microsoft · ITSpecialist111 · Mar 16, 2026
@@ -101,6 +101,8 @@ Required **delegated** Microsoft Graph permissions (all must have **admin consen
 | `DelegatedPermissionGrant.ReadWrite.All` | Grant delegated permissions |
 | `Directory.Read.All` | Read directory data |
 
+> ⚠️ **WARNING — Do NOT use "Grant admin consent" in the Entra portal for this app registration.** The `AgentIdentityBlueprint.*` permissions above are beta-only and are not visible in the Entra admin center UI. If a Global Admin clicks "Grant admin consent" in the portal after these permissions have been granted via Graph API, the portal's consent mechanism will **silently delete** the `AgentIdentityBlueprint.*` grants. All permission grants for this app must be managed exclusively via the Graph API `appRoleAssignments` endpoint. If the permissions are accidentally removed, re-run the Graph API grants to restore them.
+
 If the app does not exist, permissions are missing, or admin consent has not been granted, see "What to do if validation fails" below.
 
 **If validation fails** (app not found, permissions missing, or no admin consent):
@@ -559,12 +561,15 @@ Ask the user: **"Please review and update your manifest.json file with your agen
 
 ### Publish the agent manifest
 
-Run `a365 publish`. This step updates the agent's manifest identifiers and publishes the agent package to Microsoft Online Services (specifically, it registers the agent with the Microsoft 365 admin center under your tenant). What this does:
+Run `a365 publish`. This command updates the agent's manifest identifiers and packages the manifest files into a zip ready for **manual** upload to the Microsoft 365 Admin Center. What this does:
+
+- Updates `manifest.json` and `agenticUserTemplateManifest.json` with your agent blueprint ID.
+- Creates `manifest/manifest.zip` in your project directory.
+- Prints the manual upload URL (Microsoft 365 Admin Center > Agents > All agents > Upload custom agent).
 
-- It takes your project's `manifest.json` (which should define your agent's identity and capabilities) and updates certain identifiers in it (the CLI will inject the Azure AD application blueprint ID where needed).
-- It then publishes the agent manifest/package to your tenant's catalog (so that the agent can be "hired" or installed in Teams and other apps).
+> **Important:** `a365 publish` does **not** automatically upload to the Microsoft 365 Admin Center. After the command completes, you must upload `manifest.zip` manually through the admin center (a browser-only step). Follow the printed instructions or see the post-deployment section below.
 
-Watch for output messages. Successful publish will indicate that the agent manifest is updated and that you can proceed to create an instance of the agent. If there's an error during publish, read it closely. For example, if the CLI complains about being unable to update some manifest or reach the admin center, ensure your account has the necessary privileges and that the custom app registration has the permissions for `Application.ReadWrite.All` (since publish might call Graph to update applications). Also, ensure your internet connectivity is good.
+Watch for output messages indicating the package was created successfully. If there is an error, check that `agentBlueprintId` is populated in your config (run `a365 setup all` first if it is not).
 
 ### Deploy the agent code to Azure
 
@@ -620,9 +625,12 @@ Provide the user with the following instructions:
 
 Provide the user with the following instructions:
 
-1. Open **Teams > Apps** and search for your agent name
-2. Select your agent and click **Request Instance** (or **Create Instance**)
-3. Teams sends the request to your tenant admin for approval
+> **Note (Frontier preview):** During Frontier preview, the blueprint is discoverable via **Microsoft 365 Copilot > Apps**, not Teams > Apps. The "Agents for your team" category in Teams may not be visible even after publishing. Search for your agent in M365 Copilot to Request or Create an instance. After an instance is created, the agent becomes accessible in Teams chat.
+
+1. Open **Microsoft 365 Copilot > Apps** and search for your agent name.
+  *(If not found there, also try Teams > Apps — availability depends on tenant rollout.)*
+2. Select your agent and click **Request Instance** (or **Create Instance**).
+3. Teams sends the request to your tenant admin for approval.
 
