/bae11f90-7d5d-46ba-9f55-8112b59d92ae",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ]
+ },
+ "reviewers": [
+ {
+ "query": "./manager",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": "decisions"
+ }
+ ],
+ "backupReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "fallbackReviewers": [
+ {
+ "query": "/groups/072ac5f4-3f13-4088-ab30-0a276f3e6322/transitiveMembers",
+ "queryType": "MicrosoftGraph",
+ "queryRoot": null
+ }
+ ],
+ "settings": {
+ "instanceDurationInDays": 180,
+ "recurrence": {
+ "pattern": {
+ "type": "absoluteMonthly",
+ "interval": 6,
+ "month": 0,
+ "dayOfMonth": 0,
+ "daysOfWeek": [],
+ "firstDayOfWeek": "sunday",
+ "index": "first"
+ },
+ "range": {
+ "type": "numbered",
+ "numberOfOccurrences": 0,
+ "recurrenceTimeZone": null,
+ "startDate": "2021-05-05",
+ "endDate": "2022-05-05"
+ }
+ }
+ },
+ "additionalNotificationRecipients": []
+}
+```
+
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Create accessReviewScheduleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Appconsentapprovalroute List Appconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/appconsentapprovalroute-list-appconsentrequests.md
+
+ Title: "List appConsentRequests"
+description: "Retrieve appConsentRequest objects and their properties"
+
+ms.localizationpriority: medium
++
+# List appConsentRequests
+Namespace: microsoft.graph
+
+Retrieve [appConsentRequest](../resources/appconsentrequest.md) objects and their properties.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/appConsent/appConsentRequests
+```
+
+## Optional query parameters
+
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [appConsentRequest](../resources/appconsentrequest.md) objects in the response body.
+
+## Examples
+
+### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_appconsentrequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.appConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "af330b30-dd59-4482-a848-0fd81b0438ed",
+ "appId": "3ca5f23f-94b4-4930-aec9-b8ca0f060e68",
+ "appDisplayName": "Moodle",
+ "pendingScopes": [],
+ "userConsentRequests@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('af330b30-dd59-4482-a848-0fd81b0438ed')/userConsentRequests",
+ "userConsentRequests": []
+ }
+ ]
+}
+```
v1.0 Appconsentrequest List Userconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/appconsentrequest-list-userconsentrequests.md
+
+ Title: "List userConsentRequests"
+description: "Retrieve userConsentRequest objects and their properties."
+
+ms.localizationpriority: medium
++
+# List userConsentRequests
+
+Namespace: microsoft.graph
+
+Retrieve a collection of [userConsentRequest](../resources/userconsentrequest.md) objects and their properties.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|ConsentRequest.Read.All, ConsentRequest.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/appConsent/appConsentRequests/{id}/userConsentRequests
+```
+
+## Optional query parameters
+
+This method supports theΓÇ»`$select`, `$skip`, `$top`, `$filter`, and `$orderby` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [userConsentRequest](../resources/userconsentrequest.md) objects in the response body.
+
+## Examples
+
+### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_userconsentrequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/ee245379-e3bb-4944-a997-24115f0b8b5e/userConsentRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+
+**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.userConsentRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests",
+ "@odata.count": 1,
+ "value": [
+ {
+ "id": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "reason": "I need access",
+ "status": "Completed",
+ "createdDateTime": "2019-10-18T19:07:19.7374554Z",
+ "createdBy": {
+ "user": {
+ "id": "db60ab61-caea-4889-a824-98de31ef31b5",
+ "displayName": "Alex Wilber",
+ "userPrincipalName": "AlexW@contoso.com",
+ "mail": "AlexW@contoso.com"
+ }
+ },
+ "approval@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests('acef2660-d194-4943-b927-4fe4fb5cb7e3')/approval/$entity",
+ "approval": {
+ "id": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "stages@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/appConsent/appConsentRequests('ee245379-e3bb-4944-a997-24115f0b8b5e')/userConsentRequests('acef2660-d194-4943-b927-4fe4fb5cb7e3')/approval/stages",
+ "stages": [
+ {
+ "id": "f5a4ca4a-1316-4872-8112-993c55dab51e",
+ "displayName": null,
+ "reviewedDateTime": "2019-10-19T04:12:09.633Z",
+ "reviewResult": "Approve",
+ "status": "Completed",
+ "assignedToMe": true,
+ "justification": "Admin consent granted.",
+ "reviewedBy": {
+ "id": "00000001-0000-0000-c000-000000000000",
+ "displayName": "",
+ "userPrincipalName": "",
+ "mail": ""
+ }
+ }
+ ]
+ },
+ "approvalId": "acef2660-d194-4943-b927-4fe4fb5cb7e3",
+ "completedDateTime": null,
+ "customData": null
+ }
+ ]
+}
+```
v1.0 Entitlementmanagement List Assignmentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/entitlementmanagement-list-assignmentrequests.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects. The resulting list includes all the assignment requests, current and well as expired, that the caller has access to read, across all catalogs and access packages.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) objects. The resulting list includes all the assignment requests, current and well as expired, that the caller has access to read, across all catalogs and access packages.
## Permissions
GET /identityGovernance/entitlementManagement/assignmentRequests
## Optional query parameters
-This method supports the `$expand` and `$filter` OData query parameters to help customize the response.
+This method supports the `$select`, `$expand` and `$filter` OData query parameters to help customize the response.
### Example scenarios for using query parameters
v1.0 Entitlementmanagement List Assignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/entitlementmanagement-list-assignments.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](../resources/entitlementmanagement-root.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects.
+In [Azure AD entitlement management](../resources/entitlementmanagement-overview.md), retrieve a list of [accessPackageAssignment](../resources/accesspackageassignment.md) objects.
For directory-wide administrators, the resulting list includes all the assignments, current and well as expired, that the caller has access to read, across all catalogs and access packages. If the caller is on behalf of a delegated user who is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`.
v1.0 Entitlementmanagement Post Assignmentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md
doc_type: apiPageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](../resources/entitlementmanagement-root.md), create a new [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), create a new [accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) object.
## Permissions
v1.0 Termsofusecontainer List Agreements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/termsofusecontainer-list-agreements.md
+
+ Title: "List agreements"
+description: "Retrieve a list of agreement objects."
+ms.localizationpriority: medium
+++
+# List agreements
+
+Namespace: microsoft.graph
+
+Retrieve a list of [agreement](../resources/agreement.md) objects.
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Agreement.Read.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Not supported. |
+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+GET /identityGovernance/termsOfUse/agreements
+```
+
+## Optional query parameters
+This method supports the [OData query parameters](/graph/query-parameters) to help customize the response.
+
+## Request headers
+| Name | Type | Description |
+|:-|:|:|
+| Authorization | string | Bearer \{token\}. Required. |
+
+## Request body
+Do not supply a request body for this method.
+## Response
+If successful, this method returns a `200 OK` response code and collection of [agreement](../resources/agreement.md) objects in the response body.
+## Examples
+### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "get_agreements"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.agreement",
+ "isCollection": true
+} -->
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "displayName": "Sample ToU",
+ "isViewingBeforeAcceptanceRequired": true,
+ "id": "093b947f-8363-4979-a47d-4c52b33ee1be"
+ }
+ ]
+}
+```
+
+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
+2015-10-25 14:57:30 UTC -->
+<!--
+{
+ "type": "#page.annotation",
+ "description": "List agreements",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
v1.0 Termsofusecontainer Post Agreements https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/termsofusecontainer-post-agreements.md
+
+ Title: "Create agreement"
+description: "Create a new agreement object."
