
Weekly Permissions sync 2026-04-15#1500

Open
marabooy wants to merge 1 commit into master from permissions-update/2026-04-15

Conversation

@marabooy
Contributor

Weekly Permissions sync 2026-04-15

@marabooy marabooy requested a review from a team as a code owner April 15, 2026 00:34
Copilot AI review requested due to automatic review settings April 15, 2026 00:34
Contributor

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Weekly sync updating the permissions catalog, adding new permission definitions and adjusting endpoint-to-permission mappings.

Changes:

  • Added new permission entries for Policy.Read.CrossTenantAccess and PreAuthorizationGrant.Read.All in provisioning metadata.
  • Updated multiple Microsoft Graph endpoint permission mappings, including cross-tenant access policy endpoints and FIDO2 authentication endpoints.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
permissions/new/provisioningInfo.json | Adds new permission definitions/metadata entries used for provisioning.
permissions/new/permissions.json | Updates endpoint-to-scheme/permission requirement mappings for cross-tenant policy and authentication (FIDO2) routes.
Comments suppressed due to low confidence (5)

permissions/new/permissions.json:1

  • These cross-tenant access policy paths were changed from least=DelegatedWork,Application to empty strings. If an empty string is treated as “no permission required” or “unknown mapping,” this is a significant behavioral change and could either under-enforce or break permission resolution. Replace "" with the intended requirement (e.g., keep least=DelegatedWork,Application, or map to the newly introduced cross-tenant policy permission if that’s the goal) rather than leaving the requirement blank.
    permissions/new/permissions.json:1
  • There are now mixed-casing paths for what appears to be the same endpoint (fido2methods vs fido2Methods), and they carry different permission requirements (e.g., empty vs least=Application vs least=DelegatedWork). If path matching is case-sensitive or strictly string-based (as it often is in routing/lookup tables), this can cause inconsistent authorization behavior depending on the exact casing used. Normalize to one canonical path casing throughout the file and ensure the requirement string is consistent for the canonical path.

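Added example, not code from the PR or the repository: a small lint that checks a permissions mapping for blank requirement strings and for case-variant paths whose requirements disagree (the fido2methods/fido2Methods point above), and a provisioning catalog for empty id/environment fields (the two inline comments below). The mapping and catalog shapes used here are constructed assumptions, not the real schema of permissions.json or provisioningInfo.json.

```python
# Added example (not from the PR or the repository). SAMPLE_MAPPING and SAMPLE_CATALOG are
# constructed; their shape is an assumption, not the real permissions.json/provisioningInfo.json schema.
import json
from collections import defaultdict

# Constructed: endpoint path -> requirement string, in the "least=..." style quoted in the review.
SAMPLE_MAPPING = json.loads("""{
  "/identity/crossTenantAccessPolicy": "",
  "/users/{id}/authentication/fido2methods": "",
  "/users/{id}/authentication/fido2Methods": "least=Application",
  "/users/{id}/authentication/Fido2Methods": "least=DelegatedWork",
  "/policies/crossTenantAccessPolicy/default": "least=DelegatedWork,Application"
}""")

# Constructed: permission name -> scheme entries, mirroring the fields shown in the PR excerpt.
SAMPLE_CATALOG = json.loads("""{
  "Policy.Read.CrossTenantAccess": [
    {"id": "", "scheme": "DelegatedWork", "environment": "public"},
    {"id": "", "scheme": "Application", "environment": "public"}
  ],
  "PreAuthorizationGrant.Read.All": [
    {"id": "", "scheme": "DelegatedWork", "environment": ""}
  ]
}""")

def lint_mapping(mapping):
    """Flag blank requirements, case-variant paths, and variants whose requirements disagree."""
    findings = []
    groups = defaultdict(dict)  # case-folded path -> {exact path: requirement}
    for path, req in mapping.items():
        if req.strip() == "":
            findings.append(("blank-requirement", path))
        groups[path.lower()][path] = req
    for canon, variants in groups.items():
        if len(variants) > 1:
            findings.append(("case-variants", canon, sorted(variants)))
            if len(set(variants.values())) > 1:
                findings.append(("conflicting-requirement", canon, sorted(set(variants.values()))))
    return findings

def lint_catalog(catalog):
    """Return (permission, scheme, field) for every entry whose id or environment is empty."""
    findings = []
    for name, entries in catalog.items():
        for entry in entries:
            for field in ("id", "environment"):
                if not entry.get(field):
                    findings.append((name, entry.get("scheme"), field))
    return findings
```

Run both linters in CI against the catalog files and fail the sync PR on any finding, so a blank requirement or a second casing of an existing path cannot land silently.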

Comment on lines +11017 to +11034
"Policy.Read.CrossTenantAccess": [
{
"id": "",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
],
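Review bot: both Policy.Read.CrossTenantAccess entries have "id": "" while "isEnabled": true, so a consumer that keys on id cannot tell the DelegatedWork entry from the Application one, and an enabled entry with a blank id will be handed to whatever provisions on that GUID. Either fill in the two ids before merging or set "isEnabled": false on both entries until the ids are known.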

Copilot AI Apr 15, 2026


id is an empty string for the newly added Policy.Read.CrossTenantAccess permission entries. If id is used as the authoritative permission GUID (common for permission catalogs), leaving it empty can break lookups, deduplication, or downstream provisioning flows. Populate id with the actual permission ID(s) for both DelegatedWork and Application schemes (or remove the entry entirely if the ID is intentionally unknown and the system supports that explicitly).

Suggested change
"Policy.Read.CrossTenantAccess": [
{
"id": "",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
}
],
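Review bot: this suggested change is identical to the flagged lines, so applying it would change nothing; the two "id": "" values it is meant to fix are still blank. Drop the suggestion or replace the ids with the real values (or clearly marked placeholders) so it actually implements the comment above.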

Comment on lines +27644 to +27654
"id": "",
"scheme": "DelegatedWork",
"environment": "",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "",

Copilot AI Apr 15, 2026


The new PreAuthorizationGrant.Read.All entries have both id and environment set to empty strings. This is inconsistent with the surrounding data (e.g., environment: "public") and can break environment-based filtering or validation. Set environment to the correct value (likely "public" based on nearby entries) and provide the concrete permission id values.

Suggested change
"id": "",
"scheme": "DelegatedWork",
"environment": "",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "",
"id": "<REPLACE_WITH_AUTHORITATIVE_DELEGATEDWORK_PERMISSION_GUID>",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "<REPLACE_WITH_AUTHORITATIVE_APPLICATION_PERMISSION_GUID>",
"scheme": "Application",
"environment": "public",
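Review bot: the replacement lines set "environment": "public" but leave "id" as <REPLACE_WITH_AUTHORITATIVE_DELEGATEDWORK_PERMISSION_GUID> and <REPLACE_WITH_AUTHORITATIVE_APPLICATION_PERMISSION_GUID>, which are not GUIDs; applying the suggestion as-is would commit placeholder text into provisioningInfo.json. Substitute the real ids before applying, and consider a schema check that rejects any id that does not parse as a GUID so this cannot land by accident.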
