Closed
Changes from 1 commit
150 changes: 25 additions & 125 deletions permissions/new/permissions.json
Expand Up @@ -1258,7 +1258,7 @@
"DelegatedWork": {
"adminDisplayName": "Read all agent identities",
"adminDescription": "Allows the client to read all agent identities.",
"requiresAdminConsent": false,
"requiresAdminConsent": true,
"privilegeLevel": 3
Comment on lines +1261 to 1262
Copilot AI Jan 30, 2026

AgentIdentity.Read.All (DelegatedWork) now requires admin consent. This is a behavior change (users can no longer self-consent) and may break existing consent flows; please confirm this is intentional and ensure any downstream docs/release notes or callers are updated accordingly.
},
"Application": {
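Review bot: the same one-line flip of requiresAdminConsent to true appears three times in this file (lines 1261, 1450 and 1709) for the sibling scopes AgentIdentity.Read.All, AgentIdentityBlueprint.Read.All and AgentIdentityBlueprintPrincipal.Read.All, but nothing in this commit touches the other scopes of the same family; since AgentIdentityBlueprint.UpdateSponsors.All is being added to provisioningInfo.json in this very commit, please confirm which consent setting that family is supposed to share so the three tightened entries do not end up as the odd ones out. Existing user consents already granted are not affected by a metadata change here, so this governs new grants only; worth stating in the changelog that covers all three.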
Expand Down Expand Up @@ -1447,7 +1447,7 @@
"DelegatedWork": {
"adminDisplayName": "Read all agent identity blueprints",
"adminDescription": "Allows the client to read all agent identity blueprints.",
"requiresAdminConsent": false,
"requiresAdminConsent": true,
"privilegeLevel": 3
Comment on lines +1450 to 1451
Copilot AI Jan 30, 2026

AgentIdentityBlueprint.Read.All (DelegatedWork) now requires admin consent. This is a breaking change for apps relying on user-consentable delegated permissions; please confirm intent and ensure the change is communicated to consumers.
},
"Application": {
Expand Down Expand Up @@ -1706,7 +1706,7 @@
"DelegatedWork": {
"adminDisplayName": "Read agent identity blueprints principals.",
"adminDescription": "Allows reading agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": false,
"requiresAdminConsent": true,
"privilegeLevel": 3
Comment on lines +1709 to 1710
Copilot AI Jan 30, 2026

AgentIdentityBlueprintPrincipal.Read.All (DelegatedWork) now requires admin consent. Since this changes who can grant the permission, please confirm this matches the product/security decision and that any dependent tooling/tests/documentation are aligned.
},
"Application": {
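Review bot: style point on the context line `"adminDisplayName": "Read agent identity blueprints principals."` in this hunk: it ends with a period and says "blueprints principals", while the adminDescription on the next line says "blueprint principals" and the sibling display names at lines 1259 and 1448 carry no trailing period. Since this entry is being touched anyway, consider `"adminDisplayName": "Read agent identity blueprint principals"` so the consent prompt text is consistent across the family.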
Expand Down Expand Up @@ -42448,42 +42448,34 @@
"userDescription": "Allows the app to read your organization's risk prevention providers, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Read all identity risk prevention providers",
"adminDescription": "Allows the app to read your organization's risk prevention providers, without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
Comment on lines 42448 to 42452
Copilot AI Jan 30, 2026

RiskPreventionProviders.Read.All now appears to be delegated-only (the Application scheme was removed in this hunk). This is a breaking change for daemon/service apps; please confirm the removal is intended and that migration guidance (or an alternative app-only permission) exists for app-only scenarios.
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"GET"
],
"paths": {
"/identity/riskPrevention/fraudProtectionProviders": "least=DelegatedWork,Application",
"/identity/riskPrevention/fraudProtectionProviders/{id}": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallProviders": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallProviders/{id}": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallVerifications": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallVerifications/{id}": "least=DelegatedWork,Application"
"/identity/riskPrevention/fraudProtectionProviders": "least=DelegatedWork",
"/identity/riskPrevention/fraudProtectionProviders/{id}": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallProviders": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallProviders/{id}": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallVerifications": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallVerifications/{id}": "least=DelegatedWork"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"POST"
],
"paths": {
"/identity/riskPrevention/webApplicationFirewalls/verify": "least=DelegatedWork,Application"
"/identity/riskPrevention/webApplicationFirewalls/verify": "least=DelegatedWork"
}
}
],
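Review bot: the deleted Application block for RiskPreventionProviders.Read.All in this hunk has no counterpart in the provisioningInfo.json hunks of this commit, which only touch AgentIdentityBlueprint.UpdateSponsors.All and the two ThreatSubmission scopes; if an app-only provisioning entry for this permission exists there, it should be hidden or disabled in the same change, otherwise the scope remains grantable to daemon apps while this file says it no longer exists. The `least=` values on the six GET paths and the POST verify path were updated consistently with the reduced schemeKeys, so the remaining metadata in the hunk is self-consistent.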
Expand All @@ -42501,67 +42493,57 @@
"userDescription": "Allows the app to read and write your organization's risk prevention providers, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Read and write all identity risk prevention providers",
"adminDescription": "Allows the app to read and write your organization's risk prevention providers, without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
Comment on lines 42493 to 42497
Copilot AI Jan 30, 2026

RiskPreventionProviders.ReadWrite.All is now delegated-only (the Application scheme was removed in this change). If app-only write access is still needed for automation scenarios, please confirm there is a supported replacement to avoid breaking existing integrations.
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"GET",
"POST"
],
"paths": {
"/identity/riskPrevention/fraudProtectionProviders": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallProviders": "least=DelegatedWork,Application"
"/identity/riskPrevention/fraudProtectionProviders": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallProviders": "least=DelegatedWork"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"DELETE",
"GET",
"PATCH"
],
"paths": {
"/identity/riskPrevention/fraudProtectionProviders/{id}": "least=DelegatedWork,Application",
"/identity/riskPrevention/webApplicationFirewallProviders/{id}": "least=DelegatedWork,Application"
"/identity/riskPrevention/fraudProtectionProviders/{id}": "least=DelegatedWork",
"/identity/riskPrevention/webApplicationFirewallProviders/{id}": "least=DelegatedWork"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"POST"
],
"paths": {
"/identity/riskPrevention/webApplicationFirewallProviders/{id}/verify": "least=DelegatedWork,Application"
"/identity/riskPrevention/webApplicationFirewallProviders/{id}/verify": "least=DelegatedWork"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
"DelegatedWork"
],
"methods": [
"DELETE",
"GET"
],
"paths": {
"/identity/riskPrevention/webApplicationFirewallVerifications/{id}": "least=DelegatedWork,Application"
"/identity/riskPrevention/webApplicationFirewallVerifications/{id}": "least=DelegatedWork"
}
}
],
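Review bot: with the Application scheme removed from RiskPreventionProviders.ReadWrite.All, the DELETE and PATCH path sets in this hunk (`/identity/riskPrevention/fraudProtectionProviders/{id}`, `/identity/riskPrevention/webApplicationFirewallProviders/{id}`, `/identity/riskPrevention/webApplicationFirewallVerifications/{id}`) are now documented as reachable only with a signed-in user; please make sure the service-side authorization change ships together with this metadata, because a mismatch in either direction means the `least=` annotations either under-claim or over-claim what an app-only token can actually do against these write and delete endpoints. The same provisioningInfo.json question raised for Read.All applies here.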
Expand Down Expand Up @@ -47970,7 +47952,7 @@
}
],
"ownerInfo": {
"ownerSecurityGroup": "privacymanagementDSR"
"ownerSecurityGroup": "PrivacySolutionAdmin"
}
},
"SubjectRightsRequest.ReadWrite.All": {
Expand Down Expand Up @@ -48030,7 +48012,7 @@
}
],
"ownerInfo": {
"ownerSecurityGroup": "privacymanagementDSR"
"ownerSecurityGroup": "PrivacySolutionAdmin"
}
},
"Synchronization.Read.All": {
Expand Down Expand Up @@ -53248,6 +53230,7 @@
"/teams/{id}/completemigration": "least=Application",
"/users/{id}/teamwork/sections": "",
"/users/{id}/teamwork/sections/{id}/items": "",
"/users/{id}/teamwork/sections/{id}/items/{id}/move": "",
"/users/{id}/teamwork/sections/{id}/items/reorder": "",
"/users/{id}/teamwork/sections/reorder": ""
}
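Review bot: the new `/users/{id}/teamwork/sections/{id}/items/{id}/move` entry carries an empty least-privilege value, matching its `reorder` siblings but unlike `/teams/{id}/completemigration` in the same hunk, which declares `least=Application`; if the empty string is a placeholder pending a decision, please say so in the PR, because consumers of this file treat `""` as "no least-privileged scheme known" and generated docs will show nothing for this path.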
Expand Down Expand Up @@ -54115,42 +54098,6 @@
"ownerSecurityGroup": "riskiq-dev"
}
},
"ThreatSubmission.Read": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read threat submissions",
"adminDescription": "Allows the app to read the threat submissions and threat submission policies owned by the signed-in user.",
"userDisplayName": "Read threat submissions",
"userDescription": "Allows the app to read the threat submissions and threat submission policies that you own on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 2
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"GET"
],
"paths": {
"/security/threatsubmission/emailthreats": "least=DelegatedWork",
"/security/threatsubmission/emailthreats/{id}": "least=DelegatedWork",
"/security/threatsubmission/emailthreatsubmissionpolicies": "least=DelegatedWork",
"/security/threatsubmission/emailthreatsubmissionpolicies/{id}": "least=DelegatedWork",
"/security/threatsubmission/filethreats": "least=DelegatedWork",
"/security/threatsubmission/filethreats/{id}": "least=DelegatedWork",
"/security/threatsubmission/urlthreats": "least=DelegatedWork",
"/security/threatsubmission/urlthreats/{id}": "least=DelegatedWork"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "IdentityReq"
}
},
"ThreatSubmission.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
Comment on lines 54101 to 54103
Copilot AI Jan 30, 2026

This PR removes the ThreatSubmission.Read / ThreatSubmission.ReadWrite delegated permissions (non-.All) from permissions.json. Since this is a breaking change for any clients currently requesting those scopes, please confirm deprecation/migration guidance exists (e.g., move to .Read.All / .ReadWrite.All) before removing the entries.
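Review bot: the removed ThreatSubmission.Read block was the least-privileged delegated scope for GET on the `/security/threatsubmission/*` paths (privilegeLevel 2, scoped by its description to the signed-in user's own submissions and policies, with every path annotated `least=DelegatedWork`); once it is gone, the lowest delegated grant for those reads becomes ThreatSubmission.Read.All, which covers every user's submissions, so clients that follow least privilege are pushed to a broader scope. Any migration note should call that out explicitly rather than present .Read.All as a drop-in replacement.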
Expand Down Expand Up @@ -54194,53 +54141,6 @@
"ownerSecurityGroup": "IdentityReq"
}
},
"ThreatSubmission.ReadWrite": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read and write threat submissions",
"adminDescription": "Allows the app to read the threat submissions and threat submission policies owned by the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user.",
"userDisplayName": "Read and write threat submissions",
"userDescription": "Allows the app to read the threat submissions and threat submission policies that you own. Also allows the app to create new threat submissions on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 2
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"GET"
],
"paths": {
"/security/threatsubmission/emailthreats/{id}": "",
"/security/threatsubmission/emailthreatsubmissionpolicies": "",
"/security/threatsubmission/emailthreatsubmissionpolicies/{id}": "",
"/security/threatsubmission/filethreats/{id}": "",
"/security/threatsubmission/urlthreats/{id}": ""
}
},
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"GET",
"POST"
],
"paths": {
"/security/threatsubmission/emailthreats": "least=DelegatedWork",
"/security/threatsubmission/filethreats": "least=DelegatedWork",
"/security/threatsubmission/urlthreats": "least=DelegatedWork"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "IdentityReq"
}
},
"ThreatSubmission.ReadWrite.All": {
"authorizationType": "oAuth2",
"schemes": {
22 changes: 20 additions & 2 deletions permissions/new/provisioningInfo.json
Expand Up @@ -486,6 +486,24 @@
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
],
"AgentIdentityBlueprint.UpdateSponsors.All": [
{
"id": "",
"scheme": "Application",
"environment": "PPE;public",
"isHidden": true,
"isEnabled": false,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "DelegatedWork",
"environment": "PPE;public",
"isHidden": true,
"isEnabled": false,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
],
"AgentIdentityBlueprintPrincipal.CreateAsManager": [
{
"id": "c50c596a-6889-4460-acb1-3ed7c5fc142a",
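Review bot: both new AgentIdentityBlueprint.UpdateSponsors.All entries have `"id": ""` where every other entry in this file carries a GUID (compare the AgentIdentityBlueprintPrincipal.CreateAsManager entry directly below); with `isEnabled: false` and `isHidden: true` an empty id is harmless as a placeholder, but please add a follow-up or a validation check so the scope cannot be flipped to enabled while its id is still empty. This commit also adds no matching definition to permissions.json for UpdateSponsors.All, so confirm that is intended until provisioning completes.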
Expand Down Expand Up @@ -16112,7 +16130,7 @@
"id": "fd5353c6-26dd-449f-a565-c4e16b9fce78",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": false,
"isHidden": true,
"isEnabled": true,
"resourceAppId": ""
Comment on lines +16133 to 16135
Copilot AI Jan 30, 2026

ThreatSubmission.Read is now marked isHidden: true but remains isEnabled: true. If the intent is to fully retire this scope (it was removed from permissions.json in this PR), consider also disabling it here to prevent new assignments/consents while keeping existing ones grandfathered (or document why it should remain enabled).
}
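Review bot: after this commit ThreatSubmission.Read exists in provisioningInfo.json with `isHidden: true` and `isEnabled: true` but has no definition left in permissions.json (deleted in the same commit), so the two files are out of sync for this scope; if any validator or generator joins the files on scope name it needs to tolerate an orphaned provisioning entry, and if none does, this is the place to decide explicitly whether the scope should be disabled rather than only hidden, since a hidden-but-enabled scope can still be requested by name even though it no longer appears in the permission reference.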
Expand Down Expand Up @@ -16140,7 +16158,7 @@
"id": "68a3156e-46c9-443c-b85c-921397f082b5",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": false,
"isHidden": true,
"isEnabled": true,
"resourceAppId": ""
Comment on lines +16161 to 16163
Copilot AI Jan 30, 2026

ThreatSubmission.ReadWrite is now marked isHidden: true but remains isEnabled: true. If this scope is being retired (it was removed from permissions.json in this PR), consider disabling it here as well to prevent new assignments/consents, or add rationale for keeping it enabled while hidden.
}