tessl/pypi-azure-mgmt-authorization
Microsoft Azure Authorization Management Client Library for Python providing RBAC, PIM, and access control capabilities
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
access-reviews.mddocs/
Access Reviews
Systematic access certification and compliance management with configurable review cycles, approval workflows, and automated remediation. Access reviews enable organizations to regularly validate access permissions and maintain security compliance.
Capabilities
Access Review Schedule Definitions
Define and manage recurring access review processes with configurable settings, reviewers, and scope.
def create_or_update_by_id(schedule_definition_id: str, properties: AccessReviewScheduleDefinition) -> AccessReviewScheduleDefinition:
"""
Create or update an access review schedule definition.
Parameters:
- schedule_definition_id: GUID for the schedule definition
- properties: Access review schedule definition properties
Returns:
AccessReviewScheduleDefinition object with created/updated definition
"""
def delete_by_id(schedule_definition_id: str) -> None:
"""
Delete an access review schedule definition.
Parameters:
- schedule_definition_id: ID of the schedule definition to delete
"""
def get_by_id(schedule_definition_id: str) -> AccessReviewScheduleDefinition:
"""
Get details of an access review schedule definition.
Parameters:
- schedule_definition_id: ID of the schedule definition
Returns:
AccessReviewScheduleDefinition object
"""
def list() -> Iterator[AccessReviewScheduleDefinition]:
"""
List all access review schedule definitions.
Returns:
Iterator of AccessReviewScheduleDefinition objects
"""
def stop(schedule_definition_id: str) -> None:
"""
Stop a running access review schedule definition.
Parameters:
- schedule_definition_id: ID of the schedule definition to stop
"""Access Review Instances
Manage individual instances of access reviews that are created from schedule definitions.
def create(schedule_definition_id: str, id: str, properties: AccessReviewInstance) -> AccessReviewInstance:
"""
Create an access review instance manually.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: GUID for the review instance
- properties: Access review instance properties
Returns:
AccessReviewInstance object
"""
def get_by_id(schedule_definition_id: str, id: str) -> AccessReviewInstance:
"""
Get details of an access review instance.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
Returns:
AccessReviewInstance object
"""
def list(schedule_definition_id: str, filter: Optional[str] = None) -> Iterator[AccessReviewInstance]:
"""
List access review instances for a schedule definition.
Parameters:
- schedule_definition_id: ID of the schedule definition
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewInstance objects
"""
def stop(schedule_definition_id: str, id: str) -> None:
"""
Stop an active access review instance.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance to stop
"""
def reset_decisions(schedule_definition_id: str, id: str) -> None:
"""
Reset all decisions in an access review instance.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
"""
def apply_decisions(schedule_definition_id: str, id: str) -> None:
"""
Apply the decisions from a completed access review instance.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
"""
def send_reminders(schedule_definition_id: str, id: str) -> None:
"""
Send reminder notifications to reviewers.
Parameters:
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
"""Access Review Instance Decisions
Manage individual decisions made by reviewers within access review instances.
def list(schedule_definition_id: str, id: str, filter: Optional[str] = None) -> Iterator[AccessReviewDecision]:
"""
List decisions for an access review instance.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewDecision objects
"""
def patch(schedule_definition_id: str, id: str, decision_id: str, properties: AccessReviewDecision) -> AccessReviewDecision:
"""
Update a decision in an access review instance.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
- decision_id: ID of the decision to update
- properties: Updated decision properties
Returns:
Updated AccessReviewDecision object
"""Access Review Instance My Decisions
Manage decisions that the current user is responsible for reviewing.
def list(schedule_definition_id: str, id: str, filter: Optional[str] = None) -> Iterator[AccessReviewDecision]:
"""
List decisions assigned to the current user for review.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewDecision objects assigned to current user
"""
def patch(schedule_definition_id: str, id: str, decision_id: str, properties: AccessReviewDecision) -> AccessReviewDecision:
"""
Update a decision that the current user is reviewing.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
- decision_id: ID of the decision to update
- properties: Updated decision properties
Returns:
Updated AccessReviewDecision object
"""Access Review Instance Contacted Reviewers
Query information about reviewers who have been contacted for an access review.
def list(schedule_definition_id: str, id: str) -> Iterator[AccessReviewReviewer]:
"""
List reviewers who have been contacted for an access review instance.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
Returns:
Iterator of AccessReviewReviewer objects
"""Access Review Instances Assigned for My Approval
Query access review instances where the current user is assigned as a reviewer.
def list(filter: Optional[str] = None) -> Iterator[AccessReviewInstance]:
"""
List access review instances assigned to the current user for approval.
