Pull request overview
Weekly permissions metadata sync updating the permissions/new/* artifacts to reflect newly introduced scopes/roles and revised least-privilege path mappings.
Changes:
- Added new permission definitions for `CopilotPolicySettings.Read` and `CopilotPolicySettings.ReadWrite` (including pathSets/ownership metadata).
- Updated cross-tenant access policy path mappings and refactored `Policy.ReadWrite.CrossTenantAccess` GET handling.
- Extended `provisioningInfo.json` with additional permission deployment entries and updated CopilotPolicySettings variant IDs/visibility.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Updates permission deployment variants (new permissions + updated CopilotPolicySettings IDs/visibility). |
| permissions/new/permissions.json | Adds CopilotPolicySettings permissions and adjusts endpoint-to-permission path mappings (notably cross-tenant access policy and authentication policy paths). |
Comments suppressed due to low confidence (1)
permissions/new/permissions.json:37597
- These crosstenantaccesspolicy GET paths are now mapped to an empty string, and there is no remaining "least=..." mapping anywhere in permissions.json for GET on these endpoints. If the intent is to introduce a new least-privileged permission (e.g., Policy.Read.CrossTenantAccess), that permission needs to be added here with these GET paths marked as least; otherwise revert one existing permission to be least for GET so least-privilege resolution doesn’t regress.
| "paths": { | ||
| "/policies/crosstenantaccesspolicy": "", | ||
| "/policies/crosstenantaccesspolicy/default": "", | ||
| "/policies/crosstenantaccesspolicy/partners": "", | ||
| "/policies/crosstenantaccesspolicy/partners/{id}": "", | ||
| "/policies/crosstenantaccesspolicy/partners/{id}/identitysynchronization": "" |
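Review bot: every GET path in this pathSet is mapped to `""`, so `Policy.ReadWrite.CrossTenantAccess` no longer declares itself least-privileged for any of them, and the PR description's "refactored Policy.ReadWrite.CrossTenantAccess GET handling" does not say which permission takes over that role. Either a read-only permission with these five paths marked `least=...` should land in the same change, or the `least=` values should stay on this pathSet until it does; a generated-file sync like this one is a good place for a validation step that fails when any GET path has no permission marked `least` for a scheme, since a regression here silently steers callers toward the broader write scope.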
In Policy.ReadWrite.CrossTenantAccess, the new GET pathSet lists the crosstenantaccesspolicy endpoints but marks them all as "". Combined with the related changes elsewhere, this leaves GET on these endpoints without any least-privileged permission mapping in the file. Please add/restore a least mapping for these GET endpoints (likely via a dedicated read permission) so least-privilege selection remains deterministic.
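The check the two comments above ask for can be automated. The following is an added example, not code from this repository or from the reviewer: it walks a document in the shape the hunk shows (permission name, `pathSets`, `paths` whose value is either `""` or `least=<scheme>[,<scheme>]`; the `schemeKeys`/`methods` fields and the top-level `permissions` object are assumed, and the `Policy.Read.CrossTenantAccess` entry is a hypothetical read permission) and reports every GET path and scheme that some permission grants but no permission marks as least-privileged. It also flags the opposite problem, two permissions both claiming to be least for the same path, which would make resolution non-deterministic.

```python
import json

# Constructed sample in the assumed shape of permissions.json (simplified):
# permission -> pathSets -> schemeKeys, methods and a paths map whose value is
# "" (not least-privileged) or "least=<scheme>[,<scheme>]".
# Policy.Read.CrossTenantAccess is hypothetical; it only covers some GET paths,
# so the remaining ones reproduce the regression the review flagged.
SAMPLE = json.loads("""
{
  "permissions": {
    "Policy.ReadWrite.CrossTenantAccess": {
      "pathSets": [
        {
          "schemeKeys": ["Application", "DelegatedWork"],
          "methods": ["GET"],
          "paths": {
            "/policies/crosstenantaccesspolicy": "",
            "/policies/crosstenantaccesspolicy/default": "",
            "/policies/crosstenantaccesspolicy/partners": ""
          }
        },
        {
          "schemeKeys": ["Application", "DelegatedWork"],
          "methods": ["PATCH"],
          "paths": {
            "/policies/crosstenantaccesspolicy/default": "least=Application,DelegatedWork"
          }
        }
      ]
    },
    "Policy.Read.CrossTenantAccess": {
      "pathSets": [
        {
          "schemeKeys": ["Application", "DelegatedWork"],
          "methods": ["GET"],
          "paths": {
            "/policies/crosstenantaccesspolicy": "least=Application,DelegatedWork",
            "/policies/crosstenantaccesspolicy/default": "least=Application"
          }
        }
      ]
    }
  }
}
""")


def parse_least(value):
    """Return the set of scheme keys a path value marks as least-privileged."""
    value = value.strip()
    if not value.startswith("least="):
        return set()
    return {s.strip() for s in value[len("least="):].split(",") if s.strip()}


def collect_coverage(doc):
    """Index (method, path, scheme) -> permissions covering it, and which are least."""
    seen = {}   # (method, path, scheme) -> set of permission names that grant it
    least = {}  # (method, path, scheme) -> set of permission names marked least
    for perm, body in doc["permissions"].items():
        for path_set in body.get("pathSets", []):
            schemes = path_set.get("schemeKeys", [])
            for method in path_set.get("methods", []):
                for path, value in path_set.get("paths", {}).items():
                    least_schemes = parse_least(value)
                    for scheme in schemes:
                        key = (method.upper(), path.lower(), scheme)
                        seen.setdefault(key, set()).add(perm)
                        if scheme in least_schemes:
                            least.setdefault(key, set()).add(perm)
    return seen, least


def find_missing_least(doc, method="GET"):
    """Sorted (path, scheme) pairs granted by some permission for `method` but
    marked least-privileged by none: the regression the review describes."""
    seen, least = collect_coverage(doc)
    return sorted((path, scheme) for (m, path, scheme) in seen
                  if m == method.upper() and (m, path, scheme) not in least)


def find_ambiguous_least(doc):
    """Sorted (method, path, scheme) triples where more than one permission
    claims to be least-privileged, so selection would not be deterministic."""
    _, least = collect_coverage(doc)
    return sorted(k for k, perms in least.items() if len(perms) > 1)


if __name__ == "__main__":
    for path, scheme in find_missing_least(SAMPLE):
        print(f"GET {path} has no least-privileged permission for {scheme}")
    for method, path, scheme in find_ambiguous_least(SAMPLE):
        print(f"{method} {path} ({scheme}) has more than one least permission")
```

Run against the real file by replacing `SAMPLE` with `json.load(open("permissions/new/permissions.json"))`, assuming the top-level layout matches; a non-empty result from `find_missing_least` is the condition a CI gate on this sync should fail on.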
| "resourceAppId": "f06db492-d3b8-4e06-9586-db69232ec12a" | ||
| } | ||
| ], | ||
| "InfoProtectABACPolicy.Read.All": [ |
The new "InfoProtectABACPolicy.Read.All" permission block is indented differently than neighboring permission keys (extra leading spaces) and the array items are not aligned with the surrounding style. Please reformat this block to match the established 2-space-per-level indentation used in this file so future diffs stay minimal.
| "InfoProtectABACPolicy.Read.All": [ | |
| "InfoProtectABACPolicy.Read.All": [ |
| ], | ||
| "InfoProtectABACPolicy.ReadWrite.All": [ | ||
| { | ||
| "id": "e5b0a9c7-1f4d-4e8c-b3a2-acde13579246", |
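Review bot: the `InfoProtectABACPolicy.Read.All` and `InfoProtectABACPolicy.ReadWrite.All` additions in this hunk are not mentioned in the PR description, which only lists the CopilotPolicySettings and cross-tenant access policy changes; please add them to the summary so the new scopes are reviewable as such, and confirm that the `"id": "e5b0a9c7-1f4d-4e8c-b3a2-acde13579246"` introduced here has its matching deployment entry in `permissions/new/provisioningInfo.json`, which the description says was extended in the same sync.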
The new "InfoProtectABACPolicy.ReadWrite.All" permission block is mis-indented compared to adjacent permission keys (extra leading spaces) and doesn’t follow the file’s consistent 2-space nesting indentation. Please reformat this section to align with surrounding entries.
Weekly Permissions sync 2026-04-20