Add AzureAD/EntraID functionality

[jemrobinson]

✅ Checklist

• You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).
• You have marked this pull request as a draft and added '[WIP]' to the title if needed (if you're not yet ready to merge).
• You have formatted your code using appropriate automated tools (for example ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory> for Powershell).

⤴️ Summary

• Add necessary AzureAD/EntraID functionality for managing users and groups directly in the cloud
• Add remove, register and unregister methods to AzureADUsers
• Fix default GraphAPI scopes for SRE deployment
• Add function to create a service principal for AzureAD applications
• Update create_group function to no longer require gidNumber
• Drop support for external linux_schema in AzureAD
• Add functions to grant approval for application/delegated permissions
• Add remove_user function to GraphAPI
• Only remove_user_from_group if the user belongs to the group
• Grant requested permissions to applications during refresh, in case these weren't done at creation time

🌂 Related issues

First step towards #1570

🔬 Tests

Tested on a new deployment

[martintoreilly]

👀 Does this remove the "local" SHM AD servers and the SCE NPS servers?

[jemrobinson]

👀 Does this remove the "local" SHM AD servers and the SCE NPS servers?

• This PR just adds some necessary functionality to our GraphAPI/AzureAPI wrappers.
• Use Apricot for authentication/identity #1772 adds a new SRE identity server that gets its users directly from AzureAD/EntraID
• TBD next PR will remove the SHM AD servers

We've already dropped the NPS servers in 4.2.0 as part of dropping support for Microsoft Remote Desktop

[JimMadge]

A few suggestions and questions.

I really like using dynamic components to keep things "in Pulumi" where we can.

I think I struggled a bit with the Graph API stuff because it feels quite abstract.
Regarding the user management commands, do we want CLI commands for convenience (avoid using a browser) or because it automates some quirks or extra steps DSH requires?

[jemrobinson]

Regarding the user management commands, do we want CLI commands for convenience (avoid using a browser) or because it automates some quirks or extra steps DSH requires?

I guess initially because I want to maintain our current setup of adding/removing users and groups using the CLI. We can definitely remove this in future, but I think it should be a conscious decision, not a by-product of another large change.

[JimMadge]

A few suggestions on tidying things up 👍.

[jemrobinson]

Thanks - I especially liked the clarity on explaining our API (not Microsoft's)!