Skip to content

feat: non-admin setup flow, a365 setup admin command, and cleanup 403 fixes#320

Open
sellakumaran wants to merge 26 commits intomainfrom
users/sellak/non-admin
Open

feat: non-admin setup flow, a365 setup admin command, and cleanup 403 fixes#320
sellakumaran wants to merge 26 commits intomainfrom
users/sellak/non-admin

Conversation

@sellakumaran
Copy link
Contributor

@sellakumaran sellakumaran commented Mar 16, 2026
edited
Loading

This PR addresses five problems that existed before this change:

1. a365 setup all failed with multiple errors for Agent ID Developers (non-admin)
An Agent ID Developer cannot set inheritable permissions on a blueprint or configure OAuth2
permission grants — those operations require Agent ID Administrator role or higher. Running
setup all as a Developer attempted all of these steps anyway, producing a series of 403 errors
with no explanation of which steps require elevation and no guidance on what to do next.

2. a365 setup all failed with multiple errors for Agent ID Administrators (non-admin)
An Agent ID Administrator can set inheritable permissions and configure OAuth2 grants, but cannot
grant tenant-wide admin consent — that requires Global Administrator. Running setup all as an
Agent ID Admin succeeded on the first two steps but failed on consent, with no clear indication
that the failure was a role boundary and not a bug, and no actionable next step.

3. There was no way for a Global Administrator to complete OAuth2 grants without running the full setup
After setup all by a non-GA user, the GA had no dedicated command to complete the AllPrincipals
oauth2PermissionGrants step. The old summary referenced a365 setup admin but the command did not exist.

4. CLI output was noisy and unclear
Multiple redundant log lines, inconsistent spacing, and unhelpful error messages (e.g., a 60-second
timeout waiting for a browser consent that would never succeed for non-admin users) made it
difficult to understand what the CLI was doing and whether each step succeeded.

5. a365 cleanup failed with 403 errors — three separate root causes

  • Wrong Graph scope: blueprint deletion was using AgentIdentityBlueprint.ReadWrite.All.
    Per the Agent ID permissions reference, ReadWrite.All is not the correct scope for DELETE —
    AgentIdentityBlueprint.DeleteRestore.All is required.
  • Wrong URL pattern: the DELETE request used an incorrect URL shape for the blueprint endpoint,
    which caused Graph to reject the request.
  • Cross-user token contamination on shared machines: PowerShell Connect-MgGraph caches tokens
    by (tenant + clientId + scopes) with no user identity in the key. On a shared machine where a
    developer had previously run a365 setup, a Global Administrator running a365 cleanup silently
    reused the developer's cached token. The token contained the right scope but the wrong user
    identity (oid), so Graph returned 403 — a non-admin cannot delete another user's blueprint.

Behavior after fix

Persona Before After
Agent ID Developer runs a365 setup all Multiple failures; summary unclear Completes the steps it can; immediately outputs a consent URL to share with an admin instead of timing out
Agent ID Admin runs a365 setup all Same failures as Developer; unclear which steps need escalation Completes OAuth2 grants and inheritable permissions; outputs clear guidance to run a365 setup admin for the GA-only step
Global Admin runs a365 setup admin Command did not exist Displays a per-resource consent preview with tenant-wide impact warning, prompts for confirmation, then creates AllPrincipals grants
Global Admin runs a365 setup all Multiple browser prompts, one per resource At most one browser prompt covering all resources; missing client app permissions are auto-patched
Global Admin runs a365 cleanup on a shared machine 403 — wrong user's cached token used Succeeds — MSAL/WAM acquires a token for the current user, not the last user who ran the CLI
Any user on corporate tenant with Conditional Access Browser blocked by CAP policy → auth failure WAM authenticates via OS broker without a browser, satisfying device-trust requirements

Technical details for reviewers

New command: a365 setup admin

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AdminSubcommand.cs

Dedicated command for Global Administrators to complete the AllPrincipals oauth2PermissionGrant
step that setup all skips for non-GA users. Features:

  • Displays a preview table of all resources and scopes that will be granted (consentType=AllPrincipals)
    before executing, so the administrator can review the tenant-wide impact
  • Requires explicit confirmation (y/yes) or --yes / -y to skip the prompt (az CLI convention)
  • Accepts --config-dir to point at a config folder shared by the Agent ID Admin
  • Supports --dry-run to preview operations without making changes
  • Uses InvocationContext for proper Ctrl+C cancellation propagation
  • Background: oauth2PermissionGrant creation always requires DelegatedPermissionGrant.ReadWrite.All,
    an admin-only scope. Non-admin users receive HTTP 403/400 for all resource SPs — there is no
    self-service API path.

Example confirmation prompt:

WARNING: The following OAuth2 grants will be created tenant-wide (consentType=AllPrincipals):

  Blueprint : <AgentDisplayName> (<BlueprintAppId>)
  Tenant    : <TenantId>

  - Microsoft Graph      : Mail.ReadWrite, Mail.Send, Chat.ReadWrite, User.Read.All, Sites.Read.All
  - Agent 365 Tools      : McpServers.Mail.All, McpServersMetadata.Read.All
  - Messaging Bot API    : Authorization.ReadWrite, user_impersonation
  - Observability API    : user_impersonation
  - Power Platform API   : Connectivity.Connections.Read

WARNING: This gives the agent delegated consent for ALL users in the tenant.
Do you want to perform this operation? (y/N):

Core orchestration: BatchPermissionsOrchestrator

src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs

Replaces the per-resource permission loop with a three-phase flow:

  1. Resolve — pre-warm the delegated token; look up all required service principals once
  2. Phase 2a (inheritable permissions) — set inheritable permissions on the blueprint SP; 403s caught silently (insufficient role, not an error)
  3. Phase 2b (AllPrincipals grants, GA only) — create oauth2PermissionGrants; used by both setup all (GA path) and setup admin

GrantAdminPermissionsAsync exposes Phase 2b as a standalone entry point for AdminSubcommand.

The orchestrator does not update requiredResourceAccess on Agent Blueprint service principals — that property is not writable for Agent ID entities.

