
feat: non-admin setup flow, a365 setup admin command, and cleanup 403 fixes#320

Merged
sellakumaran merged 30 commits into main from users/sellak/non-admin
Mar 24, 2026

Conversation


@sellakumaran sellakumaran commented Mar 16, 2026

This PR addresses five problems that existed before this change:

1. a365 setup all failed with multiple errors for Agent ID Developers (non-admin)
An Agent ID Developer cannot set inheritable permissions on a blueprint or configure OAuth2
permission grants — those operations require Agent ID Administrator role or higher. Running
setup all as a Developer attempted all of these steps anyway, producing a series of 403 errors
with no explanation of which steps require elevation and no guidance on what to do next.

2. a365 setup all failed with multiple errors for Agent ID Administrators (non-admin)
An Agent ID Administrator can set inheritable permissions and configure OAuth2 grants, but cannot
grant tenant-wide admin consent — that requires Global Administrator. Running setup all as an
Agent ID Admin succeeded on the first two steps but failed on consent, with no clear indication
that the failure was a role boundary and not a bug, and no actionable next step.

3. There was no way for a Global Administrator to complete OAuth2 grants without running the full setup
After setup all by a non-GA user, the GA had no dedicated command to complete the AllPrincipals
oauth2PermissionGrants step. The old summary referenced a365 setup admin but the command did not exist.

4. CLI output was noisy and unclear
Multiple redundant log lines, inconsistent spacing, and unhelpful error messages (e.g., a 60-second
timeout waiting for a browser consent that would never succeed for non-admin users) made it
difficult to understand what the CLI was doing and whether each step succeeded.

5. a365 cleanup failed with 403 errors — three separate root causes

  • Wrong Graph scope: blueprint deletion was using AgentIdentityBlueprint.ReadWrite.All.
    Per the Agent ID permissions reference, ReadWrite.All is not the correct scope for DELETE —
    AgentIdentityBlueprint.DeleteRestore.All is required.
  • Wrong URL pattern: the DELETE request used an incorrect URL shape for the blueprint endpoint,
    which caused Graph to reject the request.
  • Cross-user token contamination on shared machines: PowerShell Connect-MgGraph caches tokens
    by (tenant + clientId + scopes) with no user identity in the key. On a shared machine where a
    developer had previously run a365 setup, a Global Administrator running a365 cleanup silently
    reused the developer's cached token. The token contained the right scope but the wrong user
    identity (oid), so Graph returned 403 — a non-admin cannot delete another user's blueprint.

Behavior after fix

| Persona | Before | After |
|---|---|---|
| Agent ID Developer runs a365 setup all | Multiple failures; summary unclear | Completes the steps it can; immediately outputs a consent URL to share with an admin instead of timing out |
| Agent ID Admin runs a365 setup all | Same failures as Developer; unclear which steps need escalation | Completes OAuth2 grants and inheritable permissions; outputs clear guidance to run a365 setup admin for the GA-only step |
| Global Admin runs a365 setup admin | Command did not exist | Displays a per-resource consent preview with tenant-wide impact warning, prompts for confirmation, then creates AllPrincipals grants |
| Global Admin runs a365 setup all | Multiple browser prompts, one per resource | At most one browser prompt covering all resources; missing client app permissions are auto-patched |
| Global Admin runs a365 cleanup on a shared machine | 403 — wrong user's cached token used | Succeeds — MSAL/WAM acquires a token for the current user, not the last user who ran the CLI |
| Any user on corporate tenant with Conditional Access | Browser blocked by CAP policy → auth failure | WAM authenticates via OS broker without a browser, satisfying device-trust requirements |

Technical details for reviewers

New command: a365 setup admin

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AdminSubcommand.cs

Dedicated command for Global Administrators to complete the AllPrincipals oauth2PermissionGrant
step that setup all skips for non-GA users. Features:

  • Displays a preview table of all resources and scopes that will be granted (consentType=AllPrincipals)
    before executing, so the administrator can review the tenant-wide impact
  • Requires explicit confirmation (y/yes) or --yes / -y to skip the prompt (az CLI convention)
  • Accepts --config-dir to point at a config folder shared by the Agent ID Admin
  • Supports --dry-run to preview operations without making changes
  • Uses InvocationContext for proper Ctrl+C cancellation propagation
  • Background: oauth2PermissionGrant creation always requires DelegatedPermissionGrant.ReadWrite.All,
    an admin-only scope. Non-admin users receive HTTP 403/400 for all resource SPs — there is no
    self-service API path.

Example confirmation prompt:

WARNING: The following OAuth2 grants will be created tenant-wide (consentType=AllPrincipals):

  Blueprint : <AgentDisplayName> (<BlueprintAppId>)
  Tenant    : <TenantId>

  - Microsoft Graph      : Mail.ReadWrite, Mail.Send, Chat.ReadWrite, User.Read.All, Sites.Read.All
  - Agent 365 Tools      : McpServers.Mail.All, McpServersMetadata.Read.All
  - Messaging Bot API    : Authorization.ReadWrite, user_impersonation
  - Observability API    : user_impersonation
  - Power Platform API   : Connectivity.Connections.Read

WARNING: This gives the agent delegated consent for ALL users in the tenant.
Do you want to perform this operation? (y/N):

Core orchestration: BatchPermissionsOrchestrator

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs

Replaces the per-resource permission loop with a three-phase flow:

  1. Resolve — pre-warm the delegated token; look up all required service principals once
  2. Phase 2a (inheritable permissions) — set inheritable permissions on the blueprint SP; 403s caught silently (insufficient role, not an error)
  3. Phase 2b (AllPrincipals grants, GA only) — create oauth2PermissionGrants; used by both setup all (GA path) and setup admin

GrantAdminPermissionsAsync exposes Phase 2b as a standalone entry point for AdminSubcommand.

The orchestrator does not update requiredResourceAccess on Agent Blueprint service principals — that property is not writable for Agent ID entities.

Cross-user token fix: MicrosoftGraphTokenProvider

src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs

MSAL/WAM is now the primary token path; PowerShell Connect-MgGraph is the fallback. MSAL's token
cache is keyed by HomeAccountId (user identity + tenant), so tokens for different users never
collide. On Windows, WAM uses the OS broker — no browser, CAP-compliant. A loginHint is threaded
through all token acquisition calls to prevent WAM from reusing a cached token for a different account.
A test seam (MsalTokenAcquirerOverride) keeps unit tests free of WAM/browser.

Blueprint deletion scope fix: AgentBlueprintService

src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs

DELETE now uses AgentIdentityBlueprint.DeleteRestore.All (correct per permissions reference) and
the correct URL pattern: /beta/applications/microsoft.graph.agentIdentityBlueprint/{id}.

Summary and output: SetupHelpers, SetupResults, AllSubcommand

SetupResults now tracks batch phase outcomes, the admin consent URL, and FIC status. The summary
shows per-step status ([OK] / [PENDING] / [FAILED]), an overall result line, targeted recovery
commands for failed steps, and a dedicated "Next Steps" section when Global Administrator action is
required.

Setup Summary
Completed Steps:
  [OK] Infrastructure configured (already exists)
  [OK] Agent blueprint created (Blueprint ID: <BlueprintAppId>)
  [OK] Inheritable permissions configured and verified
  [PENDING] OAuth2 grants pending — Global Administrator action required (see Next Steps)

Failed Steps:
  [FAILED] Messaging endpoint registration failed: [SETUP_VALIDATION_FAILED] Blueprint messaging endpoint registration failed

Setup completed with errors

Recovery Actions:
  - Messaging Endpoint: Run 'a365 setup blueprint --endpoint-only' to retry
    If there's a conflicting endpoint, delete it first: a365 cleanup blueprint --endpoint-only

Next Steps — Global Administrator action required:
  OAuth2 permission grants require a Global Administrator.
  Option 1 — Run the CLI as a Global Administrator:
    a365 setup admin --config-dir "<path-to-config-folder>"
  Option 2 — Share a single consent URL with your Global Administrator:
    https://login.microsoftonline.com/<TenantId>/v2.0/adminconsent?client_id=<BlueprintAppId>&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FMail.Send%20...&redirect_uri=https%3A%2F%2Fentra.microsoft.com%2FTokenAuthorize

Consolidation: AzCliHelper

src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/AzCliHelper.cs

Extracts the repeated az account show + JSON parse pattern into a single static helper used
by both AllSubcommand and AdminSubcommand.

Scope decisions

| Operation | Scope | Rationale |
|---|---|---|
| Blueprint deletion | AgentIdentityBlueprint.DeleteRestore.All | Correct scope per permissions reference; ReadWrite.All does not cover DELETE |
| FIC create/delete | Application.ReadWrite.All | Ownership-based — works for app owners without a role requirement |
| GA and Agent ID Admin role detection | Directory.Read.All (already consented) | Both role checks use this scope; avoids an additional consent prompt for RoleManagement.Read.Directory |
| AllPrincipals grants (setup admin) | DelegatedPermissionGrant.ReadWrite.All | Admin-only scope required by Graph API for oauth2PermissionGrant creation |
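The cross-user token contamination described under problem 5 (a cache keyed by tenant + clientId + scopes with no user identity in the key) and the fix described under "Cross-user token fix" (a cache keyed by MSAL's HomeAccountId) can be reproduced without Graph or WAM. The following is an added example, not code from this PR or from the a365 DevTools CLI: a Python simulation of the two cache-key designs in front of a simplified stand-in for Graph's authorization decision on the blueprint DELETE. The tenant, client and user identifiers are constructed; the only real format it relies on is MSAL's HomeAccountId, `<oid>.<tenant_id>`. It does not model WAM, the OS broker or the loginHint plumbing, only why the key shape matters on a shared machine.

```python
"""Token-cache keying on a shared machine: identity-blind key vs. HomeAccountId key.

Added example (not a365 CLI code). All ids below are constructed.
"""
from dataclasses import dataclass

TENANT = "tenant-0000"            # constructed tenant id
CLIENT_ID = "cli-client-1111"     # constructed public-client app id
DELETE_SCOPE = "AgentIdentityBlueprint.DeleteRestore.All"


@dataclass(frozen=True)
class Account:
    oid: str
    tenant_id: str
    upn: str

    @property
    def home_account_id(self) -> str:
        # MSAL's HomeAccountId is "<oid>.<tenant_id>": the user's identity is part of it.
        return f"{self.oid}.{self.tenant_id}"


@dataclass(frozen=True)
class Token:
    oid: str               # identity the token was issued to
    scopes: frozenset      # delegated scopes carried by the token


class TokenCache:
    """In-memory cache. `include_account` toggles whether identity is part of the key."""

    def __init__(self, include_account: bool):
        self.include_account = include_account
        self._entries: dict = {}
        self.interactive_acquisitions = 0   # how many times a real sign-in was needed

    def _key(self, account: Account, scopes) -> tuple:
        key = (account.tenant_id, CLIENT_ID, frozenset(scopes))
        # Pre-fix shape: identical key for every user who asks for the same scopes.
        # Fixed shape: the HomeAccountId separates users.
        return key + (account.home_account_id,) if self.include_account else key

    def acquire(self, account: Account, scopes) -> Token:
        key = self._key(account, scopes)
        token = self._entries.get(key)
        if token is None:
            # Stand-in for an interactive sign-in: the STS issues a token to `account`.
            self.interactive_acquisitions += 1
            token = Token(oid=account.oid, scopes=frozenset(scopes))
            self._entries[key] = token
        return token


def graph_delete_blueprint(token: Token, blueprint_owner_oid: str, global_admin_oids: set) -> int:
    """Simplified stand-in for Graph's check on DELETE: right scope AND right caller."""
    if DELETE_SCOPE not in token.scopes:
        return 403   # wrong scope (the ReadWrite.All bug on the page)
    if token.oid != blueprint_owner_oid and token.oid not in global_admin_oids:
        return 403   # right scope, wrong identity (the shared-machine bug on the page)
    return 204


def shared_machine_cleanup(include_account: bool) -> dict:
    """Developer warms the cache, then a Global Admin runs cleanup on the same machine."""
    dev = Account(oid="oid-dev", tenant_id=TENANT, upn="dev@example.test")
    ga = Account(oid="oid-ga", tenant_id=TENANT, upn="ga@example.test")
    cache = TokenCache(include_account)
    scopes = [DELETE_SCOPE]

    cache.acquire(dev, scopes)                 # 1. developer ran setup earlier
    ga_token = cache.acquire(ga, scopes)       # 2. GA runs cleanup afterwards
    status = graph_delete_blueprint(
        ga_token, blueprint_owner_oid="oid-ga", global_admin_oids={"oid-ga"})
    return {"token_oid": ga_token.oid, "status": status,
            "interactive": cache.interactive_acquisitions}


if __name__ == "__main__":
    print("identity-blind key :", shared_machine_cleanup(include_account=False))
    print("HomeAccountId key  :", shared_machine_cleanup(include_account=True))
```

With the identity-blind key the GA's request is served the developer's token (`token_oid` is `oid-dev`) and the DELETE is refused even though the scope is correct; with the HomeAccountId in the key the GA pays one extra sign-in and the DELETE succeeds. Token reuse across users can therefore be detected in the CLI's own logs by comparing the signed-in user (the `az account show` user the PR threads through as loginHint) with the `oid` of the token actually presented.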

…dmin consent detection

- FederatedCredentialService: fix FIC creation/deletion to use Application.ReadWrite.All
  delegated scope so non-admin app owners can manage their own blueprint credentials

- GraphApiService: add IsCurrentUserAdminAsync using Directory.Read.All (already consented)
  to detect admin role without a separate consent requirement; avoids circular dependency
  with RoleManagement.Read.Directory

- BlueprintSubcommand: non-admin users now skip browser consent immediately and receive
  actionable consent URLs (blueprint app + optional client app) instead of a 60-second timeout

- ClientAppValidator: add self-healing auto-provision for missing client app permissions;
  EnsurePermissionsConfiguredAsync patches requiredResourceAccess and extends existing
  OAuth2 grant scopes without requiring manual intervention

- AuthenticationConstants: remove RoleManagement.Read.Directory from RequiredClientAppPermissions;
  Directory.Read.All is sufficient for transitive role membership lookup

- SetupResults: add AdminConsentUrl, FederatedCredentialConfigured, FederatedCredentialError
  fields to support recovery guidance in setup summary

- AllSubcommand: track FIC status and admin consent URL in setup results; improve endpoint
  registration error messages with failure reason detail

- SetupHelpers: update DisplaySetupSummary recovery section to show admin consent URL
  when available instead of generic retry instruction

- RequirementsSubcommand/InfrastructureSubcommand: remove Agent365ServiceRoleCheck;
  clean up prerequisite runner usage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

github-actions bot commented Mar 16, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c6cdaad.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

Introduces BatchPermissionsOrchestrator with a three-phase flow so
admin consent is attempted exactly once in 'setup all'. Standalone
permission commands (mcp, bot, custom) are refactored as thin
spec-builders delegating to the orchestrator. Blueprint consent is
deferred via BlueprintCreationOptions(DeferConsent: true).

Phase 1 resolves all service principals once (no retry for blueprint SP
— Agent Blueprint SPs are not queryable via standard Graph endpoint).
Phase 2 sets OAuth2 grants and inheritable permissions; 403 responses
are caught silently and treated as insufficient role without logging an
error. Phase 3 checks for existing consent before opening a browser and
returns a consolidated URL for non-admins.

requiredResourceAccess is not updated — it is not supported for Agent
Blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Improves the a365 setup flow for non-admin users by introducing a three-phase batch permissions orchestrator, adding admin-role detection via Graph, and enhancing setup result reporting and recovery guidance.

Changes:

  • Added BatchPermissionsOrchestrator + ResourcePermissionSpec to configure Graph/MCP/Bot/Custom permissions in a single consolidated flow and produce an actionable admin consent URL for non-admins.
  • Enhanced setup orchestration and summaries (AllSubcommand, BlueprintSubcommand, SetupHelpers, SetupResults) to track federated credential status and consent URLs, and to reduce non-admin timeouts.
  • Updated Graph/auth utilities and tests (Graph role detection, console formatting, requirement checks) to support the new flow and revised messaging.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 7 comments.

| File | Description |
|---|---|
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs | Updates assertions to match revised Frontier Preview messaging. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs | Adjusts test expectation for empty-string logging behavior (blank line). |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs | Adds tests for the new Agent ID admin role detection helper. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs | Updates mocks for Graph API scope parameter additions. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs | New regression tests for verification URL output and JSON casing. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/RequirementsSubcommandTests.cs | Updates tests for new GetRequirementChecks signature. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs | Updates tests for role assignment pre-check behavior and logging expectations. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs | New tests for orchestrator phase independence and consent URL behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/design.md | Updates permissions architecture documentation and diagrams. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs | Revises warning message/details for Frontier Preview check. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs | Refines log levels/messages to reduce noisy warnings with stack traces. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs | Adjusts fallback logging to separate debug exception from warning message. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs | Allows empty log messages to emit intentional blank lines. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs | Adds admin-role detection helpers and supports scoped Graph calls. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs | Uses delegated Application.ReadWrite.All scopes; improves 403 handling and retry behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs | Inserts intentional blank line in console output. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs | Adds self-healing permission provisioning and consent grant scope extension. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs | Improves endpoint registration error reporting by parsing stable error codes/messages. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs | Tweaks logging severity for expected 403s; adds optional required scopes to Graph calls. |
| src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs | Introduces RoleManagementReadDirectoryScope constant and updates required permission lists/comments. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs | Adds consent URL + federated credential status/error fields for summary/recovery. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs | Updates verification URL generation and recovery summary behavior (consent URL, FIC status). |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs | New record to describe resource permission configuration inputs. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs | Updates signatures/wiring for requirement check construction. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md | Documents new orchestrator/spec types and updated responsibilities. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs | Switches MCP/Bot/Custom flows to batch orchestrator; exposes helpers for reuse. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs | Adds role assignment pre-check using inherited roles and improves spacing in output. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs | Adds setup result fields (endpoint failure reason, FIC, consent URL) and non-admin consent detection behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs | New options record to defer consent/inheritable permissions in orchestration. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs | New three-phase batch permissions orchestration implementation. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs | Reorders setup-all flow to defer consent, run batch permissions once, and register endpoint last. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupCommand.cs | Wires updated RequirementsSubcommand signature. |


sellakumaran and others added 2 commits March 17, 2026 15:46
- Fix dead command reference in recovery guidance (a365 setup admin -> a365 setup all)
- Fix mermaid diagram language tag typo in design.md (mermard -> mermaid)
- Fix XML doc for IsCurrentUserAdminAsync to reference Directory.Read.All scope
- Fix AuthenticationConstants comment to reference IsCurrentUserAgentIdAdminAsync
- Fix BatchPermissionsOrchestrator comment incorrectly claiming Phase 1 updates requiredResourceAccess
- Remove unused executor parameter from GetRequirementChecks and GetConfigRequirementChecks
- Add debug logging in ReadMcpScopesAsync when no scopes found
- Replace per-resource permission flags in setup all summary with batch phase fields
- Remove separator lines from setup summary to align with az cli output conventions
- Remove FIC from completed steps (only surfaces on failure)
- Add JWT token inspection and force-refresh retry for endpoint registration role errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…mination

PowerShell Connect-MgGraph cached tokens by (tenant + clientId + scopes) with
no user identity in the key. On shared machines, sellakdev's cached session was
silently reused when sellak (Global Admin) ran cleanup, causing 403 on blueprint
DELETE because the token belonged to the wrong user.

Fixes:
- MicrosoftGraphTokenProvider: MSAL/WAM is now primary; PowerShell is fallback.
  WAM token cache is keyed by HomeAccountId (user identity), preventing cross-user
  contamination. On Windows, WAM authenticates via the OS broker without a browser,
  making it compatible with Conditional Access Policies (fixes #294).
- AgentBlueprintService: DELETE uses AgentIdentityBlueprint.DeleteRestore.All scope
  and the correct URL pattern (/beta/applications/microsoft.graph.agentIdentityBlueprint/{id})
- AuthenticationConstants: add ApplicationReadWriteAllScope, DirectoryReadAllScope constants
- FederatedCredentialService: replace magic strings with constants
- GraphApiService: HasDirectoryRoleAsync accepts delegatedScope parameter; agent-admin
  check uses RoleManagement.Read.Directory (lower privilege)
- Tests: add MsalTokenAcquirerOverride seam; add 3 new tests for MSAL-primary path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran requested a review from Copilot March 18, 2026 19:40

Copilot AI left a comment


Pull request overview

This PR improves the non-admin a365 setup experience by restructuring permission configuration into a phased “batch” flow, adding admin-role detection, and introducing several self-healing/diagnostic improvements (Graph permissions, federated credentials, token caching, and setup summaries).

Changes:

  • Introduces BatchPermissionsOrchestrator + ResourcePermissionSpec to run permission setup in three phases with consolidated admin-consent handling and better non-admin recovery output.
  • Updates Graph/auth/token flows (MSAL-first Graph token provider, role detection helpers, per-user token cache key support) and improves logging/error guidance.
  • Adds/updates tests and docs to match the new setup/permissions behavior.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 10 comments.

| File | Description |
|---|---|
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs | Updates expected warning strings for Frontier Preview requirement check. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs | Adds MSAL-vs-PowerShell behavior tests and a test seam for MSAL override. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs | Updates formatter expectations for intentional blank lines. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs | Adds tests for IsCurrentUserAgentIdAdminAsync. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs | Updates mocks for new GraphGetAsync signature with optional scopes. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs | Updates expected delete scope to AgentIdentityBlueprint.DeleteRestore.All. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs | New regression tests for verification URL output and camelCase JSON property handling. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs | Updates role assignment flow assertions; removes log assertions. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs | New tests for orchestrator phase independence and non-admin consent URL behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/design.md | Updates permissions architecture description to reflect batch flow and blueprint limitations. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs | Updates warning wording and details URL text. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs | Adjusts exception logging to log stack traces at debug and user-facing messages at warning/error. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs | Makes MSAL primary with PowerShell fallback; adds token cache and a unit-test override seam. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs | Treats empty-string messages as intentional blank lines. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs | Adds IsCurrentUserAdminAsync / IsCurrentUserAgentIdAdminAsync and shared role-membership paging helper. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs | Forces specific delegated scope for FIC operations; improves retry/403 handling and guidance. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs | Uses blank-line logging to create spacing via the formatter behavior change. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs | Adds self-healing auto-provisioning of missing client app permissions and best-effort oauth2 grant scope extension. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs | Adds token refresh retry when backend reports invalid roles; improves disposal and diagnostics helpers. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs | Extends cache key format to optionally include user identity. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs | Updates delete scopes/endpoint patterns; improves 403 handling and Graph response reporting. |
| src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs | Adds new scope constants and updates required-permissions commentary. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs | Adds fields for admin consent URL, batch phase results, and federated credential status/error. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs | Fixes verification URL generation and summary/recovery output for batch consent URL flow. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs | New record describing per-resource permission requirements for the batch orchestrator. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs | Adjusts logging and signature (adds executor param). |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md | Documents new batch orchestrator and updated responsibilities. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs | Routes MCP/Bot/Custom permission flows through batch orchestrator; exposes helpers for tests/callers. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs | Improves role assignment logic and reduces noisy verification steps; adds spacing/log detail. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs | Moves exception details to debug logs while keeping user-facing errors concise. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs | Adds results tracking (FIC/admin consent URL/endpoint failure reason) and defers consent for setup all. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs | New options record enabling orchestration flags (e.g., defer consent). |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs | New three-phase permissions orchestrator with consolidated consent handling. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs | Switches setup all to: defer blueprint consent, run batch permissions, then register endpoint and display consolidated summary. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupCommand.cs | Wires updated RequirementsSubcommand.CreateCommand signature. |
| CHANGELOG.md | Adds release notes for scopes and token cache behavior. |


sellakumaran and others added 2 commits March 18, 2026 14:14
- GraphApiService: IsCurrentUserAgentIdAdminAsync now uses Directory.Read.All
  (already consented) instead of RoleManagement.Read.Directory (not consented),
  fixing silent false-negative for Agent ID Admin role detection
- AuthenticationConstants: fix RoleManagementReadDirectoryScope doc (was
  incorrectly referencing IsCurrentUserAdminAsync); fix AgentIdentityBlueprintAddRemoveCredsAllScope
  doc to reflect it is not yet used (FIC still uses Application.ReadWrite.All)
- BatchPermissionsOrchestrator: fix duplicate XML summary block; add empty-scope
  filtering before Phase 1/2/3 to prevent HTTP 400 on non-MCP projects
- FederatedCredentialService: fix misleading 403 error message — directs user to
  check blueprint ownership, not to acquire GA/Agent ID Admin role
- RequirementsSubcommand: remove unused executor parameter from CreateCommand
- BotConfigurator: remove dead TryDecodeJwtPayload method
- CHANGELOG: correct FIC scope entry (Application.ReadWrite.All, not AddRemoveCreds.All);
  narrow per-user isolation claim to Graph token path only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Changelog now uses Keep a Changelog format. Added early App Service token validation for `a365 deploy`. Enhanced manifest handling and upload instructions for `a365 publish`. Switched to MSAL/WAM for user-isolated Graph token acquisition. `a365 cleanup` uses correct Graph scope and supports Global Admins. `a365 setup all` surfaces admin consent URLs and requests consent once for all resources. Improved device code/MSAL fallbacks for macOS/Linux, admin consent polling, and exception handling for missing config files.
@sellakumaran sellakumaran changed the title from "fix: improve non-admin setup flow with self-healing permissions and admin consent detection" to "fix: non-admin setup failures, unclear summary, noisy output, and cleanup 403 on shared machines" Mar 18, 2026
- Thread az account user as login hint through MsalBrowserCredential so
  WAM/MSAL selects the correct account instead of defaulting to the
  Windows primary account
- Include userId in AuthenticationService file cache key to prevent
  cross-user token reuse on shared machines
- Add 401 retry with forceRefresh in BotConfigurator create and delete
  endpoint paths (previously only retried on 'Invalid roles' 400)
- Remove interpretive error message on ATG 'Invalid roles' — log raw
  API message only
- Add debug log lines for ATG cache key and current user resolution

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran marked this pull request as ready for review March 18, 2026 23:47
@sellakumaran sellakumaran requested review from a team as code owners March 18, 2026 23:47
Copilot AI review requested due to automatic review settings March 18, 2026 23:47

Copilot AI left a comment


Pull request overview

This PR refactors a365 setup all permission/consent handling to better support non-admin personas, reduces noisy/duplicative console output, and hardens token acquisition to avoid cross-user token reuse (especially on shared machines). It also updates cleanup/setup behaviors, adds new batch-permissions orchestration, and expands tests/documentation accordingly.

Changes:

  • Introduces a 3-phase BatchPermissionsOrchestrator to resolve service principals once, apply grants/inheritable permissions in bulk, and surface a single admin-consent flow/URL.
  • Makes MSAL/WAM the primary Graph token path (PowerShell fallback), adds login-hint plumbing to target the correct user identity, and adjusts console/log formatting.
  • Updates setup summary/verification output, role-detection helpers, and adds/updates unit tests and design docs.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 5 comments.

File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions for revised Frontier preview warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds MSAL-vs-PowerShell path tests and caching behavior tests.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates behavior expectation for empty log messages to emit a blank line.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds unit tests for new Agent ID admin role detection method.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Adapts to GraphGetAsync signature changes (scopes parameter).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates deletion-scope assertions for agent identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output and JSON casing.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates role-assignment flow expectations (pre-check with include-inherited).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests covering batch orchestrator empty-spec and non-admin consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates docs to describe the batch permissions architecture and supported layers.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Revises user-facing warning message/details.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds login-hint support and improves logging granularity (debug vs warning/error).
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Makes MSAL/WAM primary auth with PowerShell fallback; adds optional login hint and test seam.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Extends token provider interface to accept an optional login hint.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Treats empty-string messages as intentional blank lines; null still suppresses output.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds role-detection helpers and resolves login hint via az account show for MSAL targeting.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Adds explicit scopes for FIC operations and improves 403 handling/noise.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adds a blank line to improve readability of consent-related output.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing: auto-provision missing permissions and best-effort consent-grant extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds token refresh retry logic for ATG calls; uses az-derived user identity for token caching.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Updates token cache keying to optionally include user identity to prevent cross-user reuse.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Adjusts deletion scope usage for agent identity deletion; tweaks logging around 403s and grants.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for role scopes and AgentIdentityBlueprint Delete/AddRemove scopes; documents scope choices.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Tracks batch phase outcomes, admin consent URL, and FIC status for improved summaries.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Improves verification URL output and revises setup summary/recovery actions for new batch flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New record describing a single resource’s permission needs for batch orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Splits error vs debug logging for exceptions; updates inline comment for client app validation.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new batch orchestrator, specs, and updated helper responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Switches MCP/Bot/custom permissions flows to use batch orchestrator; exposes helper(s) for scope reading.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Adds role pre-check via include-inherited and reduces redundant verification/log noise.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging to avoid noisy stack traces at error level.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds richer result fields (endpoint failure reason, FIC status, consent URL) and supports consent deferral.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record to control blueprint creation orchestration behavior (e.g., defer consent).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New orchestrator implementing the multi-phase permissions + consent flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Reorders setup flow to defer consent and run a consolidated permissions batch, then register endpoint.
CHANGELOG.md Adds unreleased “Fixed” entries describing the cleanup/setup improvements.


sellakumaran and others added 2 commits March 18, 2026 17:06
…Hint parameter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- BatchPermissionsOrchestrator: consent check now loops all resolved
  specs before returning granted=true (was checking only the first)
- BatchPermissionsOrchestrator: use AuthenticationConstants.DirectoryReadAllScope
  constant instead of hard-coded string literal
- PermissionsSubcommand: log message now reflects actual consent outcome
  ("configured successfully" vs "configured; admin consent required")
- InfrastructureSubcommandTests: replace Substitute.For<ILogger> with
  TestLogger that captures log entries; add proper assertions for
  warning (role assignment failure) and info (role already exists) paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 19, 2026 00:34
Copilot AI left a comment

Pull request overview

This PR improves the a365 setup all and a365 cleanup experience across non-admin and admin personas by batching permission configuration/consent, reducing noisy output, and switching Microsoft Graph delegated auth to an MSAL/WAM-first flow to avoid cross-user token reuse on shared machines.

Changes:

  • Introduces a three-phase batch permissions flow (BatchPermissionsOrchestrator) and updates setup all to use it (including improved summary/recovery guidance).
  • Adds MSAL/WAM-first Microsoft Graph token acquisition with optional login-hint routing and PowerShell fallback; updates Graph API callers and tests accordingly.
  • Adjusts scopes, logging/output formatting, and infrastructure role assignment behavior; updates docs and changelog entries.

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 2 comments.

File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions to match new Frontier Preview warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds MSAL/PS fallback and caching tests via override seam.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates behavior expectation for empty-string messages to emit a blank line.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for Agent ID admin role detection logic.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for GraphGetAsync signature/scopes changes.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs Updates test override for browser credential creation signature (login hint).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates scope expectations for Agent Identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output + JSON casing.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates role-assignment pre-check flow assertions and logging verification.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New unit tests for batch permissions phase independence + consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates documented permissions architecture to reflect batch flow and constraints.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Adjusts warning message/details wording for Frontier Preview requirement.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds optional login hint handling and reduces noisy exception logging.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Implements MSAL-first token acquisition + PS fallback, caching, and login-hint plumbing.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Extends token provider contract with optional loginHint.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Allows empty string messages to intentionally emit blank lines.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds login-hint resolution, role detection helpers, and passes hint to token provider.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Adds explicit scopes for FIC operations and improves error handling/retry signaling.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adds intentional spacing in output (blank line).
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing auto-provisioning for missing permissions + best-effort consent extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds token refresh retry logic and user-scoped token caching for endpoint calls.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Extends token cache key to include user identity (prevents cross-user reuse).
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Updates deletion/permission grant handling, logging, and adds scope plumbing to Graph calls.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for Directory role read scopes and AgentIdentityBlueprint DeleteRestore/AddRemoveCreds scopes.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds batch phase outcome tracking + admin consent URL + FIC status fields.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Improves verification URL generation and summary/recovery output; adjusts permission helper call signature.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New spec record used by batch permissions orchestrator.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Adjusts exception logging (error summary + debug details) and clarifies comments.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new batch orchestrator and related setup components.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Refactors permissions setup to use batch orchestrator; exposes helper methods for tests/orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Changes Website Contributor assignment to pre-check inherited roles and reduces noisy verification.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging style (error + debug details).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds FIC/admin-consent result tracking, endpoint failure reason, and DeferConsent option for setup-all orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record to control orchestration (e.g., defer consent).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New three-phase batch permissions/consent implementation.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Updates setup all to defer consent in blueprint step, batch all permissions, then register endpoint.
CHANGELOG.md Adds unreleased fixed entries for cleanup and setup-all behavior improvements.


sellakumaran and others added 2 commits March 18, 2026 19:34
…ment, and client secret

Issue 1 (FIXED): WAM ignores login hint — picks OS default account instead of az-logged-in user
- MsalBrowserCredential: use WithAccount(account) when MSAL cache has a match for the login hint;
  fall back to WithPrompt(SelectAccount) when hint is set but account not in cache
- InteractiveGraphAuthService: resolve login hint via `az account show` before constructing
  MsalBrowserCredential, ensuring Graph client uses the correct user identity

Issue 2 (FIXED): Owner assignment fails with Directory.AccessAsUser.All in token
- BlueprintSubcommand: skip post-creation owner verification when owners@odata.bind was set
  during blueprint creation; ownership is set atomically and the post-check token carries
  Directory.AccessAsUser.All which the Agent Blueprint API explicitly rejects

Issue 3 (RESOLVED): Authorization.ReadWrite scope not found on Messaging Bot API
- Resolved as a symptom of Issue 1; with the correct user authenticated all inheritable
  permissions configure successfully with no errors

Issue 4 (IN PROGRESS): Client secret creation fails for Agent ID Admin
- AuthenticationConstants: add AgentIdentityBlueprintReadWriteAllScope constant; add
  AgentIdentityBlueprint.AddRemoveCreds.All to RequiredClientAppPermissions
- BlueprintSubcommand: use specific AgentIdentityBlueprint.ReadWrite.All scope for addPassword
  to avoid Directory.AccessAsUser.All bundling from .default; add retry on 404 to handle
  Entra eventual consistency after new blueprint creation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add loginHint to MSAL token flow to target Azure CLI user, preventing use of incorrect OS account. Resolve and pass login hint when creating Agent Blueprint secrets. Make ResolveAzLoginHintAsync internal for broader use. Default IMicrosoftGraphTokenProvider to browser/WAM auth. Update comments for scope and login hint usage.
Copilot AI review requested due to automatic review settings March 19, 2026 03:31
Copilot AI left a comment

Pull request overview

This PR improves the a365 setup all and a365 cleanup experience by making permission/configuration steps role-aware, reducing noisy output, and hardening authentication behavior on shared machines (notably by preferring MSAL/WAM and adding login-hint support).

Changes:

  • Introduces a three-phase batch permission flow (BatchPermissionsOrchestrator) to avoid per-resource consent loops and to surface a single admin-consent URL for non-admin users.
  • Updates Graph auth/token acquisition to prefer MSAL/WAM (with login hints) and fall back to PowerShell when needed; adjusts several services to request more precise scopes.
  • Refines setup summary/output formatting, role detection, and adds/updates unit tests for the new flows and messaging.

Reviewed changes

Copilot reviewed 38 out of 38 changed files in this pull request and generated 7 comments.

File Description
CHANGELOG.md Documents setup/cleanup fixes and consent prompting improvements.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates permissions architecture notes to reflect batch flow and Agent Blueprint limitations.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new orchestrator/spec types and updated responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New orchestrator implementing resolve/grant/consent phases.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New spec record describing resource permissions for batch flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs Adds orchestration flag to defer consent/graph inheritable permissions.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Reworks setup all to defer consent then run batch permissions and register endpoint after.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Fixes verification URL JSON casing; simplifies summary output and recovery actions.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds batch phase fields, consent URL tracking, and FIC status fields for summary/recovery.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Switches MCP/Bot/custom permission config to batch orchestrator; adds MCP scope reader helper.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Cleans error logging and clarifies required permission validation context.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Reduces noise and improves role assignment logic (pre-check inherited roles).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging to avoid noisy stack traces at Error level.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds consent deferral, improves endpoint failure reporting, FIC retry behavior, and login-hint usage.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for directory scopes and Agent Blueprint granular scopes.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Adds loginHint to token provider API; adjusts defaults.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Makes MSAL/WAM primary auth path with PowerShell fallback and adds test seam.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds login-hint handling and improves log noise by separating Debug vs Warning/Error.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds login-hint resolution and role checks (GA + Agent ID Admin) via /me/memberOf paging.
src/Microsoft.Agents.A365.DevTools.Cli/Services/InteractiveGraphAuthService.cs Adds az-based login-hint resolution for MSAL/WAM targeting.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Makes token cache key user-aware and passes login hint into browser credential.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds retry behavior for ATG calls (401 + “Invalid roles”) and passes user identity for token caching.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Tightens/clarifies scope usage for agent identity deletion and refines logging on 403 paths.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Ensures explicit scopes for FIC operations; improves 403 handling and retry semantics.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adjusts spacing output (blank line) for readability.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing permission provisioning and best-effort consent grant extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Allows intentional blank lines via empty log messages.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Updates warning text to be clearer and more actionable.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests for orchestrator empty-spec and phase-independence behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL JSON casing and header suppression.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds coverage for MSAL-primary and PS-fallback behavior + caching behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for Agent ID Admin role detection behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for new GraphGetAsync signature changes (scopes param).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates expected scope for agent identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs Updates test seam signature for browser credential creation (loginHint).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates expectations for empty-message behavior (blank line).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions for revised warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates tests to reflect role pre-check behavior and new logger assertions.


@sellakumaran sellakumaran marked this pull request as draft March 19, 2026 03:47
sellakumaran and others added 2 commits March 18, 2026 21:16
…ss-user reuse

AcquireMsalGraphTokenAsync for the blueprint creation httpClient was called
without a login hint, causing WAM to silently return a cached token for the
OS default account instead of the az-logged-in user. This resulted in
Authorization_RequestDenied for identifier URI update and service principal
creation when AgentIdentityBlueprint.* scopes were present in the token.

Resolves the missing Service Principal for newly created blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…portal guidance

- Include loginHint in MicrosoftGraphTokenProvider cache key to prevent cross-user token reuse
- Downgrade speculative auth dialog messages from LogInformation to LogDebug
- Update non-Windows log message to reflect that browser or device code may appear
- Correct FederatedCredentialService remediation message to reference the right Entra portal blade

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce --field/-f to query single config fields from static or generated config.
Standardize generated config to use "messagingEndpoint" (not "botMessagingEndpoint") and update all code/tests accordingly.
Add TryGetConfigField helper and unit tests.
Ensure backward compatibility by migrating legacy keys in MergeDynamicProperties.
Harden consent URLs, fix resource leaks, improve tests

- Replace hardcoded OAuth2 `state` in admin consent URLs with random GUIDs for CSRF protection; centralize URL construction in `SetupHelpers.BuildAdminConsentUrl`
- Dispose overwritten `JsonDocument` in `FederatedCredentialService` to prevent resource leaks
- Improve retry logic to propagate cancellation immediately on user-initiated cancel (Ctrl+C)
- Remove unused CLI option variable (`verbose`) to avoid dead code
- Enhance tests: assert random state in consent URLs and add `because:` documentation to clarify test requirements
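The random-`state` admin consent URL from the first bullet above, plus the callback check that makes the random value useful, as an added C# example; this is not the project's `SetupHelpers.BuildAdminConsentUrl`. The `adminconsent` endpoint and its `admin_consent`/`tenant`/`state` callback parameters are the Microsoft identity platform's; the tenant, client id and redirect URI values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

public static class AdminConsentUrl
{
    // Tenant-wide admin consent endpoint of the Microsoft identity platform.
    private const string Authority = "https://login.microsoftonline.com";

    public static (string Url, string State) Build(string tenantId, string clientId, string redirectUri)
    {
        // Fresh, unguessable state per URL. A fixed state lets a forged callback
        // be accepted by any waiting session (CSRF); a GUID per request does not.
        var state = Guid.NewGuid().ToString("N");
        var url = $"{Authority}/{Uri.EscapeDataString(tenantId)}/adminconsent" +
                  $"?client_id={Uri.EscapeDataString(clientId)}" +
                  $"&state={state}" +
                  $"&redirect_uri={Uri.EscapeDataString(redirectUri)}";
        return (url, state);
    }

    // Accepts the redirect back from the consent page only when admin_consent=True,
    // the echoed state equals the one we issued, and the tenant is the expected one.
    public static bool IsValidCallback(string callbackUrl, string expectedState, string expectedTenant)
    {
        var query = ParseQuery(new Uri(callbackUrl).Query);
        if (!query.TryGetValue("state", out var state) || !FixedTimeEquals(state, expectedState))
            return false;
        if (!query.TryGetValue("admin_consent", out var consent) ||
            !consent.Equals("True", StringComparison.OrdinalIgnoreCase))
            return false;
        return query.TryGetValue("tenant", out var tenant) &&
               string.Equals(tenant, expectedTenant, StringComparison.OrdinalIgnoreCase);
    }

    // Constant-time comparison so a timing side channel cannot confirm a partial state match.
    private static bool FixedTimeEquals(string a, string b)
        => CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));

    private static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            var idx = pair.IndexOf('=');
            var key = WebUtility.UrlDecode(idx < 0 ? pair : pair[..idx]);
            var value = idx < 0 ? "" : WebUtility.UrlDecode(pair[(idx + 1)..]);
            result[key] = value;
        }
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample identifiers, not a real tenant or app registration.
        const string tenant = "contoso.onmicrosoft.com";
        var (url, state) = AdminConsentUrl.Build(
            tenant, "00000000-0000-0000-0000-00000000abcd", "http://localhost:7123/callback");
        Console.WriteLine(url);

        // Genuine callback echoes our state; the forged one carries a guessed state.
        var genuine = $"http://localhost:7123/callback?admin_consent=True&tenant={tenant}&state={state}";
        var forged = $"http://localhost:7123/callback?admin_consent=True&tenant={tenant}&state=12345";
        Console.WriteLine($"genuine accepted: {AdminConsentUrl.IsValidCallback(genuine, state, tenant)}");
        Console.WriteLine($"forged accepted: {AdminConsentUrl.IsValidCallback(forged, state, tenant)}");
    }
}
```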
@sellakumaran

The Graph access token is passed as a command-line argument to az rest. This exposes the full token in the OS process table for the lifetime of the subprocess, visible to all local users via Task Manager, ps aux, ETW process creation events, and crash dumps. GraphApiService already exists in this codebase and makes all Graph calls via HttpClient entirely in-process. ClientAppValidator should inject it and delegate to GraphGetAsync / GraphPatchAsync instead of spawning az rest. Inject GraphApiService into ClientAppValidator.cs.

Fixed in commit 5b05e37. ClientAppValidator now injects GraphApiService and delegates to GraphGetAsync/GraphPatchAsync for all Graph calls. az rest is no longer used — the token is never exposed in the process table.

Copilot AI left a comment

Pull request overview

Copilot reviewed 83 out of 84 changed files in this pull request and generated 5 comments.

Fix ARM API error handling, exit cleanup, and test isolation

- Replace direct Environment.Exit calls with ExceptionHandler.ExitWithCleanup for proper shutdown and cleanup.
- Update ARM API existence methods to return null (not false) for non-404 errors (e.g., 401/403/5xx), ensuring callers fall back to az CLI and don't misinterpret auth errors as missing resources.
- Add unit tests for 401 handling in ARM existence checks.
- Isolate AzCliHelper token cache in tests using xUnit collection and IDisposable to prevent parallel test interference and slow subprocess spawns.
- Clarify comments on [JsonIgnore] usage in Agent365Config.
- Update PR review rules to require reporting on ARM bool? existence method pattern in test-related PRs.
- Make Microsoft Graph API base URL fully configurable via graphBaseUrl in a365.config.json, enabling GCC High/DoD and China 21Vianet support
- Refactor all Graph API calls, token acquisition, and scopes to use the configured base URL
- Update GraphApiConstants and GraphApiService for cloud-agnostic operation
- Add documentation and example config for sovereign cloud usage; rename example config to a365.config.example.jsonc
- Filter non-actionable Azure CLI/Python warnings from stderr in user output; add regression tests for stderr filtering and process cancellation
- Improve error handling and retry logic for service principal creation and OAuth2 grants
- Minor logging, resource cleanup, and documentation improvements
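The `bool?` existence pattern from the ARM bullets above, as an added C# example that is not the project's code: `true` for found, `false` only for a definite 404, `null` for 401/403/5xx so the caller falls back instead of treating an auth failure as "resource missing". The `ArmResourceProbe`, `StubArmHandler`, `DecideAsync` and the `azFallback` delegate are assumptions for this example; the resource ids and api-version are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Three-valued existence answer: true = found, false = definite 404,
// null = undetermined (401/403/5xx). Callers must treat null as "ask another
// way", never as "missing", or an expired or under-privileged token would
// look like an absent resource and trigger a create or a wrong cleanup decision.
public sealed class ArmResourceProbe
{
    private readonly HttpClient _http;
    public ArmResourceProbe(HttpClient http) => _http = http;

    public async Task<bool?> ExistsAsync(string resourceId, string apiVersion, CancellationToken ct)
    {
        // resourceId is the full /subscriptions/... path; the host is the public
        // ARM endpoint, the api-version value is a placeholder for this example.
        var url = $"https://management.azure.com{resourceId}?api-version={apiVersion}";
        using var resp = await _http.GetAsync(url, ct);
        if (resp.IsSuccessStatusCode) return true;
        if (resp.StatusCode == HttpStatusCode.NotFound) return false;
        return null;
    }
}

// Constructed stand-in for ARM: maps the request path to a status code.
public sealed class StubArmHandler : HttpMessageHandler
{
    private readonly Func<string, HttpStatusCode> _statusFor;
    public StubArmHandler(Func<string, HttpStatusCode> statusFor) => _statusFor = statusFor;

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
        => Task.FromResult(new HttpResponseMessage(_statusFor(request.RequestUri.AbsolutePath)));
}

public static class Demo
{
    // The decision a setup/cleanup caller makes. Only a definite false leads to
    // "create"; null falls back to a second source (the real CLI uses az, here a
    // constructed delegate) instead of assuming absence.
    public static async Task<string> DecideAsync(
        ArmResourceProbe probe, string resourceId, Func<Task<bool>> azFallback, CancellationToken ct)
    {
        bool? exists = await probe.ExistsAsync(resourceId, "2022-09-01", ct);
        if (exists == true) return "skip: already exists";
        if (exists == false) return "create";
        var viaAz = await azFallback();
        return viaAz ? "skip: exists (confirmed via az fallback)" : "create (confirmed absent via az fallback)";
    }

    public static async Task Main()
    {
        var handler = new StubArmHandler(path =>
            path.EndsWith("/app-a") ? HttpStatusCode.OK :
            path.EndsWith("/app-b") ? HttpStatusCode.NotFound :
            HttpStatusCode.Forbidden);   // app-c: the caller's token lacks rights
        var probe = new ArmResourceProbe(new HttpClient(handler));

        // Constructed resource ids; the subscription id is a placeholder.
        const string prefix = "/subscriptions/00000000-0000-0000-0000-000000000000" +
                              "/resourceGroups/rg-demo/providers/Microsoft.Web/sites/";
        foreach (var name in new[] { "app-a", "app-b", "app-c" })
        {
            var decision = await DecideAsync(probe, prefix + name, () => Task.FromResult(true), CancellationToken.None);
            Console.WriteLine($"{name}: {decision}");
        }
    }
}
```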
Copilot AI review requested due to automatic review settings March 24, 2026 02:19
Copilot AI left a comment

Pull request overview

Copilot reviewed 91 out of 92 changed files in this pull request and generated 8 comments.

Comments suppressed due to low confidence (2)

src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/RetryHelperTests.cs:167
  • This test is now effectively a no-op: it sets baseDelaySeconds: 0, doesn’t record delays, and asserts only callCount. That no longer verifies the exponential backoff requirement and provides little regression protection. Either restore a small non-zero delay with a measurable assertion (like the DotNetSdkValidation tests) or test the delay calculation directly (e.g., by exposing/injecting a delay provider).

src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/PowerShellModulesRequirementCheckTests.cs:89
  • These tests mutate the process-wide WSL_DISTRO_NAME environment variable. They’re currently only tagged with [Collection("EnvTests")] but there’s no CollectionDefinition disabling parallelization, so they can still run concurrently with other env-mutating tests and become flaky. Add a [CollectionDefinition("EnvTests", DisableParallelization = true)] (or similar) and ensure all env-var tests use it.

@biswapm biswapm self-requested a review March 24, 2026 04:10
- Introduce CleanExitException to avoid deadlocks on process exit; ExceptionHandler.ExitWithCleanup now throws this instead of calling Environment.Exit().
- All az CLI subprocesses now support cancellation and are killed on cancel, preventing zombies and hangs.
- Use ArgumentList for az CLI invocations for safety and cross-platform support.
- Subcommands now use InvocationContext for option parsing and cancellation token support.
- Blueprint setup now surfaces client secret manual action as "Action Required" in summaries.
- GraphApiService.GraphBaseUrl is now settable for sovereign cloud support.
- Requirement checks and AzureAuthValidator now propagate cancellation.
- Tests using AzCliHelper token cache are serialized to prevent race conditions; CommandExecutorTests disables parallelization.
- Example config renamed to .json; design.md and config sample updated.
- Improved logging for manual client secret creation and updated test mocks for new signatures.
Replaced hardcoded "https://graph.microsoft.com/" with graph.GraphBaseUrl when building Microsoft Graph scope URLs. This improves flexibility and allows support for different Graph API base URLs.
Copilot AI review requested due to automatic review settings March 24, 2026 04:48
Copilot AI left a comment

Pull request overview

Copilot reviewed 98 out of 99 changed files in this pull request and generated 3 comments.

@biswapm biswapm self-requested a review March 24, 2026 05:23
biswapm previously approved these changes Mar 24, 2026
Refactored AzCliHelper to read process output and error streams concurrently and await process exit for better cancellation handling and to prevent pipe blocking. Updated a test comment in RetryHelperTests to clarify that only retry count is asserted, not backoff timing.
@sellakumaran sellakumaran merged commit f719a1e into main Mar 24, 2026
8 checks passed
@sellakumaran sellakumaran deleted the users/sellak/non-admin branch March 24, 2026 17:12