Pull request overview
Weekly permissions sync updating the permissions catalog and provisioning metadata, primarily to expose previously-hidden permissions and to align path/permission mappings with updated Graph endpoints.
Changes:
- Unhides and/or adds metadata for several permissions (e.g., AppCertTrustConfiguration.*, EntraBackup.*) in provisioningInfo.json.
- Updates permission definitions and endpoint path mappings in permissions.json (certificate authority configuration endpoints, correlations reporting endpoints, backup/restore protection unit endpoints, and new EntraBackup permissions).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Updates permission visibility flags, renames AppGalleryIntegrationRequest permissions + resourceAppId, and adds IdentityNotifications permissions. |
| permissions/new/permissions.json | Updates permission descriptions and pathSets (certificate authority config, correlations endpoints), adds EntraBackup permissions, and adjusts backup/restore + content processing endpoints. |
| "IdentityNotifications.Read.All": [ | ||
| { | ||
| "scheme": "DelegatedWork", | ||
| "environment": "PPE;public", | ||
| "isHidden": true, | ||
| "isEnabled": false, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| }, | ||
| { | ||
| "scheme": "Application", | ||
| "environment": "PPE;public", | ||
| "isHidden": true, | ||
| "isEnabled": false, | ||
| "resourceAppId": "00000002-0000-0000-c000-000000000000" | ||
| } |
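Review bot: both scheme entries for IdentityNotifications.Read.All set resourceAppId to 00000002-0000-0000-c000-000000000000, which is the resource app ID of Azure AD Graph rather than Microsoft Graph (00000003-0000-0000-c000-000000000000); since the PR overview says these mappings are being aligned with Graph endpoints, confirm this ID is intended and consistent with the neighbouring entries in provisioningInfo.json before merging, because consumers that filter the catalog by resourceAppId will otherwise never surface these permissions.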
The newly added IdentityNotifications.* entries are missing the required "id" field (other permission entries include an "id" key even when the value is empty). This will likely break consumers expecting a consistent schema; add an "id" property for each scheme entry (use the correct GUIDs if known, or an empty string placeholder if not yet assigned).
| "/reports/conditionalaccess/unprotectedapps": "least=DelegatedWork,Application", | ||
| "/reports/correlations": "", | ||
| "/reports/correlations/{id}": "", | ||
| "/reports/correlations/{id}/identities": "", | ||
| "/reports/correlations/{id}/identities/{id}": "", |
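Review bot: `/reports/correlations/{id}/identities/{id}` reuses the placeholder `{id}` for two different path segments, so a consumer that matches on placeholder names cannot tell the correlation segment from the identity segment; elsewhere in permissions.json the segments are named distinctly (for example `{userId}` under `/users/`), so give the two segments different names here as well.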
The /reports/correlations* endpoints were introduced as replacements for /reports/identityCorrelation* but their path values are now empty strings. Previously these endpoints carried an explicit "least=DelegatedWork,Application" mapping; consider preserving that mapping here as well to avoid changing downstream permission-resolution behavior or documentation.
| "POST" | ||
| ], | ||
| "paths": { | ||
| "/me/dataSecurityAndGovernance/contentUploadSession": "", | ||
| "/me/dataSecurityAndGovernance/processContent": "", | ||
| "/security/dataSecurityAndGovernance/processContentAsync": "least=Application,DelegatedWork", | ||
| "/users/{userId}/dataSecurityAndGovernance/contentUploadSession": "", | ||
| "/users/{userId}/dataSecurityAndGovernance/processContent": "" | ||
| } |
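Review bot: the value on `/security/dataSecurityAndGovernance/processContentAsync` is written `least=Application,DelegatedWork`, while the other entries in this file spell the same pair as `least=DelegatedWork,Application` (see the `/reports/conditionalaccess/unprotectedapps` line); unless the order is meaningful to the resolver, normalize it to one spelling so plain string comparison and generated documentation treat the two as the same mapping.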
In Content.Process.All and Content.Process.User, the new "/me/dataSecurityAndGovernance/contentUploadSession" path is in a pathSet whose schemeKeys include "Application" and the path value is empty (i.e., not restricted). Since /me endpoints are delegated-only in practice, restrict these /me paths to DelegatedWork (e.g., by setting least=DelegatedWork or moving them into a DelegatedWork-only pathSet) to avoid implying app-only support.
| "Application": { | ||
| "adminDisplayName": "Read Preview jobs and snapshots", | ||
| "adminDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on behalf of the signed-in user.", | ||
| "userDisplayName": "Read Preview jobs and snapshots", | ||
| "userDescription": "Allows the app to list the all the snapshots, jobs and enumerate the changes of a specific preview job, on your behalf.", | ||
| "requiresAdminConsent": true, | ||
| "privilegeLevel": 4 |
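Review bot: both adminDescription and userDescription in this hunk read "list the all the snapshots, jobs and enumerate the changes", a duplicated article and an unparallel clause that will ship verbatim into consent prompts and docs; change it to "list all the snapshots and jobs, and enumerate the changes of a specific preview job".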
The Application-scheme descriptions for EntraBackup.Read.All reference a signed-in user ("on behalf of the signed-in user" / "on your behalf"), which is inconsistent with other Application permissions and misleading for app-only flows. Update the Application admin/user description fields to reflect app-only behavior (e.g., "without a signed-in user") or remove user-facing fields if not applicable.
Weekly Permissions sync 2026-04-01