Description
Description of the new feature
Related command
Set-AzApiManagement -InputObject
Is your feature request related to a problem? Please describe.
Scenario: APIM with VNET Injection
When you want to perform an update operation on the APIM, such as changing the SKU, and you only have RBAC permissions on the APIM, you cannot update it due to missing permissions, as shown below:
Code: LinkedAuthorizationFailed Message: The client 'xxxxx@xxxxxx.com' with object id 'xxxxxx-xxxxx-xxxxx-xxxx-xxxxxx' has permission to perform action 'Microsoft.ApiManagement/service/write' on scope '/subscriptions/xxxxxxx-xxxx-xxx-xxxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.ApiManagement/service/apimtestnodel'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub' or the linked scope(s) are invalid. cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f16fc097640>]
The previous error appears because "Set-AzApiManagement -InputObject" uses a PUT method to perform the update, and to complete the PUT you need to have permissions on all the subproperties configured at the APIM level.
Describe the solution you'd like
We would like to have a PATCH operation for the "Set-AzApiManagement -InputObject" command, the same as you can perform over the REST API at the following link: https://docs.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/update?tabs=HTTP
Proposed implementation details (optional)
Describe alternatives you've considered
There is currently a command which has both options to perform the update: "customlocations", at the following link: https://docs.microsoft.com/en-us/cli/azure/customlocation?view=azure-cli-latest
Additional context
From "customlocations" you can patch or update, as you can see in the next image
Full Output from "Set-AzApiManagement" command without permissions on VNET
```
PS /home/jose> $apim = Get-AzApiManagement -ResourceGroupName "moftest" -Name "apimtestnodel"
PS /home/jose> $apim.Sku = "Premium"
PS /home/jose> $apim.Capacity = 1
PS /home/jose> Set-AzApiManagement -InputObject $apim
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
PS /home/jose> Set-AzApiManagement -InputObject $apim -Verbose
VERBOSE: Performing the operation "Set an API Management service." on target "apimtestnodel".
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
PS /home/jose> Set-AzApiManagement -InputObject $apim -Verbose -Debug
DEBUG: 2:42:38 PM - SetAzureApiManagement begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 2:42:38 PM - using account id 'xxxxx@xxxx'...
DEBUG: 2:42:38 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
Confirm
Are you sure you want to perform this action?
Performing the operation "Set an API Management service." on target "apimtestnodel".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
DEBUG: [Common.Authentication]: Authenticating using Account: 'xxxxx@xxxx', environment: 'AzureCloud', tenant: 'xxxxx-xxxx-xxxx-xxxx-xxx'
DEBUG: 2:42:41 PM - [ManagedServiceIdentityAuthenticator] Calling ManagedIdentityCredential.GetTokenAsync - TenantId:'xxxxx-xxxx-xxxx-xxxx-xxx', Scopes:'https://management.core.windows.net/', UserId:''
DEBUG: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://management.core.windows.net/ ] ParentRequestId:
DEBUG: Request [2aefb352-9043-4982-984c-7bd86be1e32b] POST http://localhost:50342/oauth2/token
Metadata:REDACTED
x-ms-client-request-id:2aefb352-9043-4982-984c-7bd86be1e32b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.6; Linux 5.4.0-1086-azure #91~18.04.1-Ubuntu SMP Thu Jun 23 20:33:05 UTC 2022)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [2aefb352-9043-4982-984c-7bd86be1e32b] 200 OK (00.0s)
X-Powered-By:REDACTED
ETag:W/"8f6-xxxxxxxxxxxxxxxxx"
Date:Wed, 03 Aug 2022 14:42:41 GMT
Connection:keep-alive
Content-Type:application/json; charset=utf-8
Content-Length:2294
DEBUG: ManagedIdentityCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net/ ] ParentRequestId: ExpiresOn: 2022-08-03T15:48:58.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'xxxxx-xxxx-xxxx-xxxx-xxx', UserId: 'xxxxx@xxxx'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Headers:
x-ms-client-request-id : 64cd2370-39ba-4230-aaf3-55606fdc1972
Accept-Language : en-US
Body:
{
  "properties": {
    "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
    "hostnameConfigurations": [
      {
        "type": "Proxy",
        "hostName": "apimtestnodel.azure-api.net",
        "defaultSslBinding": true,
        "negotiateClientCertificate": false,
        "certificateSource": "BuiltIn"
      }
    ],
    "publicIpAddressId": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/publicIPAddresses/apimtestnodel",
    "publicNetworkAccess": "Enabled",
    "virtualNetworkConfiguration": {
      "subnetResourceId": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub"
    },
    "customProperties": {
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "false"
    },
    "disableGateway": false,
    "virtualNetworkType": "External",
    "publisherEmail": "louay@louay.com",
    "publisherName": "louay"
  },
  "sku": {
    "name": "Premium",
    "capacity": 1
  },
  "location": "West US",
  "tags": {}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
x-ms-correlation-request-id : 91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
x-ms-routing-request-id : WESTEUROPE:20220803T144241Z:91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Wed, 03 Aug 2022 14:42:41 GMT
Connection : close
Body:
{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxx@xxx.com' with object id 'xxxx-xxxx-xxxxx-xxxxxxx' has permission to perform action 'Microsoft.ApiManagement/service/write' on scope '/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.ApiManagement/service/apimtestnodel'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub' or the linked scope(s) are invalid."
  }
}
DEBUG: 2:42:41 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
DEBUG: 2:42:41 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.ApiManagement:3.0.0; CommandName: Set-AzApiManagement; PSVersion: 7.2.5; IsSuccess: False; Duration: 00:00:02.4164112; Exception: Operation returned an invalid status code 'Forbidden';
DEBUG: Finish sending metric.
DEBUG: 2:42:41 PM - SetAzureApiManagement end processing.
```
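
The PATCH update requested above can be sent with the generic `Invoke-AzRestMethod` cmdlet, as sketched here. This is an added example, not part of the original issue or of the Az.ApiManagement module. The resource names come from the issue's output; the `api-version` value is an assumption, and so is the premise that a PATCH body without the subnet reference does not trigger the linked `join/action` check.

```powershell
# Added example: change only the SKU with a PATCH instead of the full-object PUT
# that Set-AzApiManagement sends. Resource names are taken from the issue's output.
$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'moftest'
$serviceName    = 'apimtestnodel'
$apiVersion     = '2021-08-01'   # assumption: a GA Microsoft.ApiManagement API version

# The body carries only the properties being changed. Unlike the PUT body in the
# debug output, it contains no virtualNetworkConfiguration and no publicIpAddressId,
# so the request itself does not name the subnet as a linked scope.
$payload = @{
    sku = @{
        name     = 'Premium'
        capacity = 1
    }
} | ConvertTo-Json -Depth 5

# $($serviceName) is wrapped in a subexpression so that the following '?' is not
# parsed as part of the variable name.
$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.ApiManagement/service/$($serviceName)?api-version=$apiVersion"

$response = Invoke-AzRestMethod -Method PATCH -Path $path -Payload $payload

if ($response.StatusCode -in 200, 202) {
    # 202 means ARM accepted a long-running update; check progress with Get-AzApiManagement.
    Write-Host "PATCH accepted with status $($response.StatusCode)"
}
else {
    # Surface the ARM error code (for example LinkedAuthorizationFailed) rather than
    # the bare 'Forbidden' that Set-AzApiManagement prints without -Debug.
    $err = ($response.Content | ConvertFrom-Json).error
    Write-Error "PATCH failed: $($response.StatusCode) $($err.code): $($err.message)"
}
```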