internal/functions/validate/Validate-AccessReviewScope.ps1

function Validate-AccessReviewScope
{
    [CmdletBinding()]
    Param (
        [ValidateSet("group","directoryRole")]
        [string] $type,
        [string] $subScope,
        [string] $reference,
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )

    begin{
        $parentResourceName = "accessReviews"
    }

    process 
    {
        if (Test-PSFFunctionInterrupt) { return }                
        
        switch ($type) {
            "group" {
                $hashtable = @{                
                    "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                    "queryType" = "MicrosoftGraph"
                    "queryRoot" = $null
                }
                $id = Resolve-Group -InputReference $reference -Cmdlet $PSCmdlet
                $hashtable["query"] = "/v1.0/groups/$($id)/transitiveMembers/microsoft.graph.user"
            }
            "directoryRole" {
                $id = Resolve-DirectoryRoleTemplate -InputReference $reference -Cmdlet $PSCmdlet
                switch ($subScope) {
                    "servicePrincipals" {
                        $hashtable = @{                
                            "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                            "queryType" = "MicrosoftGraph"
                            "queryRoot" = $null
                            "query" = "/beta/roleManagement/directory/roleAssignmentScheduleInstances?`$expand=principal&`$filter=(isof(principal,'microsoft.graph.servicePrincipal') and roleDefinitionId eq '$($Id)')"
                        }
                    }
                    "users_groups" {
                        $hashtable = @()
                        $hashtable += @{
                            "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                            "queryType" = "MicrosoftGraph"
                            "queryRoot" = $null
                            "query" = "/beta/roleManagement/directory/roleAssignmentScheduleInstances?`$expand=principal&`$filter=(assignmentType eq 'Assigned' and isof(principal,'microsoft.graph.user') and roleDefinitionId eq '$($Id)')"
                        }
                        $hashtable += @{
                            "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                            "queryType" = "MicrosoftGraph"
                            "queryRoot" = $null
                            "query" = "/beta/roleManagement/directory/roleAssignmentScheduleInstances?`$expand=principal&`$filter=(assignmentType eq 'Assigned' and isof(principal,'microsoft.graph.group') and roleDefinitionId eq '$($Id)')"
                        }
                    }
                }
            }
        }
    }

    end 
    {
        $hashtable
    }
}