diff --git a/R/az_app.r b/R/az_app.r
index e22b40e..baf69e8 100644
--- a/R/az_app.r
+++ b/R/az_app.r
@@ -3,6 +3,11 @@
 #' Base class representing an AAD app.
 #'
 #' @docType class
+#' @section Fields:
+#' - `token`: The token used to authenticate with the Graph host.
+#' - `tenant`: The Azure Active Directory tenant for this app.
+#' - `properties`: The app properties.
+#' - `password`: The app password. Note that the Graph API does not return passwords, so this will be NULL for an app retrieved via `az_graph$get_app()`.
 #' @section Methods:
 #' - `new(...)`: Initialize a new app object. Do not call this directly; see 'Initialization' below.
 #' - `delete(confirm=TRUE)`: Delete an app. By default, ask for confirmation first.
@@ -32,7 +37,20 @@
 #' app$update_password()
 #'
 #' # set a redirect URI
-#' app$update(replyUrls=I("http://localhost:1410"))
+#' app$update(publicClient=list(redirectUris=I("http://localhost:1410")))
+#'
+#' # add API permission (access Azure Storage as user)
+#' app$update(requiredResourceAccess=list(
+#'     list(
+#'         resourceAppId="e406a681-f3d4-42a8-90b6-c2b029497af1",
+#'         resourceAccess=list(
+#'             list(
+#'                 id="03e0da56-190b-40ad-a80c-ea378c433f7f",
+#'                 type="Scope"
+#'             )
+#'         )
+#'     )
+#' ))
 #'
 #' # change the app name
 #' app$update(displayName="MyRenamedApp")
@@ -135,7 +153,7 @@ public=list(
         az_service_principal$new(
             self$token,
             self$tenant,
-            private$graph_op(op)
+            private$graph_op(op)$value[[1]]
         )
     },
 
diff --git a/R/az_graph.R b/R/az_graph.R
index 3d2a6bd..b51e4a2 100644
--- a/R/az_graph.R
+++ b/R/az_graph.R
@@ -57,8 +57,6 @@
 #' # create a new app and associated service principal, set password duration to 10 years
 #' app <- gr$create_app("mynewapp", password_duration=10)
 #'
-#' svc <- gr$get_service_principal(app_id=app$properties$appId)
-#'
 #' # delete the app
 #' gr$delete_app(app_id=app$properties$appId)
 #' # ... but better to call the object's delete method directly
diff --git a/R/az_group.R b/R/az_group.R
index ccb26a0..ae9ea5c 100644
--- a/R/az_group.R
+++ b/R/az_group.R
@@ -3,6 +3,10 @@
 #' Base class representing an AAD group.
 #'
 #' @docType class
+#' @section Fields:
+#' - `token`: The token used to authenticate with the Graph host.
+#' - `tenant`: The Azure Active Directory tenant for this group.
+#' - `properties`: The group properties.
 #' @section Methods:
 #' - `new(...)`: Initialize a new group object. Do not call this directly; see 'Initialization' below.
 #' - `delete(confirm=TRUE)`: Delete a group. By default, ask for confirmation first.
diff --git a/R/az_svc_principal.R b/R/az_svc_principal.R
index f51e3bc..2bc0db5 100644
--- a/R/az_svc_principal.R
+++ b/R/az_svc_principal.R
@@ -3,6 +3,10 @@
 #' Base class representing an AAD service principal.
 #'
 #' @docType class
+#' @section Fields:
+#' - `token`: The token used to authenticate with the Graph host.
+#' - `tenant`: The Azure Active Directory tenant for this service principal.
+#' - `properties`: The service principal properties.
 #' @section Methods:
 #' - `new(...)`: Initialize a new service principal object. Do not call this directly; see 'Initialization' below.
 #' - `delete(confirm=TRUE)`: Delete a service principal. By default, ask for confirmation first.
diff --git a/R/az_user.R b/R/az_user.R
index 843ab8c..0dde7c8 100644
--- a/R/az_user.R
+++ b/R/az_user.R
@@ -3,6 +3,10 @@
 #' Base class representing an AAD user account.
 #'
 #' @docType class
+#' @section Fields:
+#' - `token`: The token used to authenticate with the Graph host.
+#' - `tenant`: The Azure Active Directory tenant for this user.
+#' - `properties`: The user properties.
 #' @section Methods:
 #' - `new(...)`: Initialize a new user object. Do not call this directly; see 'Initialization' below.
 #' - `delete(confirm=TRUE)`: Delete a user account. By default, ask for confirmation first.
diff --git a/man/az_app.Rd b/man/az_app.Rd
index d0871f1..91d069d 100644
--- a/man/az_app.Rd
+++ b/man/az_app.Rd
@@ -1,5 +1,5 @@
 % Generated by roxygen2: do not edit by hand
-% Please edit documentation in R/az_app.R
+% Please edit documentation in R/az_app.r
 \docType{class}
 \name{az_app}
 \alias{az_app}
@@ -11,6 +11,16 @@ az_app
 \description{
 Base class representing an AAD app.
 }
+\section{Fields}{
+
+\itemize{
+\item \code{token}: The token used to authenticate with the Graph host.
+\item \code{tenant}: The Azure Active Directory tenant for this app.
+\item \code{properties}: The app properties.
+\item \code{password}: The app password. Note that the Graph API does not return passwords, so this will be NULL for an app retrieved via \code{az_graph$get_app()}.
+}
+}
+
 \section{Methods}{
 