Parameters:
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewInstance objects assigned to current user
"""Access Review Schedule Definitions Assigned for My Approval
Query access review schedule definitions where the current user is assigned as a reviewer.
def list(filter: Optional[str] = None) -> Iterator[AccessReviewScheduleDefinition]:
"""
List access review schedule definitions assigned to the current user.
Parameters:
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewScheduleDefinition objects
"""Access Review History Definitions
Configure and manage historical data export for access reviews to support compliance reporting.
def create(history_definition_id: str, properties: AccessReviewHistoryDefinition) -> AccessReviewHistoryDefinition:
"""
Create an access review history definition for data export.
Parameters:
- history_definition_id: GUID for the history definition
- properties: History definition properties including scope and schedule
Returns:
AccessReviewHistoryDefinition object
"""
def delete_by_id(history_definition_id: str) -> None:
"""
Delete an access review history definition.
Parameters:
- history_definition_id: ID of the history definition to delete
"""
def get_by_id(history_definition_id: str) -> AccessReviewHistoryDefinition:
"""
Get details of an access review history definition.
Parameters:
- history_definition_id: ID of the history definition
Returns:
AccessReviewHistoryDefinition object
"""
def list() -> Iterator[AccessReviewHistoryDefinition]:
"""
List all access review history definitions.
Returns:
Iterator of AccessReviewHistoryDefinition objects
"""Access Review History Definition Instances
Manage specific instances of history data exports.
def list(definition_id: str) -> Iterator[AccessReviewHistoryInstance]:
"""
List history instances for a history definition.
Parameters:
- definition_id: ID of the history definition
Returns:
Iterator of AccessReviewHistoryInstance objects
"""
def generate_download_uri(definition_id: str, instance_id: str) -> AccessReviewHistoryDefinitionInstanceDownloadUri:
"""
Generate a download URI for a history instance.
Parameters:
- definition_id: ID of the history definition
- instance_id: ID of the history instance
Returns:
AccessReviewHistoryDefinitionInstanceDownloadUri with download link
"""Access Review Default Settings
Configure default settings that apply to new access reviews.
def get() -> AccessReviewDefaultSettings:
"""
Get the current access review default settings.
Returns:
AccessReviewDefaultSettings object with current defaults
"""
def put(settings: AccessReviewDefaultSettings) -> AccessReviewDefaultSettings:
"""
Update access review default settings.
Parameters:
- settings: New default settings to apply
Returns:
Updated AccessReviewDefaultSettings object
"""Scope-specific Access Reviews
Manage access reviews at specific scope levels with dedicated operation groups for fine-grained control. These operations provide resource, subscription, and management group-level access review management.
Scope Access Review Default Settings
def get_scope_default_settings(scope: str) -> AccessReviewDefaultSettings:
"""
Get access review default settings for a specific scope.
Parameters:
- scope: The scope to get default settings for (e.g., "/subscriptions/{id}")
Returns:
AccessReviewDefaultSettings object for the scope
"""
def put_scope_default_settings(scope: str, settings: AccessReviewDefaultSettings) -> AccessReviewDefaultSettings:
"""
Update access review default settings for a specific scope.
Parameters:
- scope: The scope to update settings for
- settings: New default settings to apply
Returns:
Updated AccessReviewDefaultSettings object
"""Scope Access Review Schedule Definitions
def create_scope_schedule_definition(scope: str, schedule_definition_id: str, properties: AccessReviewScheduleDefinition) -> AccessReviewScheduleDefinition:
"""
Create a scope-specific access review schedule definition.
Parameters:
- scope: The scope for the review definition
- schedule_definition_id: GUID for the schedule definition
- properties: Access review schedule definition properties
Returns:
AccessReviewScheduleDefinition object
"""
def delete_scope_schedule_definition(scope: str, schedule_definition_id: str) -> None:
"""
Delete a scope-specific access review schedule definition.
Parameters:
- scope: The scope of the schedule definition
- schedule_definition_id: ID of the schedule definition to delete
"""
def get_scope_schedule_definition(scope: str, schedule_definition_id: str) -> AccessReviewScheduleDefinition:
"""
Get a scope-specific access review schedule definition.
Parameters:
- scope: The scope of the schedule definition
- schedule_definition_id: ID of the schedule definition
Returns:
AccessReviewScheduleDefinition object
"""
def list_scope_schedule_definitions(scope: str) -> Iterator[AccessReviewScheduleDefinition]:
"""
List scope-specific access review schedule definitions.