Cross-user token fix: MicrosoftGraphTokenProvider

src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs

MSAL/WAM is now the primary token path; PowerShell Connect-MgGraph is the fallback. MSAL's token
cache is keyed by HomeAccountId (user identity + tenant), so tokens for different users never
collide. On Windows, WAM uses the OS broker — no browser, CAP-compliant. A loginHint is threaded
through all token acquisition calls to prevent WAM from reusing a cached token for a different account.
A test seam (MsalTokenAcquirerOverride) keeps unit tests free of WAM/browser.

Blueprint deletion scope fix: AgentBlueprintService

src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs

DELETE now uses AgentIdentityBlueprint.DeleteRestore.All (correct per permissions reference) and
the correct URL pattern: /beta/applications/microsoft.graph.agentIdentityBlueprint/{id}.

Summary and output: SetupHelpers, SetupResults, AllSubcommand

SetupResults now tracks batch phase outcomes, the admin consent URL, and FIC status. The summary
shows per-step status ([OK] / [PENDING] / [FAILED]), an overall result line, targeted recovery
commands for failed steps, and a dedicated "Next Steps" section when Global Administrator action is
required.

Setup Summary
Completed Steps:
  [OK] Infrastructure configured (already exists)
  [OK] Agent blueprint created (Blueprint ID: <BlueprintAppId>)
  [OK] Inheritable permissions configured and verified
  [PENDING] OAuth2 grants pending — Global Administrator action required (see Next Steps)

Failed Steps:
  [FAILED] Messaging endpoint registration failed: [SETUP_VALIDATION_FAILED] Blueprint messaging endpoint registration failed

Setup completed with errors

Recovery Actions:
  - Messaging Endpoint: Run 'a365 setup blueprint --endpoint-only' to retry
    If there's a conflicting endpoint, delete it first: a365 cleanup blueprint --endpoint-only

Next Steps — Global Administrator action required:
  OAuth2 permission grants require a Global Administrator.
  Option 1 — Run the CLI as a Global Administrator:
    a365 setup admin --config-dir "<path-to-config-folder>"
  Option 2 — Share a single consent URL with your Global Administrator:
    https://login.microsoftonline.com/<TenantId>/v2.0/adminconsent?client_id=<BlueprintAppId>&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FMail.Send%20...&redirect_uri=https%3A%2F%2Fentra.microsoft.com%2FTokenAuthorize

Consolidation: AzCliHelper

src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/AzCliHelper.cs

Extracts the repeated az account show + JSON parse pattern into a single static helper used
by both AllSubcommand and AdminSubcommand.

Scope decisions

Operation Scope Rationale
Blueprint deletion AgentIdentityBlueprint.DeleteRestore.All Correct scope per permissions reference; ReadWrite.All does not cover DELETE
FIC create/delete Application.ReadWrite.All Ownership-based — works for app owners without a role requirement
GA and Agent ID Admin role detection Directory.Read.All (already consented) Both role checks use this scope; avoids an additional consent prompt for RoleManagement.Read.Directory
AllPrincipals grants (setup admin) DelegatedPermissionGrant.ReadWrite.All Admin-only scope required by Graph API for oauth2PermissionGrant creation

@sellakumaran @claude
fix: improve non-admin setup flow with self-healing permissions and a…
0c6c974 
…dmin consent detection

- FederatedCredentialService: fix FIC creation/deletion to use Application.ReadWrite.All
  delegated scope so non-admin app owners can manage their own blueprint credentials

- GraphApiService: add IsCurrentUserAdminAsync using Directory.Read.All (already consented)
  to detect admin role without a separate consent requirement; avoids circular dependency
  with RoleManagement.Read.Directory

- BlueprintSubcommand: non-admin users now skip browser consent immediately and receive
  actionable consent URLs (blueprint app + optional client app) instead of a 60-second timeout

- ClientAppValidator: add self-healing auto-provision for missing client app permissions;
  EnsurePermissionsConfiguredAsync patches requiredResourceAccess and extends existing
  OAuth2 grant scopes without requiring manual intervention

- AuthenticationConstants: remove RoleManagement.Read.Directory from RequiredClientAppPermissions;
  Directory.Read.All is sufficient for transitive role membership lookup

- SetupResults: add AdminConsentUrl, FederatedCredentialConfigured, FederatedCredentialError
  fields to support recovery guidance in setup summary

- AllSubcommand: track FIC status and admin consent URL in setup results; improve endpoint
  registration error messages with failure reason detail

- SetupHelpers: update DisplaySetupSummary recovery section to show admin consent URL
  when available instead of generic retry instruction

- RequirementsSubcommand/InfrastructureSubcommand: remove Agent365ServiceRoleCheck;
  clean up prerequisite runner usage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 16, 2026
edited
Loading

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@sellakumaran @claude
feat: batch permissions orchestrator for non-admin setup flow
76983b1 
Introduces BatchPermissionsOrchestrator with a three-phase flow so
admin consent is attempted exactly once in 'setup all'. Standalone
permission commands (mcp, bot, custom) are refactored as thin
spec-builders delegating to the orchestrator. Blueprint consent is
deferred via BlueprintCreationOptions(DeferConsent: true).

Phase 1 resolves all service principals once (no retry for blueprint SP
— Agent Blueprint SPs are not queryable via standard Graph endpoint).
Phase 2 sets OAuth2 grants and inheritable permissions; 403 responses
are caught silently and treated as insufficient role without logging an
error. Phase 3 checks for existing consent before opening a browser and
returns a consolidated URL for non-admins.

requiredResourceAccess is not updated — it is not supported for Agent
Blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran requested a review from Copilot March 17, 2026 15:51
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves the a365 setup flow for non-admin users by introducing a three-phase batch permissions orchestrator, adding admin-role detection via Graph, and enhancing setup result reporting and recovery guidance.

