DSCResources/MSFT_AADAccessReviewDefinition/MSFT_AADAccessReviewDefinition.schema.mof
[ClassVersion("1.0.0")]
class MSFT_MicrosoftGraphAccessReviewScope { [Write, Description("The query representing what will be reviewed in an access review.")] String Query; [Write, Description("In the scenario where reviewers need to be specified dynamically, this property is used to indicate the relative source of the query. This property is only required if a relative query is specified. For example, ./manager.")] String QueryRoot; [Write, Description("Indicates the type of query. Types include MicrosoftGraph and ARM.")] String QueryType; [Write, Description("Defines the scopes of the principals for which access to resources are reviewed in the access review."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewScope")] String PrincipalScopes[]; [Write, Description("Defines the scopes of the resources for which access is reviewed."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewScope")] String ResourceScopes[]; [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.accessReviewQueryScope","#microsoft.graph.accessReviewReviewerScope","#microsoft.graph.principalResourceMembershipsScope","#microsoft.graph.accessReviewInactiveUsersQueryScope"}, Values{"#microsoft.graph.accessReviewQueryScope","#microsoft.graph.accessReviewReviewerScope","#microsoft.graph.principalResourceMembershipsScope","#microsoft.graph.accessReviewInactiveUsersQueryScope"}] String odataType; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphAccessReviewScheduleSettings { [Write, Description("Optional field. Describes the actions to take once a review is complete. There are two types that are currently supported: removeAccessApplyAction (default) and disableAndDeleteUserApplyAction. Field only needs to be specified in the case of disableAndDeleteUserApplyAction."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewApplyAction")] String ApplyActions[]; [Write, Description("Indicates whether decisions are automatically applied. When set to false, an admin must apply the decisions manually once the reviewer completes the access review. When set to true, decisions are applied automatically after the access review instance duration ends, whether or not the reviewers have responded. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.")] Boolean AutoApplyDecisionsEnabled; [Write, Description("Indicates whether decisions on previous access review stages are available for reviewers on an accessReviewInstance with multiple subsequent stages. If not provided, the default is disabled (false).")] Boolean DecisionHistoriesForReviewersEnabled; [Write, Description("Decision chosen if defaultDecisionEnabled is enabled. Can be one of Approve, Deny, or Recommendation.")] String DefaultDecision; [Write, Description("Indicates whether the default decision is enabled or disabled when reviewers do not respond. Default value is false. CAUTION: If both autoApplyDecisionsEnabled and defaultDecisionEnabled are true, all access for the principals to the resource risks being revoked if the reviewers fail to respond.")] Boolean DefaultDecisionEnabled; [Write, Description("Duration of each recurrence of review (accessReviewInstance) in number of days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its durationInDays setting will be used instead of the value of this property.")] UInt32 InstanceDurationInDays; [Write, Description("Indicates whether reviewers are required to provide justification with their decision. Default value is false.")] Boolean JustificationRequiredOnApproval; [Write, Description("Indicates whether emails are enabled or disabled. Default value is false.")] Boolean MailNotificationsEnabled; [Write, Description("Optional. Describes the types of insights that aid reviewers to make access review decisions. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationInsightSettings setting will be used instead of the value of this property."), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting")] String RecommendationInsightSettings[]; [Write, Description("Optional field. Indicates the period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationLookBackDuration setting will be used instead of the value of this property.")] String RecommendationLookBackDuration; [Write, Description("Indicates whether decision recommendations are enabled or disabled. NOTE: If the stageSettings of the accessReviewScheduleDefinition object is defined, its recommendationsEnabled setting will be used instead of the value of this property.")] Boolean RecommendationsEnabled; [Write, Description("Detailed settings for recurrence using the standard Outlook recurrence object. Note: Only dayOfMonth, interval, and type (weekly, absoluteMonthly) properties are supported. Use the property startDate on recurrenceRange to determine the day the review starts."), EmbeddedInstance("MSFT_MicrosoftGraphPatternedRecurrence")] String Recurrence; [Write, Description("Indicates whether reminders are enabled or disabled. Default value is false.")] Boolean ReminderNotificationsEnabled; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphAccessReviewApplyAction { [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.disableAndDeleteUserApplyAction","#microsoft.graph.removeAccessApplyAction"}, Values{"#microsoft.graph.disableAndDeleteUserApplyAction","#microsoft.graph.removeAccessApplyAction"}] String odataType; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting { [Write, Description("Optional. Indicates the time period of inactivity (with respect to the start date of the review instance) that recommendations will be configured from. The recommendation will be to deny if the user is inactive during the look-back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days.")] String RecommendationLookBackDuration; [Write, Description("Indicates whether inactivity is calculated based on the user's inactivity in the tenant or in the application. The possible values are tenant, application, unknownFutureValue. application is only relevant when the access review is a review of an assignment to an application."), ValueMap{"tenant","application","unknownFutureValue"}, Values{"tenant","application","unknownFutureValue"}] String SignInScope; [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.groupPeerOutlierRecommendationInsightSettings","#microsoft.graph.userLastSignInRecommendationInsightSetting"}, Values{"#microsoft.graph.groupPeerOutlierRecommendationInsightSettings","#microsoft.graph.userLastSignInRecommendationInsightSetting"}] String odataType; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphPatternedRecurrence { [Write, Description("The frequency of an event. Do not specify for a one-time access review. For access reviews: Do not specify this property for a one-time access review. Only interval, dayOfMonth, and type (weekly, absoluteMonthly) properties of recurrencePattern are supported."), EmbeddedInstance("MSFT_MicrosoftGraphRecurrencePattern")] String Pattern; [Write, Description("The duration of an event."), EmbeddedInstance("MSFT_MicrosoftGraphRecurrenceRange")] String Range; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphRecurrencePattern { [Write, Description("The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.")] UInt32 DayOfMonth; [Write, Description("A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.")] String DaysOfWeek[]; [Write, Description("The first day of the week. