Weekly Permissions sync 2025-11-29 #1363
Pull request overview
This is a weekly permissions synchronization that updates permission definitions and provisioning information across the Microsoft Graph API permissions system. The changes enable new agent-related permissions, fix inconsistencies, and add new API endpoints.
- Enables and populates IDs for multiple Agent Registry permissions (AgentInstance, AgentCardManifest, AgentCollection, MailboxConfigItem)
- Adds comprehensive metadata for new agent-related permissions in the permissions registry
- Introduces placeholder entries for three new permissions (AppRegistration.Create, AppRegistration.DeleteRestore.All, AppRegistration.EnableDisable.All, ServicePrincipal.DeleteRestore.All)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Updates provisioning info for Agent* permissions (enabling and adding IDs), adds placeholder entries for new AppRegistration.* and ServicePrincipal.* permissions, updates MailboxConfigItem.Read with IDs, adds Group-Priority.ReadWrite.All, corrects resourceAppId for CopilotConversation.Delete |
| permissions/new/permissions.json | Adds comprehensive definitions for Agent* permissions with display names, descriptions, and API paths; adds MailboxConfigItem.Read definition; reorganizes Calendar.Read paths; updates CloudPC and Policy paths; adds new Copilot reporting endpoints |
| "AppRegistration.EnableDisable.All": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
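Review bot: Both AppRegistration.EnableDisable.All entries set "isEnabled": true while "id" is still "". Consider "isEnabled": false until the IDs are assigned, so that an entry with no identifier is never marked as enabled.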
Copilot
AI
Nov 29, 2025
The permission AppRegistration.EnableDisable.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).
| "ServicePrincipal.DeleteRestore.All": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
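Review bot: "resourceAppId" in both ServicePrincipal.DeleteRestore.All entries is 00000002-0000-0000-c000-000000000000, while the AppRegistration.* placeholders in this change use 00000003-0000-0000-c000-000000000000. Please confirm that the different resource is intended and not a slip in the placeholder.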
Copilot
AI
Nov 29, 2025
The permission ServicePrincipal.DeleteRestore.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).
| "isEnabled": false, | ||
| "isHidden": false, | ||
| "isEnabled": true, | ||
| "resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3" |
Copilot
AI
Nov 29, 2025
The MailboxConfigItem.Read permission definition in permissions.json includes a DelegatedPersonal scheme (lines 30343-30350), but the corresponding provisioningInfo.json entry only has provisioning info for DelegatedWork and Application schemes. A provisioning info entry for the DelegatedPersonal scheme should be added to maintain consistency between the two files.
| "resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3" | |
| "resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3" | |
| }, | |
| { | |
| "id": "", | |
| "scheme": "DelegatedPersonal", | |
| "environment": "public", | |
| "isHidden": false, | |
| "isEnabled": true, | |
| "resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3" |
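Review bot: The suggested DelegatedPersonal entry leaves "id": "" while setting "environment": "public", "isHidden": false and "isEnabled": true. Supply the scheme's id before applying the suggestion, or keep the entry disabled until the id is known.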
| "schemes": { | ||
| "DelegatedWork": { | ||
| "adminDisplayName": "Read user's UserConfiguration objects", | ||
| "adminDescription": "Allows the app to read user's UserConfiguration objects, on behalf of the the signed-in user.", |
Copilot
AI
Nov 29, 2025
There's a double "the" in the adminDescription: "on behalf of the the signed-in user" should be "on behalf of the signed-in user".
| }, | ||
| "DelegatedPersonal": { | ||
| "adminDisplayName": "Read user's UserConfiguration objects", | ||
| "adminDescription": "Allows the app to read user's UserConfiguration objects, on behalf of the the signed-in user.", |
Copilot
AI
Nov 29, 2025
There's a double "the" in the adminDescription: "on behalf of the the signed-in user" should be "on behalf of the signed-in user".
| "AppRegistration.Create": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
Copilot
AI
Nov 29, 2025
The permission AppRegistration.Create has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).
| "AppRegistration.DeleteRestore.All": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000003-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
Copilot
AI
Nov 29, 2025
The permission AppRegistration.DeleteRestore.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).
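The cross-file checks raised in the review comments above (empty `id`/`environment`, a provisioning entry with no definition, a defined scheme with no provisioning entry), written as a small linter. This is an added example, not part of the pull request or the repository's tooling; the top-level layout of both files (permission name as key), the helper names and the id marked constructed are assumptions.

```python
# Added example: cross-file lint for the two permission files.
# Assumed layout: both files map permission name -> data (not confirmed by the page).
GRAPH = "00000003-0000-0000-c000-000000000000"      # resourceAppId quoted in the diff
MAILBOX = "c999ed3e-27ae-4cb3-b3a2-46b056af63d3"    # resourceAppId quoted in the diff
FAKE_ID = "00000000-0000-0000-0000-00000000aaaa"    # constructed placeholder id


def entry(scheme, id_, env, app):
    """Build one provisioning entry with the fields shown in the diff."""
    return {"id": id_, "scheme": scheme, "environment": env,
            "isHidden": True, "isEnabled": True, "resourceAppId": app}


# Constructed stand-in for provisioningInfo.json
PROVISIONING = {
    "AppRegistration.Create": [entry("DelegatedWork", "", "", GRAPH),
                               entry("Application", "", "", GRAPH)],
    "MailboxConfigItem.Read": [entry("DelegatedWork", FAKE_ID, "public", MAILBOX),
                               entry("Application", FAKE_ID, "public", MAILBOX)],
}
# Constructed stand-in for permissions.json (metadata bodies omitted)
PERMISSIONS = {
    "MailboxConfigItem.Read": {
        "schemes": {"DelegatedWork": {}, "DelegatedPersonal": {}, "Application": {}}},
}


def lint(provisioning, permissions):
    """Return (permission, scheme, problem) tuples for cross-file inconsistencies."""
    findings = []
    for name, entries in sorted(provisioning.items()):
        if name not in permissions:
            findings.append((name, "-", "no definition in permissions file"))
        for e in entries:
            for field in ("id", "environment"):
                if not e.get(field):
                    findings.append((name, e["scheme"], f"empty {field}"))
    for name, definition in sorted(permissions.items()):
        provisioned = {e["scheme"] for e in provisioning.get(name, [])}
        for scheme in sorted(set(definition.get("schemes", {})) - provisioned):
            findings.append((name, scheme, "scheme defined but not provisioned"))
    return findings


if __name__ == "__main__":
    for permission, scheme, problem in lint(PROVISIONING, PERMISSIONS):
        print(f"{permission} [{scheme}]: {problem}")
```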