
[BUG] Cloud Shell fails to run Terraform Azure AD 2.x (using MS Graph) due to MSI error #112

Open
marcosgm opened this issue Oct 14, 2021 · 1 comment
Labels: Area-image (Changes to the base/tools image), AzureAD (Issues related to AzureAD in Cloud Shell), bug (Something isn't working), Iteration-Backlog (Cloud Shell team will address this in the future), Status-In_review (Item under consideration by the Cloud Shell team), Triage-needed (Triage needed by Cloud Shell team)

Comments

@marcosgm

To Reproduce

system@Azure:~/cloudshell_msgraph$ cat main.tf
provider "azuread" {
}

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}
system@Azure:~/cloudshell_msgraph$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/azuread...
- Installing hashicorp/azuread v2.6.0...
- Installed hashicorp/azuread v2.6.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
system@Azure:~/cloudshell_msgraph$ terraform apply
╷
│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 1, in provider "azuread":
│    1: provider "azuread" {
│
╵

Observed Behavior

│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404

Expected behavior

I'm Global Admin, and I was able to use Terraform with AzureAD 1.x modules (using the old Active Directory Graph API). According to the TF upgrade guide, no special action must be taken when using Azure CLI authentication: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/microsoft-graph

Is this specific to Cloud Shell?

Yes.
Azure CLI from a workstation works fine.
Using Cloud Shell, with default credentials, doesn't work with the MS Graph API, it seems.

@marcosgm (Author)

To disable MSI authentication you have to unset the MSI_ENDPOINT:
unset MSI_ENDPOINT
That allows Terraform to perform API calls to MS Graph inside Cloud Shell.
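A small wrapper around the workaround above, added here as an example and not part of the issue thread or of Cloud Shell itself: it probes the endpoint named in MSI_ENDPOINT first and, when that endpoint does not answer usefully (the issue reports a 404), runs Terraform with the variable removed from that one command's environment rather than unsetting it for the whole session. The curl request shape (Metadata header, resource query parameter) and treating only a 200 as usable are assumptions made for this example.

```shell
# Added example (not from the issue). Requires curl for the probe and
# GNU/busybox env for the -u option; both are present in Cloud Shell.

# Probe $MSI_ENDPOINT for a Graph token. Returns 0 only when the endpoint
# answers 200; an unset variable, a timeout, or any other status (the issue
# shows 404) returns 1. The request shape is an assumption of this example.
msi_endpoint_usable() {
  [ -n "${MSI_ENDPOINT:-}" ] || return 1
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 3 \
             -H 'Metadata: true' \
             "${MSI_ENDPOINT}?resource=https://graph.microsoft.com/") || return 1
  [ "$status" = "200" ]
}

# Run a command with MSI_ENDPOINT removed from its environment only, so the
# azuread provider falls back to Azure CLI credentials for that command while
# the calling shell keeps the variable for anything else that relies on it.
run_without_msi() {
  env -u MSI_ENDPOINT "$@"
}

# Use MSI when the endpoint works; otherwise fall back to CLI auth.
# Usage: terraform_with_fallback apply
terraform_with_fallback() {
  if msi_endpoint_usable; then
    terraform "$@"
  else
    echo "MSI endpoint not usable; running terraform with MSI_ENDPOINT unset" >&2
    run_without_msi terraform "$@"
  fi
}
```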

@dsajanice dsajanice added AzureAD Issues related to AzureAD in Cloud Shell Area-image Changes to the base/tools image Triage-needed Triage needed by Cloud Shell team Status-In_review Item under consideration by the Cloud Shell team Iteration-Backlog Cloud Shell team will address this in the future labels Feb 16, 2023