hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Identity Governance Entitlement Management using /beta/ API instead of /v1/ #1337

Open TeeEarls opened 4 months ago

TeeEarls commented 4 months ago

Description

It appears that the Access Package functionality exposed through Terraform is using the /beta/ version of the Entitlement Management APIs, which lacks capabilities that exist in /v1/ (not to mention beta is unsupported).

It's strongly suggested to adopt /v1.0/identityGovernance/entitlementManagement instead.

tjrobinson commented 4 months ago

Thanks @TeeEarls.

For some context, Tee is a Principal Product Manager for Microsoft Entra ID, leading a team focused on Identity Governance and Access Management.

To summarise the key points from some prior discussion with Tee, my understanding is the following (please correct me if I'm wrong):

Changing to use v1.0 would allow this issue to be resolved (the beta API has no support for durations in hours, and there is no plan to change this):

1148 - access_package_assignment_policy doesn't support duration_in_hours

It would also be an opportunity to make this potentially breaking change:

1325 - azuread_access_package_assignment_policy.approval_settings.approval_stage.primary_approver blocks sensitive to order

And perhaps also help with this:

1066 - azuread_access_package_resource_package_association only supports groups

My assumption is that this would need to be released in a v3 of the provider?

My team may be able to help with the PRs to implement this change but would need some guidance on the approach first.