+ms.localizationpriority: medium
+++
+# Create agreement
+
+Namespace: microsoft.graph
+
+Create a new [agreement](../resources/agreement.md) object.
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Agreement.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Not supported. |
+
+## HTTP request
+<!-- { "blockType": "ignored" } -->
+```http
+POST /identityGovernance/termsOfUse/agreements
+```
+## Request headers
+| Name | Description |
+|:-|:|
+| Authorization | Bearer \{token\}. Required. |
+| Content-type | application/json. Required. |
+
+## Request body
+In the request body, supply a JSON representation of an [agreement](../resources/agreement.md) object.
+
+The following table shows the properties that are required when you create an agreement.
+
+| Property | Type | Description |
+|:-|:|:|
+|displayName|String|Display name of the agreement.|
+|isViewingBeforeAcceptanceRequired|Boolean|Indicates whether the user has to expand and view the agreement before accepting.|
+|fileName|String|Name of the agreement file (for example, TOU.pdf).|
+|isDefault|Boolean|Indicates whether this is the default agreement file if the language matches the client preference. If none of the files are marked as default, the first one is treated as default.|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`.|
+|data|Binary|Data that represents the terms of use for the PDF document.|
+
+## Response
+If successful, this method returns a `201, Created` response code and an [agreement](../resources/agreement.md) object in the response body.
+
+## Example
+### Request
+In the request body, supply a JSON representation of the [agreement](../resources/agreement.md) object.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_agreement_from_agreements"
+}-->
+```http
+POST https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements
+Content-type: application/json
+
+{
+ "displayName": "MSGraph Sample",
+ "isViewingBeforeAcceptanceRequired": true,
+ "files": [
+ {
+ "fileName": "TOU.pdf",
+ "language": "en",
+ "isDefault": true,
+ "fileData": {
+ "data": "SGVsbG8gd29ybGQ="
+ }
+ }
+ ]
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+++++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.agreement"
+} -->
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "displayName": "MSGraph Sample",
+ "isViewingBeforeAcceptanceRequired": true,
+ "id": "093b947f-8363-4979-a47d-4c52b33ee1be"
+}
+```
+
+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
+2015-10-25 14:57:30 UTC -->
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Create agreement",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": [
+ ]
+}
+-->
++
v1.0 User List Agreementacceptances https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-list-agreementacceptances.md
Title: "List agreementAcceptances" description: "Retrieve a list of a user's agreementAcceptance objects." ms.localizationpriority: medium-+ ms.prod: "users" doc_type: apiPageType
v1.0 User Post Users https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-post-users.md
The following table lists the properties that are required when you create a use
|onPremisesImmutableId |string |Only needs to be specified when creating a new user account if you are using a federated domain for the user's userPrincipalName (UPN) property.| |mailNickname |string |The mail alias for the user.| |passwordProfile|[PasswordProfile](../resources/passwordprofile.md) |The password profile for the user. For Azure B2C tenants, the **forceChangePasswordNextSignIn** property should be set to `false` and instead use custom policies to force password reset at first sign in.|
-|userPrincipalName |string |The user principal name (someuser@contoso.com).|
+|userPrincipalName |string |The user principal name (someuser@contoso.com). It's an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md). <br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts).|
Because the **user** resource supports [extensions](/graph/extensibility-overview), you can use the `POST` operation and add custom properties with your own data to the user instance while creating it.
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-update.md
In the request body, supply the values for relevant fields that should be update
|streetAddress|String|The street address of the user's place of business.| |surname|String|The user's surname (family name or last name).| |usageLocation|String|A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: `US`, `JP`, and `GB`. Not nullable.|
-|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenantΓÇÖs collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md).
+|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](../resources/organization.md). <br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts). |
|userType|String|A string value that can be used to classify user types in your directory, such as `Member` and `Guest`. | > [!NOTE]
v1.0 Accesspackage https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accesspackage.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package defines the collections of resource roles and the policies for how one or more users can get access to those resources.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package defines the collections of resource roles and the policies for how one or more users can get access to those resources.
Each access package is referenced by a single access package catalog, and has links to the resources from that catalog via the resource-specific role scopes that define the access the package provides. An access package also links to the access package assignment policies, each of which define who can request or be assigned an access package assignment.
Each access package is referenced by a single access package catalog, and has li
|:|:|:| |createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |description|String|The description of the access package.|
-|displayName|String|The display name of the access package.|
+|displayName|String|The display name of the access package. Supports $filter (`eq`, `contains`).|
|id|String|Read-only.| |isHidden|Boolean|Whether the access package is hidden from the requestor.| |modifiedDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
v1.0 Accesspackageassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accesspackageassignment.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package assignment is an assignment of an access package to a particular subject, for a period of time. For example, an access package assignment can state that user Alice has been assigned access via the access package Sales for the period January 2019 through July 2019.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package assignment is an assignment of an access package to a particular subject, for a period of time. For example, an access package assignment can state that user Alice has been assigned access via the access package Sales for the period January 2019 through July 2019.
## Methods
In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access p
|[List accessPackageAssignments](../api/entitlementmanagement-list-assignments.md)|[accessPackageAssignment](accesspackageassignment.md) collection|Retrieve a list of **accessPackageAssignment** objects. | |[filterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.|
+> [!NOTE]
+> To create or remove an access package assignment for a user, use the [create an accessPackageAssignmentRequest](../api/entitlementmanagement-post-assignmentrequests.md) method.
+ ## Properties |Property|Type|Description| |:|:|:| |expiredDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.| |id|String|Read-only.| |schedule|[entitlementManagementSchedule](../resources/entitlementmanagementschedule.md)|When the access assignment is to be in place. Read-only.|
-|state|accessPackageAssignmentState|The state of the access package assignment. The possible values are: `delivering`, `partiallyDelivered`, `delivered`, `expired`, `deliveryFailed`, `unknownFutureValue`. Read-only.|
+|state|accessPackageAssignmentState|The state of the access package assignment. The possible values are: `delivering`, `partiallyDelivered`, `delivered`, `expired`, `deliveryFailed`, `unknownFutureValue`. Read-only. Supports `$filter` (`eq`).|
|status|String|More information about the assignment lifecycle. Possible values include `Delivering`, `Delivered`, `NearExpiry1DayNotificationTriggered`, or `ExpiredNotificationTriggered`. Read-only.| ## Relationships |Relationship|Type|Description| |:|:|:|
-|accessPackage|[accessPackage](accesspackage.md)|Read-only. Nullable.|
-|target|[accessPackageSubject](accesspackagesubject.md)|The subject of the access package assignment. Read-only. Nullable.|
+|accessPackage|[accessPackage](accesspackage.md)|Read-only. Nullable. Supports `$filter` (`eq`) on the **id** property and `$expand` query parameters.|
+|target|[accessPackageSubject](accesspackagesubject.md)|The subject of the access package assignment. Read-only. Nullable. Supports `$expand`. Supports `$filter` (`eq`) on **objectId**.|
## JSON representation The following is a JSON representation of the resource.
v1.0 Accesspackageassignmentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accesspackageassignmentrequest.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD Entitlement Management](entitlementmanagement-root.md), an access package assignment request is created by or on behalf of a user who wants to obtain an access package assignment. If the request is successful, with any necessary approvals, the user receives an access package assignment, and is the subject of that resulting access package assignment. Azure AD also creates access package assignment requests automatically for tracking access removal.
