202 changes: 131 additions & 71 deletions permissions/new/permissions.json
Expand Up @@ -3491,8 +3491,8 @@
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "",
"adminDescription": "",
"adminDisplayName": "Read the trusted certificate authority configuration for applications",
"adminDescription": "Allows the app to read the trusted certificate authority configuration which can be used to restrict application certificates based on their issuing authority, without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand All @@ -3504,50 +3504,12 @@
"Application"
],
"methods": [
"PATCH"
],
"paths": {
"/certificateauthoritypath/certificatebasedapplicationconfigurations/{id}": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET",
"POST"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"DELETE",
"GET"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"DELETE",
"GET",
"PATCH"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities/{id}": "least=DelegatedWork,Application"
}
}
Expand All @@ -3568,8 +3530,8 @@
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "",
"adminDescription": "",
"adminDisplayName": "Read and write the trusted certificate authority configuration for applications",
"adminDescription": "Allows the app to create, read, update and delete the trusted certificate authority configuration which can be used to restrict application certificates based on their issuing authority, without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand All @@ -3581,24 +3543,13 @@
"Application"
],
"methods": [
"PATCH"
],
"paths": {
"/certificateauthoritypath/certificatebasedapplicationconfigurations/{id}": ""
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET",
"POST"
"GET"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations": "",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities": ""
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}": "",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities": "",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities/{id}": ""
}
},
{
Expand All @@ -3607,11 +3558,11 @@
"Application"
],
"methods": [
"DELETE",
"GET"
"POST"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}": ""
"/directory/certificateauthorities/certificatebasedapplicationconfigurations": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities": "least=DelegatedWork,Application"
}
},
{
Expand All @@ -3621,11 +3572,11 @@
],
"methods": [
"DELETE",
"GET",
"PATCH"
],
"paths": {
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities/{id}": ""
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}": "least=DelegatedWork,Application",
"/directory/certificateauthorities/certificatebasedapplicationconfigurations/{id}/trustedcertificateauthorities/{id}": "least=DelegatedWork,Application"
}
}
],
Expand Down Expand Up @@ -5098,11 +5049,11 @@
"/reports/conditionalaccess/protectedapps": "least=DelegatedWork,Application",
"/reports/conditionalaccess/securityalerts": "least=DelegatedWork,Application",
"/reports/conditionalaccess/unprotectedapps": "least=DelegatedWork,Application",
"/reports/correlations": "",
"/reports/correlations/{id}": "",
"/reports/correlations/{id}/identities": "",
"/reports/correlations/{id}/identities/{id}": "",
Copilot AI Apr 1, 2026

The /reports/correlations* endpoints were introduced as replacements for /reports/identityCorrelation* but their path values are now empty strings. Previously these endpoints carried an explicit "least=DelegatedWork,Application" mapping; consider preserving that mapping here as well to avoid changing downstream permission-resolution behavior or documentation.

"/reports/getAppManagementAuditSummary": "least=DelegatedWork,Application",
"/reports/identityCorrelation": "least=DelegatedWork,Application",
"/reports/identityCorrelation/{id}": "least=DelegatedWork,Application",
"/reports/identityCorrelation/{id}/identities": "least=DelegatedWork,Application",
"/reports/identityCorrelation/{id}/identities/{id}": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning/{id}": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning/{id}/identities": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -5942,7 +5893,9 @@
"PATCH"
],
"paths": {
"/backupRestore/protectionUnits/{protectionUnitId}": "least=DelegatedWork"
"/backupRestore/driveProtectionUnits/{driveProtectionUnitId}": "least=DelegatedWork",
"/backupRestore/mailboxProtectionUnits/{mailboxProtectionUnitId}": "least=DelegatedWork",
"/backupRestore/siteProtectionUnits/{siteProtectionUnitId}": "least=DelegatedWork"
}
},
{
Expand Down Expand Up @@ -12471,8 +12424,10 @@
"POST"
],
"paths": {
"/me/dataSecurityAndGovernance/contentUploadSession": "",
"/me/dataSecurityAndGovernance/processContent": "",
"/security/dataSecurityAndGovernance/processContentAsync": "least=Application,DelegatedWork",
"/users/{userId}/dataSecurityAndGovernance/contentUploadSession": "",
"/users/{userId}/dataSecurityAndGovernance/processContent": ""
}
Copilot AI Apr 1, 2026

In Content.Process.All and Content.Process.User, the new "/me/dataSecurityAndGovernance/contentUploadSession" path is in a pathSet whose schemeKeys include "Application" and the path value is empty (i.e., not restricted). Since /me endpoints are delegated-only in practice, restrict these /me paths to DelegatedWork (e.g., by setting least=DelegatedWork or moving them into a DelegatedWork-only pathSet) to avoid implying app-only support.

}
Expand Down Expand Up @@ -12509,7 +12464,9 @@
"POST"
],
"paths": {
"/me/dataSecurityAndGovernance/contentUploadSession": "",
"/me/dataSecurityAndGovernance/processContent": "least=Application,DelegatedWork",
"/users/{userId}/dataSecurityAndGovernance/contentUploadSession": "",
"/users/{userId}/dataSecurityAndGovernance/processContent": "least=Application,DelegatedWork"
}
}
Expand Down Expand Up @@ -23095,6 +23052,105 @@
"ownerSecurityGroup": "igaelmlivesite"
}
},
"EntraBackup.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read Preview jobs and snapshots",
"adminDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on behalf of the signed-in user.",
"userDisplayName": "Read Preview jobs and snapshots",
"userDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 4
},
"Application": {
"adminDisplayName": "Read Preview jobs and snapshots",
"adminDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on behalf of the signed-in user.",
"userDisplayName": "Read Preview jobs and snapshots",
"userDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 4
Copilot AI Apr 1, 2026

The Application-scheme descriptions for EntraBackup.Read.All reference a signed-in user ("on behalf of the signed-in user" / "on your behalf"), which is inconsistent with other Application permissions and misleading for app-only flows. Update the Application admin/user description fields to reflect app-only behavior (e.g., "without a signed-in user") or remove user-facing fields if not applicable.

}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/directory/recovery/snapshots": "least=Application,DelegatedWork",
"/directory/recovery/snapshots/{id}": "least=Application,DelegatedWork",
"/directory/recovery/snapshots/{id}/recoveryJobs/{id}/getFailedChanges": "least=Application,DelegatedWork",
"/directory/recovery/snapshots/{id}/recoveryPreviewJobs/{id}/getChanges": "least=Application,DelegatedWork"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "xtenantex"
}
},
"EntraBackup.ReadWrite.Preview": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Create a preview job, read preview job and snapshots",
"adminDescription": "Allows the app to list the all the snapshots, create a preview job and enumerate the changes of a specific preview job, on behalf of the signed-in user.",
"userDisplayName": "Create a preview job, read preview job and snapshots",
"userDescription": "Allows the app to list the all the snapshots, create a preview job and enumerate the changes of a specific preview job, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"POST"
],
"paths": {
"/directory/recovery/snapshots/{id}/recoveryPreviewJobs": "least=DelegatedWork"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "xtenantex"
}
},
"EntraBackup.ReadWrite.Recovery": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Create preview and recovery job, read recovery job and snapshots",
"adminDescription": "Allows the app to list the all the snapshots, create a recovery job and enumerate the changes of a specific recovery job, on behalf of the signed-in user.",
"userDisplayName": "Create preview and recovery job, read recovery job and snapshots",
"userDescription": "Allows the app to list the all the snapshots, create a recovery job and enumerate the changes of a specific recovery job, on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"POST"
],
"paths": {
"/directory/recovery/snapshots/{id}/recoveryJobs": "least=DelegatedWork"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "xtenantex"
}
},
"EventListener.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
Expand Down Expand Up @@ -42070,7 +42126,11 @@
"GET"
],
"paths": {
"/auditlogs/provisioning": "least=DelegatedWork"
"/auditlogs/provisioning": "least=DelegatedWork",
"/reports/correlations": "least=DelegatedWork",
"/reports/correlations/{id}": "least=DelegatedWork",
"/reports/correlations/{id}/identities": "least=DelegatedWork",
"/reports/correlations/{id}/identities/{id}": "least=DelegatedWork"
}
}
],
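Review bot: In the new EntraBackup.ReadWrite.Preview and EntraBackup.ReadWrite.Recovery entries the consent text is wider than the grant: both adminDescription/userDescription strings say the app can list all snapshots and enumerate the changes of a job, and ReadWrite.Recovery's display name says "Create preview and recovery job", yet ReadWrite.Preview's only pathSet is POST /directory/recovery/snapshots/{id}/recoveryPreviewJobs and ReadWrite.Recovery's only pathSet is POST /directory/recovery/snapshots/{id}/recoveryJobs. If pathSets here are meant to enumerate everything a permission authorizes (as the neighbouring entries in this diff do), either add the GET paths listed under EntraBackup.Read.All (and POST .../recoveryPreviewJobs to ReadWrite.Recovery) or narrow the text to what is actually granted, e.g. `"adminDisplayName": "Create recovery jobs"` and `"adminDescription": "Allows the app to create a recovery job from a directory snapshot, on behalf of the signed-in user."`; an admin consenting to a permission that restores directory objects should be told exactly what it authorizes, no more and no less. While touching these strings, fix `list the all the snapshots` to `list all the snapshots`, which recurs in every EntraBackup description including Read.All.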