Fix blueprint setup consent flow and role accuracy (#403) #405
Open
sellakumaran wants to merge 2 commits into main
sellakumaran (Contributor) commented May 5, 2026
- DelegatedConsentService: return false on 4xx PATCH failures instead of silently returning true; check return value in caller and surface an actionable error with a v2.0/adminconsent URL when a non-admin cannot update an existing permission grant
- SetupHelpers: fix pendingAdminAction regression (commit 650ebdb) that hid the consent URL for DW agents when S2S grants were also pending
- SetupHelpers: replace removed Maven.ReadWrite.All scope with ObservabilityApiOtelWriteScope in consent URLs
- AuthenticationConstants: correct S2SGrantRequiredRoles — Agent ID Administrator cannot create S2S app role assignments (verified by live testing); role list now matches DelegatedGrantRequiredRoles
- CleanupCommand: surface actionable error message when cleanup is run without --agent-name and no config file is present
- DelegatedConsentService: return false on 4xx PATCH failures instead of silently returning true; check return value in caller and surface an actionable error with a v2.0/adminconsent URL when a non-admin cannot update an existing permission grant
- SetupHelpers: fix pendingAdminAction regression (commit 650ebdb) that hid the consent URL for DW agents when S2S grants were also pending
- SetupHelpers: replace removed Maven.ReadWrite.All scope with ObservabilityApiOtelWriteScope in consent URLs
- AuthenticationConstants: correct S2SGrantRequiredRoles — Agent ID Administrator cannot create S2S app role assignments (verified by live testing); role list now matches DelegatedGrantRequiredRoles
- CleanupCommand: surface actionable error message when cleanup is run without --agent-name and no config file is present

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dependency Review ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Pull request overview
This PR tightens setup and cleanup handoff flows in the Agent365 CLI by correcting consent/role guidance and improving how setup surfaces manual admin follow-up when automatic permission changes fail.
Changes:
- Updated delegated-consent handling to surface a manual admin-consent path when patching an existing grant fails.
- Fixed setup summary/admin-consent URL generation for DW flows and switched Observability consent URLs to the OtelWrite scope.
- Corrected S2S required-role messaging and improved `cleanup` behavior when no config file is present.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersConsentUrlTests.cs` | Updated consent URL assertions for the Observability scope. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs` | Changed existing-grant update behavior and added manual admin-consent fallback logging. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Constants/ConfigConstants.cs` | Removed the old Observability admin-consent scope constant and repointed comments to OtelWrite. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs` | Narrowed the documented S2S roles to Application Admin / Global Admin. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs` | Adjusted setup-summary pending-action logic and consent URL construction for Observability. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/CleanupCommand.cs` | Replaced the missing-config cleanup error with a more direct `--agent-name` instruction. |
…fixes

- Remove PublishBlueprintNonDwAsync: a365 publish was silently calling POST /beta/agentRegistry/agentInstances (old v1 API, no idempotency) for blueprint non-DW agents. Registration belongs in setup all, which already uses the correct copilot/agentRegistrations v2 endpoint. Blueprint path now directs users to a365 setup all.
- Fix redirect_uri in DelegatedConsentService fallback consent URL: BlueprintConsentRedirectUri is not registered on customer client apps, causing AADSTS500113. Omit redirect_uri so the URL works for any app.
- Fix 5xx treated as success in EnsureScopeOnGrantAsync: transient PATCH failures now return false so the caller surfaces an actionable error rather than silently reporting consent as granted.
- Add regression tests for DW pendingAdminAction: consent URL must appear in Action Required when admin consent is pending on the DW path, including when S2S grants are also pending.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
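
The fail-closed PATCH handling and the `redirect_uri`-free fallback URL that the two commit messages describe, as an added C# example that is not the project's code. The type and method names, the stub handler, the Graph `oauth2PermissionGrants` target and every id or scope value are assumptions constructed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading;
using System.Threading.Tasks;

// Constructed stub: answers every request with one fixed status so this runs offline.
sealed class FixedStatusHandler : HttpMessageHandler
{
    private readonly HttpStatusCode _status;
    public FixedStatusHandler(HttpStatusCode status) => _status = status;
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
        => Task.FromResult(new HttpResponseMessage(_status));
}

static class ConsentFallbackExample // hypothetical names throughout
{
    // Fail closed: only a 2xx answer to the PATCH means the scope is on the grant.
    // 4xx (caller lacks the role) and 5xx (transient) both return false.
    public static async Task<bool> TryAddScopeAsync(HttpClient http, string grantId, string scopes)
    {
        // Assumed target: Microsoft Graph oauth2PermissionGrants (not shown on the page).
        var url = $"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grantId}";
        using var response = await http.PatchAsync(url, JsonContent.Create(new { scope = scopes }));
        return response.IsSuccessStatusCode;
    }

    // Manual path for an admin: v2.0/adminconsent URL with no redirect_uri.
    public static string BuildAdminConsentUrl(string tenantId, string clientId, string scope)
        => $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenantId)}/v2.0/adminconsent"
         + $"?client_id={Uri.EscapeDataString(clientId)}&scope={Uri.EscapeDataString(scope)}";

    public static async Task Main()
    {
        // Constructed sample values.
        var url = BuildAdminConsentUrl("contoso.onmicrosoft.com",
            "00000000-0000-0000-0000-000000000000", "https://graph.microsoft.com/User.Read");
        foreach (var status in new[] { HttpStatusCode.NoContent, HttpStatusCode.Forbidden,
                                       HttpStatusCode.ServiceUnavailable })
        {
            using var http = new HttpClient(new FixedStatusHandler(status));
            bool granted = await TryAddScopeAsync(http, "constructed-grant-id", "User.Read");
            Console.WriteLine(granted
                ? $"{(int)status}: grant updated"
                : $"{(int)status}: consent NOT granted; an admin must open {url}");
        }
    }
}
```

Only the 204 case reports the grant as updated; the 403 and 503 cases both print the manual admin-consent URL instead of reporting consent as granted.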