Pull request overview
Weekly sync updating the permissions catalog and provisioning metadata used to describe OAuth2 scopes/roles and their least-privileged mappings to API paths.
Changes:
- Added CopilotPolicySettings.Read / CopilotPolicySettings.ReadWrite permission definitions and provisioning IDs.
- Updated policy and authentication-related path mappings (notably CrossTenantAccessPolicy and FIDO2/passkey-related routes).
- Added several new permission deployment entries in provisioningInfo.json (e.g., InfoProtect ABAC policy permissions, CrossTenantAccess read permission, EntraAppAuthorization variants).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Updates permission deployment metadata (ids, hidden/enabled flags, resourceAppId) and adds new permission deployment entries. |
| permissions/new/permissions.json | Adds/updates permission definitions and adjusts least-privileged path mappings for various endpoints. |
| "InfoProtectABACPolicy.Read.All": [ | ||
| { | ||
| "id": "f8c4e3f1-6b9a-4c2e-8d5a-bcf123456789", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "public", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "f06db492-d3b8-4e06-9586-db69232ec12a" | ||
| }, | ||
| { | ||
| "id": "a2d4f7c9-3e8b-4a1f-9d6c-def987654321", | ||
| "scheme": "Application", | ||
| "environment": "public", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "f06db492-d3b8-4e06-9586-db69232ec12a" | ||
| } | ||
| ], | ||
| "InfoProtectABACPolicy.ReadWrite.All": [ | ||
| { | ||
| "id": "e5b0a9c7-1f4d-4e8c-b3a2-acde13579246", |
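Review bot: Both InfoProtectABACPolicy.Read.All entries ship with `"isHidden": true` next to `"isEnabled": true`, so the permission is deployable while still hidden; confirm that hidden-but-enabled is the intended rollout state for the ABAC policy permissions rather than a staging placeholder, and make sure the InfoProtectABACPolicy.ReadWrite.All entries that follow carry the same pair of flags so the Read and ReadWrite variants do not diverge in visibility.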
The new InfoProtectABACPolicy.* entries are indented differently than surrounding permission keys (extra leading spaces on the key lines), breaking the repo’s consistent JSON indentation/alignment. Please reformat these lines to match the neighboring keys/arrays so diffs stay stable and automated formatting/validation doesn’t fail.
| "Policy.Read.CrossTenantAccess": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "public", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "public", | ||
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" |
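Review bot: Both Policy.Read.CrossTenantAccess entries carry `"id": ""`, whereas the other entries added in this sync (the InfoProtectABACPolicy.* ones above) come with concrete GUIDs; an empty id means the provisioning record cannot be correlated with a deployed permission, so either assign the ids before merging or state in the PR why they are intentionally blank until a later sync.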
Policy.Read.CrossTenantAccess is introduced with resourceAppId set to "00000002-0000-0000-c000-000000000000", but the existing Policy.ReadWrite.CrossTenantAccess entry uses an empty resourceAppId in this file. If these permissions target the same resource, this mismatch will cause incorrect deployment metadata. Please confirm the correct resourceAppId and align it with the related Policy.* entries.
| @@ -37515,9 +37602,9 @@ | |||
| "/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantOpenProfileCard": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantPlacesDeskBooking": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantPlacesRoomBooking": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/partners": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/partners/{id}": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "least=DelegatedWork,Application", | |||
| "/policies/crosstenantaccesspolicy/partners": "", | |||
| "/policies/crosstenantaccesspolicy/partners/{id}": "", | |||
| "/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "", | |||
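Review bot: The hunk drops `"least=DelegatedWork,Application"` from the three partner GET paths under Policy.Read.All, yet the diff shows no permissions.json definition for the Policy.Read.CrossTenantAccess permission that provisioningInfo.json gains in this same PR; if that new read-only permission is where the least mapping for these paths is meant to move, its pathSet (with `"least=DelegatedWork,Application"` on these paths) should land in this PR so the two files stay consistent between syncs.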
These CrossTenantAccessPolicy GET paths are now mapped to "" under Policy.Read.All, but there is no other permission in this file that maps them as least-privileged (searching shows only "" for GET and "least=..." only for PATCH/POST). That leaves GET /policies/crosstenantaccesspolicy* without a least-permission mapping. If the intent is to move GET to a new read-only permission (e.g., Policy.Read.CrossTenantAccess), that permission definition/pathSet needs to be added and these paths should point to it as the least scope.
| "GET" | ||
| ], | ||
| "paths": { | ||
| "/policies/crosstenantaccesspolicy": "", | ||
| "/policies/crosstenantaccesspolicy/default": "", | ||
| "/policies/crosstenantaccesspolicy/partners": "", | ||
| "/policies/crosstenantaccesspolicy/partners/{id}": "", | ||
| "/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "" | ||
| } |
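Review bot: In this hunk the empty string means "supported by this permission but not its least scope", while the provisioningInfo.json hunk above uses `"id": ""` to mean "not yet set"; a validation pass cannot tell an intentional non-least GET mapping from one that was never filled in, so a GET pathSet on a ReadWrite permission should be paired with the read-only permission that carries the `least=` marker, or the PR description should say that these GET paths are deliberately non-least everywhere.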
Policy.ReadWrite.CrossTenantAccess now has a GET pathSet where the CrossTenantAccessPolicy endpoints are all mapped to "". As with Policy.Read.All, there does not appear to be any permission that marks these GET endpoints as least-privileged, so least-scope resolution for GET is currently undefined. Please add/restore the read-only permission mapping for GET (or revert these "" mappings) so every exposed GET path has a clear least permission.
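The check that the two comments above perform by hand, walking the catalog for exposed GET paths that no permission marks as least-privileged, as an added example that is not part of this pull request or of the msgraph-metadata tooling. It assumes only the permissions.json layout visible in the hunks (a pathSet with `"methods"` and `"paths"`, `""` meaning supported but not least, `"least=<schemes>"` marking the least scope); the top-level `"permissions"` key, the `"pathSets"` and `"schemeKeys"` names, the `;`-separated extra fields it tolerates, and the sample catalog are constructed assumptions.

```python
"""Least-privilege coverage check for a Graph-style permissions catalog.

Added example, not part of the pull request or the repository's own tooling.
Assumed layout: catalog["permissions"][name]["pathSets"] is a list of
{"schemeKeys": [...], "methods": [...], "paths": {path: value}}, where value is
"" (supported, not least) or "least=Scheme1,Scheme2" (least for those schemes).
"""

# Constructed sample reproducing the situation in the hunks: every permission
# that lists the GET paths maps them to "", while only PATCH/POST carry "least=".
SAMPLE_CATALOG = {
    "permissions": {
        "Policy.Read.All": {
            "pathSets": [
                {
                    "schemeKeys": ["DelegatedWork", "Application"],
                    "methods": ["GET"],
                    "paths": {
                        "/policies/crosstenantaccesspolicy": "",
                        "/policies/crosstenantaccesspolicy/partners": "",
                        "/policies/crosstenantaccesspolicy/partners/{id}": "",
                    },
                }
            ]
        },
        "Policy.ReadWrite.CrossTenantAccess": {
            "pathSets": [
                {
                    "schemeKeys": ["DelegatedWork", "Application"],
                    "methods": ["GET"],
                    "paths": {
                        "/policies/crosstenantaccesspolicy": "",
                        "/policies/crosstenantaccesspolicy/partners": "",
                        "/policies/crosstenantaccesspolicy/partners/{id}": "",
                    },
                },
                {
                    "schemeKeys": ["DelegatedWork", "Application"],
                    "methods": ["PATCH", "POST"],
                    "paths": {
                        "/policies/crosstenantaccesspolicy/partners": "least=DelegatedWork,Application",
                        "/policies/crosstenantaccesspolicy/partners/{id}": "least=DelegatedWork,Application",
                    },
                },
            ]
        },
    }
}


def parse_least(value):
    """Return the set of schemes for which a path entry is the least privilege.

    "" yields an empty set. Fields other than least= (assumed to be separated
    by ';' if present) are ignored.
    """
    schemes = set()
    for part in value.split(";"):
        part = part.strip()
        if part.startswith("least="):
            schemes.update(s.strip() for s in part[len("least="):].split(",") if s.strip())
    return schemes


def least_coverage(catalog):
    """Map every exposed (method, path, scheme) to the permissions that are least for it."""
    coverage = {}
    for perm_name, perm in catalog["permissions"].items():
        for path_set in perm.get("pathSets", []):
            for method in path_set.get("methods", []):
                for path, value in path_set.get("paths", {}).items():
                    for scheme in path_set.get("schemeKeys", []):
                        key = (method, path, scheme)
                        holders = coverage.setdefault(key, set())  # register the endpoint
                        if scheme in parse_least(value):
                            holders.add(perm_name)
    return coverage


def find_uncovered(catalog):
    """Sorted (method, path, scheme) triples that no permission marks as least-privileged."""
    return sorted(key for key, perms in least_coverage(catalog).items() if not perms)


if __name__ == "__main__":
    for method, path, scheme in find_uncovered(SAMPLE_CATALOG):
        print(f"no least permission: {method} {path} [{scheme}]")
```

Run against the real permissions.json by loading it with `json.load` and passing the resulting dict to `find_uncovered`; any triple it reports is an endpoint whose least-scope resolution is undefined, which is exactly the condition both comments flag for the CrossTenantAccessPolicy GET paths.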
Weekly Permissions sync 2026-04-17