agentBlueprintClientSecret in a365.generated.config.json gets overwritten on subsequent runs of a365 setup blueprint

[pdwarf]

Description

When you first run a365 setup all for the very first time with a new blueprint, the client secret for the Blueprint app registration will appear in the a365.generated.config.json, but if you ever run a365 setup blueprint on the same blueprint again, this value will get overwritten to null and then the Blueprint is basically lost and useless, because you can never generate a new Client Secret (UI says insufficient privileges eventho the listed Owner on the app registration is me, the user who created the blueprint via CLI)

Expected behavior

the client secret stays in the generated config AND (even better) owner user should be able to create new client secret via the UI in Azure portal: https://www.loom.com/share/970faccc56fd45789ed0a42d8444b3e3

SDK Version

1.1.94-preview+61107da00a

Language/Runtime

Node

OS

macOS 15.7.3 (24G419)

How to Reproduce

1. create a new blueprint via a365 config init
2. then run a365 setup all
3. notice how agentBlueprintClientSecret in a365.generated.config.json is visible as string (at least on Mac, as documented)
4. run a365 setup blueprint again
5. notice how agentBlueprintClientSecret is now null

Output

No response

Screenshots

No response

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct.

[github-actions]

[AUTO-TRIAGE] Team Assistant Triage

This issue has been automatically analyzed and triaged.

AI Decision Reasoning: Type: Classified as 'bug' because the issue describes unexpected behavior where the client secret is overwritten to null, rendering the blueprint unusable.
Priority: Assigned P1 because this bug critically impacts functionality, making the blueprint unusable and blocking further progress without a workaround. [Security issue detected: The issue involves the overwriting of a client secret in a configuration file, which could lead to the exposure or loss of sensitive information and potentially render the application unusable, raising security concerns related to credential management and secure configuration.]
Copilot: Security issues require human review and should not be auto-fixed
Assignment: Security issue assigned to security lead. The issue involves the overwriting of a client secret in a configuration file, which could lead to the exposure or loss of sensitive information and potentially render the application unusable, raising security concerns related to credential management and secure configuration.
Labels: Applied labels bug, P1, security based on issue type and priority

Labels and assignee have been applied based on this analysis.

[github-actions]

[AUTO-TRIAGE] Results

Classification: bug
Priority: P1
Confidence: 95.0%

Recommended Assignee: @sellakumaran

Analysis:
type rationale: Classified as 'bug' because the issue describes unexpected behavior where the client secret is overwritten to null, rendering the blueprint unusable.

priority rationale: Assigned P1 because this bug critically impacts functionality, making the blueprint unusable and blocking further progress without a workaround. [Security issue detected: The issue involves the overwriting of a client secret in a configuration file, which could lead to the exposure or loss of sensitive information and potentially render the application unusable, raising security concerns related to credential management and secure configuration.]

copilot rationale: Security issues require human review and should not be auto-fixed

assignment rationale: Security issue assigned to security lead. The issue involves the overwriting of a client secret in a configuration file, which could lead to the exposure or loss of sensitive information and potentially render the application unusable, raising security concerns related to credential management and secure configuration.

labels rationale: Applied labels bug, P1, security based on issue type and priority

[SUGGESTION] Suggested Approach

1. Investigate the code handling a365.generated.config.json updates during the a365 setup blueprint command. Focus on the logic in src/Commands/SetupBlueprintCommand.cs or similar files in src/Microsoft.Agents.A365.DevTools.Cli.Commands. Look for conditions or overwrites that set agentBlueprintClientSecret to null.
2. Add a safeguard in the a365 setup blueprint logic to check if agentBlueprintClientSecret already exists in a365.generated.config.json. If it does, prevent overwriting it unless explicitly requested by the user. This could involve adding a flag like --force-update to the CLI command.
3. Implement unit tests in src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands to validate the behavior of a365 setup blueprint. Specifically, test scenarios where agentBlueprintClientSecret is present and ensure it is not overwritten unless intended.
4. Update the Azure app registration handling logic in the CLI to ensure proper permissions for creating new client secrets via the UI. Verify that the CLI correctly assigns ownership and privileges during the blueprint setup process. This may require reviewing Azure API interactions in the codebase, particularly in files related to Azure SDK usage.
5. Document the expected behavior of agentBlueprintClientSecret in the docs directory, including edge cases and troubleshooting steps for users encountering this issue. Highlight how to manually regenerate client secrets if needed and ensure the documentation aligns with the CLI's functionality.

---

Generated by TeamAssistant Auto-Triage powered by GitHub Models

[github-actions]

SLA Escalation Alert

This P1 issue has exceeded its SLA threshold.

Metric	Value
Priority	P1
SLA Threshold	48 hours
Time Since Update	57.6 hours
Current Assignees	@sellakumaran

Action: This issue is already assigned to a Tech Lead but remains unresolved.

Escalating to Engineering Manager @ajmfehr for visibility.

Tech Leads: @sellakumaran

---

Generated by AutoTriage SLA Escalation