 \itemize{
@@ -43,7 +53,20 @@ app <- gr$create_app("MyNewApp")
 app$update_password()
 
 # set a redirect URI
-app$update(replyUrls=I("http://localhost:1410"))
+app$update(publicClient=list(redirectUris=I("http://localhost:1410")))
+
+# add API permission (access Azure Storage as user)
+app$update(requiredResourceAccess=list(
+    list(
+        resourceAppId="e406a681-f3d4-42a8-90b6-c2b029497af1",
+        resourceAccess=list(
+            list(
+                id="03e0da56-190b-40ad-a80c-ea378c433f7f",
+                type="Scope"
+            )
+        )
+    )
+))
 
 # change the app name
 app$update(displayName="MyRenamedApp")
diff --git a/man/az_graph.Rd b/man/az_graph.Rd
index 4c08c95..85b2f02 100644
--- a/man/az_graph.Rd
+++ b/man/az_graph.Rd
@@ -67,8 +67,6 @@ gr$get_app(app_id="myappid")
 # create a new app and associated service principal, set password duration to 10 years
 app <- gr$create_app("mynewapp", password_duration=10)
 
-svc <- gr$get_service_principal(app_id=app$properties$appId)
-
 # delete the app
 gr$delete_app(app_id=app$properties$appId)
 # ... but better to call the object's delete method directly
diff --git a/man/az_group.Rd b/man/az_group.Rd
index a06f51b..33513c8 100644
--- a/man/az_group.Rd
+++ b/man/az_group.Rd
@@ -11,6 +11,15 @@ az_group
 \description{
 Base class representing an AAD group.
 }
+\section{Fields}{
+
+\itemize{
+\item \code{token}: The token used to authenticate with the Graph host.
+\item \code{tenant}: The Azure Active Directory tenant for this group.
+\item \code{properties}: The group properties.
+}
+}
+
 \section{Methods}{
 
 \itemize{
diff --git a/man/az_service_principal.Rd b/man/az_service_principal.Rd
index a4caf98..29dea26 100644
--- a/man/az_service_principal.Rd
+++ b/man/az_service_principal.Rd
@@ -11,6 +11,15 @@ az_service_principal
 \description{
 Base class representing an AAD service principal.
 }
+\section{Fields}{
+
+\itemize{
+\item \code{token}: The token used to authenticate with the Graph host.
+\item \code{tenant}: The Azure Active Directory tenant for this service principal.
+\item \code{properties}: The service principal properties.
+}
+}
+
 \section{Methods}{
 
 \itemize{
diff --git a/man/az_user.Rd b/man/az_user.Rd
index a198fe3..b7d7f3e 100644
--- a/man/az_user.Rd
+++ b/man/az_user.Rd
@@ -11,6 +11,15 @@ az_user
 \description{
 Base class representing an AAD user account.
 }
+\section{Fields}{
+
+\itemize{
+\item \code{token}: The token used to authenticate with the Graph host.
+\item \code{tenant}: The Azure Active Directory tenant for this user.
+\item \code{properties}: The user properties.
+}
+}
+
 \section{Methods}{
 
 \itemize{