+In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an access package assignment request is created by or on behalf of a user who wants to obtain an access package assignment. If the request is successful, with any necessary approvals, the user receives an access package assignment, and is the subject of that resulting access package assignment. Azure AD also creates access package assignment requests automatically for tracking access removal.
## Methods |Method|Return type|Description|
v1.0 Accesspackagecatalog https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accesspackagecatalog.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package catalog is a container for zero or more access packages. An access package catalog might also have linked resources that are used in those access packages to provide access. To view or change the membership of catalog-scoped roles, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package catalog is a container for zero or more access packages. An access package catalog might also have linked resources that are used in those access packages to provide access. To view or change the membership of catalog-scoped roles, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
v1.0 Accesspackagesubject https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accesspackagesubject.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package subject is a user, service principal, or other entity that can be configured to request or be assigned an access package. It may represent a requestor from a connected organization who is not yet in the tenant.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package subject is a user, service principal, or other entity that can be configured to request or be assigned an access package. It may represent a requestor from a connected organization who is not yet in the tenant.
## Methods
v1.0 Accessreviewinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewinstance.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents an Azure AD [access review](accessreviewsv2-root.md) recurrence. System-generated based off of the parent [accessReviewScheduleDefinition](accessreviewscheduledefinition.md). All properties are read-only.
+Represents an Azure AD [access review](accessreviewsv2-overview.md) recurrence. System-generated based off of the parent [accessReviewScheduleDefinition](accessreviewscheduledefinition.md). All properties are read-only.
If the instance is a part of a recurring access review, instances represent each recurrence. A review that does not recur will have exactly one instance. Instances also represent each unique resource being reviewed in the schedule definition. If a schedule definition reviews multiple resources, each resource will have a unique instance for each recurrence.
Inherits from [entity](../resources/entity.md).
## Methods |Method|Return type|Description| |:|:|:|
-|[List accessReviewInstances](../api/accessreviewinstance-list.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties.|
+|[List accessReviewInstances](../api/accessreviewscheduledefinition-list-instances.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties.|
|[Get accessReviewInstance](../api/accessreviewinstance-get.md)|[accessReviewInstance](../resources/accessreviewinstance.md)|Read the properties and relationships of an [accessReviewInstance](../resources/accessreviewinstance.md) object.| |[Update accessReviewInstance](../api/accessreviewinstance-update.md)|[accessReviewInstance](../resources/accessreviewinstance.md)|Update the reviewers of an [accessReviewInstance](../resources/accessreviewinstance.md) object.| |[filterByCurrentUser](../api/accessreviewinstance-filterbycurrentuser.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Returns all instance objects on a definition for which the calling user is the reviewer.|
v1.0 Accessreviewinstancedecisionitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewinstancedecisionitem.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents an Azure AD [access review](accessreviewsv2-root.md) decision on an instance of a review. This decision is the determination of an identity's access to a resource for a given [accessReviewInstance](accessreviewinstance.md). accessReviewInstanceDecisionItem is an open type and allows other properties to be passed in.
+Represents an Azure AD [access review](accessreviewsv2-overview.md) decision on an instance of a review. This decision is the determination of an identity's access to a resource for a given [accessReviewInstance](accessreviewinstance.md). accessReviewInstanceDecisionItem is an open type and allows other properties to be passed in.
Each decision item is system-generated based off of the parent [accessReviewInstance](accessreviewinstance.md).
Inherits from [entity](../resources/entity.md).
## Methods |Method|Return type|Description| |:|:|:|
-|[List accessReviewInstanceDecisionItems](../api/accessreviewinstancedecisionitem-list.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
+|[List accessReviewInstanceDecisionItems](../api/accessreviewinstance-list-decisions.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
|[Get accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-get.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Read the properties and relationships of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.| |[Update accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-update.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Update the properties of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.| |[filterByCurrentUser](../api/accessreviewinstancedecisionitem-filterbycurrentuser.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Returns the decision items for which the calling user is the reviewer.|
v1.0 Accessreviewnotificationrecipientitem https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewnotificationrecipientitem.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents an Azure AD [access review](accessreviewsv2-root.md) notification event on an instance of a review. This item contains an email template type and recipient properties to enable sending certain type of notifications for a given [access review instance](accessreviewinstance.md).
+Represents an Azure AD [access review](accessreviewsv2-overview.md) notification event on an instance of a review. This item contains an email template type and recipient properties to enable sending certain type of notifications for a given [access review instance](accessreviewinstance.md).
## Properties
v1.0 Accessreviewqueryscope https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewqueryscope.md
doc_type: resourcePageType
Namespace: microsoft.graph
-An accessReviewQueryScope object defines what is reviewed in an [access review](../resources/accessreviewsv2-root.md). To scope an access review to inactive users, see [accessReviewInactiveUserQueryScope](../resources/accessreviewinactiveusersqueryscope.md).
+An accessReviewQueryScope object defines what is reviewed in an [access review](../resources/accessreviewsv2-overview.md). To scope an access review to inactive users, see [accessReviewInactiveUserQueryScope](../resources/accessreviewinactiveusersqueryscope.md).
Inherits from [accessReviewScope](../resources/accessreviewscope.md).
v1.0 Accessreviewscheduledefinition https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewscheduledefinition.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents the scheduling of an Azure AD [access review](accessreviewsv2-root.md).
+Represents the scheduling of an Azure AD [access review](accessreviewsv2-overview.md).
An accessReviewScheduleDefinition contains a list of [accessReviewInstance](accessreviewinstance.md) objects. Each recurrence of the schedule definition creates an instance. Instances also represent each unique resource being reviewed. If a schedule definition reviews multiple resources, each resource has a unique instance per each recurrence. In the case of a one-time review, only one instance is created per resource.
Inherits from [entity](../resources/entity.md).
## Methods |Method|Return type|Description| |:|:|:|
-|[List accessReviewScheduleDefinitions](../api/accessreviewscheduledefinition-list.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) collection | Lists every accessReviewScheduleDefinition. Does not include associated accessReviewInstance objects in the results. |
+|[List accessReviewScheduleDefinitions](../api/accessreviewset-list-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) collection | Lists every accessReviewScheduleDefinition. Does not include associated accessReviewInstance objects in the results. |
|[Get accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-get.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Get an accessReviewScheduleDefinition with a specified **id**. Does not include associated accessReviewInstance objects in the results. |
-|[Create accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-post.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Create a new accessReviewScheduleDefinition. |
+|[Create accessReviewScheduleDefinition](../api/accessreviewset-post-definitions.md) | [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) | Create a new accessReviewScheduleDefinition. |
|[Delete accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-delete.md) | None. | Delete an accessReviewScheduleDefinition with a specified **id**. | |[Update accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-update.md) | None. | Update properties of an accessReviewScheduleDefinition with a specified **id**. | |[filterByCurrentUser](../api/accessreviewscheduledefinition-filterbycurrentuser.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Retrieves all definitions for which the calling user is a reviewer on one or more instance.|
v1.0 Accessreviewset https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewset.md
+
+ Title: "accessReviewSet resource type"
+description: "Container for the base resources that expose the access reviews API and features. Currently exposes only the accessReviewScheduleDefinition resource."