Parameters:
- scope: The scope to list definitions for
Returns:
Iterator of AccessReviewScheduleDefinition objects
"""Scope Access Review Instances
def get_scope_instance(scope: str, schedule_definition_id: str, id: str) -> AccessReviewInstance:
"""
Get a scope-specific access review instance.
Parameters:
- scope: The scope of the review instance
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
Returns:
AccessReviewInstance object
"""
def list_scope_instances(scope: str, filter: Optional[str] = None) -> Iterator[AccessReviewInstance]:
"""
List access review instances for a specific scope.
Parameters:
- scope: The scope to list instances for
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewInstance objects for the scope
"""
def stop_scope_instance(scope: str, schedule_definition_id: str, id: str) -> None:
"""
Stop a scope-specific access review instance.
Parameters:
- scope: The scope of the review instance
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance to stop
"""Scope Access Review Instance Decisions
def list_scope_instance_decisions(scope: str, schedule_definition_id: str, id: str, filter: Optional[str] = None) -> Iterator[AccessReviewDecision]:
"""
List decisions for a scope-specific access review instance.
Parameters:
- scope: The scope of the review instance
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
- filter: OData filter expression (optional)
Returns:
Iterator of AccessReviewDecision objects
"""
def patch_scope_instance_decision(scope: str, schedule_definition_id: str, id: str, decision_id: str, properties: AccessReviewDecision) -> AccessReviewDecision:
"""
Update a decision in a scope-specific access review instance.
Parameters:
- scope: The scope of the review instance
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
- decision_id: ID of the decision to update
- properties: Updated decision properties
Returns:
Updated AccessReviewDecision object
"""Scope Access Review Instance Contacted Reviewers
def list_scope_contacted_reviewers(scope: str, schedule_definition_id: str, id: str) -> Iterator[AccessReviewReviewer]:
"""
List reviewers contacted for a scope-specific access review instance.
Parameters:
- scope: The scope of the review instance
- schedule_definition_id: ID of the parent schedule definition
- id: ID of the review instance
Returns:
Iterator of AccessReviewReviewer objects
"""Scope Access Review History Definitions
def create_scope_history_definition(scope: str, history_definition_id: str, properties: AccessReviewHistoryDefinition) -> AccessReviewHistoryDefinition:
"""
Create a scope-specific access review history definition.
Parameters:
- scope: The scope for the history definition
- history_definition_id: GUID for the history definition
- properties: History definition properties
Returns:
AccessReviewHistoryDefinition object
"""
def delete_scope_history_definition(scope: str, history_definition_id: str) -> None:
"""
Delete a scope-specific access review history definition.
Parameters:
- scope: The scope of the history definition
- history_definition_id: ID of the history definition to delete
"""
def get_scope_history_definition(scope: str, history_definition_id: str) -> AccessReviewHistoryDefinition:
"""
Get a scope-specific access review history definition.
Parameters:
- scope: The scope of the history definition
- history_definition_id: ID of the history definition
Returns:
AccessReviewHistoryDefinition object
"""
def list_scope_history_definitions(scope: str) -> Iterator[AccessReviewHistoryDefinition]:
"""
List scope-specific access review history definitions.
Parameters:
- scope: The scope to list definitions for
Returns:
Iterator of AccessReviewHistoryDefinition objects
"""Scope Access Review History Definition Instance
def generate_scope_history_download_uri(scope: str, history_definition_id: str, instance_id: str) -> AccessReviewHistoryDefinitionInstanceDownloadUri:
"""
Generate a download URI for a scope-specific history instance.
Parameters:
- scope: The scope of the history definition
- history_definition_id: ID of the history definition
- instance_id: ID of the history instance
Returns:
AccessReviewHistoryDefinitionInstanceDownloadUri with download link
"""Scope Access Review History Definition Instances
def list_scope_history_instances(scope: str, history_definition_id: str) -> Iterator[AccessReviewHistoryInstance]:
"""
List history instances for a scope-specific history definition.
Parameters:
- scope: The scope of the history definition
- history_definition_id: ID of the history definition
Returns:
Iterator of AccessReviewHistoryInstance objects
"""Tenant-level Access Reviews
Manage tenant-wide access reviews and reviewer operations at the organizational level.
def list_tenant_contacted_reviewers(schedule_definition_id: str, id: str) -> Iterator[AccessReviewReviewer]:
"""
List reviewers contacted for a tenant-level access review instance.