Changes:

  • Added BatchPermissionsOrchestrator + ResourcePermissionSpec to configure Graph/MCP/Bot/Custom permissions in a single consolidated flow and produce an actionable admin consent URL for non-admins.
  • Enhanced setup orchestration and summaries (AllSubcommand, BlueprintSubcommand, SetupHelpers, SetupResults) to track federated credential status and consent URLs, and to reduce non-admin timeouts.
  • Updated Graph/auth utilities and tests (Graph role detection, console formatting, requirement checks) to support the new flow and revised messaging.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions to match revised Frontier Preview messaging.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Adjusts test expectation for empty-string logging behavior (blank line).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for the new Agent ID admin role detection helper.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for Graph API scope parameter additions.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output and JSON casing.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/RequirementsSubcommandTests.cs Updates tests for new GetRequirementChecks signature.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates tests for role assignment pre-check behavior and logging expectations.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests for orchestrator phase independence and consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates permissions architecture documentation and diagrams.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Revises warning message/details for Frontier Preview check.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Refines log levels/messages to reduce noisy warnings with stack traces.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Adjusts fallback logging to separate debug exception from warning message.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Allows empty log messages to emit intentional blank lines.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds admin-role detection helpers and supports scoped Graph calls.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Uses delegated Application.ReadWrite.All scopes; improves 403 handling and retry behavior.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Inserts intentional blank line in console output.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing permission provisioning and consent grant scope extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Improves endpoint registration error reporting by parsing stable error codes/messages.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Tweaks logging severity for expected 403s; adds optional required scopes to Graph calls.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Introduces RoleManagementReadDirectoryScope constant and updates required permission lists/comments.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds consent URL + federated credential status/error fields for summary/recovery.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Updates verification URL generation and recovery summary behavior (consent URL, FIC status).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New record to describe resource permission configuration inputs.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Updates signatures/wiring for requirement check construction.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new orchestrator/spec types and updated responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Switches MCP/Bot/Custom flows to batch orchestrator; exposes helpers for reuse.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Adds role assignment pre-check using inherited roles and improves spacing in output.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds setup result fields (endpoint failure reason, FIC, consent URL) and non-admin consent detection behavior.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record to defer consent/inheritable permissions in orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New three-phase batch permissions orchestration implementation.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Reorders setup-all flow to defer consent, run batch permissions once, and register endpoint last.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupCommand.cs Wires updated RequirementsSubcommand signature.

You can also share your feedback on Copilot code review. Take the survey.

sellakumaran and others added 2 commits March 17, 2026 15:46
@sellakumaran @claude
fix: address PR review comments and align setup summary with batch flow
fa2c0c7 
- Fix dead command reference in recovery guidance (a365 setup admin -> a365 setup all)
- Fix mermaid diagram language tag typo in design.md (mermard -> mermaid)
- Fix XML doc for IsCurrentUserAdminAsync to reference Directory.Read.All scope
- Fix AuthenticationConstants comment to reference IsCurrentUserAgentIdAdminAsync
- Fix BatchPermissionsOrchestrator comment incorrectly claiming Phase 1 updates requiredResourceAccess
- Remove unused executor parameter from GetRequirementChecks and GetConfigRequirementChecks
- Add debug logging in ReadMcpScopesAsync when no scopes found
- Replace per-resource permission flags in setup all summary with batch phase fields
- Remove separator lines from setup summary to align with az cli output conventions
- Remove FIC from completed steps (only surfaces on failure)
- Add JWT token inspection and force-refresh retry for endpoint registration role errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran @claude
fix: use MSAL/WAM as primary Graph token path to fix cross-user conta…
9aa34a4 
…mination

PowerShell Connect-MgGraph cached tokens by (tenant + clientId + scopes) with
no user identity in the key. On shared machines, sellakdev's cached session was
silently reused when sellak (Global Admin) ran cleanup, causing 403 on blueprint
DELETE because the token belonged to the wrong user.

Fixes:
- MicrosoftGraphTokenProvider: MSAL/WAM is now primary; PowerShell is fallback.
  WAM token cache is keyed by HomeAccountId (user identity), preventing cross-user
  contamination. On Windows, WAM authenticates via the OS broker without a browser,
  making it compatible with Conditional Access Policies (fixes #294).
- AgentBlueprintService: DELETE uses AgentIdentityBlueprint.DeleteRestore.All scope
  and the correct URL pattern (/beta/applications/microsoft.graph.agentIdentityBlueprint/{id})
- AuthenticationConstants: add ApplicationReadWriteAllScope, DirectoryReadAllScope constants
- FederatedCredentialService: replace magic strings with constants
- GraphApiService: HasDirectoryRoleAsync accepts delegatedScope parameter; agent-admin
  check uses RoleManagement.Read.Directory (lower privilege)
- Tests: add MsalTokenAcquirerOverride seam; add 3 new tests for MSAL-primary path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran requested a review from Copilot March 18, 2026 19:40
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the non-admin a365 setup experience by restructuring permission configuration into a phased “batch” flow, adding admin-role detection, and introducing several self-healing/diagnostic improvements (Graph permissions, federated credentials, token caching, and setup summaries).

Changes:

  • Introduces BatchPermissionsOrchestrator + ResourcePermissionSpec to run permission setup in three phases with consolidated admin-consent handling and better non-admin recovery output.
  • Updates Graph/auth/token flows (MSAL-first Graph token provider, role detection helpers, per-user token cache key support) and improves logging/error guidance.
  • Adds/updates tests and docs to match the new setup/permissions behavior.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates expected warning strings for Frontier Preview requirement check.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds MSAL-vs-PowerShell behavior tests and a test seam for MSAL override.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates formatter expectations for intentional blank lines.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for IsCurrentUserAgentIdAdminAsync.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for new GraphGetAsync signature with optional scopes.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates expected delete scope to AgentIdentityBlueprint.DeleteRestore.All.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output and camelCase JSON property handling.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates role assignment flow assertions; removes log assertions.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests for orchestrator phase independence and non-admin consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates permissions architecture description to reflect batch flow and blueprint limitations.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Updates warning wording and details URL text.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adjusts exception logging to log stack traces at debug and user-facing messages at warning/error.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Makes MSAL primary with PowerShell fallback; adds token cache and a unit-test override seam.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Treats empty-string messages as intentional blank lines.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds IsCurrentUserAdminAsync / IsCurrentUserAgentIdAdminAsync and shared role-membership paging helper.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Forces specific delegated scope for FIC operations; improves retry/403 handling and guidance.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Uses blank-line logging to create spacing via the formatter behavior change.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing auto-provisioning of missing client app permissions and best-effort oauth2 grant scope extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds token refresh retry when backend reports invalid roles; improves disposal and diagnostics helpers.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Extends cache key format to optionally include user identity.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Updates delete scopes/endpoint patterns; improves 403 handling and Graph response reporting.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds new scope constants and updates required-permissions commentary.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds fields for admin consent URL, batch phase results, and federated credential status/error.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Fixes verification URL generation and summary/recovery output for batch consent URL flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New record describing per-resource permission requirements for the batch orchestrator.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Adjusts logging and signature (adds executor param).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new batch orchestrator and updated responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Routes MCP/Bot/Custom permission flows through batch orchestrator; exposes helpers for tests/callers.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Improves role assignment logic and reduces noisy verification steps; adds spacing/log detail.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Moves exception details to debug logs while keeping user-facing errors concise.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds results tracking (FIC/admin consent URL/endpoint failure reason) and defers consent for setup all.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record enabling orchestration flags (e.g., defer consent).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New three-phase permissions orchestrator with consolidated consent handling.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Switches setup all to: defer blueprint consent, run batch permissions, then register endpoint and display consolidated summary.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupCommand.cs Wires updated RequirementsSubcommand.CreateCommand signature.
CHANGELOG.md Adds release notes for scopes and token cache behavior.

