How to handle PIM for Entra ID roles

[anderseide]

Is there a way to manage PIM for Entra Roles with this provider?

The APIs is a bit creative, and not following normal delete for deleting resources for example. Fails on Update as well
For example Role Eligibility Request

Delete
POST /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}/cancel

Docs

• https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleeligibilityschedulerequests?view=graph-rest-1.0&tabs=http
• https://learn.microsoft.com/en-us/graph/api/unifiedroleeligibilityschedulerequest-cancel?view=graph-rest-1.0&tabs=http

Example error messages

Delete

Destroying... [id=62c252b0-7327-490f-9796-b3facca809d8]
╷
│ Error: Failed to delete resource
│ 
│ DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests/956b93d3-04b2-4e67-bb2c-7067469bd163
│ --------------------------------------------------------------------------------
│ RESPONSE 404: 404 Not Found
│ ERROR CODE: UnknownError
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "UnknownError",
│     "message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleEligibilityScheduleRequests('956b93d3-04b2-4e67-bb2c-7067469bd163')?'.\"}",
│     "innerError": {
│       "date": "2025-10-11T15:02:25",
│       "request-id": "e3f96448-9190-4ea8-a1b2-c4bc87549a56",
│       "client-request-id": "e3f96448-9190-4ea8-a1b2-c4bc87549a56"
│     }
│   }
│ }

Update

│   16: resource "msgraph_resource" "group_role_assignment" {
│ 
│ PATCH https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests/62c252b0-7327-490f-9796-b3facca809d8
│ --------------------------------------------------------------------------------
│ RESPONSE 404: 404 Not Found
│ ERROR CODE: UnknownError
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "UnknownError",
│     "message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleEligibilityScheduleRequests('62c252b0-7327-490f-9796-b3facca809d8')?'.\"}",
│     "innerError": {
│       "date": "2025-10-11T15:01:46",
│       "request-id": "942d7b4f-f0d1-4602-9178-2a30582be503",
│       "client-request-id": "942d7b4f-f0d1-4602-9178-2a30582be503"
│     }
│   }
│ }

[sjovang]

I don't think so. At least not a straight forward and elegant way.

For now I think its best to stick with azuread_directory_role_eligibility_schedule_request, but use this provider to manage the role policy for active/eligible assignments. I created an example here: https://github.com/sjovang/terraform-msgraph-entraid-role-assignment-policy

I also ran into the same problem with PIM Groups and assigning eligible member/owner in an access package where the API endpoint has the same type of creativity with a parameter for which action to take instead of using http methods. It would be very interesting to hear from someone in the msgraph team why certain endpoints have been implemented this way.

[kewalaka]

This also affects PIM for Groups eligibility schedules with the same error pattern.

Endpoint: identityGovernance/privilegedAccess/group/eligibilityScheduleRequests

Error: DELETE [https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests/](vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html)<id> RESPONSE 404: 404 Not Found ERROR CODE: UnknownError

Schedule requests are ephemeral workflow objects consumed after processing?

Example:

terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    msgraph = { source = "microsoft/msgraph", version = "~> 0.2.0" }
  }
}

resource "azuread_group" "test" {
  display_name       = "PIM-Test-Group"
  security_enabled   = true
  assignable_to_role = true
}

data "azuread_client_config" "current" {}

resource "msgraph_resource" "request" {
  url         = "identityGovernance/privilegedAccess/group/eligibilityScheduleRequests"
  api_version = "v1.0"
  body = {
    groupId       = azuread_group.test.id
    principalId   = data.azuread_client_config.current.object_id
    action        = "adminAssign"
    accessId      = "member"
    justification = "Test"
    scheduleInfo  = { expiration = { type = "noExpiration" } }
  }
}

Apply succeeds, destroy fails with 404. Workaround: terraform state rm before destroy.

Potential fix: Extend PR #73's ResponseErrorWasNotFound() to handle DELETE operations, treating 404 as success for ephemeral resources?

If removed from state then destroy runs cleanly.

[jamie-oconnell]

I would also note roleEligibilityScheduleRequests get cleaned up after a period of time. This doesn't seem to be documented anywhere but you can see how the azuread provider handles it here. They note typically after 45 days.

https://github.com/hashicorp/terraform-provider-azuread/blob/723c5f61653d9f3cfcbe5de35051e314d7f49f26/internal/services/directoryroles/directory_role_eligibility_schedule_request_resource.go#L156

Update: PG confirmed they are guaranteed to exist only for 30 days. They have added a backlog item to update the documentation.