Unable to modify/change values with msgraph_resource

[Sankar-5310]

I am attempting to manage Entitlement Management customWorkflowExtensions using the generic msgraph_resource.

** Initial Creation (This works successfully)**

resource "msgraph_resource" "extention" {
  url = "identityGovernance/entitlementManagement/catalogs/18537acc-f283-44d2-951b-ef1fdfb814c5/customWorkflowExtensions"
  body = {
    "@odata.type" = "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension"
    authenticationConfiguration = {
      "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication"
    }
    callbackConfiguration = null#{
    #   "@odata.type"         = "microsoft.graph.customExtensionCallbackConfiguration"
    #   durationBeforeTimeout = "PT1H"
    # }
    description = "this is for graph testing only"
    displayName = "test_action_0124_email"
    endpointConfiguration = {
      "@odata.type"        = "#microsoft.graph.logicAppTriggerEndpointConfiguration"
      logicAppWorkflowName = "test"
      resourceGroupName    = "SUBRSDE"
      subscriptionId       = "be00c921-a41c-4c48-955b-xxxxxxxxx"
      url                  = "https://prod-68.eastus.logic.azure.com:443/workflows/746bd94b21ac4d848753096253af1cc7/triggers/manual/paths/invoke?api-version=2016-10-01"
    }
  }
}

** Modification (This fails) After the resource is created, I modify the displayName**

resource "msgraph_resource" "extention" {
  url = "identityGovernance/entitlementManagement/catalogs/18537acc-f283-44d2-951b-ef1fdfb814c5/customWorkflowExtensions"
  body = {
    "@odata.type" = "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension"
    authenticationConfiguration = {
      "@odata.type" = "#microsoft.graph.azureAdPopTokenAuthentication"
    }
    callbackConfiguration = null#{
    #   "@odata.type"         = "microsoft.graph.customExtensionCallbackConfiguration"
    #   durationBeforeTimeout = "PT1H"
    # }
    description = "this is for graph testing only"
    displayName = "test_action_0124_email1"
    endpointConfiguration = {
      "@odata.type"        = "#microsoft.graph.logicAppTriggerEndpointConfiguration"
      logicAppWorkflowName = "test"
      resourceGroupName    = "SUBRSDE"
      subscriptionId       = "be00c921-a41c-4c48-955b-xxxxxxxxx"
      url                  = "https://prod-68.eastus.logic.azure.com:443/workflows/746bd94b21ac4d848753096253af1cc7/triggers/manual/paths/invoke?api-version=2016-10-01"
    }
  }
}

Steps to Reproduce

• Use the first HCL block and run terraform apply. The resource is created successfully.
• Update the HCL with the changes from the second block.
• Run terraform plan. It correctly shows a plan to update the resource in-place.
• Run terraform apply. The operation fails.

Expected Behavior
Terraform should successfully apply the changes via an HTTP PATCH request, and the displayName of the customWorkflowExtension should be updated in Azure.

Actual Behavior

The terraform apply command fails with a 404 Not Found error. It appears the provider is correctly identifying the resource ID and constructing a PATCH request, but the Graph API endpoint returns a 404, indicating it cannot find the resource at that PATCH URL.
Terraform Plan and Error Output
Plan:

Terraform will perform the following actions:

  # msgraph_resource.extensions will be updated in-place
  ~ resource "msgraph_resource" "extensions" {
      ~ body                    = {
          ~ description                 = "this is for graph testing only1" -> "this is for graph testing only2"
          ~ displayName                 = "test_action_0124_email" -> "test_action_0124_email-new"
            # (5 unchanged attributes hidden)
        }
        id                      = "906edc09-7ef4-4ff4-9fbe-fd1b16ef4507"
      ~ output                  = {} -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Error:

msgraph_resource.extensions: Modifying... [id=906edc09-7ef4-4ff4-9fbe-fd1b16ef4507]
╷
│ Error: Failed to create resource
│
│   with msgraph_resource.extensions,
│   on catalogextention.tf line 1, in resource "msgraph_resource" "extensions":
│    1: resource "msgraph_resource" "extensions" {
│
│ PATCH https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/18537acc-f283-44d2-951b-ef1fdfb814c5/customWorkflowExtensions/906edc09-7ef4-4ff4-9fbe-fd1b16ef4507
│ --------------------------------------------------------------------------------
│ RESPONSE 404: 404 Not Found
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "",
│     "message": "No HTTP resource was found that matches the request URI 'https://igaelm-asev3-ecapi-cus.igaelm-asev3-environment-cus.p.azurewebsites.net/api/v1/catalogs('18537acc-f283-44d2-951b-ef1fdfb814c5')/customWorkflowExtensions('906edc09-7ef4-4ff4-9fbe-fd1b16ef4507')'.",
│     "innerError": {
│       "date": "2025-11-05T14:24:05",
│       "request-id": "748ea92a-18d3-4023-87ef-1c34447a8811",
│       "client-request-id": "748ea92a-18d3-4023-87ef-1c34447a8811"
│     }
│   }
│ }

[tjrobinson]

Unfortunately that's a limitation with the Graph API for that resource type, and some others around Access Packages. It only supports PUT rather than PATCH.

https://learn.microsoft.com/en-us/graph/api/accesspackageassignmentrequestworkflowextension-update?view=graph-rest-1.0&tabs=http

I raised a similar issue (#50) and some workarounds were suggested but they didn't really work for what I was looking to do.

[Sankar-5310]

Thank you very much @tjrobinson , let me try the workaround and keep you posted. I hope all the Entitlement Management recourses are only PUT not works as PUSH?

Any one looking into get the recourses work with PUSH in future ?

[ms-henglu]

Hi @Sankar-5310 ,

Thank you for taking time to report this issue and apologize for late response.

I opened this PR to add support for update_method, now you can specify using PUT as the update method.