terraform-provider-azuread
Feature Request for permission classifications and Identity governance features in azuread provider
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
We were looking into automating the creation of a new tenant by importing and exporting the existing configuration of our current managed tenant. For this to work end-to-end, we have a few feature requests that we want to raise, as we could not find these features in the documentation of the provider.
New or Affected Resource(s)
azuread provider (new features):
- azuread_application: Enterprise application -> Consent and permissions -> Permission classification (want to export this to the new tenant)
- Identity Governance -> PIM
- Identity Governance -> Access Packages
- Identity Governance -> Access Reviews
Potential Terraform Configuration
N/A
References
- Permission classifications - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?tabs=azure-portal
- PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure?WT.mc_id=Portal-Microsoft_Azure_PIMCommon
- Access Package - https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-onboard-external-user?wt.mc_id=azureportal_gettingstarted_inproduct_idgovernance
- Access Reviews - https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
- #0000
Thanks for requesting this @Hemanth1007. Is this a duplicate of https://github.com/hashicorp/terraform-provider-azuread/issues/218?
@manicminer The other ticket is focused on "Entitlement Management", where you can create Access Packages that can grant users access to multiple resources and roles in one go (plus have rules for how long that access will last, etc.).
I believe this request is broader in that it includes not just Access Packages but also Access Reviews (which I requested separately under #927) and Privileged Identity Management (enables just-in-time and time-bound access to roles and groups).
As for "Permission Classifications", I believe this is already supported by the required_resource_access attribute of azuread_application (where you can specify which permissions an application needs), but maybe the OP could clarify further.
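For readers following the required_resource_access discussion above, here is an added example (not code from the issue or from the provider's documentation) of what that attribute actually expresses: the permissions a single application requests, split into delegated scopes and application roles. It assumes a recent azuread provider v2.x release, where the azuread_application_published_app_ids data source and the client_id argument on the azuread_service_principal data source are available; the application name is constructed.

```hcl
# Added example, not from the issue or the provider's docs. Assumes azuread
# provider v2.x with the azuread_application_published_app_ids data source
# and the client_id argument on data.azuread_service_principal.

data "azuread_application_published_app_ids" "well_known" {}

# Resolve Microsoft Graph's service principal so permission IDs can be
# looked up by name instead of hard-coding GUIDs.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

resource "azuread_application" "example" {
  display_name = "example-app" # constructed name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    # Delegated permission: exercised on behalf of a signed-in user, bounded
    # by what that user can already see.
    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }

    # Application permission: tenant-wide access with no user present, so
    # admin consent is required and the list should stay as short as the
    # workload genuinely needs.
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
  }
}
```

This block only shapes one application's manifest. Whether users in the tenant may consent to those permissions, and which of them the tenant treats as low, medium or high risk, is governed by the tenant's consent policy and permission classifications, which this attribute does not set; that tenant-level configuration is the part the original request is about.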
Hello @g-psantos, you are right. This is of a broader scope compared to requests 218/927. The request was mainly to address the following: PIM, Access Packages, Access Reviews and permission classification. For the permission classification, the request was to get all the permissions classified as low, medium and high risk in the current tenant and deploy them into a new tenant. I have not tried the required_resource_access attribute of azuread_application and I will check and see if it solves the permission_classification part of the request.
Thanks for clarifying! We do already have open issues for all of the above (e.g. #68). In order to minimise issue sprawl and keep discussion to as few threads as possible, I'm going to close this in favor of the existing issues. Please subscribe to those issues for future updates.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.