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. Default is sunday. Required if type is weekly.")] String FirstDayOfWeek; [Write, Description("Specifies on which instance of the allowed days specified in daysOfWeek the event occurs, counted from the first instance in the month. The possible values are: first, second, third, fourth, last. Default is first. Optional and used if type is relativeMonthly or relativeYearly."), ValueMap{"first","second","third","fourth","last"}, Values{"first","second","third","fourth","last"}] String Index; [Write, Description("The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.")] UInt32 Interval; [Write, Description("The month in which the event occurs. This is a number from 1 to 12.")] UInt32 Month; [Write, Description("The recurrence pattern type: daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly. Required. For more information, see values of type property."), ValueMap{"daily","weekly","absoluteMonthly","relativeMonthly","absoluteYearly","relativeYearly"}, Values{"daily","weekly","absoluteMonthly","relativeMonthly","absoluteYearly","relativeYearly"}] String Type; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphRecurrenceRange { [Write, Description("The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.")] String EndDate; [Write, Description("The number of times to repeat the event. Required and must be positive if type is numbered.")] UInt32 NumberOfOccurrences; [Write, Description("Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.")] String RecurrenceTimeZone; [Write, Description("The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.")] String StartDate; [Write, Description("The recurrence range. Possible values are: endDate, noEnd, numbered. Required."), ValueMap{"endDate","noEnd","numbered"}, Values{"endDate","noEnd","numbered"}] String Type; }; [ClassVersion("1.0.0")] class MSFT_MicrosoftGraphAccessReviewStageSettings { [Write, Description("Indicate which decisions will go to the next stage. Can be a subset of Approve, Deny, Recommendation, or NotReviewed. If not provided, all decisions will go to the next stage. Optional.")] String DecisionsThatWillMoveToNextStage[]; [Write, Description("Defines the sequential or parallel order of the stages and depends on the stageId. Only sequential stages are currently supported. For example, if stageId is 2, then dependsOn must be 1. If stageId is 1, don't specify dependsOn. Required if stageId isn't 1.")] String DependsOnValue[]; [Write, Description("The duration of the stage. Required. NOTE: The cumulative value of this property across all stages 1. Will override the instanceDurationInDays setting on the accessReviewScheduleDefinition object. 2. Can't exceed the length of one recurrence. That is, if the review recurs weekly, the cumulative durationInDays can't exceed 7.")] UInt32 DurationInDays; [Write, Description("Recommendation Insights Settings"), EmbeddedInstance("MSFT_MicrosoftGraphAccessReviewRecommendationInsightSetting")] String RecommendationInsightSettings[]; [Write, Description("Optional field. Indicates the time period of inactivity (with respect to the start date of the review instance) from which that recommendations will be configured. The recommendation is to deny if the user is inactive during the look back duration. For reviews of groups and Microsoft Entra roles, any duration is accepted. For reviews of applications, 30 days is the maximum duration. If not specified, the duration is 30 days. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.")] String RecommendationLookBackDuration; [Write, Description("Indicates whether showing recommendations to reviewers is enabled. Required. NOTE: The value of this property overrides the corresponding setting on the accessReviewScheduleDefinition object.")] Boolean RecommendationsEnabled; [Write, Description("Unique identifier of the accessReviewStageSettings. The stageId is used in dependsOn property to indicate the stage relationship. Required.")] String StageId; }; [ClassVersion("1.0.0.0"), FriendlyName("AADAccessReviewDefinition")] class MSFT_AADAccessReviewDefinition : OMI_BaseResource { [Key, Description("The unique identifier for an entity. Read-only.")] String Id; [Required, Description("Name of the access review series. Supports $select and $orderby. Required on create.")] String DisplayName; [Write, Description("Description provided by review creators to provide more context of the review to admins. Supports $select.")] String DescriptionForAdmins; [Write, Description("Description provided by review creators to provide more context of the review to reviewers. Reviewers see this description in the email sent to them requesting their review. Email notifications support up to 256 characters. Supports $select.")] String DescriptionForReviewers; [Write, Description("Defines the entities whose access is reviewed. For supported scopes, see accessReviewScope. Required on create. Supports $select and $filter (contains only). For examples of options for configuring scope, see Configure the scope of your access review definition using the Microsoft Graph API."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewScope")] String ScopeValue; [Write, Description("The settings for an access review series, see type definition below. Supports $select. Required on create."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewScheduleSettings")] String SettingsValue; [Write, Description("Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages are created sequentially based on the dependsOn property. Optional. When this property is defined, its settings are used instead of the corresponding settings in the accessReviewScheduleDefinition object and its settings, reviewers, and fallbackReviewers properties."), EmbeddedInstance("MSFT_MicrosoftGraphaccessReviewStageSettings")] String StageSettings[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; }; |