Weekly Permissions sync 2026-02-01 #1425
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request implements a weekly permissions synchronization that updates permission configurations across two JSON files. The changes include adding new permissions, modifying access control requirements, adjusting security group ownership, and deprecating certain permission scopes.
Changes:
- Added new "AgentIdentityBlueprint.UpdateSponsors.All" permission (currently disabled) in provisioningInfo.json
- Updated three agent identity permissions to require admin consent (security enhancement)
- Removed Application scheme support from RiskPreventionProviders permissions (Read.All and ReadWrite.All)
- Deprecated ThreatSubmission.Read and ThreatSubmission.ReadWrite permissions by hiding them in provisioningInfo.json and removing them from permissions.json
- Updated security group ownership from "privacymanagementDSR" to "PrivacySolutionAdmin" for SubjectRightsRequest permissions
- Added new API path for moving teamwork items
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Added new AgentIdentityBlueprint.UpdateSponsors.All permission entry; renamed TeamworkTargetedMessage permission; marked ThreatSubmission.Read and ThreatSubmission.ReadWrite as hidden |
| permissions/new/permissions.json | Updated admin consent requirements for agent identity permissions; removed Application scheme from RiskPreventionProviders permissions; removed ThreatSubmission.Read and ThreatSubmission.ReadWrite definitions; updated security group ownership; added new teamwork API path |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "AgentIdentityBlueprint.UpdateSponsors.All": [ | ||
| { | ||
| "id": "", | ||
| "scheme": "Application", | ||
| "environment": "PPE;public", | ||
| "isHidden": true, | ||
| "isEnabled": false, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "id": "", | ||
| "scheme": "DelegatedWork", | ||
| "environment": "PPE;public", | ||
| "isHidden": true, | ||
| "isEnabled": false, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| } | ||
| ], |
There was a problem hiding this comment.
The new permission "AgentIdentityBlueprint.UpdateSponsors.All" is being added to provisioningInfo.json but does not have a corresponding definition in permissions.json. While this may be intentional for a permission that is not yet enabled (isEnabled: false), it's inconsistent with similar permissions like "AgentIdentityBlueprint.UpdateAuthProperties.All" and "AgentIdentityBlueprint.AddRemoveCreds.All" which exist in both files. Consider adding the permission definition to permissions.json to maintain consistency, or verify this is intentionally staged for future activation.
| "AgentIdentityBlueprint.UpdateSponsors.All": [ | |
| { | |
| "id": "", | |
| "scheme": "Application", | |
| "environment": "PPE;public", | |
| "isHidden": true, | |
| "isEnabled": false, | |
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | |
| }, | |
| { | |
| "id": "", | |
| "scheme": "DelegatedWork", | |
| "environment": "PPE;public", | |
| "isHidden": true, | |
| "isEnabled": false, | |
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | |
| } | |
| ], |
Weekly Permissions sync 2026-02-01