+
+ms.localizationpriority: medium
++
+# accessReviewSet resource type
+
+Namespace: microsoft.graph
++
+Container for the base resources that expose the access reviews API and features. Currently exposes only the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) relationship.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|definitions|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection| Represents the template and scheduling for an access review. |
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.accessReviewSet",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.accessReviewSet"
+}
+```
+
v1.0 Accessreviewsv2 Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/accessreviewsv2-overview.md
+
+ Title: "Azure AD access reviews"
+description: "Use Azure AD access reviews to configure one-time or recurring access reviews for attestation of user's access rights to Azure AD resources."
+ms.localizationpriority: medium
+++
+# Azure AD access reviews
+
+Namespace: microsoft.graph
+
+Use [Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview) to configure one-time or recurring access reviews for attestation of users' rights to access Azure AD resources. These Azure AD resources include groups, service principals, access packages, and privileged roles.
+
+Typical customer scenarios for access reviews include:
+
+- Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
+- Customers can review and certify employee access to Azure AD resources.
+- Customers can review and audit assignments to Azure AD privileged roles. This supports organizations in the management of privileged access.
+
+The access reviews feature, including the API, is available only with a valid purchase or trial license of Azure AD Premium P2 or EMS E5 subscription.
+
+## Methods
+
+The following table lists the methods that you can use to interact with access review-related resources.
+
+| Method | Return type |Description|
+|:|:--|:-|
+|**Schedule definitions**| | |
+|[List definitions](../api/accessreviewset-list-definitions.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Get a list of the [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) objects and their properties.|
+|[Create definitions](../api/accessreviewset-post-definitions.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md)|Create a new [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.|
+|[Get accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-get.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md)|Read the properties and relationships of an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.|
+|[Update accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-update.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md)|Update the properties of an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.|
+|[Delete accessReviewScheduleDefinition](../api/accessreviewscheduledefinition-delete.md)|None|Deletes an [accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) object.|
+|[filterByCurrentUser](../api/accessreviewscheduledefinition-filterbycurrentuser.md)|[accessReviewScheduleDefinition](../resources/accessreviewscheduledefinition.md) collection|Returns all definitions where the calling user is the reviewer of any instances.|
+|**Instances**| | |
+|[List instances](../api/accessreviewscheduledefinition-list-instances.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Get a list of the [accessReviewInstance](../resources/accessreviewinstance.md) objects and their properties.|
+|[Get accessReviewInstance](../api/accessreviewinstance-get.md)|[accessReviewInstance](../resources/accessreviewinstance.md)|Read the properties and relationships of an [accessReviewInstance](../resources/accessreviewinstance.md) object.|
+|[stop](../api/accessreviewinstance-stop.md)|None|Manually stop an accessReviewInstance.|
+|[sendReminder](../api/accessreviewinstance-sendreminder.md)|None|Send a reminder to the reviewers of an accessReviewInstance.|
+|[resetDecisions](../api/accessreviewinstance-resetdecisions.md)|None|Resets all decision items on an instance to `notReviewed`|
+|[applyDecisions](../api/accessreviewinstance-applydecisions.md)|None|Manually apply decision on an accessReviewInstance.|
+|[acceptRecommendations](../api/accessreviewinstance-acceptrecommendations.md)|None| Allows the calling user to accept the decision recommendation for each NotReviewed accessReviewInstanceDecisionItem that they are the reviewer on for a specific accessReviewInstance.|
+|[batchRecordDecisions](../api/accessreviewinstance-batchrecorddecisions.md)|None|Review batches of principals or resources in one call.|
+|[filterByCurrentUser](../api/accessreviewinstance-filterbycurrentuser.md)|[accessReviewInstance](../resources/accessreviewinstance.md) collection|Returns all instance objects on a definition for which the calling user is the reviewer.|
+|**Instance decision items**| | |
+|[List decisions](../api/accessreviewinstance-list-decisions.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Get a list of the [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) objects and their properties.|
+|[Get accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-get.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Read the properties and relationships of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.|
+|[Update accessReviewInstanceDecisionItem](../api/accessreviewinstancedecisionitem-update.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md)|Update the properties of an [accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) object.|
+|[accessReviewInstanceDecisionItem: filterByCurrentUser](../api/accessreviewinstancedecisionitem-filterbycurrentuser.md)|[accessReviewInstanceDecisionItem](../resources/accessreviewinstancedecisionitem.md) collection|Returns the decision items for which the calling user is the reviewer of.|
++
+## Role and application permission authorization checks
+
+The following [Azure AD roles](/azure/active-directory/roles/permissions-reference) are required for a calling user to manage access reviews.
+
+| Operation | Application permissions | Required directory role of the calling user |
+|:|:|:--|
+| Read | AccessReview.Read.All or AccessReview.ReadWrite.All | Global Administrator, Global Reader, Security Administrator, Security Reader or User Administrator |
+| Create, Update or Delete | AccessReview.ReadWrite.All | Global Administrator or User Administrator |
+
+In addition, a user who is an assigned reviewer of an access review can manage their decisions, without needing to be in a directory role.
+
+## See also
+
+- [Tutorials](/graph/accessreviews-overview) to learn how to use the access reviews API to review access to Azure AD resources
+- [How an administrator can manage user access with Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-manage-user-access-with-access-reviews)
+- [How an administrator can manage guest access with Azure AD access reviews](/azure/active-directory/active-directory-azure-ad-controls-manage-guest-access-with-access-reviews)
v1.0 Agreement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreement.md
Represents a tenant's customizable terms of use agreement that is created and ma
| Method | Return Type | Description | |:-|:|:|
-| [List agreements](../api/agreement-list.md) | [agreement](agreement.md) collection | Get an agreement object collection. |
-| [Create agreements](../api/agreement-post-agreements.md) | [agreement](agreement.md) | Create a new agreement by posting to the agreement collection. |
+| [List agreements](../api/termsofusecontainer-list-agreements.md) | [agreement](agreement.md) collection | Get an agreement object collection. |
+| [Create agreements](../api/termsofusecontainer-post-agreements.md) | [agreement](agreement.md) | Create a new agreement by posting to the agreement collection. |
| [Get agreement](../api/agreement-get.md) | [agreement](agreement.md) | Read properties and relationships of an agreement object. | | [Update agreement](../api/agreement-update.md) | [agreement](agreement.md) | Update an agreement object. | | [Delete agreement](../api/agreement-delete.md) | None | Delete an agreement object. |
Represents a tenant's customizable terms of use agreement that is created and ma
| Relationship | Type | Description | |:-|:|:| |acceptances|[agreementAcceptance](agreementacceptance.md) collection|Read-only. Information about acceptances of this agreement.|
-|files|[agreementFileLocalization](agreementfilelocalization.md) collection| PDFs linked to this agreement. This property is in the process of being deprecated. Use the **file** property instead.|
|file|[agreementFile](agreementfile.md) | Default PDF linked to this agreement.|
-|localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized versions of the agreement files attached to the agreement.|
-|versions|[agreementFileVersion](agreementfileversion.md) collection|The version history for the localized agreement file.|
+|files|[agreementFileLocalization](agreementfilelocalization.md) collection| PDFs linked to this agreement. This property is in the process of being deprecated. Use the **file** property instead.|
## JSON representation The following is a JSON representation of the resource.- <!-- { "blockType": "resource", "keyProperty": "id",
- "optionalProperties": [
-
- ],
- "@odata.type": "microsoft.graph.agreement"
-}-->
-
-```json
+ "@odata.type": "microsoft.graph.agreement",
+ "openType": false
+}
+-->
+``` json
{
+ "@odata.type": "#microsoft.graph.agreement",
"id": "String (identifier)",
- "displayName": "MSGraph Sample",
- "isViewingBeforeAcceptanceRequired": true,
- "isPerDeviceAcceptanceRequired": false,
+ "displayName": "String",
"termsExpiration": {
- "startDateTime": "2018-10-01T00:00:00.0000000Z",
- "frequency": "PT1M"
- }
+ "@odata.type": "microsoft.graph.termsExpiration"
+ },
+ "userReacceptRequiredFrequency": "String (duration)",
+ "isViewingBeforeAcceptanceRequired": "Boolean",
+ "isPerDeviceAcceptanceRequired": "Boolean"
} ```-
-<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
-2015-10-25 14:57:30 UTC -->
-<!--
-{
- "type": "#page.annotation",
- "description": "agreement resource",
- "keywords": "",
- "section": "documentation",
- "tocPath": "",
- "suppressions": []
-}
>--
v1.0 Agreementacceptance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementacceptance.md
Namespace: microsoft.graph
-Represents the current status of a user within scope of a company's customizable terms of use powered by Azure Active Directory (Azure AD).
