144 changes: 131 additions & 13 deletions permissions/new/permissions.json
Expand Up @@ -1314,7 +1314,7 @@
},
"Application": {
"adminDisplayName": "Read and write all agent identities",
"adminDescription": "Allows the app read, update, and delete agent identities without a signed-in user.",
"adminDescription": "Allows the app to read, update, and delete agent identities without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1649,16 +1649,16 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Add or remove sponsors for agent identity blueprint",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprint on behalf of the signed-in user.",
"adminDisplayName": "Add or remove sponsors for agent identity blueprints",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprints on behalf of the signed-in user.",
"userDisplayName": "Update agent identity blueprint authorization related properties",
"userDescription": "Update agent identity blueprint authorization related properties on user's' behalf",
"requiresAdminConsent": true,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Add or remove sponsors for agent identity blueprint",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprint without a signed-in user.",
"adminDisplayName": "Add or remove sponsors for agent identity blueprints",
"adminDescription": "Allows the app to add or remove sponsors for agent identity blueprints without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1697,13 +1697,13 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Create agent identity blueprint service principals.",
"adminDisplayName": "Create agent identity blueprint principals.",
"adminDescription": "Allows creating new agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
},
"Application": {
"adminDisplayName": "Create agent identity blueprint service principals.",
"adminDisplayName": "Create agent identity blueprint principals.",
"adminDescription": "Allows creating new agent identity blueprint principals without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 5
Expand Down Expand Up @@ -1732,14 +1732,14 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Delete and restore agent identity blueprints.",
"adminDescription": "Allows deleting or restoring agent identity blueprints with a signed-in user.",
"adminDisplayName": "Delete and restore agent identity blueprint principals.",
"adminDescription": "Allows deleting or restoring agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
},
"Application": {
"adminDisplayName": "Delete and restore agent identity blueprints.",
"adminDescription": "Allows deleting or restoring agent identity blueprints without a signed-in user.",
"adminDisplayName": "Delete and restore agent identity blueprint principals.",
"adminDescription": "Allows deleting or restoring agent identity blueprint principals without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
Expand Down Expand Up @@ -1814,7 +1814,7 @@
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read agent identity blueprints principals.",
"adminDisplayName": "Read agent identity blueprint principals.",
"adminDescription": "Allows reading agent identity blueprint principals with a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 3
Expand Down Expand Up @@ -3106,6 +3106,114 @@
"ownerSecurityGroup": "agentregistrydevs"
}
},
"AgentRegistration.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read all agent registrations",
"adminDescription": "Allows the user to read all agent registration information",
"userDisplayName": "Read all agent registrations",
"userDescription": "Allows the app to read agent registration information.",
Comment on lines +3113 to +3116
Copilot AI Apr 25, 2026
In the DelegatedWork scheme, adminDescription says "Allows the user to read..." but these consent descriptions elsewhere describe what the app/client can do (typically "Allows the app/client to ... on behalf of the signed-in user"). This wording is inconsistent and may confuse consent UX; please update adminDescription to match the established phrasing pattern (e.g., like AuditLog.Read.All / AgentIdentity.Read.All).
"requiresAdminConsent": false,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Read all agent registrations",
"adminDescription": "Allows the app to read agent registration information without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "m365adminsvcdevteam"
}
},
"AgentRegistration.ReadWrite.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read and write all agent registrations",
"adminDescription": "Allows the user to read and write all agent registration information",
"userDisplayName": "Read and write all agent registrations",
"userDescription": "Allows the app to read and write agent registration information.",
Comment on lines +3149 to +3152
Copilot AI Apr 25, 2026
Same issue as AgentRegistration.Read.All: DelegatedWork adminDescription says "Allows the user to read and write..." rather than describing what the app can do on behalf of the signed-in user. Please align the wording with the surrounding permission descriptions to avoid confusing consent text.
"requiresAdminConsent": true,
"privilegeLevel": 3
},
"Application": {
"adminDisplayName": "Read and write all agent registrations",
"adminDescription": "Allows the app to read and write agent registration information without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
Comment on lines +3169 to +3174
Copilot AI Apr 25, 2026
AgentRegistration.ReadWrite.All marks the GET /copilot/agentRegistrations/{agentId} route as least-privileged for both schemes. Since AgentRegistration.Read.All is introduced specifically for read access, the ReadWrite scope should typically not be the least-privileged permission for GET (many other *.ReadWrite.* permissions map GET paths to an empty string to avoid recommending an over-privileged scope). Consider changing this GET path mapping to "" and letting AgentRegistration.Read.All be the least-privileged permission for GET.
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"POST"
],
"paths": {
"/copilot/agentRegistrations": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"PATCH"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"DELETE"
],
"paths": {
"/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "m365adminsvcdevteam"
}
},
"Agreement.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
Expand Down Expand Up @@ -5155,7 +5263,9 @@
"/reports/reconciliations/provisioning": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning/{id}": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning/{id}/identities": "least=DelegatedWork,Application",
"/reports/reconciliations/provisioning/{id}/identities/{id}": "least=DelegatedWork,Application"
"/reports/reconciliations/provisioning/{id}/identities/{id}": "least=DelegatedWork,Application",
"/users/{id}/agentSignInSessions": "least=DelegatedWork,Application",
"/users/{id}/agentSignInSessions/{id}": "least=DelegatedWork,Application"
}
},
{
Expand Down Expand Up @@ -11644,6 +11754,7 @@
"/devicemanagement/virtualendpoint/cloudpcs/{id}/resize": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/restore": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/retrypartneragentinstallation": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/setdevicename": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/start": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/stop": "least=DelegatedWork,Application",
"/devicemanagement/virtualendpoint/cloudpcs/{id}/troubleshoot": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -33987,6 +34098,7 @@
"/networkaccess/reports/getCrossTenantSummary": "least=DelegatedWork,Application",
"/networkaccess/reports/getDestinationSummaries": "least=DelegatedWork,Application",
"/networkaccess/reports/getDeviceUsageSummary": "least=DelegatedWork,Application",
"/networkaccess/reports/getDiscoveredAIAgentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getDiscoveredApplicationSegmentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getEnterpriseApplicationReport(startDateTime={startDateTime},endDateTime={endDateTime})": "least=DelegatedWork,Application",
"/networkaccess/reports/getUserThreatReport": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -34187,6 +34299,7 @@
"/networkaccess/reports/getCrossTenantSummary": "",
"/networkaccess/reports/getDestinationSummaries": "",
"/networkaccess/reports/getDeviceUsageSummary": "",
"/networkaccess/reports/getDiscoveredAIAgentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getDiscoveredApplicationSegmentReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getEnterpriseApplicationReport(startDateTime={startDateTime},endDateTime={endDateTime})": "",
"/networkaccess/reports/getUserThreatReport": "",
Expand Down Expand Up @@ -42823,6 +42936,7 @@
"/reports/getSharePointApiUsage(period={value})": "least=DelegatedWork",
"/reports/getuserarchivedprintjobs": "least=DelegatedWork",
"/reports/getuserarchivedprintjobs(userid={value},startdatetime={value},enddatetime={value})": "least=DelegatedWork",
"/reports/microsoftappsfilestoragecontainerusagesummary": "least=DelegatedWork",
"/reports/monthlyprintusagebyprinter": "least=DelegatedWork",
"/reports/monthlyprintusagebyprinter/{id}": "least=DelegatedWork",
"/reports/monthlyprintusagebyuser": "least=DelegatedWork",
Expand Down Expand Up @@ -56653,6 +56767,8 @@
"/admin/people/itemInsights": "least=DelegatedWork",
"/education/me/user": "",
"/education/users/{id}/user": "",
"/me/agentSignInSessions": "least=DelegatedWork",
"/me/agentSignInSessions/{id}": "least=DelegatedWork",
"/me/analytics/settings": "least=DelegatedWork",
"/me/cloudLicensing/assignmentErrors": "",
"/me/cloudLicensing/assignmentErrors/{id}": "",
Expand Down Expand Up @@ -58348,8 +58464,10 @@
"POST"
],
"paths": {
"/me/agentSignInSessions/{id}/revoke": "least=DelegatedWork,Application",
"/me/invalidateAllRefreshTokens": "least=DelegatedWork,Application",
"/me/revokesigninsessions": "least=DelegatedWork,Application",
"/users/{id}/agentSignInSessions/{id}/revoke": "least=DelegatedWork,Application",
"/users/{id}/invalidateAllRefreshTokens": "least=DelegatedWork,Application",
"/users/{id}/revokeSignInSessions": "least=DelegatedWork,Application"
}
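Review bot: The new `AgentRegistration.Read.All` entry sets `"requiresAdminConsent": false` on its DelegatedWork scheme (the line just before `"privilegeLevel": 3`), while the sibling `AgentRegistration.ReadWrite.All` DelegatedWork scheme and every other delegated scheme visible in this diff set it to `true`. Because the display name and pathSet describe tenant-wide read of agent registrations, a user-consentable grant widens exposure beyond what the other "all" permissions here allow; if user consent is intended, the PR description should say why, otherwise change it to `"requiresAdminConsent": true`. Separately, both new permissions map only `/copilot/agentRegistrations/{agentId}` for GET while `/copilot/agentRegistrations` appears only under POST — if the collection can be listed, a GET pathSet for it seems to be missing (cannot be confirmed from this diff).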