 Admins can review and approve requests from the [Microsoft admin center - Requested Agents](https://admin.cloud.microsoft/#/agents/all/requested) page. After approval, Teams creates the agent instance and makes it available.
 

@@ -22,7 +22,10 @@ public NodeBuildFailedException(string projectDirectory, string? npmErrorOutput)
             {
                 "Run 'npm run build' locally in the project directory and fix any TypeScript/webpack/build errors.",
                 "Verify that the 'build' script is defined correctly in package.json.",
-                "If the build depends on environment variables or private packages, ensure those are configured on the machine running 'a365 deploy'.",
+                    "If the error is 'tsc: not found' or similar, move 'typescript' from 'devDependencies' to " +
+                        "'dependencies' in package.json. Azure App Service Oryx runs 'npm install --production' " +
+                        "which skips devDependencies, so build tools like tsc must be in dependencies.",
+                    "If the build depends on environment variables or private packages, ensure those are configured on the machine running 'a365 deploy'.",
                 "After resolving the build issues, rerun 'a365 deploy'."
             },
             context: new Dictionary<string, string>

@@ -595,8 +595,12 @@ private string PromptForAppServicePlanSku(Agent365Config? existingConfig)
         Console.WriteLine("  4. S1  - Standard (auto-scale, staging slots)");
         Console.WriteLine("  5. P1V3 - Premium V3 (high performance)");
         Console.WriteLine();
-        Console.WriteLine("NOTE: Free tier (F1) is recommended for development and testing.");
-        Console.WriteLine("      Basic tier (B1) often has zero quota by default - may require quota increase.");
+            Console.WriteLine("NOTE: B1 (Basic) is the recommended default. It handles the Node.js/TypeScript");
+            Console.WriteLine("      Oryx remote build (npm install + tsc) within the startup timeout.");
+            Console.WriteLine("      F1 (Free) has a 230s cold-start limit that is routinely exceeded by");
+            Console.WriteLine("      TypeScript agent projects during remote build — avoid F1 for Node.js/TS.");
+            Console.WriteLine("      B1 may have zero quota in new subscriptions — if creation fails, request");
+            Console.WriteLine("      a quota increase or try a different Azure region.");
         Console.WriteLine();
 
         var defaultSku = existingConfig?.AppServicePlanSku ?? ConfigConstants.DefaultAppServicePlanSku;

@@ -249,10 +249,26 @@ public async Task<OryxManifest> CreateManifestAsync(string projectDir, string pu
             var buildValue = buildScript.GetString();
             if (!string.IsNullOrWhiteSpace(buildValue))
             {
-                // We always call through npm so it picks up the script from package.json
-                buildCommand = "npm run build";
-                buildRequired = true;
-                _logger.LogInformation("Detected build script; using Oryx build command: {Command}", buildCommand);
+                    // If a dist/ folder was already produced by the local build, do NOT ask Oryx to
+                    // re-run npm run build on Azure. Azure App Service Oryx runs `npm install --production`
+                    // which skips devDependencies, so tools like `tsc` (commonly in devDependencies) are
+                    // not available, causing the Oryx build to fail with "sh: tsc: not found".
+                    // When dist/ exists the compiled output is already in the publish package.
+                    var distPath = Path.Combine(publishPath, "dist");
+                    if (Directory.Exists(distPath))
+                    {
+                        buildCommand = "";
+                        buildRequired = false;
+                        _logger.LogInformation("dist/ folder found in publish output; skipping Oryx remote build " +
+                            "(TypeScript already compiled locally — avoids tsc-not-found on Azure).");
+                    }
+                    else
+                    {
+                        // We always call through npm so it picks up the script from package.json
+                        buildCommand = "npm run build";
+                        buildRequired = true;
+                        _logger.LogInformation("Detected build script; using Oryx build command: {Command}", buildCommand);
+                    }
             }
         }
         else