Simplify applications' permissionScopes (OAuth2 scopes) and appRoles updates via Bicep

[dkershaw10]

Is your feature request related to a problem? Please describe.
Updating the permissionScopes or appRoles collections is extremely cumbersome on an application registration. We've seen multiple issues filed for this. While it does conform to desired state configuration, it's unintuitive that to remove a permission scope or app role record from the collection it cannot simply be removed from the Bicep file declaration and deployed. Instead it's a 2-step process where:

1. the existing collection must be updated to mark any records (that need to be deleted) as disabled ("isEnabled": false), and the template deployed
2. one deployed, the collection can be updated to remove the disabled records, and the template deployed

This 2-step process is particularly cumbersome for any pipeline automations.

Describe the solution you'd like
Investigate whether the Graph Bicep extension layer can hide this complexity by offering a more straightforward desired state configuration solution. This solution would allow the template author to simply update the permissionScopes and appRoles collections removing any records that the author no longer needs.

Additional context
It's possible that this safeguard was originally introduced in the REST layer to prevent accidental deletion of records in these collections, for customers who might have expected these collections to have "append semantics". This doesn't seem as desirable in the Bicep layer.

[dkershaw10]

cc: @christianacca

[christianacca]

Thanks @dkershaw10

[Anttarax]

Yes, its a real problem. I had to write a seperated powershell script called RrunBeforeAppregDeploy.ps1
This script sets all scopes and roles to false.

# Import required modules
Import-Module Microsoft.Graph.Applications

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Predefined list of application registration Object IDs
$appObjectIds = @(
    "[APP_ID_1]", #app-name-1
    "[APP_ID_2]", #app-name-2
    "[APP_ID_3]", #app-name-3
    "[APP_ID_4]", #app-name-4
    "[APP_ID_5]", #app-name-5
    "[APP_ID_6]", #app-name-6
    "[APP_ID_7]", #app-name-7
    "[APP_ID_8]"  #app-name-8
)

# Process all specified application registrations
foreach ($objectId in $appObjectIds) {
    Write-Host "Processing: $objectId"
    
    try {
        # Get application directly by Object ID
        $app = Get-MgApplication -ApplicationId $objectId
        
        if ($app) {
            # Modify API permissions (oauth2PermissionScopes)
            $updatedApi = @{}
            if ($app.Api) {
                $updatedApi = $app.Api
                if ($updatedApi.Oauth2PermissionScopes) {
                    $updatedApi.Oauth2PermissionScopes = $updatedApi.Oauth2PermissionScopes | ForEach-Object {
                        $_.IsEnabled = $false
                        $_
                    }
                }
            }

            # Modify app roles
            $updatedAppRoles = @()
            if ($app.AppRoles) {
                $updatedAppRoles = $app.AppRoles | ForEach-Object {
                    $_.IsEnabled = $false
                    $_
                }
            }
            
            # Update application
            Update-MgApplication -ApplicationId $objectId -Api $updatedApi -AppRoles $updatedAppRoles
            
            Write-Host "Application successfully updated: $objectId"
        } else {
            Write-Host "No application found with this Object ID: $objectId"
        }
    }
    catch {
        Write-Host "Error occurred while processing application: $objectId"
        Write-Host $_.Exception.Message
    }
}

# Disconnect
Disconnect-MgGraph