Weekly Permissions sync 2026-04-19#1505

Open
marabooy wants to merge 1 commit into master from permissions-update/2026-04-19

Conversation

@marabooy (Contributor)

Weekly Permissions sync 2026-04-19

@marabooy marabooy requested a review from a team as a code owner April 19, 2026 00:32
Copilot AI review requested due to automatic review settings April 19, 2026 00:32
Copilot AI (Contributor) left a comment


Pull request overview

Weekly permissions sync updating permission metadata and path mappings for newly added/updated scopes.

Changes:

  • Added new CopilotPolicySettings.Read and CopilotPolicySettings.ReadWrite permission definitions and endpoint mappings.
  • Updated provisioningInfo.json permission deployment entries (IDs/visibility) and added new permission deployments.
  • Adjusted multiple policy/authentication-related path mappings (notably cross-tenant access policy GET mappings and FIDO2/passkey-related paths).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

Reviewed files:
permissions/new/provisioningInfo.json: Updates/adds permission deployment entries (IDs, visibility, new scopes).
permissions/new/permissions.json: Adds Copilot policy settings scopes and updates numerous endpoint-to-scope mappings.


Comment on lines +8188 to +8208
],
"InfoProtectABACPolicy.Read.All": [
{
"id": "f8c4e3f1-6b9a-4c2e-8d5a-bcf123456789",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "f06db492-d3b8-4e06-9586-db69232ec12a"
},
{
"id": "a2d4f7c9-3e8b-4a1f-9d6c-def987654321",
"scheme": "Application",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "f06db492-d3b8-4e06-9586-db69232ec12a"
}
],
"InfoProtectABACPolicy.ReadWrite.All": [
{
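Review bot: the two deployment ids added in this hunk, "f8c4e3f1-6b9a-4c2e-8d5a-bcf123456789" and "a2d4f7c9-3e8b-4a1f-9d6c-def987654321", end in the digit runs "123456789" and "987654321", which is the shape of hand-typed placeholders rather than generated GUIDs. Please confirm these are the ids actually registered for the InfoProtectABACPolicy.Read.All DelegatedWork and Application deployments on resourceAppId f06db492-d3b8-4e06-9586-db69232ec12a, since whatever consumes provisioningInfo.json will provision the value in this file as the real permission id.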
Copilot AI Apr 19, 2026


The new InfoProtectABACPolicy.* entries are mis-indented compared to surrounding keys (extra leading spaces before the permission name and the following objects). This breaks the established 2-space-per-level formatting used in this file and makes diffs/automation harder to reason about. Please align these keys and array/object indentation to match adjacent permissions (e.g., InfoProtectAttributeDefinition.*).

Copilot uses AI. Check for mistakes.
Comment on lines +11053 to +11068
"Policy.Read.CrossTenantAccess": [
{
"id": "",
"scheme": "DelegatedWork",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
},
{
"id": "",
"scheme": "Application",
"environment": "public",
"isHidden": true,
"isEnabled": true,
"resourceAppId": "00000002-0000-0000-c000-000000000000"
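Review bot: both Policy.Read.CrossTenantAccess deployments in this hunk carry "id": "", so as written they declare a DelegatedWork and an Application deployment with no permission id to provision. If ids are assigned later in the sync pipeline, please say so in the PR description; otherwise they should be filled in before merge. Note also that the review comments on permissions.json below report no Policy.Read.CrossTenantAccess definition in that file, so these two entries currently have no scope definition behind them, which is a second reason to land the definition and the deployment together.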
Copilot AI Apr 19, 2026


Policy.Read.CrossTenantAccess uses resourceAppId "00000002-0000-0000-c000-000000000000", whereas the related Policy.ReadWrite.CrossTenantAccess entry uses an empty resourceAppId (default) like most other Policy.* scopes nearby. Can you confirm this read scope is intended to target a different resource app? If not, align resourceAppId with the other Policy.Read*/ReadWrite* entries for cross-tenant access to avoid mis-provisioning the scope.

Comment on lines 37592 to +37607
@@ -37515,9 +37602,9 @@
"/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantOpenProfileCard": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantPlacesDeskBooking": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/default/m365Capabilities/crossTenantPlacesRoomBooking": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/partners": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/partners/{id}": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "least=DelegatedWork,Application",
"/policies/crosstenantaccesspolicy/partners": "",
"/policies/crosstenantaccesspolicy/partners/{id}": "",
"/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "",
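Review bot: the three -/+ pairs in this hunk downgrade the partners, partners/{id} and partners/{id}/identitysynchronization GET paths under Policy.Read.All from "least=DelegatedWork,Application" to "" without the scope that takes over the least mapping appearing in the same change, so a reviewer cannot tell a deliberate move from an accidental deletion. The PR description ("path mappings for newly added/updated scopes") does not name the receiving scope either. Please pair the downgrade with the new read scope's path mappings in this PR, or keep the least values on these lines until that scope exists.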
Copilot AI Apr 19, 2026


These /policies/crosstenantaccesspolicy* GET paths were changed from "least=DelegatedWork,Application" to "" under Policy.Read.All. After this change, there no longer appears to be any permission in permissions.json that declares the least-privileged scope for GET on these endpoints (they're also "" under Policy.ReadWrite.CrossTenantAccess). If the intent is to move GET least-privilege to a new scope (e.g., Policy.Read.CrossTenantAccess), that scope needs to be added here with the appropriate path mappings; otherwise, please restore the least mappings for GET.

Comment on lines +39131 to +39139
"GET"
],
"paths": {
"/policies/crosstenantaccesspolicy": "",
"/policies/crosstenantaccesspolicy/default": "",
"/policies/crosstenantaccesspolicy/partners": "",
"/policies/crosstenantaccesspolicy/partners/{id}": "",
"/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": ""
}
Copilot AI Apr 19, 2026


Policy.ReadWrite.CrossTenantAccess now has a dedicated GET pathSet where all crosstenantaccesspolicy* paths map to "". Given Policy.Read.All also maps these GET paths to "", this leaves GET without any least-privileged scope mapping in the file. Consider mapping these GET paths to the intended read scope (or adding a new Policy.Read.CrossTenantAccess permission definition and referencing it as least) rather than leaving them blank in both places.

Comment on lines 58346 to 58349
"/users/{id}/authentication/fido2methods": "",
"/users/{id}/authentication/fido2methods/{id}": "",
"/users/{id}/authentication/fido2methods/creationOptions": "",
"/users/{id}/authentication/fido2Methods/creationOptions": "",
"/users/{id}/authentication/methods": "",
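Review bot: separate from the fido2methods/fido2Methods casing split, the template "/users/{id}/authentication/fido2methods/{id}" reuses the placeholder name {id} for both the user segment and the method segment, while the other templates visible in this change ("/policies/crosstenantaccesspolicy/partners/{id}") carry a single {id}. If the path matcher keys on placeholder names rather than positions, the two segments become indistinguishable; please confirm positional matching, or use distinct placeholder names for nested ids in these FIDO2 paths.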
Copilot AI Apr 19, 2026


Within this path map, the FIDO2 creationOptions path uses a different casing ("/users/{id}/authentication/fido2Methods/creationOptions") than the surrounding FIDO2 entries ("fido2methods"). Having both casings in the same file can create duplicate keys for what is likely the same endpoint and lead to inconsistent permission evaluation by downstream tooling. Please standardize the casing for this endpoint to match the canonical form used for the rest of the FIDO2 paths in this section.

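The four findings raised across the comments above (GET paths that no scope marks as least-privileged, path keys that differ only by case, deployments with an empty id, and a deployment entry for a scope that permissions.json never defines) can be checked mechanically before a sync PR is opened. The script below is an added example written for this page, not code from the repository under review. The file layout it assumes is reconstructed from the snippets quoted in the review (a scope name mapped to pathSets of methods and paths whose values are "" or "least=<schemes>", and provisioningInfo entries with id, scheme and resourceAppId fields); the embedded JSON is constructed to reproduce the reported findings, and the scope names and GUIDs in it are illustrative, not copied from the real files.

```python
"""Consistency checks for a permissions.json / provisioningInfo.json pair.

Added example for this review thread, not code from the repository under review.
Assumed layout (reconstructed from the snippets quoted in the review comments):
  permissions.json     : {scope: {"pathSets": [{"methods": [...],
                                                "paths": {path: "" | "least=<schemes>"}}]}}
  provisioningInfo.json: {scope: [{"id", "scheme", "environment",
                                   "isHidden", "isEnabled", "resourceAppId"}, ...]}
"""
import json
import re
from collections import defaultdict

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample shaped like the review snippets; scope names and ids are illustrative.
PERMISSIONS = json.loads(r'''{
  "Policy.Read.All": {"pathSets": [
    {"methods": ["GET"], "paths": {
      "/policies/crosstenantaccesspolicy/partners": "",
      "/policies/crosstenantaccesspolicy/partners/{id}": ""}}]},
  "Policy.ReadWrite.CrossTenantAccess": {"pathSets": [
    {"methods": ["GET"], "paths": {
      "/policies/crosstenantaccesspolicy/partners": "",
      "/policies/crosstenantaccesspolicy/partners/{id}": ""}},
    {"methods": ["PATCH"], "paths": {
      "/policies/crosstenantaccesspolicy/partners/{id}": "least=DelegatedWork,Application"}}]},
  "UserAuthenticationMethod.Read.All": {"pathSets": [
    {"methods": ["GET"], "paths": {
      "/users/{id}/authentication/fido2methods": "least=DelegatedWork,Application",
      "/users/{id}/authentication/fido2methods/creationOptions": "least=DelegatedWork,Application",
      "/users/{id}/authentication/fido2Methods/creationOptions": ""}}]}
}''')

PROVISIONING = json.loads(r'''{
  "Policy.Read.CrossTenantAccess": [
    {"id": "", "scheme": "DelegatedWork", "environment": "public", "isHidden": true,
     "isEnabled": true, "resourceAppId": "00000002-0000-0000-c000-000000000000"},
    {"id": "", "scheme": "Application", "environment": "public", "isHidden": true,
     "isEnabled": true, "resourceAppId": "00000002-0000-0000-c000-000000000000"}],
  "Policy.ReadWrite.CrossTenantAccess": [
    {"id": "11111111-2222-3333-4444-555555555555", "scheme": "DelegatedWork",
     "environment": "public", "isHidden": true, "isEnabled": true, "resourceAppId": ""}]
}''')


def iter_path_entries(permissions):
    """Yield (scope, method, path, value) for every mapping in every pathSet."""
    for scope, definition in permissions.items():
        for path_set in definition.get("pathSets", []):
            for method in path_set.get("methods", []):
                for path, value in path_set.get("paths", {}).items():
                    yield scope, method, path, value


def missing_least(permissions):
    """(method, path) pairs that no scope in the file marks as least-privileged."""
    has_least = defaultdict(bool)
    for _scope, method, path, value in iter_path_entries(permissions):
        has_least[(method, path)] |= value.startswith("least=")
    return sorted(key for key, ok in has_least.items() if not ok)


def case_collisions(permissions):
    """Groups of path spellings that differ only by case anywhere in the file."""
    spellings = defaultdict(set)
    for _scope, _method, path, _value in iter_path_entries(permissions):
        spellings[path.lower()].add(path)
    return sorted(tuple(sorted(group)) for group in spellings.values() if len(group) > 1)


def bad_deployment_ids(provisioning):
    """(scope, scheme) deployments whose id is empty or not a well-formed GUID."""
    bad = []
    for scope, deployments in provisioning.items():
        for entry in deployments:
            if not UUID_RE.match(entry.get("id", "")):
                bad.append((scope, entry.get("scheme", "")))
    return sorted(bad)


def undefined_scopes(permissions, provisioning):
    """Scopes that have a deployment entry but no definition in permissions.json."""
    return sorted(set(provisioning) - set(permissions))


if __name__ == "__main__":
    for name, result in [("GET/other paths with no least scope", missing_least(PERMISSIONS)),
                         ("path keys differing only by case", case_collisions(PERMISSIONS)),
                         ("deployments with bad ids", bad_deployment_ids(PROVISIONING)),
                         ("deployed but undefined scopes",
                          undefined_scopes(PERMISSIONS, PROVISIONING))]:
        print(name, json.dumps(result, indent=2))
```

Run against the real pair of files by replacing the two embedded literals with `json.load(open(...))`; the collision check deliberately keys on the lower-cased path while `missing_least` keys on the exact spelling, which is why a case-split endpoint can show up in both reports at once, exactly the situation the FIDO2 creationOptions comment describes.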
2 participants