+Represents the current status of a user's response to a company's customizable terms of use agreement powered by Azure Active Directory (Azure AD).
## Properties | Property | Type | Description |
v1.0 Agreementfile https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfile.md
Namespace: microsoft.graph
Represents a customizable terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
+Inherits from [agreementFileProperties](agreementfileproperties.md).
+ ## Properties+ | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|The identifier of the agreement file. Read-only.|
-|isDefault|Boolean|If none of the languages matches the client preference, indicates that this is the default agreement file. If none of the files are marked as default, the first one is treated as the default. Read-only.|
-|language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
-<!--
## Relationships | Relationship | Type | Description | |:-|:|:|
-|localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized version of the agreement files attached to the agreement.|
>
+|localizations|[agreementFileLocalization](agreementfilelocalization.md) collection|The localized version of the terms of use agreement files attached to the agreement.|
+ ## JSON representation
v1.0 Agreementfilelocalization https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfilelocalization.md
Namespace: microsoft.graph
Represents a customizable terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
+Inherits from [agreementFileProperties](agreementfileproperties.md).
+
+## Methods
+
+None.
+ ## Properties+ | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|The identifier of the agreementFileLocalization object. Read-only.|
-|isDefault|Boolean| If none of the languages matches the client preference, indicates that this is the default agreement file. If none of the files are marked as default, the first one is treated as the default. Read-only.|
-|language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
++
+## Relationships
+| Relationship | Type | Description |
+|:-|:|:|
+|versions|[agreementFileVersion](agreementfileversion.md) collection|Read-only. Customized versions of the terms of use agreement in the Azure AD tenant.|
## JSON representation
v1.0 Agreementfileproperties https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfileproperties.md
+
+ Title: "agreementFileProperties resource type"
+description: "Represents the properties of a terms of use agreement file; including the localized language and the display name."
+
+ms.localizationpriority: medium
++
+# agreementFileProperties resource type
+
+Namespace: microsoft.graph
+
+Represents the properties of a terms of use agreement file; including the localized language and the display name.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only.|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
+|id|String|The identifier of the agreementFileVersion object. Read-only.|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only.|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language.|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only.|
+
+## Relationships
+
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.agreementFileProperties",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.agreementFileProperties",
+ "id": "String (identifier)",
+ "fileName": "String",
+ "language": "String",
+ "isDefault": "Boolean",
+ "isMajorVersion": "Boolean",
+ "createdDateTime": "String (timestamp)",
+ "displayName": "String",
+ "fileData": {
+ "@odata.type": "microsoft.graph.agreementFileData"
+ }
+}
+```
+
v1.0 Agreementfileversion https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfileversion.md
Namespace: microsoft.graph
Represents a customized version of terms of use agreement file that a tenant manages with Azure Active Directory (Azure AD). It contains metadata about the agreement file (for example, the name, the language, and whether it is the default file).
+Inherits from [agreementFileProperties](agreementfileproperties.md).
+ ## Properties | Property | Type | Description | |:-|:|:|
-|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only.|
-|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only.|
-|id|String|The identifier of the agreementFileVersion object. Read-only.|
-|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only.|
-|language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.|
-|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
-|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement.
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileData|[agreementFileData](agreementfiledata.md)|Data that represents the terms of use PDF document. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|fileName|String|Name of the agreement file (for example, TOU.pdf). Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|id|String|The identifier of the agreementFileVersion object. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
+|language|String|The language of the agreement file in the format "languagecode2-country/regioncode2". "languagecode2" is a lowercase two-letter code derived from ISO 639-1, while "country/regioncode2" is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag. For example, U.S. English is `en-US`. Read-only. Inherited from [agreementFileProperties](../resources/agreementfileproperties.md).|
## JSON representation
v1.0 Appconsentapprovalroute https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/appconsentapprovalroute.md
+
+ Title: "appConsentApprovalRoute resource type"
+description: "Container for base resources that expose the app consent request API and features. Currently exposes only the appConsentRequests relationship."
+
+ms.localizationpriority: medium
++
+# appConsentApprovalRoute resource type
+
+Namespace: microsoft.graph
++
+Container for base resources that expose the app consent request API and features. Currently exposes only the [appConsentRequests](appconsentrequest.md) relationship.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|appConsentRequests|[appConsentRequest](../resources/appconsentrequest.md) collection| A collection of [userConsentRequest](../resources/userconsentrequest.md) objects for a specific application.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.appConsentApprovalRoute",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.appConsentApprovalRoute"
+}
+```
+
v1.0 Appconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/appconsentrequest.md
A collection of [userConsentRequest](../resources/userconsentrequest.md) objects
|Method|Return type|Description| |:|:|:|
-|[List appConsentRequests](../api/appconsentrequest-list.md)|[appConsentRequest](../resources/appconsentrequest.md) collection|Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties.|
+|[List appConsentRequests](../api/appconsentapprovalroute-list-appconsentrequests.md)|[appConsentRequest](../resources/appconsentrequest.md) collection|Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects and their properties.|
|[Get appConsentRequest](../api/appconsentrequest-get.md)|[appConsentRequest](../resources/appconsentrequest.md)|Read the properties and relationships of an [appConsentRequest](../resources/appconsentrequest.md) object.| |[filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md)|[appConsentRequest](../resources/appconsentrequest.md)|Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`. |
v1.0 Azure Ad Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/azure-ad-overview.md
The following table lists some common use cases for Azure AD resources.
| Invite external (guest) users to an organization. | [invitation](../resources/invitation.md) | [What is Azure AD B2B collaboration?](/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b) | | Manage branding for the sign-in experience of an organization. | [organizationalbranding](../resources/organizationalbranding.md) | [Add branding to your organization's Azure Active Directory sign-in page](/azure/active-directory/fundamentals/customize-branding)| | **Consent requests** | | |
-| Manage the consent request workflow for users attempting to access apps that require admin authorization. | [Consent requests API](../resources/consentrequests-root.md) |[Configure the admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow) |
+| Manage the consent request workflow for users attempting to access apps that require admin authorization. | [Consent requests API](../resources/consentrequests-overview.md) |[Configure the admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow) |
## What's new Find out about the [latest new features and updates](/graph/whats-new-overview) for this API set.
v1.0 Connectedorganization https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/connectedorganization.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-root.md), a connected organization is a reference to a directory or domain of another organization whose users can request access.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), a connected organization is a reference to a directory or domain of another organization whose users can request access.
