Weekly Permissions sync 2025-11-29

[marabooy]

Weekly Permissions sync 2025-11-29

[Copilot]

Pull request overview

This is a weekly permissions synchronization that updates permission definitions and provisioning information across the Microsoft Graph API permissions system. The changes enable new agent-related permissions, fix inconsistencies, and add new API endpoints.

• Enables and populates IDs for multiple Agent Registry permissions (AgentInstance, AgentCardManifest, AgentCollection, MailboxConfigItem)
• Adds comprehensive metadata for new agent-related permissions in the permissions registry
• Introduces placeholder entries for three new permissions (AppRegistration.Create, AppRegistration.DeleteRestore.All, AppRegistration.EnableDisable.All, ServicePrincipal.DeleteRestore.All)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
permissions/new/provisioningInfo.json	Updates provisioning info for Agent* permissions (enabling and adding IDs), adds placeholder entries for new AppRegistration.* and ServicePrincipal.* permissions, updates MailboxConfigItem.Read with IDs, adds Group-Priority.ReadWrite.All, corrects resourceAppId for CopilotConversation.Delete
permissions/new/permissions.json	Adds comprehensive definitions for Agent* permissions with display names, descriptions, and API paths; adds MailboxConfigItem.Read definition; reorganizes Calendar.Read paths; updates CloudPC and Policy paths; adds new Copilot reporting endpoints

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

[Copilot]

The permission AppRegistration.EnableDisable.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).

[Copilot]

The permission ServicePrincipal.DeleteRestore.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).

[Copilot]

The MailboxConfigItem.Read permission definition in permissions.json includes a DelegatedPersonal scheme (lines 30343-30350), but the corresponding provisioningInfo.json entry only has provisioning info for DelegatedWork and Application schemes. A provisioning info entry for the DelegatedPersonal scheme should be added to maintain consistency between the two files.

Suggested change

	"resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3"
	"resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3"
	},
	{
	"id": "",
	"scheme": "DelegatedPersonal",
	"environment": "public",
	"isHidden": false,
	"isEnabled": true,
	"resourceAppId": "c999ed3e-27ae-4cb3-b3a2-46b056af63d3"

[Copilot]

There's a double "the" in the adminDescription: "on behalf of the the signed-in user" should be "on behalf of the signed-in user".

[Copilot]

There's a double "the" in the adminDescription: "on behalf of the the signed-in user" should be "on behalf of the signed-in user".

[Copilot]

The permission AppRegistration.Create has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).

[Copilot]

The permission AppRegistration.DeleteRestore.All has provisioning info with empty id and environment fields. These should be populated with valid values before the permission can be used. Additionally, this permission appears in provisioningInfo.json but has no corresponding entry in permissions.json, which means it lacks the required metadata (display names, descriptions, paths, etc.).