support Azure AD App roles#137

Open
nbutton23 wants to merge 4 commits into
hashicorp:mainfrom
nbutton23:nbutton/support-app-roles
Conversation

Contributor

@nbutton23 nbutton23 commented Mar 14, 2023

Overview

Support assigning Azure AD App Roles to the created Service Principal. This can be used to grant Service Principals access to the Azure Graph API. The Graph API is the only supported way to perform actions in AAD.

Design of Change

Adds a new field app_roles that accepts an array of apps and the roles to be assigned. Using the Graph API appRoleAssignment, the roles are added.

Roles are expected to be provided as a JSON formatted string in the format:

"app_roles": "[
        {
                \"app_id\": \"<uuid>\",
                \"roles\": [
                        {
                                \"role_name\": \"Directory.Read.All\"
                        }
                ]
        }
]"

I have been running a version of this plugin on our vault instance for a few months with no issues.

Related Issues/Pull Requests

[ ] Issue #92

Contributor Checklist

[x] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
My Docs PR Link
[x] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[x] Backwards compatible
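The following Go program is an added example, not code from this PR or from the vault-plugin-secrets-azure project. It shows the two steps the description implies but does not spell out: validating the app_roles JSON before any Graph call, and resolving each role_name to the appRoleId that a Graph appRoleAssignment request body needs. The type names, the lookup map, and all object/role ids except the well-known Microsoft Graph appId are assumptions and constructed sample data; in the real plugin the resource service principal and its appRoles would come from GET /servicePrincipals?$filter=appId eq '...'. The input string is the app_roles value after Vault has already unescaped the request body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Assumed types for the app_roles field; not the plugin's own definitions.
type roleRef struct {
	RoleName string `json:"role_name"`
}

type appRoleSpec struct {
	AppID string    `json:"app_id"`
	Roles []roleRef `json:"roles"`
}

// graphAppRole mirrors the Graph appRole fields that matter for an assignment.
type graphAppRole struct {
	ID, Value          string
	IsEnabled          bool
	AllowedMemberTypes []string
}

// resourceSP is the service principal that owns the roles (the "resource" side).
type resourceSP struct {
	ObjectID string
	AppRoles []graphAppRole
}

// appRoleAssignment is the body POSTed to /servicePrincipals/{principalId}/appRoleAssignments.
type appRoleAssignment struct {
	PrincipalID string `json:"principalId"`
	ResourceID  string `json:"resourceId"`
	AppRoleID   string `json:"appRoleId"`
}

var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// parseAppRoles decodes the app_roles JSON and rejects malformed entries before any Graph call.
func parseAppRoles(raw string) ([]appRoleSpec, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields() // a typo such as "roleName" is an error, not a silently empty role
	var specs []appRoleSpec
	if err := dec.Decode(&specs); err != nil {
		return nil, fmt.Errorf("app_roles: invalid JSON: %w", err)
	}
	for i, s := range specs {
		if !uuidRe.MatchString(s.AppID) {
			return nil, fmt.Errorf("app_roles[%d]: app_id %q is not a UUID", i, s.AppID)
		}
		if len(s.Roles) == 0 {
			return nil, fmt.Errorf("app_roles[%d]: no roles for app %s", i, s.AppID)
		}
		for j, r := range s.Roles {
			if r.RoleName == "" {
				return nil, fmt.Errorf("app_roles[%d].roles[%d]: empty role_name", i, j)
			}
		}
	}
	return specs, nil
}

// resolveRole maps a role_name to the appRole id, refusing disabled roles and
// roles that an application (as opposed to a user) is not allowed to hold.
func resolveRole(sp resourceSP, name string) (string, error) {
	for _, ar := range sp.AppRoles {
		if ar.Value != name {
			continue
		}
		if !ar.IsEnabled {
			return "", fmt.Errorf("role %q on %s is disabled", name, sp.ObjectID)
		}
		for _, mt := range ar.AllowedMemberTypes {
			if mt == "Application" {
				return ar.ID, nil
			}
		}
		return "", fmt.Errorf("role %q on %s is not assignable to applications", name, sp.ObjectID)
	}
	return "", fmt.Errorf("role %q not defined on %s", name, sp.ObjectID)
}

// buildAssignments emits one request body per distinct (resource, role) pair;
// Graph rejects a second identical assignment, so duplicates are dropped here.
func buildAssignments(principalID string, specs []appRoleSpec, byAppID map[string]resourceSP) ([]appRoleAssignment, error) {
	var out []appRoleAssignment
	seen := map[string]bool{}
	for _, s := range specs {
		sp, ok := byAppID[s.AppID]
		if !ok {
			return nil, fmt.Errorf("no service principal for appId %s", s.AppID)
		}
		for _, r := range s.Roles {
			id, err := resolveRole(sp, r.RoleName)
			if err != nil {
				return nil, err
			}
			if key := sp.ObjectID + "/" + id; !seen[key] {
				seen[key] = true
				out = append(out, appRoleAssignment{PrincipalID: principalID, ResourceID: sp.ObjectID, AppRoleID: id})
			}
		}
	}
	return out, nil
}

// Constructed sample data: graphAppID is the well-known Microsoft Graph appId; every other id is made up.
const graphAppID = "00000003-0000-0000-c000-000000000000"
const createdSPObjectID = "0f2c3a4e-1111-4b7c-8d9e-aaaaaaaaaaaa"
const sampleAppRoles = `[{"app_id": "00000003-0000-0000-c000-000000000000",
  "roles": [{"role_name": "Directory.Read.All"}, {"role_name": "Directory.Read.All"}]}]`

func sampleLookup() map[string]resourceSP {
	return map[string]resourceSP{graphAppID: {
		ObjectID: "9b8a7c6d-2222-4e5f-8a1b-bbbbbbbbbbbb",
		AppRoles: []graphAppRole{
			{ID: "7ab1d382-3333-4acd-a863-cccccccccccc", Value: "Directory.Read.All", IsEnabled: true, AllowedMemberTypes: []string{"Application"}},
			{ID: "e1fe6dd8-4444-4d5e-9f1a-dddddddddddd", Value: "Sample.UserOnly", IsEnabled: true, AllowedMemberTypes: []string{"User"}},
		},
	}}
}

func main() {
	specs, err := parseAppRoles(sampleAppRoles)
	if err != nil {
		fmt.Println(err)
		return
	}
	bodies, err := buildAssignments(createdSPObjectID, specs, sampleLookup())
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, b := range bodies {
		js, _ := json.Marshal(b)
		fmt.Println(string(js)) // one appRoleAssignment body per distinct role
	}
}
```

The duplicate Directory.Read.All entry in the sample collapses to a single assignment, and a role whose allowedMemberTypes lacks "Application" is refused before the request is built, which is the failure a practitioner would otherwise only see as a 400 from Graph.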

}{
DisplayName: to.StringPtr(displayName),
DisplayName: to.StringPtr(displayName),
SignInAudience: to.StringPtr("AzureADMyOrg"),
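Review bot: the `SignInAudience: to.StringPtr("AzureADMyOrg")` line on the application create request is not covered by the PR description, which only describes the new `app_roles` field; either add it to the Design of Change section with the reason for restricting the sign-in audience, or split it into its own PR as the author offers below. The repeated `DisplayName: to.StringPtr(displayName)` line reads as both sides of the diff context rather than a real duplicate, so no change is needed there.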
Contributor Author

This is needed to fix an issue with persist_app since the default value will only allow 2 active tokens at a time.

If needed I can pull this into its own PR.
