This adds a query method to return the IDs of the application roles that
should be provisioned as users in Azure. We will provision one Azure
Active Directory user per ATAT user in a portfolio, meaning that one AAD
user might correspond to multiple application roles under a single
portfolio. The query method returns IDs in a nested list grouped by
portfolio and user because of this.
add method for getting app roles that are pending creation
update application_roles query to group by portfolio
check for user existing and role status correct when filtering ApplicationRole for creation