Identity Governance Entitlement Management using /beta/ API instead of /v1/

[tjrobinson]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The underlying Terraform provider currently uses the beta endpoints of the Microsoft Graph API for Identity Governance Entitlement Management, i.e. access packages.

Microsoft have raised an issue here: hashicorp/terraform-provider-azuread#1337

To summarise:

• /beta/identityGovernance/entitlementManagement is unsupported and will be formally deprecated, then eventually removed from /beta to avoid any future confusion (no specific timeline on this).
• When new functionality is incrementally added into entitlement management, it will be added to v1.0 once it reaches GA.
• For functionality in preview (before GA), guidance will be provided for that specific preview on how to access it and provide feedback.
• If there are breaking changes in the future, Microsoft will provide time for applications to update to the new APIs.

This is mostly an FYI, but if you are able to work with them on a solution to this then that would be much appreciated.

Affected area/feature

Identity Governance Entitlement Management in the Pulumi Azure Active Directory (Azure AD) provider.

[danielrbradley]

Thanks for the heads-up @tjrobinson!

The road to us implementing this will almost certainly be through an update to the Terraform provider which would then be available in the subsequent release of this provider too.

[tjrobinson]

Hi @danielrbradley we're not seeing much momentum in issue with the Terraform provider (hashicorp/terraform-provider-azuread#1337). Do you have any influence over there, people you could nudge?

If it doesn't get updated, would you consider making a Microsoft Graph native provider?

[danielrbradley]

We don't have any direct contact with hashicorp. If you're able to propose a change to the upstream repository via a pull request that's normally the best course of action. This might also be of interest for Microsoft's Entra ID team to contribute too to facilitate access for their customers.

This issue is in our backlog but is not currently assigned an elevated priority. Our approach would also most likely be to propose a change in the hashicorp repository too rather than maintaining a custom patch or building this from scratch.

There would have to be a very strong use case to manually duplicate this functionality into the native provider so I would think this unlikely at this time.