## Methods |Method|Return type|Description|
In [Azure AD entitlement management](entitlementmanagement-root.md), a connected
|:|:|:| |createdDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.| |description|String|The description of the connected organization.|
-|displayName|String|The display name of the connected organization.|
+|displayName|String|The display name of the connected organization. Supports `$filter` (`eq`).|
|id|String|Read-only.| |identitySources|[identitySource](../resources/identitysource.md) collection|The identity sources in this connected organization, one of [azureActiveDirectoryTenant](azureactivedirectorytenant.md), [domainIdentitySource](domainidentitysource.md) or [externalDomainFederation](externaldomainfederation.md). Nullable.| |modifiedDateTime|DateTimeOffset|*The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.|
v1.0 Consentrequests Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/consentrequests-overview.md
+
+ Title: "Azure Active Directory consent requests"
+description: "Use Azure AD consent requests to manage the request workflow for users attempting to access apps that require admin consent."
+ms.localizationpriority: medium
+++
+# Azure Active Directory consent requests
+
+Namespace: microsoft.graph
+
+Azure Active Directory (Azure AD) consent requests help you manage the request workflow for users attempting to access apps that require admin approval.
+
+To allow users to request access or admin consent for applications they're unauthorized to grant consent to themselves, first enable the consent request workflow.
+
+>[!NOTE]
+>The current APIs are limited to configuring the workflow and reading the list of requests. At this time, there arenΓÇÖt any methods available to programmatically approve or deny a request. However, the contents of the request can be used to recreate a URL which can be used to grant admin consent and approve a request.
+
+The consent request resource types include:
+
+* [adminConsentRequestPolicy](../resources/adminconsentrequestpolicy.md): Specifies the policy by which app consent requests can be created and managed for the entire tenant. There is a single **adminConsentRequestPolicy** per tenant.
+* [appConsentRequest](../resources/appconsentrequest.md): A request that represents a collection of **userConsentRequest** objects for a specific application.
+* [userConsentRequest](../resources/userconsentrequest.md): A request created by a user to use an app that requires admin consent to access.
+* [appConsentRequestScope](../resources/appconsentrequestscope.md): A resource that contains details of the dynamic permission scopes being requested for an application.
+
+## Methods
+
+The following table lists the methods that you can use to interact with consent request resources.
+
+| Method | Return type |Description|
+|:|:--|:-|
+|[Get adminConsentRequestPolicy](../api/adminconsentrequestpolicy-get.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Read the properties of the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
+|[Update adminConsentRequestPolicy](../api/adminconsentrequestpolicy-update.md) | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) collection | Set configurations for the [adminConsentRequestPolicy](adminconsentrequestpolicy.md). |
+|[List appConsentRequests ](../api/appconsentapprovalroute-list-appconsentrequests.md) | [appConsentRequest](appconsentrequest.md) collection | Retrieve a collection of [appConsentRequest](appconsentrequest.md) objects. |
+|[Get appConsentRequests ](../api/appconsentrequest-get.md) | [appConsentRequest](appconsentrequest.md) collection | Read an [appConsentRequest](appconsentrequest.md) object. |
+|[appConsentRequest: filterByCurrentUser](../api/appconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/appconsentrequest.md) collection | Read the properties of [appConsentRequest](../resources/appconsentrequest.md) objects for which the current user is the reviewer and the status of the user consent request is `InProgress`. |
+|[Get userConsentRequest ](../api/userconsentrequest-get.md) | [userConsentRequest](userconsentrequest.md) collection | Read a [userConsentRequest](userconsentrequest.md) object for an [appConsentRequest](appconsentrequest.md). |
+|[List userConsentRequests ](../api/appconsentrequest-list-userconsentrequests.md) | [userConsentRequest](userconsentrequest.md) collection | Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md). |
+|[userConsentRequest: filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md) | [appConsentRequests](../resources/userconsentrequest.md) collection | Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for which the current user is the reviewer. |
+
+## Role and delegated permission authorization checks
+
+The following directory roles are required for a calling user to manage the requests workflow or read the list of requests.
+
+| Operation | Delegated permissions | Required directory role of the calling user |
+|:|:|:--|
+| Read | ConsentRequest.Read.All, ConsentRequest.ReadWrite.All | Global Administrator, Global Reader, Cloud App Administrator, and Application Administrator |
+
+## See also
+
+- [Configure the admin consent workflow (preview)](/azure/active-directory/manage-apps/configure-admin-consent-workflow?preserve-view=true)
++
+<!--
+{
+ "type": "#page.annotation",
+ "description": "Service root",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": []
+}
+-->
v1.0 Entitlementmanagement Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/entitlementmanagement-overview.md
+
+ Title: "Working with the Azure AD entitlement management API"
+description: "Govern access to resources including groups, apps and sites through Azure AD entitlement management"
+ms.localizationpriority: medium
+++
+# Working with the Azure AD entitlement management API
+
+Namespace: microsoft.graph
+
+Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.
+
+By creating access packages with the roles users need to have across those resources, and defining policies for who can request an access package and how long they can have an assignment to an access package, you can govern the lifecycle of access for both internal and external users.
+
+The entitlement management resource types include:
+
+- [accessPackage](accesspackage.md): Defines the collections of resource roles and the policies for how one or more users may obtain access to those resources.
+- accessPackageAssignmentPolicy: Specifies the policy by which subjects may request or be assigned an access package via an access package assignment.
+- [accessPackageAssignmentRequest](accesspackageassignmentrequest.md): Created by a user who wishes to obtain an access package assignment.
+- [accessPackageAssignment](accesspackageassignment.md): An assignment of an access package to a particular subject, for a period of time.
+- [accessPackageCatalog](accesspackagecatalog.md): A container for access packages.
+- [connectedOrganization](connectedorganization.md): A connected organization for external users who can request access.
+- [entitlementManagementSettings](entitlementmanagementsettings.md): Tenant-wide settings for Azure AD entitlement management.
+- [approval](approval.md): represents the decisions associated with an access package request.
+
+Note that the entitlement management feature, including the API, is included in Azure AD Premium P2. The tenant where entitlement management is being used must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription.
+
+The following table lists the methods that you can use to interact with entitlement management-related resources.
