Release API capabilities for Access Packages and Identity Governance
I want to automate Access Package deployment with Terraform, as I do with user groups, and make dynamic groups compatible with Access Packages. This would allow me to assign users to groups based on user attributes, as I can do with dynamic groups, and also give group members the ability to request an access package based on their dynamic group membership; those groups are automatically created after deploying a new subscription with Terraform. Access Packages would be specific to each subscription and include the resource and application roles that apply to users of that subscription.

This would replace the current system of identity management, in which users have to be added to 8-10 different user groups to hold the privileged roles they require, and would enhance the oversight capabilities of User Admins, who can make use of the approval and expiration settings of Access Packages. The current system of managing group memberships for each user cannot scale; Access Packages would allow User Admins to manage all privileged roles for a user from a single package with an expiration/renewal date, rather than through each individual group membership.
The Azure AD entitlement management API is documented at https://docs.microsoft.com/graph/api/resources/entitlementmanagement-root?view=graph-rest-beta; for a tutorial that shows how to use entitlement management to create an access package through that API, see https://docs.microsoft.com/graph/tutorial-access-package-api.
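As an added example (not part of the request or the reply above, and not Microsoft's or the requester's code), here is the sequence the linked tutorial walks through, driven from Python against the beta entitlement management endpoints: create an access package inside an existing catalog, then attach an assignment policy whose allowed requestors are the members of one group (in the request above, the per-subscription dynamic group), with a required approval stage and an expiration so every assignment must be renewed. The HTTP transport is injected, so the same flow runs offline against a recording fake; the catalog id, group ids, display names and the fake responses are placeholders. The JSON field names follow the beta API as documented at the reference linked above and should be checked against it before use, since the beta schema can change.

```python
"""Create an access package and an assignment policy via Microsoft Graph beta.
Example code (not from the post above); ids and names are placeholders."""
import json
import urllib.request
from typing import Any, Callable, Dict, List

GRAPH_BETA = "https://graph.microsoft.com/beta"
EM = "/identityGovernance/entitlementManagement"

PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]  # post(path, body) -> JSON


def graph_post_with_token(access_token: str) -> PostFn:
    """Real transport: JSON POST with a bearer token. The caller needs the
    EntitlementManagement.ReadWrite.All permission. Not exercised offline."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            GRAPH_BETA + path, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


class FakeGraph:
    """Offline stand-in that records each call and returns a synthetic id."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append({"path": path, "body": body})
        return {"id": f"fake-{len(self.calls)}", **body}


def group_members(group_id: str, description: str) -> Dict[str, Any]:
    """userSet that resolves to a group's members (the group may be dynamic)."""
    return {"@odata.type": "#microsoft.graph.groupMembers",
            "id": group_id, "description": description, "isBackup": False}


def create_access_package(post: PostFn, catalog_id: str, name: str, desc: str):
    """POST /accessPackages: a package must be created inside an existing catalog."""
    return post(f"{EM}/accessPackages",
                {"catalogId": catalog_id, "displayName": name, "description": desc})


def create_assignment_policy(post: PostFn, access_package_id: str,
                             requestor_group_id: str, approver_group_id: str,
                             duration_in_days: int = 90) -> Dict[str, Any]:
    """POST /accessPackageAssignmentPolicies: who may request, who approves,
    and how long an assignment lasts before it has to be renewed."""
    body = {
        "accessPackageId": access_package_id,
        "displayName": "Request by subscription members",
        "description": "Members of the subscription group may request; approval required",
        "canExtend": True,
        "durationInDays": duration_in_days,  # assignment expires, then must be renewed
        "requestorSettings": {
            "scopeType": "SpecificDirectorySubjects",
            "acceptRequests": True,
            "allowedRequestors": [group_members(requestor_group_id, "subscription members")],
        },
        "requestApprovalSettings": {
            "isApprovalRequired": True,
            "isApprovalRequiredForExtension": True,
            "isRequestorJustificationRequired": True,
            "approvalMode": "SingleStage",
            "approvalStages": [{
                "approvalStageTimeOutInDays": 14,
                "isApproverJustificationRequired": True,
                "isEscalationEnabled": False,
                "primaryApprovers": [group_members(approver_group_id, "user admins")],
            }],
        },
    }
    return post(f"{EM}/accessPackageAssignmentPolicies", body)


def deploy_subscription_package(post: PostFn, catalog_id: str, subscription: str,
                                requestor_group_id: str, approver_group_id: str):
    """One package per subscription, requestable only by that subscription's group."""
    pkg = create_access_package(post, catalog_id, f"{subscription} roles",
                                f"Resource and application roles for {subscription}")
    policy = create_assignment_policy(post, pkg["id"], requestor_group_id, approver_group_id)
    return {"accessPackageId": pkg["id"], "policyId": policy["id"]}


def policy_problems(policy: Dict[str, Any]) -> List[str]:
    """Oversight checks for a policy that grants privileged roles."""
    problems = []
    if not policy.get("durationInDays") and not policy.get("expirationDateTime"):
        problems.append("no expiration: assignments never need renewal")
    if not policy.get("requestApprovalSettings", {}).get("isApprovalRequired"):
        problems.append("no approval: requests are granted automatically")
    # scopeType values such as AllExistingDirectoryMemberUsers or AllExternalSubjects
    # open the package far beyond one subscription's group
    if str(policy.get("requestorSettings", {}).get("scopeType", "")).startswith("All"):
        problems.append("requestor scope is wider than one subscription's group")
    return problems


if __name__ == "__main__":
    fake = FakeGraph()
    print(deploy_subscription_package(fake.post, "catalog-0000", "sub-prod-01",
                                      "dyn-group-sub-prod-01", "group-user-admins"))
    print(policy_problems(fake.calls[1]["body"]))
```

To run it against a tenant, replace `fake.post` with `graph_post_with_token(token)` where the token was obtained for an app or user holding EntitlementManagement.ReadWrite.All; `policy_problems` is the kind of check to run over every policy before (or after) it is created, since a package with no expiration or no approval quietly reproduces the standing group memberships the request above wants to retire.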