135 changes: 123 additions & 12 deletions permissions/new/permissions.json
Expand Up @@ -1314,7 +1314,7 @@
},
"Application": {
"adminDisplayName": "Read and write all agent identities",
"adminDescription": "Allows the app read, update, and delete agent identities without a signed-in user.",
"adminDescription": "Allows the app to read, update, and delete agent identities without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1649,16 +1649,16 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Add or remove sponsors for agent identity blueprint",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprint on behalf of the signed-in user.",
"adminDisplayName": "Add or remove sponsors for agent identity blueprints",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprints on behalf of the signed-in user.",
"userDisplayName": "Update agent identity blueprint authorization related properties",
"userDescription": "Update agent identity blueprint authorization related properties on user's' behalf",
"requiresAdminConsent": true,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Add or remove sponsors for agent identity blueprint",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprint without a signed-in user.",
"adminDisplayName": "Add or remove sponsors for agent identity blueprints",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprints without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1697,13 +1697,13 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Create agent identity blueprint service principals.",
"adminDisplayName": "Create agent identity blueprint principals.",
"adminDescription": "Allows creating new agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
},
"Application": {
"adminDisplayName": "Create agent identity blueprint service principals.",
"adminDisplayName": "Create agent identity blueprint principals.",
"adminDescription": "Allows creating new agent identity blueprint principals without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 5
Expand Down Expand Up @@ -1732,14 +1732,14 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Delete and restore agent identity blueprints.",
"adminDescription": "Allows deleting or restoring agent identity blueprints with a signed-in user.",
"adminDisplayName": "Delete and restore agent identity blueprint principals.",
"adminDescription": "Allows deleting or restoring agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
},
"Application": {
"adminDisplayName": "Delete and restore agent identity blueprints.",
"adminDescription": "Allows deleting or restoring agent identity blueprints without a signed-in user.",
"adminDisplayName": "Delete and restore agent identity blueprint principals.",
"adminDescription": "Allows deleting or restoring agent identity blueprint principals without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1814,7 +1814,7 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read agent identity blueprints principals.",
"adminDisplayName": "Read agent identity blueprint principals.",
"adminDescription": "Allows reading agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 3
Expand Down Expand Up @@ -3106,6 +3106,114 @@
"ownerSecurityGroup": "agentregistrydevs"
}
},
"AgentRegistration.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read all agent registrations",
"adminDescription": "Allows the user to read all agent registration information",
"userDisplayName": "Read all agent registrations",
"userDescription": "Allows the app to read agent registration information.",
"requiresAdminConsent": false,
"privilegeLevel": 3
Comment on lines +3113 to +3118

Copilot AI Apr 24, 2026


In the new AgentRegistration.Read.All delegated scheme, adminDescription says "Allows the user…" (and lacks a trailing period) while userDescription says "Allows the app…". Elsewhere in this file delegated permissions consistently describe the calling app/client (e.g., Agreement.Read.All at ~3222-3224). Consider aligning the wording (app/client vs user) and punctuation, and ensure the delegated descriptions clearly indicate "on behalf of the signed-in user" when applicable.

},
"Application": {
"adminDisplayName": "Read all agent registrations",
"adminDescription": "Allows the app to read agent registration information without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "m365adminsvcdevteam"
}
},
"AgentRegistration.ReadWrite.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read and write all agent registrations",
"adminDescription": "Allows the user to read and write all agent registration information",
"userDisplayName": "Read and write all agent registrations",
"userDescription": "Allows the app to read and write agent registration information.",
"requiresAdminConsent": true,
Comment on lines +3148 to +3153

Copilot AI Apr 24, 2026


Similarly for AgentRegistration.ReadWrite.All delegated scheme, adminDescription uses "Allows the user…" (no period) while userDescription uses "Allows the app…". For consistency with other delegated permissions in this file, update the delegated descriptions to consistently refer to the calling app/client and end sentences with periods.

"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Read and write all agent registrations",
"adminDescription": "Allows the app to read and write agent registration information without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"POST"
],
"paths": {
"/copilot/agentRegistrations": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"PATCH"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"DELETE"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "m365adminsvcdevteam"
}
},
"Agreement.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
Expand Down Expand Up @@ -33987,6 +34095,7 @@
"/networkaccess/reports/getCrossTenantSummary": "least=DelegatedWork,Application",
"/networkaccess/reports/getDestinationSummaries": "least=DelegatedWork,Application",
"/networkaccess/reports/getDeviceUsageSummary": "least=DelegatedWork,Application",
"/networkaccess/reports/getDiscoveredAIAgentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getDiscoveredApplicationSegmentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getEnterpriseApplicationReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getUserThreatReport": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -34187,6 +34296,7 @@
"/networkaccess/reports/getCrossTenantSummary": "",
"/networkaccess/reports/getDestinationSummaries": "",
"/networkaccess/reports/getDeviceUsageSummary": "",
"/networkaccess/reports/getDiscoveredAIAgentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getDiscoveredApplicationSegmentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getEnterpriseApplicationReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getUserThreatReport": "",
Expand Down Expand Up @@ -42823,6 +42933,7 @@
"/reports/getSharePointApiUsage(period={value})": "least=DelegatedWork",
"/reports/getuserarchivedprintjobs": "least=DelegatedWork",
"/reports/getuserarchivedprintjobs(userid={value},startdatetime={value},enddatetime={value})": "least=DelegatedWork",
"/reports/microsoftappsfilestoragecontainerusagesummary": "least=DelegatedWork",
"/reports/monthlyprintusagebyprinter": "least=DelegatedWork",
"/reports/monthlyprintusagebyprinter/{id}": "least=DelegatedWork",
"/reports/monthlyprintusagebyuser": "least=DelegatedWork",
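Review bot: In the added `AgentRegistration.Read.All` entry, the `DelegatedWork` scheme sets `"requiresAdminConsent": false` on a tenant-wide `.All` read scope at `privilegeLevel` 3, whereas every other level-3 delegated scheme visible in this diff requires admin consent. Unless user consent is a deliberate choice, this should read `"requiresAdminConsent": true`, because a user-consentable scope covering every agent registration widens exposure to illicit consent grants. Separately, `AgentRegistration.ReadWrite.All` marks GET on `/copilot/agentRegistrations/{agentId}` as `least=DelegatedWork,Application`, the same claim `AgentRegistration.Read.All` makes for that path. If `least=` names the least-privileged permission (as the empty `""` values in the networkaccess hunk suggest), the ReadWrite entry should carry `""` for GET so tooling and docs do not steer read-only callers to the write scope. Neither permission maps GET on the collection `/copilot/agentRegistrations`, so please confirm whether listing is meant to be covered by "Read all agent registrations".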