+
+## Methods
+
+| Method | Return type |Description|
+|:|:--|:-|
+| [Get](../api/entitlementmanagementsettings-get.md) | [entitlementManagementSettings](entitlementmanagementsettings.md) | Read the properties of an **entitlementManagementSettings** object. |
+| [Update](../api/entitlementmanagementsettings-update.md) | [entitlementManagementSettings](entitlementmanagementsettings.md) | Update the properties of an **entitlementManagementSettings** object. |
+| [List accessPackages](../api/entitlementmanagement-list-accesspackages.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accessPackage** objects. |
+| [Create accessPackage](../api/entitlementmanagement-post-accesspackages.md) | [accessPackage](accesspackage.md) | Create a new **accessPackage** object. |
+| [Get accessPackage](../api/accesspackage-get.md) | [accessPackage](accesspackage.md) | Read properties and relationships of an **accessPackage** object. |
+| [Update accessPackage](../api/accesspackage-update.md)|None | Update the properties of an **accesspackage** object. |
+| [Delete accessPackage](../api/accesspackage-delete.md) | | Delete **accessPackage**. |
+| [FilterByCurrentUser](../api/accesspackage-filterbycurrentuser.md) | [accessPackage](accesspackage.md) collection | Retrieve a list of **accessPackage** objects filtered on the signed-in user. |
+| [List accessPackageAssignmentRequests](../api/entitlementmanagement-list-assignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) collection | Retrieve a list of **accessPackageAssignmentRequest** objects. |
+| [Create accessPackageAssignmentRequest](../api/entitlementmanagement-post-assignmentrequests.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Creates a new **accessPackageAssignmentRequest** object. |
+| [Get accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-get.md) | [accessPackageAssignmentRequest](accesspackageassignmentrequest.md) | Read properties and relationships of an **accessPackageAssignmentRequest** object. |
+| [Delete accessPackageAssignmentRequest](../api/accesspackageassignmentrequest-delete.md) |None | Delete an **accessPackageAssignmentRequest**. |
+|[FilterByCurrentUser](../api/accesspackageassignmentrequest-filterbycurrentuser.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Retrieve the list of **accessPackageAssignmentRequest** objects filtered on the signed-in user.|
+|[cancel](../api/accesspackageassignmentrequest-cancel.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Cancel an **accessPackageAssignmentRequest** object that is in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.|
+| [List accessPackageAssignments](../api/entitlementmanagement-list-assignments.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. |
+|[FilterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.|
+| [List accessPackageCatalogs](../api/entitlementmanagement-list-catalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) collection | Retrieve a list of **accessPackageCatalogs** objects. |
+| [Create accessPackageCatalog](../api/entitlementmanagement-post-catalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) | Create a new **accessPackageCatalog** object. |
+| [Get accessPackageCatalog](../api/accesspackagecatalog-get.md) | [accessPackageCatalog](accesspackagecatalog.md) | Read properties and relationships of an **accessPackageCatalog** object. |
+| [Update accessPackageCatalog](../api/accesspackagecatalog-update.md)|None | Update the properties of an **accessPackageCatalog** object. |
+| [Delete accessPackageCatalog](../api/accesspackagecatalog-delete.md) | | Delete an **accessPackageCatalog**. |
+| [List connectedOrganizations](../api/entitlementmanagement-list-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) collection | Retrieve a list of **connectedOrganization** objects. |
+| [Create connectedOrganization](../api/entitlementmanagement-post-connectedorganizations.md) | [connectedOrganization](connectedorganization.md) | Create a new **connectedOrganization** object. |
+| [Get connectedOrganization](../api/connectedorganization-get.md) | [connectedOrganization](connectedorganization.md) | Read properties and relationships of a **connectedOrganization** object. |
+| [Update connectedOrganization](../api/connectedorganization-update.md) |None | Update a **connectedOrganization**. |
+| [Delete connectedOrganization](../api/connectedorganization-delete.md) |None | Delete a **connectedOrganization**. |
+|[List internalSponsors](../api/connectedorganization-list-internalsponsors.md) | [directoryObject](directoryobject.md) collection | Retrieve a list of a **connectedOrganization's** internal sponsors. |
+|[List externalSponsors](../api/connectedorganization-list-externalsponsors.md) | [directoryObject](directoryobject.md) collection | Retrieve a list of a **connectedOrganization's** external sponsors. |
+|[Add internalSponsors](../api/connectedorganization-post-internalsponsors.md) | None | Add a user or group to a **connectedOrganization's** internal sponsors. |
+|[Add externalSponsors](../api/connectedorganization-post-externalsponsors.md) | None | Add a user or group to a **connectedOrganization's** external sponsors. |
+|[Remove internalSponsors](../api/connectedorganization-delete-internalsponsors.md) | None | Remove a user or group from a **connectedOrganization's** internal sponsors. |
+|[Remove externalSponsors](../api/connectedorganization-delete-externalsponsors.md) | None | Remove a user or group from a **connectedOrganization's** external sponsors. |
+
+## See also
+
+- [What is Azure AD entitlement management?](/azure/active-directory/governance/entitlement-management-overview)
+- [subjectSet](subjectset.md) subtypes [singleUser](singleuser.md), [groupMembers](groupmembers.md), [connectedOrganizationMembers](connectedorganizationmembers.md), [requestorManager](requestormanager.md), [internalSponsors](internalsponsors.md), and [externalSponsors](externalsponsors.md).
+- [accessPackageSubject](accesspackagesubject.md) - Used in the [accessPackageAssignment](accesspackageassignment.md) as a subject user who has an access package assignment.
+- [identitySource](identitysource.md) - used in the [connectedOrganization](connectedorganization.md), one of [azureActiveDirectoryTenant](azureactivedirectorytenant.md), [domainIdentitySource](domainidentitysource.md) or [externalDomainFederation](externaldomainfederation.md).
++
v1.0 Entitlementmanagement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/entitlementmanagement.md
Title: "entitlementManagement resource type"
-description: "The singleton for containing entitlement management resources."
+description: "The container for entitlement management resources."
ms.localizationpriority: medium ms.prod: "governance" doc_type: resourcePageType + # entitlementManagement resource type
-The entitlement management singleton is the container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md). For a full list of resources see [entitlement management overview](entitlementmanagement-root.md).
+The entitlement management singleton is the container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md). For a full list of resources see [entitlement management overview](entitlementmanagement-overview.md).
Inherits from [entity](entity.md).
None.
## Relationships |Relationship|Type|Description| |:|:|:|
-|accessPackages|[accessPackage](../resources/accesspackage.md) collection|Access packages.|
-|assignmentRequests|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Access package assignment requests.|
-|assignments|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Access package assignments.|
-|catalogs|[accessPackageCatalog](../resources/accesspackagecatalog.md) collection|Access package catalogs.|
-|connectedOrganizations|[connectedOrganization](../resources/connectedorganization.md) collection|Connected organizations.|
-|settings|[entitlementManagementSettings](../resources/entitlementmanagementsettings.md)|Entitlement management settings.|
+|accessPackages|[accessPackage](../resources/accesspackage.md) collection|Represents access package objects.|
+|assignmentRequests|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Represents access package assignment requests created by or on behalf of a user.|
+|assignments|[accessPackageAssignment](../resources/accesspackageassignment.md) collection| Represents the grant of an access package to a subject (user or group).|
+|catalogs|[accessPackageCatalog](../resources/accesspackagecatalog.md) collection| Represents a group of access packages.|
+|connectedOrganizations|[connectedOrganization](../resources/connectedorganization.md) collection|Represents references to a directory or domain of another organization whose users can request access.|
+|settings|[entitlementManagementSettings](../resources/entitlementmanagementsettings.md)| Represents the settings that control the behavior of Azure AD entitlement management.|
## JSON representation The following is a JSON representation of the resource.
v1.0 Entitlementmanagementschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/entitlementmanagementschedule.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule.
## Properties |Property|Type|Description|
v1.0 Entitlementmanagementsettings https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/entitlementmanagementsettings.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents settings that control the behavior of [Azure AD entitlement management](entitlementmanagement-root.md). This resource does not include the catalog creators setting; to view or change the catalog creators role membership, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
+Represents settings that control the behavior of [Azure AD entitlement management](entitlementmanagement-overview.md). This resource does not include the catalog creators setting; to view or change the catalog creators role membership, use the [role assignments](unifiedroleassignment.md) API with the entitlement management RBAC provider.
