Pull request overview
Weekly sync of the permission metadata sources that back the repo’s permissions catalog (deployment/provisioning data and permission definitions).
Changes:
- Added new provisioning entries (e.g., LifecyclePolicies-Guests.*) and updated visibility/IDs for several existing permission deployments (notably TenantGovernance-*, WindowsUpdates.Read.All).
- Expanded/adjusted Microsoft Graph path mappings for new “inherited*” endpoints and several Network Access + Planner endpoints.
- Added new permission definitions in permissions.json (e.g., TenantGovernance-*, WindowsUpdates.Read.All) and updated a couple of permission descriptions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Adds/updates permission deployment records (IDs, hidden flags, new permissions). |
| permissions/new/permissions.json | Updates permission definitions and path mappings; introduces new permission entries. |
| "adminDescription": "Allows the app to read, update, create, and delete agent identity blueprints on behalf of the signed-in user.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 | ||
| }, | ||
| "Application": { | ||
| "adminDisplayName": "Read and write all agent identity blueprints.", | ||
| "adminDescription": "Allows the app to read, update, and delete agent identity blueprints without a signed-in user.", | ||
| "adminDescription": "Allows the app to read, update, create, and delete agent identity blueprints without a signed-in user.", | ||
| "requiresAdminConsent": true, |
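Review bot: in the Application block, the earlier of the two adminDescription lines already reads "read, update, and delete", so "create" is the only verb this change adds and "delete" predates it. The Delegated adminDescription at the top of the hunk carries the same four verbs, so if the wording is narrowed, change both descriptions together and check them against the adminDisplayName "Read and write all agent identity blueprints.", since this is the text an admin relies on when granting a requiresAdminConsent permission.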
The updated adminDescription now claims this permission can "create" and "delete" agent identity blueprints, but the defined pathSets for AgentIdentityBlueprint.ReadWrite.All only include PATCH (update) operations. Either remove unsupported actions from the description or add the corresponding POST/DELETE paths/methods to match the described capabilities (or rely on the separate Create/DeleteRestore permissions).
| "adminDescription": "Allows the app to read, update, create, and delete agent identity blueprint principals on behalf of the signed-in user.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 | ||
| }, | ||
| "Application": { | ||
| "adminDisplayName": "Read and write all agent identity blueprint principals.", | ||
| "adminDescription": "Allows the app to read, update, and delete agent identity blueprint principals without a signed-in user.", | ||
| "adminDescription": "Allows the app to read, update, create, and delete agent identity blueprint principals without a signed-in user.", | ||
| "requiresAdminConsent": true, |
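Review bot: the new Application adminDescription orders the verbs as "read, update, create, and delete", which places the newly added "create" mid-list where it is easy to miss in a consent prompt. Consider the conventional "create, read, update, and delete" order, applied to the Delegated description in the same hunk as well, so the two schemes differ only in the signed-in-user clause.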
The updated adminDescription now claims this permission can "create" and "delete" agent identity blueprint principals, but the pathSets for AgentIdentityBlueprintPrincipal.ReadWrite.All only include PATCH (update) operations. Please align the description with actual allowed operations, or add POST/DELETE paths/methods if this permission is intended to cover those actions (otherwise keep create/delete covered by the separate Create/DeleteRestore permissions).
Weekly Permissions sync 2026-03-06
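
A lint for the mismatch the two review comments describe, as an added example that is not part of the pull request or the repository's tooling: it compares the verbs in each scheme's adminDescription with the HTTP methods its pathSets grant. The `schemes`/`schemeKeys`/`methods` layout, the verb-to-method mapping and the sample catalog are assumptions constructed for illustration.

```python
import re

# Assumed mapping from consent-text verbs to the HTTP methods that would back them.
VERB_METHODS = {"read": {"GET"}, "create": {"POST"},
                "update": {"PATCH", "PUT"}, "delete": {"DELETE"}}

def unsupported_verbs(perm):
    """Return sorted (scheme, verb) pairs whose adminDescription verb has no backing method."""
    findings = []
    for scheme, info in perm.get("schemes", {}).items():
        # Methods granted to this scheme across all pathSets (assumed keys: schemeKeys, methods).
        allowed = {m.upper() for ps in perm.get("pathSets", [])
                   if scheme in ps.get("schemeKeys", []) for m in ps.get("methods", [])}
        words = set(re.findall(r"[a-z]+", info.get("adminDescription", "").lower()))
        findings += [(scheme, verb) for verb, methods in VERB_METHODS.items()
                     if verb in words and not methods & allowed]
    return sorted(findings)

def audit(catalog):
    """Map permission name -> findings, omitting permissions with none."""
    report = {name: unsupported_verbs(perm)
              for name, perm in catalog.get("permissions", {}).items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample, not the repository's data.
SAMPLE = {"permissions": {
    "Sample.ReadWrite.All": {
        "schemes": {"Application": {"adminDescription":
            "Allows the app to read, update, create, and delete sample objects "
            "without a signed-in user."}},
        "pathSets": [{"schemeKeys": ["Application"], "methods": ["GET", "PATCH"],
                      "paths": {"/samples/{id}": ""}}],
    },
    "Sample.Read.All": {
        "schemes": {"Application": {"adminDescription":
            "Allows the app to read sample objects without a signed-in user."}},
        "pathSets": [{"schemeKeys": ["Application"], "methods": ["GET"],
                      "paths": {"/samples": ""}}],
    },
}}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for scheme, verb in findings:
            print(f"{name} [{scheme}]: description says '{verb}' but no pathSet method backs it")
```

Run against a parsed permissions.json in CI, a non-empty report can fail the sync before consent text that overstates or understates a permission is merged.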