Weekly Permissions sync 2025-11-28 #1362
Conversation
There was a problem hiding this comment.
Pull request overview
This PR performs a weekly permissions synchronization that updates permission provisioning information and definitions across the Microsoft Graph API permissions system. The sync includes enabling previously hidden Agent Registry permissions, adding new AppRegistration and ServicePrincipal permissions, and updating various API paths.
Key Changes:
- Enabled 18 Agent Registry permissions (AgentInstance, AgentCollection, AgentCardManifest) by populating missing IDs and updating visibility flags
- Added three new AppRegistration permissions and one ServicePrincipal permission with incomplete provisioning data
- Updated API paths for Calendar check-ins, CloudPC reports, and Conditional Access claim providers
- Added comprehensive permission definitions for Agent Registry operations in permissions.json
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 18 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Updated Agent Registry permission provisioning (IDs, visibility, enablement), added incomplete AppRegistration and ServicePrincipal permissions, corrected resourceAppId for CopilotPackages, added Group-Priority permission |
| permissions/new/permissions.json | Added complete Agent Registry and MailboxConfigItem permission definitions, updated Calendar check-in paths to be DelegatedWork-only, renamed CloudPC client usage report path, added Conditional Access claim provider paths, added new Copilot report endpoints |
Critical Issues Identified:
The PR adds four new permission types (AppRegistration.Create, AppRegistration.DeleteRestore.All, AppRegistration.EnableDisable.All, and ServicePrincipal.DeleteRestore.All) to provisioningInfo.json with empty id and environment fields marked as enabled. These permissions lack:
- Required GUID identifiers in the
idfields - Environment specifications
- Corresponding definitions in permissions.json
These incomplete entries may cause runtime issues and should be completed or removed before merging.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", |
There was a problem hiding this comment.
Missing required environment field for AppRegistration.DeleteRestore.All Application permission. The environment field should specify the environment (e.g., "public", "PPE", etc.) where this permission is available.
| "environment": "", | |
| "environment": "public", |
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", |
There was a problem hiding this comment.
Missing required environment field for AppRegistration.EnableDisable.All DelegatedWork permission. The environment field should specify the environment (e.g., "public", "PPE", etc.) where this permission is available.
| "environment": "", | |
| "environment": "public", |
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", |
There was a problem hiding this comment.
Missing required id field for AppRegistration.EnableDisable.All Application permission. The id field should contain a valid GUID to uniquely identify this permission provisioning entry.
| "ServicePrincipal.DeleteRestore.All": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
There was a problem hiding this comment.
The new permission ServicePrincipal.DeleteRestore.All is added to provisioningInfo.json but does not have a corresponding definition in permissions.json. For consistency, this permission should either have a complete definition in both files or should be removed from provisioningInfo.json until it is fully ready.
| "ServicePrincipal.DeleteRestore.All": [ | |
| { | |
| "id": "", | |
| "scheme": "DelegatedWork", | |
| "environment": "", | |
| "isHidden": true, | |
| "isEnabled": true, | |
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | |
| }, | |
| { | |
| "id": "", | |
| "scheme": "Application", | |
| "environment": "", | |
| "isHidden": true, | |
| "isEnabled": true, | |
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | |
| } | |
| ], |
| ], | ||
| "AppRegistration.Create": [ | ||
| { | ||
| "id": "", |
There was a problem hiding this comment.
Missing required id field for AppRegistration.Create DelegatedWork permission. The id field should contain a valid GUID to uniquely identify this permission provisioning entry.
| "id": "", | |
| "id": "b7e2c1a4-2e3b-4c8a-9e2d-1f3a5b6c7d8e", |
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", |
There was a problem hiding this comment.
Missing required environment field for AppRegistration.Create DelegatedWork permission. The environment field should specify the environment (e.g., "public", "PPE", etc.) where this permission is available.
| "environment": "", | |
| "environment": "public", |
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", |
There was a problem hiding this comment.
Missing required environment field for AppRegistration.Create Application permission. The environment field should specify the environment (e.g., "public", "PPE", etc.) where this permission is available.
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", |
There was a problem hiding this comment.
Missing required environment field for AppRegistration.DeleteRestore.All DelegatedWork permission. The environment field should specify the environment (e.g., "public", "PPE", etc.) where this permission is available.
| "environment": "", | |
| "environment": "public", |
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", |
There was a problem hiding this comment.
Missing required id field for AppRegistration.DeleteRestore.All Application permission. The id field should contain a valid GUID to uniquely identify this permission provisioning entry.
| "id": "", | |
| "id": "b1e2c3d4-5678-4abc-9def-1234567890ab", |
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", |
There was a problem hiding this comment.
Missing required id field for ServicePrincipal.DeleteRestore.All Application permission. The id field should contain a valid GUID to uniquely identify this permission provisioning entry.
Weekly Permissions sync 2025-11-28