Support/Ability to use MS Graph Beta endpoint?

[Adamvg]

Currently it seems there's no way to tell TF to use the Graph /beta endpoint (rather than /v1.0)- which is required when using preview features like Custom Authentication Levels on Conditional Access policies. I believe the hamilton sdk can already do this from a quick search but I am not completely sure.

Perhaps a good way would be something like:

provider "azuread" {
  use_beta_graph = true
}

Example of what I mean:

$ terraform import azuread_conditional_access_policy.example e57ab754-18b0-4535-a242-25c91b3a9c34

Error: Retrieving Conditional Access Policy with object ID "e57ab754-18b0-4535-a242-25c91b3a9c34"

ConditionalAccessPoliciesClient.BaseClient.Get(): unexpected status 400 with OData error: BadRequest: 1037: The policy you requested contains preview features. Use the Beta endpoint to retrieve this policy.

[manicminer]

@Adamvg We are currently looking at ways to allow more configurability when it comes to the API version. Although a simple toggle unfortunately won't work due to compatibility issues - many of these issues in fact attributable to the Conditional Access Policies API. For example, manipulating a policy with the beta API can break it and make it unusable with the v1.0 API. There are also some features for which both validation and behavior is different/broken between API versions.

This is largely why our current approach is to select the best available API version for a given resource, with preference for the v1.0 API, however this is something we are actively looking at improving with a view to making it more configurable.

[dhduvall]

Are there things which make azapi feasible (for Azure RM resources) which don't apply on the Entra side? AFAICT, azapi can't be used for beta/preview Entra APIs (e.g., Azure/azure-workload-identity#373)