You can also share your feedback on Copilot code review. Take the survey.

sellakumaran and others added 2 commits March 18, 2026 14:14
@sellakumaran @claude
fix: address Copilot PR review comments
e80c293 
- GraphApiService: IsCurrentUserAgentIdAdminAsync now uses Directory.Read.All
  (already consented) instead of RoleManagement.Read.Directory (not consented),
  fixing silent false-negative for Agent ID Admin role detection
- AuthenticationConstants: fix RoleManagementReadDirectoryScope doc (was
  incorrectly referencing IsCurrentUserAdminAsync); fix AgentIdentityBlueprintAddRemoveCredsAllScope
  doc to reflect it is not yet used (FIC still uses Application.ReadWrite.All)
- BatchPermissionsOrchestrator: fix duplicate XML summary block; add empty-scope
  filtering before Phase 1/2/3 to prevent HTTP 400 on non-MCP projects
- FederatedCredentialService: fix misleading 403 error message — directs user to
  check blueprint ownership, not to acquire GA/Agent ID Admin role
- RequirementsSubcommand: remove unused executor parameter from CreateCommand
- BotConfigurator: remove dead TryDecodeJwtPayload method
- CHANGELOG: correct FIC scope entry (Application.ReadWrite.All, not AddRemoveCreds.All);
  narrow per-user isolation claim to Graph token path only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran
Improve changelog, auth flows, and admin consent handling
f8c6908 
Changelog now uses Keep a Changelog format. Added early App Service token validation for `a365 deploy`. Enhanced manifest handling and upload instructions for `a365 publish`. Switched to MSAL/WAM for user-isolated Graph token acquisition. `a365 cleanup` uses correct Graph scope and supports Global Admins. `a365 setup all` surfaces admin consent URLs and requests consent once for all resources. Improved device code/MSAL fallbacks for macOS/Linux, admin consent polling, and exception handling for missing config files.
@sellakumaran sellakumaran changed the title fix: improve non-admin setup flow with self-healing permissions and admin consent detection fix: non-admin setup failures, unclear summary, noisy output, and cleanup 403 on shared machines Mar 18, 2026
@sellakumaran @claude
fix: correct user identity for ATG and Graph token acquisition
a270a89 
- Thread az account user as login hint through MsalBrowserCredential so
  WAM/MSAL selects the correct account instead of defaulting to the
  Windows primary account
- Include userId in AuthenticationService file cache key to prevent
  cross-user token reuse on shared machines
- Add 401 retry with forceRefresh in BotConfigurator create and delete
  endpoint paths (previously only retried on 'Invalid roles' 400)
- Remove interpretive error message on ATG 'Invalid roles' — log raw
  API message only
- Add debug log lines for ATG cache key and current user resolution

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran marked this pull request as ready for review March 18, 2026 23:47
@sellakumaran sellakumaran requested review from a team as code owners March 18, 2026 23:47
Copilot AI review requested due to automatic review settings March 18, 2026 23:47
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors a365 setup all permission/consent handling to better support non-admin personas, reduces noisy/duplicative console output, and hardens token acquisition to avoid cross-user token reuse (especially on shared machines). It also updates cleanup/setup behaviors, adds new batch-permissions orchestration, and expands tests/documentation accordingly.

Changes:

  • Introduces a 3-phase BatchPermissionsOrchestrator to resolve service principals once, apply grants/inheritable permissions in bulk, and surface a single admin-consent flow/URL.
  • Makes MSAL/WAM the primary Graph token path (PowerShell fallback), adds login-hint plumbing to target the correct user identity, and adjusts console/log formatting.
  • Updates setup summary/verification output, role-detection helpers, and adds/updates unit tests and design docs.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions for revised Frontier preview warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds MSAL-vs-PowerShell path tests and caching behavior tests.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates behavior expectation for empty log messages to emit a blank line.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds unit tests for new Agent ID admin role detection method.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Adapts to GraphGetAsync signature changes (scopes parameter).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates deletion-scope assertions for agent identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output and JSON casing.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates role-assignment flow expectations (pre-check with include-inherited).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests covering batch orchestrator empty-spec and non-admin consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates docs to describe the batch permissions architecture and supported layers.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Revises user-facing warning message/details.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds login-hint support and improves logging granularity (debug vs warning/error).
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Makes MSAL/WAM primary auth with PowerShell fallback; adds optional login hint and test seam.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Extends token provider interface to accept an optional login hint.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Treats empty-string messages as intentional blank lines; null still suppresses output.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds role-detection helpers and resolves login hint via az account show for MSAL targeting.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Adds explicit scopes for FIC operations and improves 403 handling/noise.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adds a blank line to improve readability of consent-related output.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing: auto-provision missing permissions and best-effort consent-grant extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds token refresh retry logic for ATG calls; uses az-derived user identity for token caching.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Updates token cache keying to optionally include user identity to prevent cross-user reuse.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Adjusts deletion scope usage for agent identity deletion; tweaks logging around 403s and grants.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for role scopes and AgentIdentityBlueprint Delete/AddRemove scopes; documents scope choices.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Tracks batch phase outcomes, admin consent URL, and FIC status for improved summaries.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Improves verification URL output and revises setup summary/recovery actions for new batch flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New record describing a single resource’s permission needs for batch orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Splits error vs debug logging for exceptions; updates inline comment for client app validation.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new batch orchestrator, specs, and updated helper responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Switches MCP/Bot/custom permissions flows to use batch orchestrator; exposes helper(s) for scope reading.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Adds role pre-check via include-inherited and reduces redundant verification/log noise.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging to avoid noisy stack traces at error level.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds richer result fields (endpoint failure reason, FIC status, consent URL) and supports consent deferral.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record to control blueprint creation orchestration behavior (e.g., defer consent).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New orchestrator implementing the multi-phase permissions + consent flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Reorders setup flow to defer consent and run a consolidated permissions batch, then register endpoint.
CHANGELOG.md Adds unreleased “Fixed” entries describing the cleanup/setup improvements.

