
Permissions are different for /applications depending on whether id or appid is used as a key #440

Open
saraelsa opened this issue Jan 10, 2024 · 0 comments


saraelsa commented Jan 10, 2024

It seems that the least-privilege permission under the 'Application' scheme necessary for any operation on an application depends on whether it is addressed using its ID or its appID.

(I'm using the permissions document in the new directory.)

Application.ReadWrite.All and Application.ReadWrite.Owned are only least-privilege permissions for the 'Application' scheme if the app is addressed by its ID.

This is true, for instance, for /applications(appid={value})/federatedidentitycredentials.

It's also occasionally the opposite, with a permission being least-privilege only where it is addressed by its appId. This is true, for instance, with /applications(appid={value})/tokenlifetimepolicies and Application.ReadWrite.All.

There's also an odd repair action that's confusingly both not in alphabetical order and for which Application.ReadWrite.OwnedBy is the least-privilege permission for the 'Application' scheme with the POST method:

```jsonc
{ // for syntax highlighting
            "/applications(appid={value})/addkey": "",
            "/applications(appid={value})/addpassword": "",
            "/applications(appid={value})/removekey": "",
            "/applications(appid={value})/removepassword": "",
            "/applications(appid={value})/repair": "least=Application",
            "/applications/{id}}/repair": "least=Application",
            "/applications/{id}/addkey": "least=Application",
            "/applications/{id}/addpassword": "least=Application",
            "/applications/{id}/removekey": "least=Application",
            "/applications/{id}/removepassword": "least=Application",
            "/applications/{id}/synchronization/acquireaccesstoken": "least=Application",
} // for syntax highlighting
```

Is there a reason for this discrepancy?
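A small consistency check for the kind of mismatch described in this issue, added here as an example and not code from the issue author or the repository. It assumes the permissions document can be loaded as a flat mapping of path to value (as in the snippet above); the sample mapping is constructed, and the `<app>` placeholder, `canonical_path`, `find_discrepancies` and `unpaired` are names chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the quoted snippet; not the real document.
# The stray brace in "/applications/{id}}/removekey" mirrors the one in the issue.
SAMPLE_PERMISSIONS: Dict[str, str] = {
    "/applications(appid={value})/addkey": "",
    "/applications(appid={value})/repair": "least=Application",
    "/applications(appid={value})/tokenlifetimepolicies": "least=Application",
    "/applications/{id}/addkey": "least=Application",
    "/applications/{id}/repair": "least=Application",
    "/applications/{id}/tokenlifetimepolicies": "",
    "/applications/{id}}/removekey": "least=Application",
}

# The two addressing forms for one application resource.
_ID_FORM = re.compile(r"^/applications/\{id\}")
_APPID_FORM = re.compile(r"^/applications\(appid=\{value\}\)")


def canonical_path(path: str) -> str:
    """Collapse either addressing form onto '/applications/<app>...' for comparison."""
    path = _ID_FORM.sub("/applications/<app>", path)
    return _APPID_FORM.sub("/applications/<app>", path)


def _split_by_form(perms: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    by_id, by_appid = {}, {}
    for path, value in perms.items():
        if _ID_FORM.match(path):
            by_id[canonical_path(path)] = value
        elif _APPID_FORM.match(path):
            by_appid[canonical_path(path)] = value
    return by_id, by_appid


def find_discrepancies(perms: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(canonical path, value via id, value via appId) for paths whose values differ."""
    by_id, by_appid = _split_by_form(perms)
    return [(k, by_id[k], by_appid[k])
            for k in sorted(by_id.keys() & by_appid.keys())
            if by_id[k] != by_appid[k]]


def unpaired(perms: Dict[str, str]) -> List[str]:
    """Canonical paths present in only one form; a malformed key shows up here."""
    by_id, by_appid = _split_by_form(perms)
    return sorted(by_id.keys() ^ by_appid.keys())
```

Running `find_discrepancies` over the real document flags every operation whose least-privilege value depends on the addressing form, while `unpaired` surfaces keys such as the doubled brace that stop a pair from matching at all.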
