Weekly Permissions sync 2026-04-14 #1499

Open
marabooy wants to merge 1 commit into master from permissions-update/2026-04-14

@marabooy
Contributor

Weekly Permissions sync 2026-04-14

@marabooy marabooy requested a review from a team as a code owner April 14, 2026 20:37
Copilot AI review requested due to automatic review settings April 14, 2026 20:37
Contributor

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Weekly sync updating the permissions/provisioning metadata, adding new permission entries and adjusting cross-tenant access policy endpoint mappings.

Changes:

  • Added provisioning metadata for Policy.Read.CrossTenantAccess and PreAuthorizationGrant.Read.All.
  • Changed several /policies/crosstenantaccesspolicy* endpoint permission mappings to empty strings and introduced a dedicated GET block for those paths.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| permissions/new/provisioningInfo.json | Adds new provisioning entries for cross-tenant access and pre-authorization grant permissions. |
| permissions/new/permissions.json | Updates required-permission mappings for cross-tenant access policy endpoints and splits GET handling into a separate block. |
Comments suppressed due to low confidence (3)

  • permissions/new/permissions.json:1: These endpoints previously had values like least=DelegatedWork,Application and are now set to "". If the permissions resolver/parser expects a structured value (e.g., least=...) or expects missing keys to mean “no mapping”, an empty string risks being treated as an invalid permission expression and can break generation/validation. Prefer either (a) restoring a valid permission expression, or (b) removing the keys entirely if the intent is “no permissions mapping / unsupported”.
  • permissions/new/permissions.json:1: These endpoints previously had values like least=DelegatedWork,Application and are now set to "". If the permissions resolver/parser expects a structured value (e.g., least=...) or expects missing keys to mean “no mapping”, an empty string risks being treated as an invalid permission expression and can break generation/validation. Prefer either (a) restoring a valid permission expression, or (b) removing the keys entirely if the intent is “no permissions mapping / unsupported”.
  • permissions/new/permissions.json:1: This new GET block introduces path mappings with empty-string permission requirements. Even if the intent is to represent “no permission required” or “unknown”, encoding that as "" is ambiguous and inconsistent with the rest of the file’s schema (least=...). Use the established representation for “no mapping” (typically omitting the path entry) or a schema-supported explicit marker (if one exists) to avoid confusing API consumers and tooling.

Comment on lines +11017 to +11034
"Policy.Read.CrossTenantAccess": [
{
"id": "",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
],
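Review bot: Both records in this hunk carry "id": "", so the DelegatedWork and Application entries for Policy.Read.CrossTenantAccess cannot be resolved or told apart by id. Fill in the ids before this lands, or have the sync job skip entries whose id is still empty, and add a schema check that rejects "id": "" so a later weekly sync cannot reintroduce it.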

Copilot AI Apr 14, 2026

id is set to an empty string for the newly added permissions, and environment is also empty for PreAuthorizationGrant.Read.All. If downstream tooling expects a real scope/appRole GUID and a non-empty environment (as it appears to for other entries), these records will be unusable and may cause lookups/exports to fail. Populate the correct id values (scope/appRole IDs) and set environment consistently (e.g., "public"), or omit these entries until the authoritative IDs are available.

Comment on lines +27642 to 27659
"PreAuthorizationGrant.Read.All": [
{
"id": "",
"scheme": "DelegatedWork",
"environment": "",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
]
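Review bot: "environment": "" on both PreAuthorizationGrant.Read.All records is inconsistent with the "public" value used for Policy.Read.CrossTenantAccess in the same change, and "id": "" is empty here as well. Set environment to the intended value or drop the entry until both fields are known; with "isEnabled": true, a consumer that filters on environment would skip a permission that the file marks as enabled.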

Copilot AI Apr 14, 2026

id is set to an empty string for the newly added permissions, and environment is also empty for PreAuthorizationGrant.Read.All. If downstream tooling expects a real scope/appRole GUID and a non-empty environment (as it appears to for other entries), these records will be unusable and may cause lookups/exports to fail. Populate the correct id values (scope/appRole IDs) and set environment consistently (e.g., "public"), or omit these entries until the authoritative IDs are available.
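
A pre-merge check for the problem raised in the review comments above, as an added example that is not part of the pull request or the repository's tooling: it flags provisioning records whose id or resourceAppId is not a GUID or whose scheme or environment is empty. The flat name-to-records layout is assumed from the quoted hunks, and `Example.Read.All` with its ids is constructed to show a passing record.

```python
import re

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def entry(perm_id, scheme, environment):
    """Build one record with the fields shown in the quoted hunks."""
    return {"id": perm_id, "scheme": scheme, "environment": environment,
            "isHidden": True, "isEnabled": True,
            "resourceAppId": "00000002-0000-0000-c000-000000000000"}


# Constructed sample. The first two permissions mirror the values quoted in
# the review; Example.Read.All and its ids are made up (assumption).
SAMPLE = {
    "Policy.Read.CrossTenantAccess": [
        entry("", "DelegatedWork", "public"),
        entry("", "Application", "public")],
    "PreAuthorizationGrant.Read.All": [
        entry("", "DelegatedWork", ""),
        entry("", "Application", "")],
    "Example.Read.All": [
        entry("11111111-1111-1111-1111-111111111111", "DelegatedWork", "public"),
        entry("22222222-2222-2222-2222-222222222222", "Application", "public")],
}


def lint_provisioning(info):
    """Return (permission, scheme, problem) tuples for unusable records."""
    findings = []
    for name, records in info.items():
        for rec in records:
            scheme = rec.get("scheme") or "<no scheme>"
            # id and resourceAppId must both look like GUIDs.
            for field in ("id", "resourceAppId"):
                if not GUID_RE.match(str(rec.get(field) or "")):
                    findings.append((name, scheme, f"{field} is not a GUID"))
            # scheme and environment must be present and non-empty.
            for field in ("scheme", "environment"):
                if not rec.get(field):
                    findings.append((name, scheme, f"{field} is empty"))
    return findings


if __name__ == "__main__":
    problems = lint_provisioning(SAMPLE)
    for name, scheme, problem in problems:
        print(f"{name} [{scheme}]: {problem}")
    raise SystemExit(1 if problems else 0)
```

Run as a CI step, the non-zero exit status blocks a sync that still contains placeholder records.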