You can also share your feedback on Copilot code review. Take the survey.

sellakumaran and others added 2 commits March 18, 2026 17:06
@sellakumaran @claude
fix: update test override signature for CreateBrowserCredential login…
b5be53e 
…Hint parameter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran @claude
fix: address remaining Copilot PR review comments (#2-5)
4820d73 
- BatchPermissionsOrchestrator: consent check now loops all resolved
  specs before returning granted=true (was checking only the first)
- BatchPermissionsOrchestrator: use AuthenticationConstants.DirectoryReadAllScope
  constant instead of hard-coded string literal
- PermissionsSubcommand: log message now reflects actual consent outcome
  ("configured successfully" vs "configured; admin consent required")
- InfrastructureSubcommandTests: replace Substitute.For<ILogger> with
  TestLogger that captures log entries; add proper assertions for
  warning (role assignment failure) and info (role already exists) paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 19, 2026 00:34
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the a365 setup all and a365 cleanup experience across non-admin and admin personas by batching permission configuration/consent, reducing noisy output, and switching Microsoft Graph delegated auth to an MSAL/WAM-first flow to avoid cross-user token reuse on shared machines.

Changes:

  • Introduces a three-phase batch permissions flow (BatchPermissionsOrchestrator) and updates setup all to use it (including improved summary/recovery guidance).
  • Adds MSAL/WAM-first Microsoft Graph token acquisition with optional login-hint routing and PowerShell fallback; updates Graph API callers and tests accordingly.
  • Adjusts scopes, logging/output formatting, and infrastructure role assignment behavior; updates docs and changelog entries.

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions to match new Frontier Preview warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds MSAL/PS fallback and caching tests via override seam.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates behavior expectation for empty-string messages to emit a blank line.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for Agent ID admin role detection logic.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for GraphGetAsync signature/scopes changes.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs Updates test override for browser credential creation signature (login hint).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates scope expectations for Agent Identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL output + JSON casing.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates role-assignment pre-check flow assertions and logging verification.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New unit tests for batch permissions phase independence + consent URL behavior.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates documented permissions architecture to reflect batch flow and constraints.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Adjusts warning message/details wording for Frontier Preview requirement.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds optional login hint handling and reduces noisy exception logging.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Implements MSAL-first token acquisition + PS fallback, caching, and login-hint plumbing.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Extends token provider contract with optional loginHint.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Allows empty string messages to intentionally emit blank lines.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds login-hint resolution, role detection helpers, and passes hint to token provider.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Adds explicit scopes for FIC operations and improves error handling/retry signaling.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adds intentional spacing in output (blank line).
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing auto-provisioning for missing permissions + best-effort consent extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds token refresh retry logic and user-scoped token caching for endpoint calls.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Extends token cache key to include user identity (prevents cross-user reuse).
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Updates deletion/permission grant handling, logging, and adds scope plumbing to Graph calls.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for Directory role read scopes and AgentIdentityBlueprint DeleteRestore/AddRemoveCreds scopes.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds batch phase outcome tracking + admin consent URL + FIC status fields.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Improves verification URL generation and summary/recovery output; adjusts permission helper call signature.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New spec record used by batch permissions orchestrator.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Adjusts exception logging (error summary + debug details) and clarifies comments.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new batch orchestrator and related setup components.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Refactors permissions setup to use batch orchestrator; exposes helper methods for tests/orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Changes Website Contributor assignment to pre-check inherited roles and reduces noisy verification.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging style (error + debug details).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds FIC/admin-consent result tracking, endpoint failure reason, and DeferConsent option for setup-all orchestration.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs New options record to control orchestration (e.g., defer consent).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New three-phase batch permissions/consent implementation.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Updates setup all to defer consent in blueprint step, batch all permissions, then register endpoint.
CHANGELOG.md Adds unreleased fixed entries for cleanup and setup-all behavior improvements.

You can also share your feedback on Copilot code review. Take the survey.

sellakumaran and others added 2 commits March 18, 2026 19:34
@sellakumaran @claude
fix: resolve Agent ID Admin setup failures for WAM auth, owner assign…
40fe88f 
…ment, and client secret

Issue 1 (FIXED): WAM ignores login hint — picks OS default account instead of az-logged-in user
- MsalBrowserCredential: use WithAccount(account) when MSAL cache has a match for the login hint;
  fall back to WithPrompt(SelectAccount) when hint is set but account not in cache
- InteractiveGraphAuthService: resolve login hint via `az account show` before constructing
  MsalBrowserCredential, ensuring Graph client uses the correct user identity

Issue 2 (FIXED): Owner assignment fails with Directory.AccessAsUser.All in token
- BlueprintSubcommand: skip post-creation owner verification when owners@odata.bind was set
  during blueprint creation; ownership is set atomically and the post-check token carries
  Directory.AccessAsUser.All which the Agent Blueprint API explicitly rejects

Issue 3 (RESOLVED): Authorization.ReadWrite scope not found on Messaging Bot API
- Resolved as a symptom of Issue 1; with the correct user authenticated all inheritable
  permissions configure successfully with no errors

