You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add blueprint permissions for non-DW agents and fix inheritance configuration (#421)
* Add query-entra inheritance subcommand, wids auto-fix, and non-DW Phase 2 grants
Blueprint inheritance was silently broken in two ways: the inheritablePermissions
entries used kind=enumerated instead of kind=allAllowed (agent identities inherited
nothing), and the non-DW (--aiteammate false) setup flow never ran the AllPrincipals
OAuth2 grant phase at all (issue #417).
Changes:
- Migrate all inheritablePermissions writes to kind=allAllowed on both
inheritableScopes and inheritableRoles; remove EnumeratedScopes.
- Non-DW setup all now executes BatchPermissionsOrchestrator and
ApplyConsentUrlsIfNeeded (parity with the DW flow).
- New `a365 query-entra inheritance` subcommand: per-resource OK/WARN/NONE
output showing config state and actual grants on the blueprint SP, with
effective-count summary and exit code 1 on any gap.
- `setup requirements` detects and auto-repairs missing wids optional claim
on the client app (missing wids silently collapses role detection to Unknown,
which skips Phase 2 grants).
- New WidsOptionalClaimRequirementCheck with portal + az rest remediation.
- Add GrantOutcome, DeclaredResourcePermissions models; delete EnumeratedScopes;
add GetBlueprintSpGrantsAsync, GetServicePrincipalDisplayNameByAppIdAsync,
ClearTokenCacheAsync.
- 44 new unit tests covering the above (1525 passing, 0 failing).
* Address Copilot review comments on PR #421
- Models/README.md: remove stale DeclaredResourcePermissions row (file
was deleted in mid-session pivot); add AuthMode and GrantOutcome rows.
- ConfigService.cs: add millisecond precision to backup timestamp to
prevent file collision if InvalidateGeneratedConfigAsync is called
twice within the same second.
- QueryEntraCommand.cs: correct XML doc on CreateInheritanceSubcommand
— the subcommand does acquire a Graph token; previous comment was
misleading.
- SetupHelpersDisplaySetupSummaryTests.cs: update two stale references
to renamed fields (AdminConsentGranted/S2SAppRoleGranted →
TenantWideConsentOutcome/BlueprintS2SOutcome) in because: clauses
and summary comments.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -43,8 +43,14 @@ Agents provisioned before this release need `Agent365.Observability.OtelWrite` g
43
43
- Defensive fallback when the server rejects the new request with a known contract-mismatch signature — the CLI logs `"Automated messaging endpoint registration is not available for this tenant yet. You'll need to configure it manually."` and directs the user to the Teams Developer Portal. Same user-facing path is reused when registration fails because the signed-in user is not a blueprint owner.
44
44
-`--yes` / `-y` option on `cleanup blueprint`, `cleanup azure`, and `cleanup instance` — skips confirmation prompts.
45
45
-`--dry-run` option on top-level `a365 cleanup` — previews resources that would be deleted across blueprint, Azure, and instance steps without making changes.
46
+
-`a365 query-entra inheritance` subcommand — reports per-resource **effective** inheritance state on an agent blueprint. `OK` only when `kind=allAllowed` AND permissions are actually granted on the blueprint service principal; `WARN` / `Effective inheritance: NONE` when the inheritability policy is set but nothing is granted to inherit. Lists the actual delegated scopes and app role names that agent identities will inherit. Exits non-zero when any resource lacks effective inheritance so the command can be used in scripts and CI pre-flight checks.
47
+
-`setup requirements` now detects and auto-repairs the **`wids` optional claim** on the CLI client app's access tokens. Without this claim, the CLI cannot read the signed-in user's directory roles from the token and silently skips the tenant-wide consent step on the agent blueprint — the user-visible symptom is a blueprint with `inheritablePermissions.kind=allAllowed` but no permissions actually granted on the blueprint service principal. When the running user has admin authority over the app registration, the CLI patches `optionalClaims.accessToken` to include `wids` and clears the local MSAL token cache so the next acquisition carries the new claim. The well-known CLI app is also now created with `wids` already configured. Non-admin users get explicit Azure portal click-path remediation.
48
+
-`setup requirements` now auto-provisions the `Application.Read.All` consented permission when it is declared on the CLI client app but missing from the tenant's OAuth2 consent grant. Required by the wids check (which queries `/v1.0/applications`) and the existing redirect-URI / public-client validators.
46
49
47
50
### Changed
51
+
-`a365 setup all --aiteammate false` (blueprint agents) now stamps permissions on the **blueprint** in addition to the agent identity, so the Microsoft Admin Center and other downstream systems can discover an agent's permissions. Inheritable permissions are configured with `kind=allAllowed` on both `inheritableScopes` and `inheritableRoles` for every configured resource (Observability, Power Platform, Messaging Bot, custom). When the caller is a Global Administrator, tenant-wide OAuth2 consent is granted on the blueprint service principal automatically; otherwise a per-resource admin-consent URL is printed so a Global Administrator can complete the hand-off out-of-band. Agent identities still receive their principal-scoped grants as before. Fixes [issue #417](https://github.com/microsoft/Agent365-devTools/issues/417).
52
+
- All POST/PATCH calls to `/applications/{id}/inheritablePermissions` now use the `allAllowed` wire form for both `inheritableScopes` and `inheritableRoles` per [the public schema](https://learn.microsoft.com/en-us/entra/agent-id/configure-inheritable-permissions-blueprints). The legacy `enumeratedScopes` form is no longer emitted; existing entries written by older CLI versions are reconciled to `allAllowed` on next run via PATCH. Partial-migration entries (only one side at `allAllowed`) are also reconciled.
53
+
-`a365 query-entra blueprint-scopes` now lists the delegated and application permissions currently **granted** on the agent blueprint service principal (`oauth2PermissionGrants` + `appRoleAssignments`) - the same view shown by the Entra portal "API permissions" blade. Previously it printed the inheritable-permissions policy metadata (`Scopes Kind` / `Roles Kind`), which overlapped with `a365 query-entra inheritance` and did not tell the operator what the blueprint actually held. The blueprint application's `requiredResourceAccess` is deliberately left empty by setup, so reading it would be misleading; the granted-grants view is the authoritative answer to "what permissions does the blueprint have?". Use `a365 query-entra inheritance` to see whether agent identities created from this blueprint will inherit those grants (policy + reconciliation verdict).
48
54
- Agent identity creation now uses Blueprint app-only credentials (`AgentIdentity.CreateAsManager`, auto-granted to all Blueprint apps). The custom CLI app no longer requires `AgentIdentity.Create.All` or `DelegatedPermissionGrant.ReadWrite.All`. Administrators can remove these permissions from the CLI app registration. See [Custom client app registration](https://learn.microsoft.com/microsoft-agent-365/developer/custom-client-app-registration) for the updated permission list.
49
55
-`setup all` now retries agent identity creation and blueprint token acquisition with exponential back-off (delay doubles up to a 60-second cap; agent identity retries up to 5 times, blueprint token up to 12 times — worst case is several minutes per call when Entra replication lag is severe) when Entra replication lag causes transient 401/AADSTS errors on fresh blueprint setups. Retry progress is logged at `Debug` level only.
50
56
-`setup blueprint --m365` now prints a note when passed alone — the flag only takes effect with `--endpoint-only` or `--update-endpoint`; otherwise use `setup all --m365`.
0 commit comments