Pull request overview
Weekly permissions sync updating Microsoft Graph permission metadata, primarily aligning AdministrativeUnit routes’ scheme availability and removing deprecated hidden permission entries from provisioning info.
Changes:
- Removed hidden, disabled AdministrativeUnit* (Basic/Member) application-scheme entries from `provisioningInfo.json`.
- Expanded `/directory/administrativeunits*` routes under `AdministrativeUnit.Read.All`/`AdministrativeUnit.ReadWrite.All` to allow `Application` scheme (previously `DelegatedWork` only).
- Refactored `AdministrativeUnit.ReadWrite.All` method grouping by folding `DELETE` into the existing `{id}` pathSet.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| permissions/new/provisioningInfo.json | Removes hidden/disabled AdministrativeUnit* application entries from provisioning metadata. |
| permissions/new/permissions.json | Broadens /directory/administrativeunits* to include Application scheme under AdministrativeUnit permissions. |
| "/administrativeunits/delta": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits": "least=DelegatedWork", | ||
| "/directory/administrativeunits/{id}": "least=DelegatedWork", | ||
| "/directory/administrativeunits": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits/{id}": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits/{id}/members": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits/{id}/members/{id}": "least=DelegatedWork,Application" |
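Review bot: The schemeKeys of the pathSet holding these /directory/administrativeunits* lines are not visible in this hunk, so it is worth checking that the set declares Application now that all four alias paths read least=DelegatedWork,Application. A least= value naming a scheme the enclosing set does not list would leave the aliases inconsistent with the "/administrativeunits/delta" line next to them. If the set already declares both schemes, a one-line statement in the PR description of which upstream record the sync took the Application grant from would make the widening auditable.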
This change expands AdministrativeUnit.Read.All to allow the Application scheme on the /directory/administrativeunits* aliases (previously DelegatedWork-only). Since this broadens app-only access to directory administrative unit data, please confirm this is intentional and aligns with the service's authorization model/source-of-truth for these endpoints.
| "/administrativeunits": "least=DelegatedWork,Application", | ||
| "/administrativeunits/{id}/members": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits": "least=DelegatedWork", | ||
| "/directory/administrativeunits/{id}/members": "least=DelegatedWork" | ||
| } | ||
| }, | ||
| { | ||
| "schemeKeys": [ | ||
| "DelegatedWork", | ||
| "Application" | ||
| ], | ||
| "methods": [ | ||
| "DELETE" | ||
| ], | ||
| "paths": { | ||
| "/administrativeunits/{id}": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits/{id}": "least=DelegatedWork,Application" | ||
| "/directory/administrativeunits": "least=DelegatedWork,Application", | ||
| "/directory/administrativeunits/{id}/members": "least=DelegatedWork,Application" | ||
| } |
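Review bot: DELETE coverage for the two {id} paths cannot be confirmed from this hunk: it touches the DELETE-only pathSet listing "/administrativeunits/{id}" and "/directory/administrativeunits/{id}", while the other path lines shown cover only the collection and /members routes. Please confirm that the pathSet now carrying the {id} paths lists DELETE in its methods and both DelegatedWork and Application in its schemeKeys, so that delete keeps a permission mapping under each scheme after the regrouping.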
AdministrativeUnit.ReadWrite.All: /directory/administrativeunits* paths were changed from DelegatedWork-only to DelegatedWork,Application. This broadens app-only access on the directory alias endpoints; please confirm this is intentional and matches the upstream authorization contract for these routes.
Weekly Permissions sync 2026-03-24