Issue 4 (IN PROGRESS): Client secret creation fails for Agent ID Admin
- AuthenticationConstants: add AgentIdentityBlueprintReadWriteAllScope constant; add
  AgentIdentityBlueprint.AddRemoveCreds.All to RequiredClientAppPermissions
- BlueprintSubcommand: use specific AgentIdentityBlueprint.ReadWrite.All scope for addPassword
  to avoid Directory.AccessAsUser.All bundling from .default; add retry on 404 to handle
  Entra eventual consistency after new blueprint creation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran
Support login hint for MSAL Graph token acquisition
1576643 
Add loginHint to MSAL token flow to target Azure CLI user, preventing use of incorrect OS account. Resolve and pass login hint when creating Agent Blueprint secrets. Make ResolveAzLoginHintAsync internal for broader use. Default IMicrosoftGraphTokenProvider to browser/WAM auth. Update comments for scope and login hint usage.
Copilot AI review requested due to automatic review settings March 19, 2026 03:31
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the a365 setup all and a365 cleanup experience by making permission/configuration steps role-aware, reducing noisy output, and hardening authentication behavior on shared machines (notably by preferring MSAL/WAM and adding login-hint support).

Changes:

  • Introduces a three-phase batch permission flow (BatchPermissionsOrchestrator) to avoid per-resource consent loops and to surface a single admin-consent URL for non-admin users.
  • Updates Graph auth/token acquisition to prefer MSAL/WAM (with login hints) and fall back to PowerShell when needed; adjusts several services to request more precise scopes.
  • Refines setup summary/output formatting, role detection, and adds/updates unit tests for the new flows and messaging.

Reviewed changes

Copilot reviewed 38 out of 38 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
CHANGELOG.md Documents setup/cleanup fixes and consent prompting improvements.
src/Microsoft.Agents.A365.DevTools.Cli/design.md Updates permissions architecture notes to reflect batch flow and Agent Blueprint limitations.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Documents new orchestrator/spec types and updated responsibilities.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs New orchestrator implementing resolve/grant/consent phases.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs New spec record describing resource permissions for batch flow.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintCreationOptions.cs Adds orchestration flag to defer consent/graph inheritable permissions.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs Reworks setup all to defer consent then run batch permissions and register endpoint after.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Fixes verification URL JSON casing; simplifies summary output and recovery actions.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs Adds batch phase fields, consent URL tracking, and FIC status fields for summary/recovery.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs Switches MCP/Bot/custom permission config to batch orchestrator; adds MCP scope reader helper.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs Cleans error logging and clarifies required permission validation context.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs Reduces noise and improves role assignment logic (pre-check inherited roles).
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/CopilotStudioSubcommand.cs Adjusts exception logging to avoid noisy stack traces at Error level.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs Adds consent deferral, improves endpoint failure reporting, FIC retry behavior, and login-hint usage.
src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs Adds constants for directory scopes and Agent Blueprint granular scopes.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/IMicrosoftGraphTokenProvider.cs Adds loginHint to token provider API; adjusts defaults.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs Makes MSAL/WAM primary auth path with PowerShell fallback and adds test seam.
src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs Adds login-hint handling and improves log noise by separating Debug vs Warning/Error.
src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs Adds login-hint resolution and role checks (GA + Agent ID Admin) via /me/memberOf paging.
src/Microsoft.Agents.A365.DevTools.Cli/Services/InteractiveGraphAuthService.cs Adds az-based login-hint resolution for MSAL/WAM targeting.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs Makes token cache key user-aware and passes login hint into browser credential.
src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs Adds retry behavior for ATG calls (401 + “Invalid roles”) and passes user identity for token caching.
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs Tightens/clarifies scope usage for agent identity deletion and refines logging on 403 paths.
src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs Ensures explicit scopes for FIC operations; improves 403 handling and retry semantics.
src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs Adjusts spacing output (blank line) for readability.
src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs Adds self-healing permission provisioning and best-effort consent grant extension.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs Allows intentional blank lines via empty log messages.
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementChecks/FrontierPreviewRequirementCheck.cs Updates warning text to be clearer and more actionable.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BatchPermissionsOrchestratorTests.cs New tests for orchestrator empty-spec and phase-independence behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersVerificationTests.cs New regression tests for verification URL JSON casing and header suppression.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs Adds coverage for MSAL-primary and PS-fallback behavior + caching behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs Adds tests for Agent ID Admin role detection behavior.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/FederatedCredentialServiceTests.cs Updates mocks for new GraphGetAsync signature changes (scopes param).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs Updates expected scope for agent identity deletion.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs Updates test seam signature for browser credential creation (loginHint).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/CleanConsoleFormatterTests.cs Updates expectations for empty-message behavior (blank line).
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs Updates assertions for revised warning text.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/InfrastructureSubcommandTests.cs Updates tests to reflect role pre-check behavior and new logger assertions.

You can also share your feedback on Copilot code review. Take the survey.

@sellakumaran sellakumaran marked this pull request as draft March 19, 2026 03:47
sellakumaran and others added 2 commits March 18, 2026 21:16
@sellakumaran @claude
fix: pass login hint to blueprint httpClient token to prevent WAM cro…
f37d1aa 
…ss-user reuse

AcquireMsalGraphTokenAsync for the blueprint creation httpClient was called
without a login hint, causing WAM to silently return a cached token for the
OS default account instead of the az-logged-in user. This resulted in
Authorization_RequestDenied for identifier URI update and service principal
creation when AgentIdentityBlueprint.* scopes were present in the token.

