Dear Cloudflare Support

Since yesterday we are observing a new behavior when working with Applications and Zone Level Application Policies.
Before yesterday it seems that the update of an application did not remove the attached policies of the app.
Now it seems that performing a PUT on an application to update non-policy related fields, removes the policy as well.

Example flow with dummy values:

1. Create Application
   POST /client/v4/zones/xxxxxxxxxx/access/apps
2. Create Application Level Policy
   POST /client/v4/zones/xxxxxxxxxx/access/apps/yyyyyyyyyyyy/policies
3. Update Application
   PUT /client/v4/zones/xxxxxxxxxx/access/apps/yyyyyyyyyyyy
4. Fetch Application Policies
   GET /client/v4/zones/xxxxxxxxxx/access/apps/yyyyyyyyyyyy/policies

After step 4, the policy is now empty.
It seems this behavior has changed? Has anybody else noticed this?

A sample call for update can be found here:
PUT /client/v4/zones/xxxxxxxxxx/access/apps/yyyyyyyyyyyy
{
“name”: “example/”,
“domain”: “example/”,
“app_launcher_visible”: true,
“allowed_idps”: [
“UUID”
],
“auto_redirect_to_identity”: true
}

Unforunately I cannot put the full links in the post, due to them not being allowed.

Best regards

To answer this for anybody else looking for the same, got a reply from the support:

There was a temporary issue with a change, but it’s now reverted to the before behavior.
So this should not happen again for now.