Skip to content

Commit 3e62451

Browse files
authored
Add blueprint permissions for non-DW agents and fix inheritance configuration (#421)
* Add query-entra inheritance subcommand, wids auto-fix, and non-DW Phase 2 grants Blueprint inheritance was silently broken in two ways: the inheritablePermissions entries used kind=enumerated instead of kind=allAllowed (agent identities inherited nothing), and the non-DW (--aiteammate false) setup flow never ran the AllPrincipals OAuth2 grant phase at all (issue #417). Changes: - Migrate all inheritablePermissions writes to kind=allAllowed on both inheritableScopes and inheritableRoles; remove EnumeratedScopes. - Non-DW setup all now executes BatchPermissionsOrchestrator and ApplyConsentUrlsIfNeeded (parity with the DW flow). - New `a365 query-entra inheritance` subcommand: per-resource OK/WARN/NONE output showing config state and actual grants on the blueprint SP, with effective-count summary and exit code 1 on any gap. - `setup requirements` detects and auto-repairs missing wids optional claim on the client app (missing wids silently collapses role detection to Unknown, which skips Phase 2 grants). - New WidsOptionalClaimRequirementCheck with portal + az rest remediation. - Add GrantOutcome, DeclaredResourcePermissions models; delete EnumeratedScopes; add GetBlueprintSpGrantsAsync, GetServicePrincipalDisplayNameByAppIdAsync, ClearTokenCacheAsync. - 44 new unit tests covering the above (1525 passing, 0 failing). * Address Copilot review comments on PR #421 - Models/README.md: remove stale DeclaredResourcePermissions row (file was deleted in mid-session pivot); add AuthMode and GrantOutcome rows. - ConfigService.cs: add millisecond precision to backup timestamp to prevent file collision if InvalidateGeneratedConfigAsync is called twice within the same second. - QueryEntraCommand.cs: correct XML doc on CreateInheritanceSubcommand — the subcommand does acquire a Graph token; previous comment was misleading. - SetupHelpersDisplaySetupSummaryTests.cs: update two stale references to renamed fields (AdminConsentGranted/S2SAppRoleGranted → TenantWideConsentOutcome/BlueprintS2SOutcome) in because: clauses and summary comments.
1 parent 1893e52 commit 3e62451

45 files changed

Lines changed: 4429 additions & 755 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,8 +43,14 @@ Agents provisioned before this release need `Agent365.Observability.OtelWrite` g
4343
- Defensive fallback when the server rejects the new request with a known contract-mismatch signature — the CLI logs `"Automated messaging endpoint registration is not available for this tenant yet. You'll need to configure it manually."` and directs the user to the Teams Developer Portal. Same user-facing path is reused when registration fails because the signed-in user is not a blueprint owner.
4444
- `--yes` / `-y` option on `cleanup blueprint`, `cleanup azure`, and `cleanup instance` — skips confirmation prompts.
4545
- `--dry-run` option on top-level `a365 cleanup` — previews resources that would be deleted across blueprint, Azure, and instance steps without making changes.
46+
- `a365 query-entra inheritance` subcommand — reports per-resource **effective** inheritance state on an agent blueprint. `OK` only when `kind=allAllowed` AND permissions are actually granted on the blueprint service principal; `WARN` / `Effective inheritance: NONE` when the inheritability policy is set but nothing is granted to inherit. Lists the actual delegated scopes and app role names that agent identities will inherit. Exits non-zero when any resource lacks effective inheritance so the command can be used in scripts and CI pre-flight checks.
47+
- `setup requirements` now detects and auto-repairs the **`wids` optional claim** on the CLI client app's access tokens. Without this claim, the CLI cannot read the signed-in user's directory roles from the token and silently skips the tenant-wide consent step on the agent blueprint — the user-visible symptom is a blueprint with `inheritablePermissions.kind=allAllowed` but no permissions actually granted on the blueprint service principal. When the running user has admin authority over the app registration, the CLI patches `optionalClaims.accessToken` to include `wids` and clears the local MSAL token cache so the next acquisition carries the new claim. The well-known CLI app is also now created with `wids` already configured. Non-admin users get explicit Azure portal click-path remediation.
48+
- `setup requirements` now auto-provisions the `Application.Read.All` consented permission when it is declared on the CLI client app but missing from the tenant's OAuth2 consent grant. Required by the wids check (which queries `/v1.0/applications`) and the existing redirect-URI / public-client validators.
4649

4750
### Changed
51+
- `a365 setup all --aiteammate false` (blueprint agents) now stamps permissions on the **blueprint** in addition to the agent identity, so the Microsoft Admin Center and other downstream systems can discover an agent's permissions. Inheritable permissions are configured with `kind=allAllowed` on both `inheritableScopes` and `inheritableRoles` for every configured resource (Observability, Power Platform, Messaging Bot, custom). When the caller is a Global Administrator, tenant-wide OAuth2 consent is granted on the blueprint service principal automatically; otherwise a per-resource admin-consent URL is printed so a Global Administrator can complete the hand-off out-of-band. Agent identities still receive their principal-scoped grants as before. Fixes [issue #417](https://github.com/microsoft/Agent365-devTools/issues/417).
52+
- All POST/PATCH calls to `/applications/{id}/inheritablePermissions` now use the `allAllowed` wire form for both `inheritableScopes` and `inheritableRoles` per [the public schema](https://learn.microsoft.com/en-us/entra/agent-id/configure-inheritable-permissions-blueprints). The legacy `enumeratedScopes` form is no longer emitted; existing entries written by older CLI versions are reconciled to `allAllowed` on next run via PATCH. Partial-migration entries (only one side at `allAllowed`) are also reconciled.
53+
- `a365 query-entra blueprint-scopes` now lists the delegated and application permissions currently **granted** on the agent blueprint service principal (`oauth2PermissionGrants` + `appRoleAssignments`) - the same view shown by the Entra portal "API permissions" blade. Previously it printed the inheritable-permissions policy metadata (`Scopes Kind` / `Roles Kind`), which overlapped with `a365 query-entra inheritance` and did not tell the operator what the blueprint actually held. The blueprint application's `requiredResourceAccess` is deliberately left empty by setup, so reading it would be misleading; the granted-grants view is the authoritative answer to "what permissions does the blueprint have?". Use `a365 query-entra inheritance` to see whether agent identities created from this blueprint will inherit those grants (policy + reconciliation verdict).
4854
- Agent identity creation now uses Blueprint app-only credentials (`AgentIdentity.CreateAsManager`, auto-granted to all Blueprint apps). The custom CLI app no longer requires `AgentIdentity.Create.All` or `DelegatedPermissionGrant.ReadWrite.All`. Administrators can remove these permissions from the CLI app registration. See [Custom client app registration](https://learn.microsoft.com/microsoft-agent-365/developer/custom-client-app-registration) for the updated permission list.
4955
- `setup all` now retries agent identity creation and blueprint token acquisition with exponential back-off (delay doubles up to a 60-second cap; agent identity retries up to 5 times, blueprint token up to 12 times — worst case is several minutes per call when Entra replication lag is severe) when Entra replication lag causes transient 401/AADSTS errors on fresh blueprint setups. Retry progress is logged at `Debug` level only.
5056
- `setup blueprint --m365` now prints a note when passed alone — the flag only takes effect with `--endpoint-only` or `--update-endpoint`; otherwise use `setup all --m365`.

0 commit comments

Comments
 (0)