Resolves the missing Service Principal for newly created blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran @claude
fix: address Copilot review comments on token cache, log levels, and …
80bf137 
…portal guidance

- Include loginHint in MicrosoftGraphTokenProvider cache key to prevent cross-user token reuse
- Downgrade speculative auth dialog messages from LogInformation to LogDebug
- Update non-Windows log message to reflect that browser or device code may appear
- Correct FederatedCredentialService remediation message to reference the right Entra portal blade

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran @claude
feat: add a365 setup admin command for Global Administrator OAuth2 gr…
4cc1c30 
…ants

- Add AdminSubcommand that creates AllPrincipals oauth2PermissionGrants
  for all configured resources, completing the GA-only step after setup all
- Add --yes/-y flag to skip confirmation prompt (az CLI convention)
- Add DisplayAdminConsentPreview showing blueprint, tenant, and per-resource
  scopes before executing; uses WARNING: prefix for tenant-wide impact
- Add BatchPermissionsOrchestrator.GrantAdminPermissionsAsync for Phase 2b
  (AllPrincipals grants only, separate from Phase 2a inheritable permissions)
- Add AzCliHelper consolidating az account show + JSON parse (DRY fix)
- Wire InvocationContext into AdminSubcommand.SetHandler to propagate
  CancellationToken from Ctrl+C rather than CancellationToken.None
- Remove unused blueprintService and clientAppValidator from AdminSubcommand
- Fix GetMgGraphAccessTokenAsync NSubstitute mocks (missing 6th loginHint arg)
- Add guard in ConfigureBotPermissionsAsync for empty AgentBlueprintId
- Update PermissionsSubcommand test: missing manifest returns true because
  McpServersMetadata.Read.All is always seeded before manifest is read

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran changed the title fix: non-admin setup failures, unclear summary, noisy output, and cleanup 403 on shared machines feat: non-admin setup flow, a365 setup admin command, and cleanup 403 fixes Mar 20, 2026
sellakumaran and others added 2 commits March 19, 2026 19:54
@sellakumaran @claude
feat: add consent URL generation, fix SP retry, and improve setup output
6a19be9 
Consent URL generation (setup all, non-GA path):
- Populate resourceConsents[].consentUrl in a365.generated.config.json
  for all 5 resources when the current user lacks the GA role
- Terminal output now shows resource names and file path instead of
  printing raw encoded URLs; find them under resourceConsents[].consentUrl
- Fix \u0026 encoding: use JavaScriptEncoder.UnsafeRelaxedJsonEscaping so
  consent URLs in the JSON file keep literal '&' for direct copy-paste
- Remove duplicate admin consent warning from Warnings section (Next Steps
  block already covers it); remove orphaned config folder hint line

SP creation reliability:
- Extend retry predicate to catch 403 Forbidden in addition to 400 BadRequest
  (Agent Blueprint replication lag can surface as either status code)
- Increase maxRetries 8->10, baseDelaySeconds 5->8 for longer replication window
- LogWarning -> LogError after all retries exhausted
- Surface SP creation failure in SetupResults.Warnings when
  AgentBlueprintServicePrincipalObjectId is null after blueprint step

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran
Improve admin consent URLs, retry logic, and testability
7430bff 
- Use scope constants for admin consent URL generation; ensure scopes are percent-encoded and joined with %20, not raw ampersands
- Add unit tests for consent URL construction and config population
- Enhance retry logic for service principal creation: distinguish transient 403 errors and retry only for replication lag
- Add async retry helper overload for operations needing async predicates
- Make GraphApiService login hint resolution injectable for test isolation
- Update tests to use full mocks and no-op login hint resolvers, preventing real CLI processes
- Use relaxed JSON encoder for config serialization to preserve literal '&' in URLs
- Update comments and docs for clarity
Copilot AI review requested due to automatic review settings March 20, 2026 03:53
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 59 out of 60 changed files in this pull request and generated 4 comments.

@biswapm biswapm self-requested a review March 20, 2026 12:45
@sellakumaran @claude
fix: Copilot review comments, GA role detection, combined consent URL…
960517a 
…, and tests

- Fix Task.Delay missing CancellationToken (AllSubcommand)
- Fix Environment.Exit -> ExceptionHandler.ExitWithCleanup (AdminSubcommand)
- Fix pipe buffer deadlock in AzCliHelper by reading stderr concurrently
- Fix GA role detection: use DirectoryReadAllScope for transitiveMemberOf query
- Fix blueprint auth message: remove incorrect 'Global Administrator' requirement
- Add combined single adminconsent URL as Option 2 in Next Steps output
- Add BuildCombinedConsentUrl helper and SetupResults.CombinedConsentUrl property
- Add unit tests for BuildCombinedConsentUrl in SetupHelpersConsentUrlTests
- Update pr-code-reviewer.md with anti-patterns 7-9 (Task.Delay, stderr deadlock, Environment.Exit)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ajmfehr
ajmfehr previously approved these changes Mar 20, 2026
View reviewed changes
sellakumaran and others added 4 commits March 21, 2026 13:13
@sellakumaran @claude
perf: eliminate real process/network/delay costs in test paths
3dc1e2e 
Add optional injectable parameters (commandRunner, loginHintResolver,
executor, retryDelayMsOverride) to production code with backward-
compatible defaults so tests can bypass real az/pwsh process spawns,
HTTPS calls, and Task.Delay waits. All production call sites are
unaffected when the parameters are omitted.

Also fixes a behavioral bug in BatchPermissionsOrchestrator: when
Phase 1 auth fails the admin-check now defaults to DoesNotHaveRole
instead of Unknown, preventing a spurious browser open and poll.
GrantAdminConsentAsync logs a distinct message distinguishing auth
failure from a confirmed non-GA-role result.

EnsureAppServicePlanExistsAsync gains a CancellationToken parameter
so Ctrl+C can cancel the plan-verification retry loop.

Test suite: 1224 tests, 0 failures, ~6 s (down from ~32 s).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran
Improve auth reliability, logging, and test rigor
a688b6a 
- Pass login hint (UPN/email) to all token acquisition calls to ensure correct account selection, especially with WAM on Windows.
- Always include a fixed, registered redirect URI in admin consent URLs to prevent AADSTS500113; encode all scope values and assert encoding in tests.
- Suppress exception details from console output; log full details to file only. Update tests to assert this behavior.
- Demote many internal log messages to LogDebug for cleaner CLI output.
- Temporarily disable blueprint messaging endpoint registration in CLI; direct users to Teams Developer Portal.
- Clarify setup summary output, separating completed, pending, and failed steps.
- Update copilot-instructions.md to require `because:` clauses for non-obvious test assertions and flag tests changed to match implementation.
- Improve exception handling in Program.cs for startup errors.
- Minor log message and formatting improvements throughout.
@sellakumaran
perf: eliminate repeated az CLI subprocess spawns across setup phases
da6f750 
- Cache 'az account show' result process-wide in AzCliHelper.ResolveLoginHintAsync
  using a volatile Task<string?>? field. All services that resolve the login hint
  share one subprocess call per CLI invocation. Expected savings: ~60-80s.

