using update.latest of visual studio, I published a website. It is in fact the service from the azure AD samples, for the net client/service.
I happened to set the azure sites publication wizard to update the permissions - wanting graph write (in addition to SSO).
It gave an error...saying could not update the identity model section (of the app/web.config) - which doesnt exist of course - in an pure OWN based project.
may be an assumption issue here. I had expected the tool merely to update the AAD config for the app, rather than write anything locally.