Parameters:
- schedule_definition_id: ID of the schedule definition
- id: ID of the review instance
Returns:
Iterator of AccessReviewReviewer objects for tenant-level reviews
"""Usage Examples
Creating a Recurring Access Review
from azure.mgmt.authorization.models import AccessReviewScheduleDefinition
from datetime import datetime, timedelta
# Create a monthly access review for a resource group
review_definition = AccessReviewScheduleDefinition(
display_name="Monthly Resource Group Access Review",
description="Review access to production resource group monthly",
settings={
"instance_duration_in_days": 7,
"recurrence": {
"pattern": {
"type": "absoluteMonthly",
"interval": 1,
"month": 0,
"day_of_month": 1
},
"range": {
"type": "numbered",
"number_of_occurrences": 12,
"start_date": datetime.utcnow().isoformat()
}
},
"default_decision": "Deny",
"default_decision_enabled": True,
"justification_required_on_approval": True,
"mail_notifications_enabled": True,
"reminder_notifications_enabled": True,
"auto_apply_decisions_enabled": True
},
reviewers=[{
"principal_id": "reviewer-object-id",
"principal_type": "User"
}],
scope={
"resource_id": "/subscriptions/sub-id/resourceGroups/prod-rg",
"role_definition_id": "/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-id"
}
)
# Create the review definition
created_review = client.access_review_schedule_definitions.create_or_update_by_id(
schedule_definition_id="review-definition-guid",
properties=review_definition
)Making Access Review Decisions
from azure.mgmt.authorization.models import AccessReviewDecision
# Approve access with justification
decision_update = AccessReviewDecision(
decision="Approve",
justification="User still requires access for their current role responsibilities"
)
# Update the decision
updated_decision = client.access_review_instance_decisions.patch(
schedule_definition_id="review-definition-id",
id="review-instance-id",
decision_id="decision-id",
properties=decision_update
)
# Deny access with justification
deny_decision = AccessReviewDecision(
decision="Deny",
justification="User has changed roles and no longer needs this access"
)
denied_decision = client.access_review_instance_decisions.patch(
schedule_definition_id="review-definition-id",
id="review-instance-id",
decision_id="another-decision-id",
properties=deny_decision
)Configuring Review History Export
from azure.mgmt.authorization.models import AccessReviewHistoryDefinition
# Create history definition for compliance reporting
history_definition = AccessReviewHistoryDefinition(
display_name="Quarterly Compliance Report",
review_history_period_start_date_time=datetime.utcnow() - timedelta(days=90),
review_history_period_end_date_time=datetime.utcnow(),
decisions=["Approve", "Deny", "NotReviewed"],
status="Requested",
settings={
"range": {
"type": "numbered",
"number_of_occurrences": 4,
"start_date": datetime.utcnow().isoformat()
},
"pattern": {
"type": "absoluteMonthly",
"interval": 3,
"day_of_month": 1
}
}
)
# Create the history definition
history_export = client.access_review_history_definitions.create(
history_definition_id="history-guid",
properties=history_definition
)Managing Review Instances
# List active review instances for a definition
active_reviews = client.access_review_instances.list(
schedule_definition_id="review-definition-id",
filter="status eq 'InProgress'"
)
for review in active_reviews:
print(f"Review: {review.display_name}")
print(f"Status: {review.status}")
print(f"End Date: {review.end_date_time}")
# Send reminders to reviewers
client.access_review_instances.send_reminders(
schedule_definition_id="review-definition-id",
id=review.name
)
# Apply decisions for completed reviews
completed_reviews = client.access_review_instances.list(
schedule_definition_id="review-definition-id",
filter="status eq 'Completed'"
)
for review in completed_reviews:
client.access_review_instances.apply_decisions(
schedule_definition_id="review-definition-id",
id=review.name
)Types
Access Review Definition Types
class AccessReviewScheduleSettings:
instance_duration_in_days: Optional[int]
recurrence: Optional[AccessReviewRecurrenceSettings]
default_decision: Optional[str]
default_decision_enabled: Optional[bool]
justification_required_on_approval: Optional[bool]
mail_notifications_enabled: Optional[bool]
reminder_notifications_enabled: Optional[bool]
auto_apply_decisions_enabled: Optional[bool]
recommendations_enabled: Optional[bool]
class AccessReviewRecurrenceSettings:
pattern: Optional[AccessReviewRecurrencePattern]
range: Optional[AccessReviewRecurrenceRange]
class AccessReviewRecurrencePattern:
type: Optional[str] # "weekly", "absoluteMonthly", etc.