- Cache 'az account get-access-token' result process-wide in AzCliHelper.AcquireAzCliTokenAsync
  using ConcurrentDictionary<string, Task<string?>> keyed by (resource, tenantId).
  ClientAppValidator, GraphApiService, and DelegatedConsentService all share one token
  acquisition per key. Expected savings: ~40s.

- Remove GraphApiService instance-level 5-min TTL cache (AzCliTokenCacheDuration,
  _cachedAzCliToken fields) — superseded by the process-level cache, which is shared
  across all GraphApiService instances and therefore more effective.

- CAE and forced re-auth paths call AzCliHelper.InvalidateAzCliTokenCache() before
  re-acquiring so stale tokens are never served from cache after revocation.

- Both caches use injectable test seams (LoginHintResolverOverride,
  AzCliTokenAcquirerOverride) so unit tests never spawn real az processes.
  Tests updated accordingly; GraphApiServiceTokenCacheTests rewritten to assert
  process-level caching behavior including the cross-instance scenario.
@sellakumaran
Refactor infra/client validation: direct ARM/Graph HTTP
5b05e37 
Eliminate slow az CLI subprocesses in infra and client app validation by
introducing ArmApiService and refactoring ClientAppValidator to use
GraphApiService for all Graph calls. All resource, RBAC, and app
registration checks now use direct HTTP, falling back to az CLI only
if needed.

Performance impact:
- a365 setup all: 8m12s -> 2m12s (6-minute reduction)
- Per-check latency: 15-35s -> ~0.5s (ARM) / ~200ms (Graph)
- Test suite: ~3 minutes -> 7 seconds (1230 tests)

Also:
- Removes token-in-CLI-arg security risk in ClientAppValidator
- Adds AzCliHelper process-level caches for login hint and token
  acquisition, shared across all services in a single CLI invocation
- CR fixes: CancellationToken from InvocationContext, IDisposable on
  ArmApiService, InvalidateLoginHintCache for production login path
- Test classes pre-warm AzCliHelper token cache; GraphApiService
  instances use loginHintResolver injection to bypass az subprocesses
- Review skill updated with anti-pattern for test performance regressions
Copilot AI review requested due to automatic review settings March 22, 2026 03:48
Copilot AI reviewed Mar 22, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 80 out of 81 changed files in this pull request and generated 6 comments.

biswapm
biswapm requested changes Mar 22, 2026
View reviewed changes
Copy link

@biswapm biswapm left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the Graph access token is passed as a command-line argument to az rest. This exposes the full token in the OS process table for the lifetime of the subprocess, visible to all local users via Task Manager, ps aux, ETW process creation events, and crash dumps. GraphApiService already exists in this codebase and makes all Graph calls via HttpClient entirely in-process. ClientAppValidator should inject it and delegate to GraphGetAsync / GraphPatchAsync instead of spawning az rest. inject GraphApiService into ClientAppValidator.cs

@sellakumaran
Add --field option to config command and standardize endpoint key
9366a5f 
Introduce --field/-f to query single config fields from static or generated config.
Standardize generated config to use "messagingEndpoint" (not "botMessagingEndpoint") and update all code/tests accordingly.
Add TryGetConfigField helper and unit tests.
Ensure backward compatibility by migrating legacy keys in MergeDynamicProperties.
@sellakumaran
Handle PR comments
78a70e0 
Harden consent URLs, fix resource leaks, improve tests

- Replace hardcoded OAuth2 `state` in admin consent URLs with random GUIDs for CSRF protection; centralize URL construction in `SetupHelpers.BuildAdminConsentUrl`
- Dispose overwritten `JsonDocument` in `FederatedCredentialService` to prevent resource leaks
- Improve retry logic to propagate cancellation immediately on user-initiated cancel (Ctrl+C)
- Remove unused CLI option variable (`verbose`) to avoid dead code
- Enhance tests: assert random state in consent URLs and add `because:` documentation to clarify test requirements
@sellakumaran
Copy link
Contributor Author

sellakumaran commented Mar 22, 2026

the Graph access token is passed as a command-line argument to az rest. This exposes the full token in the OS process table for the lifetime of the subprocess, visible to all local users via Task Manager, ps aux, ETW process creation events, and crash dumps. GraphApiService already exists in this codebase and makes all Graph calls via HttpClient entirely in-process. ClientAppValidator should inject it and delegate to GraphGetAsync / GraphPatchAsync instead of spawning az rest. inject GraphApiService into ClientAppValidator.cs

Fixed in commit 5b05e37. ClientAppValidator now injects GraphApiService and delegates to GraphGetAsync/GraphPatchAsync for all Graph calls. az rest is no longer used — the token is never exposed in the process table.

@sellakumaran sellakumaran reopened this Mar 22, 2026
@sellakumaran sellakumaran requested a review from Copilot March 22, 2026 17:39
Copilot AI reviewed Mar 22, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 83 out of 84 changed files in this pull request and generated 5 comments.

@sellakumaran
Fix PR comments.
8af956b 
Fix ARM API error handling, exit cleanup, and test isolation

- Replace direct Environment.Exit calls with ExceptionHandler.ExitWithCleanup for proper shutdown and cleanup.
- Update ARM API existence methods to return null (not false) for non-404 errors (e.g., 401/403/5xx), ensuring callers fall back to az CLI and don't misinterpret auth errors as missing resources.
- Add unit tests for 401 handling in ARM existence checks.
- Isolate AzCliHelper token cache in tests using xUnit collection and IDisposable to prevent parallel test interference and slow subprocess spawns.
- Clarify comments on [JsonIgnore] usage in Agent365Config.
- Update PR review rules to require reporting on ARM bool? existence method pattern in test-related PRs.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@biswapm biswapm biswapm requested changes

Copilot code review Copilot Copilot left review comments

@ajmfehr ajmfehr ajmfehr left review comments

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sellakumaran @biswapm @ajmfehr