## Methods |Method|Return type|Description|
v1.0 Expirationpattern https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/expirationpattern.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-root.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of an [entitlementManagementSchedule](entitlementmanagementschedule.md) indicates when the access package assignment should expire.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of an [entitlementManagementSchedule](entitlementmanagementschedule.md) indicates when the access package assignment should expire.
## Properties |Property|Type|Description|
v1.0 Identitygovernance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/identitygovernance.md
doc_type: "resourcePageType"
Namespace: microsoft.graph
-The identity governance singleton is the container for identity governance resources, including [access reviews](accessreviewsv2-root.md) and [entitlement management](entitlementmanagement.md).
+The identity governance singleton is the container for the following Azure Active Directory identity governance features that are exposed through the following resources and APIs:
+++ [Access reviews](accessreviewsv2-overview.md)++ [Entitlement management](entitlementmanagement-overview.md)++ [App consent](consentrequests-overview.md)++ [Terms of use](agreement.md) ## Methods
None.
|Relationship|Type|Description| |:|:|:|
+|accessReviews|[accessReviewSet](accessreviewset.md)| Container for the base resources that expose the access reviews API and features. Currently exposes only the [definitions](accessreviewscheduledefinition.md) resource.|
+|appConsent|[appConsent](appconsentapprovalroute.md)| Container for base resources that expose the app consent request API and features. Currently exposes only the [appConsentRequests](appconsentrequest.md) resource.|
|entitlementManagement|[entitlementManagement](entitlementmanagement.md)| Container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md).|
+|termsOfUse|[termsOfUseContainer](termsofusecontainer.md)| Container for the resources that expose the terms of use API and its features, including [agreements](agreement.md) and [agreementAcceptances](agreementacceptance.md). |
v1.0 Termsofusecontainer https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/termsOfUseContainer.md
+
+ Title: "termsOfUseContainer resource type"
+description: "Container for the relationships that expose the terms of use API and its features. Currently exposes the agreements and agreementAcceptances relationships."
+ms.localizationpriority: medium
+++
+# termsOfUseContainer resource type
+
+Namespace: microsoft.graph
++
+Container for the relationships that expose the terms of use API and its features. Currently exposes the [agreements](agreement.md) and [agreementAcceptances](agreementacceptance.md) relationships.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|agreementAcceptances|[agreementAcceptance](agreementacceptance.md) collection| Represents the current status of a user's response to a company's customizable terms of use agreement.|
+|agreements|[agreement](agreement.md) collection|Represents a tenant's customizable terms of use agreement that's created and managed with Azure Active Directory (Azure AD).|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.termsOfUseContainer",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.termsOfUseContainer"
+}
+```
+
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/user.md
This resource supports:
|streetAddress|String|The street address of the user's place of business. Maximum length is 1024 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| |surname|String|The user's surname (family name or last name). Maximum length is 64 characters. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| |usageLocation|String|A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: `US`, `JP`, and `GB`. Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](organization.md).<br>NOTE: This property cannot contain accent characters. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`) and `$orderBy`.
+|userPrincipalName|String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the **verifiedDomains** property of [organization](organization.md).<br>NOTE: This property cannot contain accent characters. Only the following characters are allowed `A - Z`, `a - z`, `0 - 9`, ` ' . - _ ! # ^ ~`. For the complete list of allowed characters, see [username policies](/azure/active-directory/authentication/concept-sspr-policy#userprincipalname-policies-that-apply-to-all-user-accounts). <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`) and `$orderBy`.
|userType|String|A string value that can be used to classify user types in your directory, such as `Member` and `Guest`. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). **NOTE:** For more information about the permissions for member and guest users, see [What are the default user permissions in Azure Active Directory?](/azure/active-directory/fundamentals/users-default-permissions#member-and-guest-users) | ### Legal age group property definitions
v1.0 Userconsentrequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/userconsentrequest.md
A [userConsentRequest](../resources/userconsentrequest.md) is created by a user
Method|Return type|Description| |:|:|:|
-|[List userConsentRequests](../api/userconsentrequest-list.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md).|
+|[List userConsentRequests](../api/appconsentrequest-list-userconsentrequests.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Retrieve a collection of [userConsentRequest](userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md).|
|[Get userConsentRequest](../api/userconsentrequest-get.md)|[userConsentRequest](../resources/userconsentrequest.md)|Read the properties and relationships of a [userConsentRequest](../resources/userconsentrequest.md) object.| |[filterByCurrentUser](../api/userconsentrequest-filterByCurrentUser.md)|[userConsentRequest](../resources/userconsentrequest.md) collection|Read the properties of [userConsentRequest](../resources/userconsentrequest.md) objects for an [appConsentRequest](appconsentrequest.md) for which the current user is the reviewer.|
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
- name: Governance items: - name: Access reviews
- href: resources/accessreviewsv2-root.md
+ href: resources/accessreviewsv2-overview.md
items: - name: Access review schedule definition href: resources/accessreviewscheduledefinition.md items: - name: List
- href: api/accessreviewscheduledefinition-list.md
+ href: api/accessreviewset-list-definitions.md
- name: Get href: api/accessreviewscheduledefinition-get.md - name: Create
- href: api/accessreviewscheduledefinition-post.md
+ href: api/accessreviewset-post-definitions.md
- name: Delete href: api/accessreviewscheduledefinition-delete.md - name: Update
items:
href: resources/accessreviewinstance.md items: - name: List
- href: api/accessreviewinstance-list.md
+ href: api/accessreviewscheduledefinition-list-instances.md
- name: Get href: api/accessreviewinstance-get.md - name: Update
items:
- name: Get href: api/accessreviewinstancedecisionitem-get.md - name: List
- href: api/accessreviewinstancedecisionitem-list.md
+ href: api/accessreviewinstance-list-decisions.md
- name: Update href: api/accessreviewinstancedecisionitem-update.md - name: Filter by current user href: api/accessreviewinstancedecisionitem-filterbycurrentuser.md - name: Consent requests
- href: resources/consentrequests-root.md
+ href: resources/consentrequests-overview.md
items: - name: Admin consent request policy href: resources/adminconsentrequestpolicy.md
items:
href: resources/appconsentrequest.md items: - name: List
- href: api/appconsentrequest-list.md
+ href: api/appconsentapprovalroute-list-appconsentrequests.md
- name: Get href: api/appconsentrequest-get.md - name: Filter by current user
items:
href: resources/userconsentrequest.md items: - name: List
- href: api/userconsentrequest-list.md
+ href: api/appconsentrequest-list-userconsentrequests.md
- name: Get href: api/userconsentrequest-get.md - name: Filter by current user href: api/userconsentrequest-filterByCurrentUser.md - name: Entitlement management
- href: resources/entitlementmanagement-root.md
+ href: resources/entitlementmanagement-overview.md
items: - name: Access package href: resources/accesspackage.md
items:
- name: Agreement href: resources/agreement.md - name: List
- href: api/agreement-list.md
+ href: api/termsofusecontainer-list-agreements.md
- name: Create
- href: api/agreement-post-agreements.md
+ href: api/termsofusecontainer-post-agreements.md
- name: Get href: api/agreement-get.md - name: Update