Pull request overview
Weekly permissions metadata sync updating the permissions catalog and provisioning metadata to reflect newly available scopes, updated resource app IDs, and newly exposed API routes.
Changes:
- Adds new `AgentRegistration.Read.All` and `AgentRegistration.ReadWrite.All` permission definitions and enables them in provisioning metadata (with populated GUID IDs).
- Updates `AppGalleryIntegrationRequest.*` entries in provisioning metadata to use a new `resourceAppId`.
- Extends several existing permissions’ `pathSets` with new API routes (e.g., agent sign-in sessions, Cloud PC set device name, new report functions) and includes minor text fixes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Populates/enables AgentRegistration permission variants and updates resourceAppId for multiple AppGalleryIntegrationRequest permissions. |
| permissions/new/permissions.json | Introduces new AgentRegistration permission blocks, adjusts some permission descriptions, and adds new method/path mappings for newly supported endpoints. |
| "adminDisplayName": "Read all agent registrations", | ||
| "adminDescription": "Allows the user to read all agent registration information", | ||
| "userDisplayName": "Read all agent registrations", | ||
| "userDescription": "Allows the app to read agent registration information.", |
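Review bot: The two description strings in this hunk disagree on scope: adminDescription says "read all agent registration information" while userDescription says only "read agent registration information", so a user consenting to an `.All` scope is shown a narrower grant than an admin. Suggest "Allows the app to read all agent registration information." for userDescription, and add the trailing period that adminDescription is missing.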
In the DelegatedWork scheme, adminDescription says "Allows the user to read..." but these consent descriptions elsewhere describe what the app/client can do (typically "Allows the app/client to ... on behalf of the signed-in user"). This wording is inconsistent and may confuse consent UX; please update adminDescription to match the established phrasing pattern (e.g., like AuditLog.Read.All / AgentIdentity.Read.All).
| "adminDisplayName": "Read and write all agent registrations", | ||
| "adminDescription": "Allows the user to read and write all agent registration information", | ||
| "userDisplayName": "Read and write all agent registrations", | ||
| "userDescription": "Allows the app to read and write agent registration information.", |
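Review bot: userDescription drops "all" on the write-capable scope, where understating the grant matters most: the user is shown "read and write agent registration information" for a permission whose display name is "Read and write all agent registrations". Suggest "Allows the app to read and write all agent registration information." so the user-facing text matches the display name; adminDescription here also lacks its trailing period.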
Same issue as AgentRegistration.Read.All: DelegatedWork adminDescription says "Allows the user to read and write..." rather than describing what the app can do on behalf of the signed-in user. Please align the wording with the surrounding permission descriptions to avoid confusing consent text.
| "methods": [ | ||
| "GET" | ||
| ], | ||
| "paths": { | ||
| "/copilot/agentRegistrations/{agentId}": "least=DelegatedWork,Application" | ||
| } |
AgentRegistration.ReadWrite.All marks the GET /copilot/agentRegistrations/{agentId} route as least-privileged for both schemes. Since AgentRegistration.Read.All is introduced specifically for read access, the ReadWrite scope should typically not be the least-privileged permission for GET (many other *.ReadWrite.* permissions map GET paths to an empty string to avoid recommending an over-privileged scope). Consider changing this GET path mapping to "" and letting AgentRegistration.Read.All be the least-privileged permission for GET.
Weekly Permissions sync 2026-04-25
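The least-privilege point in the last review comment can be checked mechanically before merge. The following is an added example, not code from this pull request or the permissions repository; the sample data is constructed, and the top-level layout (permission name mapping to `pathSets`) and the `;` separator inside path values are assumptions beyond the fragments quoted above.

```python
# Constructed sample shaped after the fragments quoted in the review
# (pathSets / methods / paths / "least=..."); the outer layout is assumed.
ROUTE = "/copilot/agentRegistrations/{agentId}"
SAMPLE = {
    "AgentRegistration.Read.All": {"pathSets": [
        {"methods": ["GET"],
         "paths": {ROUTE: "least=DelegatedWork,Application"}},
    ]},
    "AgentRegistration.ReadWrite.All": {"pathSets": [
        {"methods": ["GET"],
         "paths": {ROUTE: "least=DelegatedWork,Application"}},
        {"methods": ["PATCH", "DELETE"],
         "paths": {ROUTE: "least=DelegatedWork,Application"}},
    ]},
}

def least_schemes(value):
    """Schemes named in a 'least=A,B' path value; '' yields an empty set."""
    found = set()
    for part in value.split(";"):  # ';' between key=value pairs is assumed
        key, _, val = part.partition("=")
        if key.strip() == "least":
            found.update(s.strip() for s in val.split(",") if s.strip())
    return found

def routes(perms, name):
    """Yield (method, path, least-scheme set) for each route of a permission."""
    for path_set in perms.get(name, {}).get("pathSets", []):
        for method in path_set.get("methods", []):
            for path, value in path_set.get("paths", {}).items():
                yield method, path, least_schemes(value)

def overprivileged_reads(perms):
    """Flag GET routes where a *.ReadWrite.* scope is marked least-privileged
    although the sibling *.Read.* scope already grants the same route."""
    findings = []
    for name in sorted(perms):
        if ".ReadWrite" not in name:
            continue
        sibling = name.replace(".ReadWrite", ".Read", 1)
        readable = {(m, p) for m, p, _ in routes(perms, sibling)}
        for method, path, least in routes(perms, name):
            if method == "GET" and least and (method, path) in readable:
                findings.append((name, path, sorted(least), sibling))
    return findings

if __name__ == "__main__":
    for finding in overprivileged_reads(SAMPLE):
        print("over-privileged least= on GET:", finding)
```

Run against the sample, the check reports the GET mapping on `AgentRegistration.ReadWrite.All`; setting that path value to `""` clears the finding while leaving the PATCH and DELETE mappings untouched.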