Weekly Permissions sync 2026-01-30 #1423
Conversation
Pull request overview
Weekly sync updating the permissions catalog and deployment metadata.
Changes:
- Added/updated permission deployment metadata in `provisioningInfo.json` (including a new `AgentIdentityBlueprint.UpdateSponsors.All` entry and hiding `ThreatSubmission.Read*`).
- Updated several permission definitions in `permissions.json` (admin consent requirements, scheme availability, ownership group).
- Adjusted paths and removed deprecated threat submission delegated permissions from `permissions.json`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Adds a new deployment entry and changes visibility for threat submission permissions. |
| permissions/new/permissions.json | Updates consent requirements, removes certain schemes/permissions, changes ownership group, and adds a new Teams migration path. |
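As an added illustration (not part of this pull request or the repository's own tooling), the consistency questions raised in the review comments on this sync can be checked mechanically before merge. The script below assumes a catalog shape inferred only from the fields visible in the hunks (`permissions.json` keyed by permission name with a `schemes` object holding `DelegatedWork`/`Application` entries that carry `requiresAdminConsent`; `provisioningInfo.json` keyed by permission name with `isHidden`/`isEnabled`); the real files may be laid out differently. The three sample catalogs are constructed to mirror the changes this sync describes, and the function names `diff_permissions`, `check_provisioning` and `audit` are the example's own.

```python
# Added example (not the repository's own tooling): consistency checks a reviewer
# could run on a weekly permissions sync before merging.
#
# Assumptions, taken from the fields visible in the PR hunks and not confirmed
# by the repo: permissions.json maps a permission name to an object whose
# "schemes" key holds "DelegatedWork" / "Application" entries, each carrying
# "requiresAdminConsent"; provisioningInfo.json maps a permission name to an
# object with "isHidden" and "isEnabled". The catalogs below are constructed
# samples that mirror the changes described in the PR.
import json
import sys

OLD_PERMISSIONS = {
    "RiskPreventionProviders.ReadWrite.All": {
        "authorizationType": "oAuth2",
        "schemes": {
            "DelegatedWork": {"requiresAdminConsent": True, "privilegeLevel": 3},
            "Application": {"requiresAdminConsent": True, "privilegeLevel": 4},
        },
    },
    "ThreatSubmission.Read": {
        "authorizationType": "oAuth2",
        "schemes": {"DelegatedWork": {"requiresAdminConsent": False, "privilegeLevel": 2}},
    },
    "AgentIdentity.Read.All": {
        "authorizationType": "oAuth2",
        "schemes": {"DelegatedWork": {"requiresAdminConsent": False, "privilegeLevel": 3}},
    },
}

NEW_PERMISSIONS = {
    "RiskPreventionProviders.ReadWrite.All": {
        "authorizationType": "oAuth2",
        "schemes": {"DelegatedWork": {"requiresAdminConsent": True, "privilegeLevel": 3}},
    },
    "AgentIdentity.Read.All": {
        "authorizationType": "oAuth2",
        "schemes": {"DelegatedWork": {"requiresAdminConsent": True, "privilegeLevel": 3}},
    },
}

PROVISIONING = {
    "ThreatSubmission.Read": {"isHidden": True, "isEnabled": True, "resourceAppId": ""},
    "AgentIdentity.Read.All": {"isHidden": False, "isEnabled": True, "resourceAppId": ""},
}


def diff_permissions(old, new):
    """Compare two permissions.json catalogs; return (kind, permission, scheme) findings."""
    findings = []
    for name, old_def in old.items():
        new_def = new.get(name)
        if new_def is None:
            # Whole permission gone: every client still requesting this scope breaks.
            findings.append(("permission_removed", name, None))
            continue
        old_schemes = old_def.get("schemes", {})
        new_schemes = new_def.get("schemes", {})
        for scheme, old_s in old_schemes.items():
            new_s = new_schemes.get(scheme)
            if new_s is None:
                # e.g. an Application scheme dropped: daemon/service apps lose access.
                findings.append(("scheme_removed", name, scheme))
            elif new_s.get("requiresAdminConsent") and not old_s.get("requiresAdminConsent"):
                # Users could self-consent before; now an admin must grant it.
                findings.append(("admin_consent_now_required", name, scheme))
    return findings


def check_provisioning(new, provisioning):
    """Cross-check provisioningInfo.json against the new permissions.json."""
    findings = []
    for name, entry in provisioning.items():
        if entry.get("isEnabled") and name not in new:
            # Still assignable in deployment metadata but no longer defined.
            findings.append(("enabled_but_undefined", name, None))
        if entry.get("isEnabled") and entry.get("isHidden"):
            # Hidden from pickers yet still grantable: usually a half-retired scope.
            findings.append(("hidden_but_enabled", name, None))
    return findings


def audit(old, new, provisioning):
    """Run both checks; a non-empty result means the sync needs a human decision."""
    return diff_permissions(old, new) + check_provisioning(new, provisioning)


def load(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    # With three paths on the command line (old permissions, new permissions,
    # provisioning info) audit real files; otherwise use the constructed samples.
    if len(sys.argv) == 4:
        old, new, prov = (load(p) for p in sys.argv[1:4])
    else:
        old, new, prov = OLD_PERMISSIONS, NEW_PERMISSIONS, PROVISIONING
    for kind, name, scheme in audit(old, new, prov):
        print(f"{kind}: {name}" + (f" [{scheme}]" if scheme else ""))
```

Run against the samples it reports the scheme removal, the dropped delegated scope, the admin-consent flip and the hidden-but-enabled provisioning entry, which are exactly the points a reviewer has to resolve by hand on a sync like this one; wiring it into CI would turn those review questions into a failing check.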
| "userDescription": "Allows the app to read and write your organization's risk prevention providers, on your behalf.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 | ||
| }, | ||
| "Application": { | ||
| "adminDisplayName": "Read and write all identity risk prevention providers", | ||
| "adminDescription": "Allows the app to read and write your organization's risk prevention providers, without a signed-in user.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 4 | ||
| } | ||
| }, |
Copilot (AI) · Jan 30, 2026
RiskPreventionProviders.ReadWrite.All is now delegated-only (the Application scheme was removed in this change). If app-only write access is still needed for automation scenarios, please confirm there is a supported replacement to avoid breaking existing integrations.
| "ThreatSubmission.Read.All": { | ||
| "authorizationType": "oAuth2", | ||
| "schemes": { |
Copilot (AI) · Jan 30, 2026
This PR removes the ThreatSubmission.Read / ThreatSubmission.ReadWrite delegated permissions (non-.All) from permissions.json. Since this is a breaking change for any clients currently requesting those scopes, please confirm deprecation/migration guidance exists (e.g., move to .Read.All / .ReadWrite.All) before removing the entries.
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "" |
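Review bot: This entry keeps `"isEnabled": true` while `"isHidden": true` is set and, per the PR description, the matching `ThreatSubmission.Read` definition is removed from `permissions.json`, so the two files now disagree on whether the scope is still live. Suggest either setting `"isEnabled": false` here or adding a catalog check that every enabled `provisioningInfo.json` entry still has a definition in `permissions.json`, so the mismatch cannot reappear in a later weekly sync.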
Copilot (AI) · Jan 30, 2026
ThreatSubmission.Read is now marked isHidden: true but remains isEnabled: true. If the intent is to fully retire this scope (it was removed from permissions.json in this PR), consider also disabling it here to prevent new assignments/consents while keeping existing ones grandfathered (or document why it should remain enabled).
| "isHidden": true, | ||
| "isEnabled": true, | ||
| "resourceAppId": "" |
Copilot (AI) · Jan 30, 2026
ThreatSubmission.ReadWrite is now marked isHidden: true but remains isEnabled: true. If this scope is being retired (it was removed from permissions.json in this PR), consider disabling it here as well to prevent new assignments/consents, or add rationale for keeping it enabled while hidden.
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 |
Copilot (AI) · Jan 30, 2026
AgentIdentity.Read.All (DelegatedWork) now requires admin consent. This is a behavior change (users can no longer self-consent) and may break existing consent flows; please confirm this is intentional and ensure any downstream docs/release notes or callers are updated accordingly.
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 |
Copilot (AI) · Jan 30, 2026
AgentIdentityBlueprint.Read.All (DelegatedWork) now requires admin consent. This is a breaking change for apps relying on user-consentable delegated permissions; please confirm intent and ensure the change is communicated to consumers.
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 |
Copilot (AI) · Jan 30, 2026
AgentIdentityBlueprintPrincipal.Read.All (DelegatedWork) now requires admin consent. Since this changes who can grant the permission, please confirm this matches the product/security decision and that any dependent tooling/tests/documentation are aligned.
| "userDescription": "Allows the app to read your organization's risk prevention providers, on your behalf.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 3 | ||
| }, | ||
| "Application": { | ||
| "adminDisplayName": "Read all identity risk prevention providers", | ||
| "adminDescription": "Allows the app to read your organization's risk prevention providers, without a signed-in user.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 4 | ||
| } | ||
| }, |
Copilot (AI) · Jan 30, 2026
RiskPreventionProviders.Read.All now appears to be delegated-only (the Application scheme was removed in this hunk). This is a breaking change for daemon/service apps; please confirm the removal is intended and that migration guidance (or an alternative app-only permission) exists for app-only scenarios.