Description
Related command
Wasn't able to find an azure cli command although there is powershell: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create-app
Is your feature request related to a problem? Please describe.
I cannot use an access token from Azure CLI to create / manage access packages
Describe the solution you'd like
Add EntitlementManagement.ReadWrite.All to the Azure CLI application
Describe alternatives you've considered
From what I can tell, there is no way to make this work with Azure CLI currently. You have to use a different tool and then not rely on Azure CLI authentication.
There is a workaround with terraform: create an app registration and then authenticate to it using environment variables instead of logging in with the Azure CLI.
Additional context
I have access to the catalogs / access packages but cannot use Azure CLI authentication to read them, etc.
Terraform is used to create them, but I can no longer run e.g. terraform plan locally using my own Azure CLI credentials.
Related issues:
- Not able to create a valid ms-graph token from azure cli with right permissions #30149
- 403 Forbidden when creating Access package as Catalog Owner hashicorp/terraform-provider-azuread#1818
- 403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth hashicorp/terraform-provider-azuread#1069
- azuread_access_package_catalog access error despite global administrator hashicorp/terraform-provider-azuread#1169
Error messages I get in terraform when running with my Azure CLI auth:
│ Error: Listing access package catalogs with filter displayName eq 'ACD Subscription Access Packages'
│
│ with data.azuread_access_package_catalog.pim_subscription_catalog,
│ on data.tf line 90, in data "azuread_access_package_catalog" "pim_subscription_catalog":
│ 90: data "azuread_access_package_catalog" "pim_subscription_catalog" {
│
│ unexpected status 403 (403 Forbidden) with error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: The caller is not authorized.
╵
╷
│ Error: No role found matching specified filter: displayName eq 'Catalog owner'
│
│ with data.azuread_access_package_catalog_role.owner_role,
│ on data.tf line 95, in data "azuread_access_package_catalog_role" "owner_role":
│ 95: display_name = "Catalog owner"
│
│ unexpected status 403 (403 Forbidden) with error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: The caller is not authorized.