I'm trying to update the "Configured permissions" of a given App Registration (Target App) with a permission offered by another App Registration (Source App). Source App exposes an API using user_impersonation. In fact, I have several Source Apps exposing APIs, which are added in Target App's Configured permissions.
Everything goes fine when updating Target App's Configured permissions through the Azure portal. It means that already added permissions remain, and Source App's exposed permission is added. However, if I try to use Graph API, Target App's Configured permissions are updated so that only Source App's exposed permission remains. Previously existing permissions are moved to "Other permissions granted for <MY_TENANT_NAME>".
To restore the previous state, I have to add again all previously existing permissions.
This is how I'm updating Target App's Configured permissions using Graph API:
$ curl --silent -X PATCH -H "Authorization: Bearer ${TOKEN}" -H "Content-Type:application/json" \
-d '{"requiredResourceAccess":[{"resourceAppId":"<SOURCE_APP_CLIENT_ID>","resourceAccess":[{"id":"<SCOPE_ID_USER_IMPERSONATION>","type": "Scope"}]}]}' \
https://graph.microsoft.com/v1.0/applications/<TARGET_APP_OBJECT_ID>
According to this link, the call above is fine.
Any suggestions on how to do the update so that Target App's Configured permission is not overwritten?
EDIT 1
Although @Sridevi has given a working answer, I have to observe that this option has a limitation imposed on the payload size. Essentially, if the payload to be sent for updating Target App's permissions has more than 20 items, we'll see a message just like this:
Graph API HTTP response code: 403
Graph API output: {"error":{"code":"Directory_ResourceSizeExceeded","message":"The size of the object has exceeded its limit. Please reduce the number of values and retry your request.","innerError":{"date":"2024-09-25T09:20:29","request-id":"aaaaaaaa-bbbb-cccc-1234-abcdefgh1234","client-request-id":"kkkkkkkk-a0a0-3333-bbbb-ikujyhtgrfed"}}}
It's not the first time I found such behavior in Microsoft's APIs. Really annoying.
When using the Microsoft Graph API to update the requiredResourceAccess property, the PATCH request replaces the existing permissions with the new ones, moving the previous permissions to "Other permissions granted for <TENANT_NAME>."
I have one TargetApp app registration with the permissions below added under Configured permissions:
In the SourceApp application, I exposed an API scope named user_impersonation as below:
To achieve your scenario via Graph API, you need to retrieve the current permissions, append the new ones, and then run a PATCH request with the combined list.
In my case, I used the bash script below with curl requests to update the app registration's configured permissions without overwriting existing permissions:
#!/usr/bin/env bash
# Requires: curl, jq, and the variables TOKEN, TARGET_APP_OBJECT_ID,
# SOURCE_APP_CLIENT_ID and SCOPE_ID_USER_IMPERSONATION already exported.
set -euo pipefail

# 1. Read the permissions currently configured on the target app.
currentPermissions=$(curl --silent --fail --show-error -X GET -H "Authorization: Bearer ${TOKEN}" \
https://graph.microsoft.com/v1.0/applications/${TARGET_APP_OBJECT_ID} | jq '.requiredResourceAccess')

# 2. Build the new requiredResourceAccess entry for the source app's scope.
newPermission=$(jq -n \
--arg resourceAppId "${SOURCE_APP_CLIENT_ID}" \
--arg scopeId "${SCOPE_ID_USER_IMPERSONATION}" \
'{
resourceAppId: $resourceAppId,
resourceAccess: [{
id: $scopeId,
type: "Scope"
}]
}')

# 3. Append the new entry. unique_by keeps the first entry per resourceAppId,
#    so an app that is already configured keeps its existing entry untouched.
updatedPermissions=$(echo "${currentPermissions}" | jq --argjson newPermission "${newPermission}" '. + [$newPermission] | unique_by(.resourceAppId)')

# 4. PATCH the combined list back; the whole property is replaced, so it must
#    contain the old entries as well. --fail makes a 4xx/5xx abort the script.
curl --silent --fail --show-error -X PATCH -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" \
-d '{"requiredResourceAccess":'"${updatedPermissions}"'}' \
https://graph.microsoft.com/v1.0/applications/${TARGET_APP_OBJECT_ID}
echo "Permission added successfully."
Response:
To confirm that, I checked the same in the Portal, where the SourceApp permission was added successfully without overwriting existing permissions:
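The same read-merge-write flow as an added example (not code from the question, the answer, or Microsoft): the merge is a pure function so it can be checked offline, it preserves existing entries, folds a new scope into an entry whose resourceAppId is already configured instead of dropping it, and is idempotent. All ids in the sample data are constructed placeholders; the Graph calls only run when TOKEN, TARGET_APP_OBJECT_ID, SOURCE_APP_CLIENT_ID and SCOPE_ID_USER_IMPERSONATION are set in the environment. The 20-item warning reflects the limit the question's author observed, not a documented Graph limit.

```python
"""Add a permission to an app registration's requiredResourceAccess without
overwriting the entries already configured: GET -> merge in memory -> PATCH.
Standard library only; network calls happen only inside main()."""
import copy
import json
import os
import sys
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Observed in the question (Directory_ResourceSizeExceeded with >20 items);
# treated here as a warning threshold, not as a documented Graph limit.
OBSERVED_ITEM_LIMIT = 20

# Constructed sample of a GET response: two resource apps already configured.
# All ids are placeholders, not real application or scope ids.
SAMPLE_CURRENT = [
    {"resourceAppId": "11111111-1111-1111-1111-111111111111",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]},
    {"resourceAppId": "22222222-2222-2222-2222-222222222222",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]},
]


def merge_required_resource_access(current, resource_app_id, access_id, access_type="Scope"):
    """Return a new list: `current` plus (resource_app_id, access_id, access_type).

    * every existing entry is kept, in its original order;
    * if resource_app_id already has an entry, the access is appended to that
      entry's resourceAccess (a unique_by(resourceAppId) would drop it instead);
    * adding a pair that is already present is a no-op, so reruns are safe.
    The caller's list is never mutated.
    """
    merged = copy.deepcopy(current)
    for entry in merged:
        if entry["resourceAppId"] != resource_app_id:
            continue
        already = any(a["id"] == access_id and a["type"] == access_type
                      for a in entry["resourceAccess"])
        if not already:
            entry["resourceAccess"].append({"id": access_id, "type": access_type})
        return merged
    merged.append({"resourceAppId": resource_app_id,
                   "resourceAccess": [{"id": access_id, "type": access_type}]})
    return merged


def patch_body(merged):
    """JSON body for the PATCH; the property is replaced wholesale by Graph,
    so it must carry the old entries as well as the new one."""
    return json.dumps({"requiredResourceAccess": merged})


def graph_request(method, path, token, body=None):
    """Minimal Graph call; urllib raises HTTPError on 4xx/5xx responses."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def add_permission(token, target_object_id, resource_app_id, access_id):
    """GET the current list, merge, PATCH only if something changed."""
    current = graph_request(
        "GET", f"/applications/{target_object_id}?$select=requiredResourceAccess", token
    )["requiredResourceAccess"]
    merged = merge_required_resource_access(current, resource_app_id, access_id)
    if merged == current:
        return current  # already configured; no write needed
    if len(merged) > OBSERVED_ITEM_LIMIT:
        print(f"warning: {len(merged)} entries exceeds the observed limit of "
              f"{OBSERVED_ITEM_LIMIT}; the PATCH may be rejected", file=sys.stderr)
    graph_request("PATCH", f"/applications/{target_object_id}", token,
                  {"requiredResourceAccess": merged})
    return merged


def main():
    needed = ["TOKEN", "TARGET_APP_OBJECT_ID", "SOURCE_APP_CLIENT_ID",
              "SCOPE_ID_USER_IMPERSONATION"]
    env = {k: os.environ.get(k) for k in needed}
    if not all(env.values()):
        # Offline demonstration on the constructed sample.
        print(patch_body(merge_required_resource_access(
            SAMPLE_CURRENT, "33333333-3333-3333-3333-333333333333",
            "aaaaaaaa-0000-0000-0000-000000000003")))
        return
    result = add_permission(env["TOKEN"], env["TARGET_APP_OBJECT_ID"],
                            env["SOURCE_APP_CLIENT_ID"], env["SCOPE_ID_USER_IMPERSONATION"])
    print(f"{len(result)} resource apps now configured")


if __name__ == "__main__":
    main()
```

Because the merge is keyed on (resourceAppId, id, type) rather than on resourceAppId alone, it also handles the case the bash script does not: adding a second scope from a Source App that is already in the list.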