interval: Optional[int]
month: Optional[int]
day_of_month: Optional[int]
class AccessReviewRecurrenceRange:
type: Optional[str] # "endDate", "noEnd", "numbered"
number_of_occurrences: Optional[int]
start_date: Optional[str]
end_date: Optional[str]
class AccessReviewReviewer:
principal_id: Optional[str]
principal_type: Optional[str]
class AccessReviewScope:
resource_id: Optional[str]
role_definition_id: Optional[str]
principal_type: Optional[str]
assignment_state: Optional[str]
inactive_duration: Optional[str]Access Review Instance Types
class AccessReviewInstanceProperties:
status: Optional[str]
start_date_time: Optional[datetime]
end_date_time: Optional[datetime]
reviewers: Optional[List[AccessReviewReviewer]]
backup_reviewers: Optional[List[AccessReviewReviewer]]
reviewers_type: Optional[str]
class AccessReviewDecisionPrincipal:
id: Optional[str]
display_name: Optional[str]
type: Optional[str]
principal_name: Optional[str]
class AccessReviewDecisionTarget:
id: Optional[str]
display_name: Optional[str]
type: Optional[str]
principal_name: Optional[str]Access Review History Types
class AccessReviewHistoryDefinitionProperties:
display_name: Optional[str]
review_history_period_start_date_time: Optional[datetime]
review_history_period_end_date_time: Optional[datetime]
decisions: Optional[List[str]]
status: Optional[str]
created_date_time: Optional[datetime]
reviewed_date_time: Optional[datetime]
settings: Optional[AccessReviewHistoryScheduleSettings]
scopes: Optional[List[AccessReviewScope]]
class AccessReviewHistoryInstance:
id: Optional[str]
name: Optional[str]
display_name: Optional[str]
status: Optional[str]
reviewed_date_time: Optional[datetime]
download_uri: Optional[str]
expiration: Optional[datetime]
class AccessReviewHistoryDefinitionInstanceDownloadUri:
uri: Optional[str]
class AccessReviewDefaultSettings:
mail_notifications_enabled: Optional[bool]
reminder_notifications_enabled: Optional[bool]
justification_required_on_approval: Optional[bool]
default_decision_enabled: Optional[bool]
default_decision: Optional[str]
instance_duration_in_days: Optional[int]
auto_apply_decisions_enabled: Optional[bool]
recommendations_enabled: Optional[bool]Constants
Access Review Results
class AccessReviewResult:
APPROVE = "Approve"
DENY = "Deny"
NOT_REVIEWED = "NotReviewed"
DONT_KNOW = "DontKnow"
class DefaultDecisionType:
APPROVE = "Approve"
DENY = "Deny"
RECOMMENDATION = "Recommendation"
class AccessReviewInstanceStatus:
NOT_STARTED = "NotStarted"
IN_PROGRESS = "InProgress"
COMPLETED = "Completed"
APPLIED = "Applied"
INITIALIZING = "Initializing"
APPLYING = "Applying"
COMPLETING = "Completing"
SCHEDULED = "Scheduled"
AUTO_REVIEWING = "AutoReviewing"
AUTO_REVIEWED = "AutoReviewed"
STARTING = "Starting"Access Review Recurrence Types
class AccessReviewRecurrencePatternType:
WEEKLY = "weekly"
ABSOLUTE_MONTHLY = "absoluteMonthly"
class AccessReviewRecurrenceRangeType:
END_DATE = "endDate"
NO_END = "noEnd"
NUMBERED = "numbered"
class ReviewersType:
ASSIGNED = "Assigned"
SELF = "Self"
MANAGERS = "Managers"Access Review History Status
class AccessReviewHistoryStatus:
REQUESTED = "Requested"
IN_PROGRESS = "InProgress"
COMPLETED = "Completed"
ERROR = "Error"Error Handling
Common access review exceptions:
- BadRequestError: Invalid review configuration or malformed request
- ForbiddenError: Insufficient permissions to create or manage reviews
- ResourceNotFoundError: Review definition or instance not found
- ConflictError: Review already exists or conflicting operation
from azure.core.exceptions import BadRequestError, ResourceNotFoundError
try:
review_instance = client.access_review_instances.get_by_id(
schedule_definition_id, instance_id
)
except ResourceNotFoundError:
print("Access review instance not found")
except BadRequestError as e:
print(f"Invalid request: {e.message}")Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-authorization