
Why does the Identity Governance service use a mix of v1.0 and beta msgraph endpoints?

Open tabroughton opened this issue 1 year ago • 7 comments

Within the Identity Governance service the msgraph client is using a mixture of beta and v1.0 endpoints but this poses some potential issues.

  1. some features within EntraID currently in use are not available in the beta API
  2. the API specs for beta and v1.0 are often quite different, so interoperability could be an issue
  3. Microsoft states not to use the beta API for anything in production, which creates a risk that we (and many other) organisations will struggle to accept

When the service was first being developed, it would appear from the original commit (Add support to manage access packages in identitygovernance) that the beta API was used because it returned more information about access packages.

    // Use beta version because it replies more info than v1.0
    accessPackageClient := &msgraph.AccessPackageClient{
        BaseClient: msgraph.NewClient(msgraph.VersionBeta, o.TenantID),
    }

Apart from the risks of using beta in a production environment, one of the drivers for looking into this was that we couldn't find the features we are using in EntraID in the TF Provider. For example:

The access package policy assignments in the beta are constrained to DurationInDays BUT we need access packages to be only assigned for hours.

In v1.0 this is doable using the expiration<expirationPattern> attribute, and it is this that is currently supported by Microsoft (proven by using the EntraID UI and checking the read msgraph endpoints).

We are not alone with this issue - there are a couple of feature requests for this in the azuread backlog:

  • #1119
  • #1148

Almost all other services within this provider are using the default v1.0 msgraph endpoints. Could we discuss the options/implications for addressing this or whether it is feasible at all to accommodate v1.0 for all of Identity Governance?

tabroughton avatar Sep 19 '24 12:09 tabroughton
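To make the v1.0-versus-beta difference described above concrete, here is an added example (not code from the provider, the Hamilton SDK, or anyone in this thread) that builds the two request bodies side by side. It assumes the v1.0 `expirationPattern` carries `type` (with the value `afterDuration`) and an ISO 8601 `duration` string, and that the beta policy only has `durationInDays`; both field sets are assumptions drawn from the Graph documentation as I remember it, not verified against the provider.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ExpirationPattern mirrors the v1.0 expirationPattern shape as assumed here:
// "type" selects the mode and "duration" is an ISO 8601 duration ("PT8H").
type ExpirationPattern struct {
	Type        string `json:"type"`
	Duration    string `json:"duration,omitempty"`
	EndDateTime string `json:"endDateTime,omitempty"`
}

// V1AssignmentPolicy is a cut-down v1.0 accessPackageAssignmentPolicy body.
type V1AssignmentPolicy struct {
	DisplayName string            `json:"displayName"`
	Expiration  ExpirationPattern `json:"expiration"`
}

// BetaAssignmentPolicy is a cut-down beta body; durationInDays is the only
// duration field, which is exactly the hour-granularity gap the issue raises.
type BetaAssignmentPolicy struct {
	DisplayName    string `json:"displayName"`
	DurationInDays int    `json:"durationInDays"`
}

// ISODuration renders an hour count as an ISO 8601 duration, folding whole
// days so that 48h -> "P2D", 8h -> "PT8H" and 30h -> "P1DT6H".
func ISODuration(hours int) (string, error) {
	if hours <= 0 {
		return "", errors.New("duration must be a positive number of hours")
	}
	days, rem := hours/24, hours%24
	switch {
	case rem == 0:
		return fmt.Sprintf("P%dD", days), nil
	case days == 0:
		return fmt.Sprintf("PT%dH", rem), nil
	default:
		return fmt.Sprintf("P%dDT%dH", days, rem), nil
	}
}

// BuildV1Policy produces a v1.0 body whose expiration is expressed in hours.
func BuildV1Policy(name string, hours int) ([]byte, error) {
	d, err := ISODuration(hours)
	if err != nil {
		return nil, err
	}
	return json.Marshal(V1AssignmentPolicy{
		DisplayName: name,
		Expiration:  ExpirationPattern{Type: "afterDuration", Duration: d},
	})
}

// BuildBetaPolicy produces the beta body and refuses anything that is not a
// whole number of days, because durationInDays cannot carry hours.
func BuildBetaPolicy(name string, hours int) ([]byte, error) {
	if hours <= 0 || hours%24 != 0 {
		return nil, fmt.Errorf("beta durationInDays cannot express %d hours", hours)
	}
	return json.Marshal(BetaAssignmentPolicy{DisplayName: name, DurationInDays: hours / 24})
}

func main() {
	// Constructed sample: an 8-hour assignment, the case the issue needs.
	for _, build := range []func(string, int) ([]byte, error){BuildV1Policy, BuildBetaPolicy} {
		body, err := build("Short-lived access", 8)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(string(body))
	}
}
```

Running it prints the v1.0 body with `"duration":"PT8H"` and an error for the beta body, which is the mismatch a resource built purely on the beta client cannot represent.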

Hi @tabroughton, for a bit of background, we are currently migrating from the Hamilton SDK to a new Pandora-based SDK that will be maintained by HashiCorp. The new SDK is much more modular and makes it easier to select v1.0 or beta APIs depending on the context.

I worked on migrating Identity Governance to the new SDK earlier this week. Whilst I cannot say for sure which operations I needed to continue using beta APIs, I've moved some operations to the stable API where the transition was straightforward. As you say, there are implementation differences which get fairly complex to navigate. We can certainly look to move more operations/resources in Identity Governance (perhaps all of them) to the v1.0 API, and PRs would certainly be welcomed once the SDK migration has landed.

We do seek to use v1.0 APIs wherever possible, however in our experience it's often necessary to lean on a beta API, either due to feature gaps, or limitations or demonstrable bugs in a given v1.0 API. As to the veracity of Microsoft's guidance on not using beta APIs "in production", due to the above we have to take that with a degree of salt and there is no better example of this guidance being flouted than in the Azure Portal, which regularly makes use of beta APIs in MS Graph 🙂

manicminer avatar Sep 19 '24 14:09 manicminer

Thanks for your response @manicminer

> PRs would certainly be welcomed once the SDK migration has landed.

Is there any suggested time frame for a release of the SDK?

> there is no better example of this guidance being flouted than in the Azure Portal, which regularly makes use of beta APIs in MS Graph

Good point, yes after a bit more inspection, it would appear that perhaps even in this case their Access Packages UI seems to be using a mixture of their v1.0 and beta APIs.

tabroughton avatar Sep 19 '24 15:09 tabroughton

The new SDK is largely complete, as well as the provider migration over to the new SDK. I am working through a long tail of acceptance test runs and bugfixes, so it's difficult to say exactly, but expect something very soon 😁

manicminer avatar Sep 19 '24 21:09 manicminer

@manicminer - any update on the timeline for release? Supporting duration in hours would be a big help for me.

bharper3c avatar Jan 07 '25 15:01 bharper3c

Another one for the support of the duration in hours

leandroscarduarelex avatar Feb 10 '25 12:02 leandroscarduarelex

@manicminer That's great to hear.

For some additional context, there's a related issue which was raised by @TeeEarls, Principal Product Manager for Microsoft Entra ID, leading a team focused on Identity Governance and Access Management: #1337

I'd be happy to try and put you in touch with him if that would be helpful.

I would also be happy to help where I can with any PRs.

If you're looking at this area, it would be a great opportunity to look at this related issue too? This one causes me pain on an almost daily basis so I'd love to help get it resolved: #1325

tjrobinson avatar Mar 05 '25 12:03 tjrobinson

Any updates on the migration to the v1 api?

kvedes avatar May 27 '25 07:05 kvedes