feat: add custom blueprint permissions configuration and management #273
Closed
sellakumaran wants to merge 162 commits into main from
* Init Cli for Agent 365
* Remove build artifacts (bin, obj, .vs) from git tracking - these are now properly ignored by .gitignore
* Add .gitignore file to properly ignore build artifacts
* Use nbgv
* restore test dependencies
* Add header
* fix pack
* fix pack
* Address PR comments
* Addressed PR comments
* Handle PR comments.
* Handled PR comments.
* Handled pr comments
* another set of pr comments.
* Remove extra non-existent links
* Remove related documentation.
* Update ci.yml
---------
Co-authored-by: Rahul Devikar <radevika@microsoft.com>
Co-authored-by: Sellakumaran Kanagarathnam <sellak@microsoft.com>
* Add Deploy mcp sub commands
* Resolving comments
* Add MCP server management commands to Agent 365 CLI
  Introduced the `develop-mcp` command for managing MCP servers in Dataverse environments. Added subcommands for listing environments and servers, publishing, unpublishing, approving, and blocking MCP servers. All commands support `--dry-run` and `--config` options. Updated `README.md` and `DEVELOPER.md` with examples and usage details for the new commands. Refactored the CLI codebase to include a new `DevelopMcpCommand` class and models for environments and servers. Implemented `Agent365ToolingService` for API interactions with detailed logging and error handling. Enhanced configuration and logging in `install-cli.ps1`. Added regression and unit tests to ensure Azure CLI-style parameters, dry-run functionality, and consistent option patterns. Introduced `JsonDeserializationHelper` for handling double-serialized JSON responses. Updated constants and utilities for streamlined configuration. Improved developer experience with better error handling and documentation. Ensured compliance with Azure CLI patterns and added comprehensive logging for debugging and audit trails.
* Add verbose logging, input validation, and refactoring
  Enhanced `a365 develop-mcp` commands with a `--verbose` option for detailed logging and improved input validation via a new `InputValidator` class. Simplified configuration handling by making `--config` optional and defaulting to production. Refactored `Agent365ToolingService` to use constructor-injected environments and adjusted logging levels for better debugging. Improved error handling for API responses and JSON deserialization. Updated documentation to reflect new features and architecture principles. Added tests for `--verbose` and ensured compliance with the MIT License. General code cleanup for consistency and maintainability.
* Refactor Agent365ToolingService for clarity and updates
* Update README to reflect Microsoft branding
* Update deploy command guide for Microsoft Agent 365
* Update Agent 365 references
* Update Agent365 references
* Fix Agent365 references
* Update summary for IConfigService documentation
* Update log messages to reflect Microsoft Agent 365
* Fix Agent365 reference
* Update IAgent365ToolingService interface comments
* Git push script
* Update scripts/cli/Auth/New-Agent365ToolsServicePrincipalProdPublic.ps1
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update scripts/cli/Auth/New-Agent365ToolsServicePrincipalProdPublic.ps1
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Enhance a365 CLI with interactive config wizard
  - Added an interactive configuration wizard (`a365 config init`) with Azure CLI integration, smart defaults, and minimal input requirements.
  - Introduced `AzureCliService` and `ConfigurationWizardService` to streamline Azure resource detection and configuration.
  - Updated `README.md` and `DEVELOPER.md` to document new features and usage.
  - Refactored `ConfigCommand` to support file imports, global configurations, and improved logging.
  - Added models for Azure resources (`AzureAccountInfo`, `AzureResourceGroup`, etc.) to enhance data handling.
  - Improved test coverage with new tests for configuration import, Azure CLI interactions, and error handling.
  - Enhanced logging, validation, and error messages for better user experience.
  - Updated `ProjectSettingsSyncHelper` and added utility methods for resource name generation and validation.
* Refactor namespaces and simplify logic
  Refactored `AzureAccountInfo` and `ConfigDerivedNames` classes to the `Models` namespace for better organization. Updated `using` directives in `AzureCliService` and `IAzureCliService` to reflect the namespace changes. Removed unused `userName` variable from `GenerateDerivedNames` in `ConfigurationWizardService` to simplify the method logic.
* Refactor `a365 config init` for usability and clarity
  Enhanced the `a365 config init` command with improved documentation, smarter defaults, and better user guidance. Key updates include:
  - Updated documentation to emphasize interactive wizard features, Azure CLI integration, and smart defaults.
  - Added detailed validation for inputs like project paths, resource groups, and manager emails.
  - Introduced a configuration summary and optional name customization step.
  - Improved logging for success, errors, and user cancellations.
  - Enhanced Azure CLI integration with better error handling and resource discovery.
  - Streamlined setup and deployment instructions, removing redundant steps.
  - Standardized error messages and improved user feedback throughout the wizard.
  These changes improve the overall user experience and robustness of the configuration process.
* fix: Add retry logic for federated identity credential creation
  Resolves Request_ResourceNotFound errors during blueprint setup by implementing exponential backoff retry (5 attempts: 2s, 4s, 8s, 16s, 32s) to handle Azure AD application object propagation delays. Previously, the code attempted FIC creation immediately after a 10s delay, which was insufficient for Azure AD eventual consistency. Now automatically retries with clear user feedback when propagation errors are detected.
* Update AgentDescription to remove "Demo" designation
  The `AgentDescription` property in the `ConfigurationWizardService` class was updated to remove the word "Demo" from the description. The new value is `"Agent 365 Agent"`, reflecting a shift in naming convention or branding to make the description more general or production-ready.
#12)
* Adding a command to generate MCP server package for submission on Microsoft admin center
* addressing copilot comments
---------
Co-authored-by: Nakul Gupta <nakulgupta@microsoft.com>
* Improve SetupCommand logging, error handling, and tests
  Enhanced logging with detailed summaries, actionable error messages, and refined log levels. Improved resilience by wrapping critical operations in try-catch blocks and adding fallback instructions. Enhanced validation for Service Principals and OAuth2 permissions with clearer error messages. Added comprehensive test coverage for dry-run execution, error handling, and setup summaries. Refactored repetitive logging patterns and improved code readability. Updated test framework to use FluentAssertions and better mock dependencies.
* Improve a365 CLI robustness and config handling
  Enhanced error handling for installation issues, including fixes for PATH configuration. Updated `ConfigCommand` to enforce strict separation of static and dynamic properties in `a365.config.json`. Improved `SetupCommand` with better logging, inheritable permissions checks, and clearer user guidance. Refactored `SetupResults` to include new properties for tracking setup status. Adjusted logging levels in `A365SetupRunner` and `InteractiveGraphAuthService` for better clarity. Added regression tests to ensure static/dynamic property separation and validated `GetStaticConfig()` and `GetGeneratedConfig()` methods. Improved inline documentation and logging for maintainability.
* Enhance immutability, error handling, and config resolution
  - Made `AgentUserPrincipalName` immutable in `Agent365Config.cs`.
  - Updated `CleanupCommand` to accept `graphApiService` in `Program.cs`.
  - Refactored `CreateFederatedIdentityCredentialAsync` in `A365SetupRunner.cs`:
    - Made `graphToken` a required parameter.
    - Added fallback for multiple Graph API endpoints.
    - Introduced exponential backoff for retries.
    - Improved error handling and logging.
    - Added `ConsistencyLevel` header for eventual consistency.
  - Replaced `LocalAppData` with a global config directory in `ConfigService.cs`.
  - Adjusted logging level for transient errors in `DelegatedConsentService.cs`.
* Refactor commands and improve logging/test coverage
  Refactored `ConfigCommand` to always include the `init` subcommand, simplifying logic and enhancing error handling. Updated `SetupCommand` to support test invokers, improve logging for inheritable permissions, and streamline configuration steps. Simplified `SetupResults` class structure for consistency. Adjusted `Program` to remove unused `graphApiService` dependency in `CleanupCommand`. Improved retry logic in `A365SetupRunner` for better readability and maintained exponential backoff. Enhanced `SetupCommandTests` by replacing static flags with dynamic logging assertions, improving test coverage and readability. General cleanup included formatting, comment adjustments, and removal of redundant code.
* Add `publish` command and manifest template management
  Introduced a new `publish` command to streamline packaging and publishing of agent manifests to the MOS Titles service. Key features include embedded templates, automatic ID updates, interactive customization, and Graph API integration. Added `ManifestTemplateService` for managing embedded manifest templates, enabling extraction, customization, and packaging of manifest files. Updated dependency injection to include this service. Enhanced error handling in `PublishCommand` to manage network issues, timeouts, and authorization errors, with fallback instructions for manual uploads. Updated `manifest.json` and `agenticUserTemplateManifest.json` schemas with detailed metadata and new fields. Embedded templates and icons as resources in the CLI binary for portability. Refactored `PublishCommand` for improved modularity and logging. Added comprehensive unit tests for the new `ManifestTemplateService`. Updated documentation with detailed instructions for the `publish` command.
* Improve resource management and update agent metadata
  Refactored `PublishCommand` to use `using` statements for `StringContent` objects, ensuring proper disposal and better resource management. Updated `manifest.json` to revise the agent's name and description:
  - Changed `name.short` to "Your Agent Name" and `name.full` to "Your Agent Full Name."
  - Replaced `description.short` and `description.full` with more generic and comprehensive descriptions of the agent's purpose and capabilities.
* Improve error handling, logging, and maintainability
  Enhanced error handling across multiple components, including `PublishCommand` and `SetupCommand`, with better logging and detailed troubleshooting steps. Introduced a centralized `ErrorCodes` class for consistent error management. Refactored exceptions to use `ErrorCodes` and improved user guidance in `AzureExceptions` and `PythonLocatorException`. Removed redundant console color manipulation in `Program.cs` for cleaner output. Added `PythonLocator` utility for robust Python environment detection and integrated it into `PythonBuilder`. Updated `InteractiveGraphAuthService` to include new permissions for inheritable configurations. Enhanced `ConfigurationWizardService` with domain extraction and stricter validation for web app names. Removed deprecated methods and tests, focusing on `CreateOrUpdateBotWithAgentBlueprintAsync`. Added unit tests for new utilities and validation logic. Performed general code cleanup, improving clarity and maintainability.
* Fix test failures
* Refactor and enhance deployment and configuration logic
  Removed unused methods `ConvertToDeploymentConfig` and `GetWellKnownResourceName` to streamline `SetupCommand`. Introduced `DeployAppException` for improved error handling during app deployment, replacing generic exceptions. Added a new error code `DeploymentAppFailed` to support this. Updated `A365SetupRunner` to use a centralized documentation message for better maintainability. Modified default domain handling in `ConfigurationWizardService` to return an empty string instead of `"onmicrosoft.com"`. Standardized UPN format with `UPN.` prefix. Reordered imports in `DeploymentService` for consistency. Removed redundant comments in `InteractiveGraphAuthService`. Updated test cases to align with domain handling changes.
Refined exception handling across the application:
- Replaced generic `catch` blocks with specific exceptions.
- Introduced `DeployAppPythonCompileException` for Python syntax errors.
- Added a new error code `DeploymentAppCompileFailed`.
Enhanced user feedback and logging:
- Updated error message formatting to align with Azure CLI style.
- Improved deployment error handling with detailed troubleshooting steps.
- Added deployment summaries for both success and failure cases.
Integrated Python syntax validation:
- Added `python -m py_compile` checks in `PythonBuilder` to catch syntax errors early.
Performed code cleanup and refactoring:
- Removed redundant code and comments.
- Reorganized `using` directives for better structure.
* Initial commit of endpoint registration migration
* Add bot configurator interface, fix tests, and apply suggestions
* Update src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Respond to comments
* Remove test env vars
* Update src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update src/Microsoft.Agents.A365.DevTools.Cli/Models/Agent365Config.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Add message for API errors
* Respond to comments
* Update default location
* Revert default location update for now
  This reverts commit f05818ce4274f8086c953ed750e5437ade8af7ca.
* Update src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/CleanupCommandTests.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update src/Microsoft.Agents.A365.DevTools.Cli/Services/BotConfigurator.cs
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update src/DEVELOPER.md
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update error message
* Temporarily set westus as default region
* Respond to comments
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… Deploy commands. (#22)
* Improve resilience, logging, and code maintainability
  - Added `Polly` for retry and resilience policies.
  - Refactored `PublishCommand.cs` with modular manifest updates and retry logic for title access using exponential backoff.
  - Enhanced error handling in `DeployCommand.cs` with broader exception handling and a new `DeployAppException`.
  - Updated `DeployAppException` to support inner exceptions.
  - Adjusted log levels in `ConfigService.cs` for less intrusive stale config warnings.
  - Optimized `PythonBuilder.cs` by reordering publish directory cleanup and limiting Python syntax checks to the top-level.
  - Cleaned up `Directory.Packages.props` for better readability.
  - General code cleanup for improved readability and maintainability.
* Fix log message and clarify Python build comment
  Updated a log message in `PublishCommand.cs` to correct a grammatical issue for improved clarity. Revised a comment in `PythonBuilder.cs` to specify that `python -m py_compile` targets `.py` files only in the project root directory, enhancing the precision of the documentation.
Added IsPackable property to prevent packing.
* Remove README.md references from csproj file
  Removed README.md references as they are included via Directory.Build.props.
* Modify Directory.Build.props for packable project conditions
  Updated the Directory.Build.props file to include conditions for packing LICENSE and README files only in packable projects.
Updated build properties and suppressed additional NuGet warnings.
* Exception Handling
* code review
* nit
---------
Co-authored-by: Josina Joy <josjoy@microsoft.com>
* Refactor deploy command and add scopes subcommand
  Simplified the `deploy` command to focus solely on application deployment. Introduced new subcommands: `a365 deploy scopes` for non-mcp scopes. Updated the README to document these changes and the new flags (`--dry-run`, `--inspect`, `--restart`, `--verbose`). Enhanced error handling with `DeployMcpException` and `DeployScopesException` for structured diagnostics. Added new error codes for `mcp` and `scopes` deployment failures. Refactored `GraphApiService` to improve handling of inheritable permissions, added the `GraphPostWithResponseAsync` method, and introduced dependency injection for better testability. Added unit tests for `GraphApiService` to validate new functionality. Improved logging, modularized code, and aligned the CLI structure with the updated `deploy` command behavior.
* Refactor and enhance Graph API integration
  - Added `GraphApiService` as a dependency in `DeployCommand` and subcommands for modular Graph API interactions.
  - Introduced `IMicrosoftGraphTokenProvider` for delegated token acquisition, supporting dynamic scope requests.
  - Refactored `SetInheritablePermissionsAsync` to `SetInheritablePermissionsAsyncV2` with additional scope support.
  - Added `EnsureApplicationHasRequiredPermissionsAsync` to manage app resource access declarations.
  - Introduced `AdminConsentHelper` for reusable admin consent polling logic.
  - Updated `A365SetupRunner` to use `AdminConsentHelper` for consistency.
  - Enhanced dependency injection in `Program.cs` to register new services.
  - Added unit tests for `AdminConsentHelper` and updated tests for `DeployCommand`.
  - Improved error handling, logging, and modularity across the codebase.
  - Reorganized dependency registration and improved test coverage for new features.
* Fix test issue
* quick readme update
* fix
* Remove deploy command behavior in README
  Removed detailed deploy command behavior section from README.
* Update build status badge in README.md
- Added `GraphApiService` as a dependency in `SetupCommand` and replaced inline instantiations with dependency injection.
- Introduced `GraphTokenScopeException` to handle disallowed high-privilege scopes in Graph tokens.
- Implemented `ValidateGraphToken` in `A365SetupRunner` to enforce least-privilege principles during token validation.
- Refactored `GetTokenFromGraphClient` to use `Azure.Identity` for token retrieval and validation.
- Added new error code `HighPrivilegeScopeDetected` to `ErrorCodes` for better error categorization.
- Updated `Program.cs` to inject `GraphApiService` at runtime.
- Enhanced unit tests to mock `GraphApiService` and ensure coverage of new functionality.
- Removed redundant code and improved exception handling to exclude `Agent365Exception` from generic catch blocks.
- Performed general code cleanup and added licensing information to new files.
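One way to implement the least-privilege check that the `ValidateGraphToken` bullet describes, added here as an example and not taken from the Agent 365 CLI. The class and method names, the deny-list contents and the sample tokens are assumptions; the page does not say which scopes the CLI rejects.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class GraphTokenScopeCheck
{
    // Assumed deny-list for illustration only; the CLI's real list is not on the page.
    private static readonly HashSet<string> DisallowedScopes =
        new(StringComparer.OrdinalIgnoreCase)
        {
            "Directory.ReadWrite.All",
            "RoleManagement.ReadWrite.Directory",
        };

    // Returns the disallowed delegated scopes found in the token's "scp" claim.
    // This only reads claims from a token the client itself acquired; it is a
    // guard against running with more privilege than needed, not signature validation.
    public static IReadOnlyList<string> FindDisallowedScopes(string accessToken)
    {
        var segments = accessToken.Split('.');
        if (segments.Length != 3)
            throw new FormatException("Expected a compact JWT with three segments.");

        var json = Encoding.UTF8.GetString(Base64UrlDecode(segments[1]));
        using var payload = JsonDocument.Parse(json);

        // Delegated tokens carry scopes as one space-separated string in "scp".
        if (!payload.RootElement.TryGetProperty("scp", out var scp) ||
            scp.ValueKind != JsonValueKind.String)
            return Array.Empty<string>();

        return scp.GetString()!
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Where(scope => DisallowedScopes.Contains(scope))
            .ToList();
    }

    private static byte[] Base64UrlDecode(string value)
    {
        var s = value.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    private static string Base64UrlEncode(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds a constructed, unsigned sample token with the given "scp" value.
    private static string MakeSampleToken(string scp) => string.Join('.',
        Base64UrlEncode("{\"alg\":\"none\",\"typ\":\"JWT\"}"),
        Base64UrlEncode($"{{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"{scp}\"}}"),
        "constructed-signature-placeholder");

    public static void Main()
    {
        var narrow = FindDisallowedScopes(MakeSampleToken("User.Read openid profile"));
        var broad = FindDisallowedScopes(MakeSampleToken("User.Read Directory.ReadWrite.All"));

        Console.WriteLine($"narrow token: {narrow.Count} disallowed scope(s)");
        Console.WriteLine($"broad token:  {string.Join(", ", broad)}");

        // A caller would refuse to continue when the list is non-empty.
        if (narrow.Count != 0 || broad.Count != 1)
            throw new InvalidOperationException("Demo invariant broken.");
    }
}
```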
* Add non-Azure hosting support to a365 setup
* resolving comments
* resolving comments
* fix failed tests
* fix typos
* Add SetupValidationException
* Add non-Azure hosting support to a365 setup
* resolving comments
* resolving comments
* fix failed tests
* fix typos
* Add SetupValidationException
* Change needDeploy to bool
---------
Co-authored-by: Mengyi Xu <mengyixu@microsoft.com>
* fix: MOS token cache timezone comparison bug and error message path (#277)
  Fix DateTime timezone comparison in TryGetCachedToken that caused expired MOS tokens to be reused on machines with timezones ahead of UTC (IST, JST, AEST, etc.). The bug caused persistent HTTP 401 errors from titles.prod.mos.microsoft.com after the initial token expired.
  Root cause: DateTime.TryParse with UTC 'Z' suffix converts to local time by default, then raw tick comparison against DateTime.UtcNow skips timezone conversion - making expired tokens appear valid for N extra hours where N equals the UTC offset.
  Changes:
  - MosTokenService.TryGetCachedToken: Add CultureInfo.InvariantCulture and DateTimeStyles.AdjustToUniversal to DateTime.TryParse to ensure the parsed expiry stays in UTC for correct comparison with DateTime.UtcNow
  - PublishCommand 401 troubleshooting: Show full cache file path (~/.a365/mos-token-cache.json) instead of just the filename, so users can find and delete the correct cache file
  - Add 6 regression tests (MosTokenServiceCacheTests) covering: valid cached token, expired cached token, UTC timezone parsing, 2-minute safety buffer, cross-environment isolation, missing cache file
  Fixes #277
* Add CI-reliable UTC parsing regression test for #277
  Add TryParseUtcTimestamp_WithAdjustToUniversal test to ensure UTC "Z" timestamps are parsed as DateTimeKind.Utc, preventing timezone-related token cache bugs from regressing undetected in CI. Clarify comments in existing regression test. Mark MosTokenServiceTests with [Collection("MosTokenCacheTests")] for test coordination.
---------
Co-authored-by: Sellakumaran Kanagarathnam <sellak@microsoft.com>
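The timezone bug described in the commit above, reproduced deterministically as an added example (not code from the Agent 365 CLI). `MosTokenExpiryDemo`, its method names, the timestamps and the simulated UTC+05:30 zone are assumptions; the custom zone stands in for what default `DateTime.TryParse` yields on a machine in that zone, so the result does not depend on where the demo runs.

```csharp
using System;
using System.Globalization;

public static class MosTokenExpiryDemo
{
    // Safety margin before expiry; the commit mentions a 2-minute buffer.
    private static readonly TimeSpan SafetyBuffer = TimeSpan.FromMinutes(2);

    // Parsing as described in the fix: the result keeps Kind = Utc.
    public static DateTime ParseUtc(string timestamp)
    {
        if (!DateTime.TryParse(timestamp, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal, out var expiry))
            throw new FormatException($"Unparseable expiry: {timestamp}");
        return expiry;
    }

    // Stand-in for the pre-fix call DateTime.TryParse(timestamp, out var expiry),
    // which converts a 'Z' timestamp to the machine's local time. The zone is
    // passed explicitly so the demo behaves the same on every machine.
    public static DateTime ParseAsLocalOf(TimeZoneInfo machineZone, string timestamp) =>
        TimeZoneInfo.ConvertTimeFromUtc(ParseUtc(timestamp), machineZone);

    // DateTime comparison operators compare Ticks only; Kind is ignored,
    // so a local-time expiry is compared against UTC "now" without conversion.
    public static bool LooksValid(DateTime expiry, DateTime utcNow) =>
        expiry - SafetyBuffer > utcNow;

    public static void Main()
    {
        const string cachedExpiry = "2026-02-24T10:00:00Z"; // constructed sample value
        // Constructed "now": two hours after the token expired.
        var utcNow = new DateTime(2026, 2, 24, 12, 0, 0, DateTimeKind.Utc);

        var simulatedZone = TimeZoneInfo.CreateCustomTimeZone(
            "demo-utc-plus-0530", TimeSpan.FromMinutes(330),
            "UTC+05:30 (simulated)", "UTC+05:30 (simulated)");

        var preFix = ParseAsLocalOf(simulatedZone, cachedExpiry);
        var postFix = ParseUtc(cachedExpiry);

        Console.WriteLine(
            $"pre-fix:  expiry={preFix:o} kind={preFix.Kind} accepted={LooksValid(preFix, utcNow)}");
        Console.WriteLine(
            $"post-fix: expiry={postFix:o} kind={postFix.Kind} accepted={LooksValid(postFix, utcNow)}");

        // The expired token must be accepted by the pre-fix path and rejected after the fix.
        if (!LooksValid(preFix, utcNow) || LooksValid(postFix, utcNow))
            throw new InvalidOperationException("Demo invariant broken.");
    }
}
```

Parsing the cached expiry into a `DateTimeOffset` and comparing it with `DateTimeOffset.UtcNow` is another way to avoid this class of bug, because the offset travels with the value.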
gwharris7 previously approved these changes on Feb 24, 2026
…on (#281)
* fix: validate location before calling endpoint registration API
  Users with needDeployment:false do not require location in a365.config.json, but the endpoint registration API (both create and delete) requires the Location field. This caused a confusing BadRequest from the server when location was empty.
  Add early guards in BotConfigurator.CreateEndpointWithAgentBlueprintAsync and DeleteEndpointWithAgentBlueprintAsync that return a clear error message before making the API call. Add a matching guard in CleanupCommand.DeleteMessagingEndpointAsync so the error surfaces at the command layer with actionable instructions.
  Update CleanupBlueprint_WithEndpointOnlyAndInvalidLocation test to assert the corrected behavior: the API must not be called when location is missing.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Require location for endpoint registration & cleanup
  Enforce presence of the location field for Bot Framework endpoint registration and deletion, including for external hosting scenarios.
  - Added LocationRequirementCheck and integrated it into requirements validation.
  - Updated commands and BotConfigurator to check for missing location and provide clear, actionable error messages.
  - Centralized error messages for location requirements.
  - Improved IBotConfigurator documentation regarding location.
  - Added and updated unit tests to cover location validation logic.
* fix(config): always prompt for location in config init wizard regardless of needDeployment
  For external hosting (needDeployment: false), the wizard was silently deriving location from the resource group without asking the user. The Bot Framework endpoint registration API requires location in all cases, so the wizard now explicitly prompts for it in both paths, matching the same interactive region-selection UX used for new app service plans.
  Also removes the dead PromptForLocation(AzureAccountInfo) overload that was never called.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: fall back to device code when browser auth fails on macOS
  MsalBrowserCredential.GetTokenAsync now catches PlatformNotSupportedException (thrown by MSAL on macOS 15.x) and wraps it as MsalAuthenticationFailedException so it is properly classified rather than appearing as an unexpected error.
  AuthenticateInteractivelyAsync detects this platform exception at the token acquisition site and automatically falls back to device code flow, allowing a365 setup to complete on macOS without manual workarounds.
  Extracts CreateDeviceCodeCredential helper to eliminate the duplicated DeviceCodeCredential setup between the normal device code path and the fallback.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Improve device code auth logging and error handling
  Moved device code authentication info logs to calling sites so they're only shown when relevant. Changed platform-not-supported log level in MsalBrowserCredential from Error to Warning to better reflect recoverable conditions.
* Refactor CLI install: delegate to Bash script
  Replaced PowerShell install logic with a Bash script (install-cli.sh) that handles cleaning, building, packing, and installing the Agent 365 CLI from a local NuGet package. PowerShell now locates bash and invokes the script, unifying installation across platforms and simplifying maintenance.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
ajmfehr previously approved these changes on Feb 25, 2026
Major overhaul of custom blueprint permissions management:
- Adds `a365 config permissions` subcommand for add/update/list/reset
- Removes old permission flags from `config init`
- Integrates improved permission step into interactive wizard
- Updates all docs and tests to use new command/flags
- Improves validation, error messages, and config file discovery
- Refactors logic into PermissionsSubcommand.cs and adds helper methods
- Adds comprehensive unit tests for CLI and wizard flows
- Enhances UX: wizard re-prompts only for invalid scopes
- CLI suggests next steps after permission changes
This modernizes and simplifies custom API permission management for agent blueprints.
Resolve add/add conflict in EndpointHelperTests.cs: keep our version without redundant `using Xunit;` (xUnit is a global using in this project). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
...rosoft.Agents.A365.DevTools.Cli.Tests/Services/ConfigurationWizardServicePermissionsTests.cs
Replaced deprecated 'init --custom-blueprint-permissions' usage with 'config permissions' in Readme-Usage.md, including Copilot Studio setup instructions. Added [Collection("ConfigTests")] to ConfigurationWizardServicePermissionsTests.cs for improved test grouping.
gwharris7 previously approved these changes on Feb 26, 2026
…revent accidental deletion or naming collisions. (#289)
* fix: use blueprint ID suffix for non-Azure endpoint name uniqueness
  Host-only endpoint name derivation caused Azure Bot Service name collisions when multiple blueprints shared the same webhook hostname (e.g. n8n, Zapier, or any shared-domain platform). The first 8 non-hyphen characters of the agentBlueprintId are now appended as a suffix, guaranteeing per-blueprint uniqueness within the global Azure Bot Service namespace while staying within the 42-character limit.
  - EndpointHelper: add GetEndpointNameFromHost(host, blueprintId) with legacy fallback when blueprintId is null
  - SetupHelpers: switch both non-Azure paths (normal + override URL) to the new method
  - Agent365Config.BotName: apply same suffix logic so cleanup uses the same name as registration
  - EndpointHelperTests: 8 new tests covering the uniqueness guarantee, fallback behaviour, truncation, and length constraint
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Refactor endpoint name logic for consistency & reliability
  Centralize endpoint name generation using EndpointHelper. BotName now returns a fully validated name; all usages updated. Add ExtractBlueprintIdSuffix for robust uniqueness handling. Improve debug logging for legacy endpoint migration hints. Expand unit tests for BotName and endpoint name edge cases. Enhances correctness and maintainability of endpoint management.
* Update BotName logic and improve endpoint naming tests
  - BotName now uses WebAppName only if NeedDeployment is true; otherwise, it derives from MessagingEndpoint and AgentBlueprintId
  - Updated XML docs to clarify endpoint naming logic
  - Logging in SetupHelpers now uses LogInformation and clarifies manual cleanup of legacy endpoints
  - Added unit tests for BotName routing and invalid MessagingEndpoint cases
  - Added test for short blueprint ID suffix handling in endpoint names
* Remove legacy endpoint migration hint logging
  Removed LogLegacyEndpointMigrationHint method and all related calls from SetupHelpers. The setup process no longer logs information about endpoint name changes or orphaned Azure Bot Services registrations after CLI upgrades.
* Validate MessagingEndpoint URI host before use
  Added a check to ensure MessagingEndpoint's parsed URI has a non-empty Host property before using it. This improves validation and prevents issues with invalid or missing hosts.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…urface exceptions properly (#296)
For non-Azure-hosted agents (dev tunnels, external endpoints), the endpoint name used at deletion time could differ from the name used at registration when WebAppName was also present in config. BotName prioritizes WebAppName, while RegisterBlueprintMessagingEndpointAsync always derives the name from the MessagingEndpoint URL host. This mismatch caused the delete to return "not found", the CLI to proceed, and the subsequent create to fail with "MsaAppId is already in use".
- Add EndpointHelper.GetEndpointNameFromUrl() to derive endpoint names from URLs consistently
- Use it in UpdateEndpointAsync (BlueprintSubcommand) and CleanupCommand for needsDeployment=false
- Extract ResolveEndpointName() helper in CleanupCommand to avoid duplication
- Fix --update-endpoint catch block to route Agent365Exception through ExceptionHandler (suppresses stack trace for user errors, honors correct exit code)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add mandatory "Verification Rules" to pr-code-reviewer.md to prevent false positives and require concrete, actionable, and idiomatic review feedback.
- Refactor Graph token acquisition to always use MSAL interactive auth (never Azure CLI), ensuring client secret creation works for any user with a properly configured custom client app.
- Enhance fallback logic for app registration: retry without sponsors first, then without owners only as a last resort, preserving ownership when possible and logging clear warnings.
- Improve error handling and user guidance for manual client secret creation, including explicit permission requirements, documentation links, and step-by-step instructions.
- Ensure HTTP responses are disposed after use.
- Add regression tests for Issue #279 to verify correct logging, guidance, and that Azure CLI tokens are never used for secret creation.
- Overall, increases reliability, user support, and test coverage for blueprint registration and secret management.
Fix MSAL token usage, error handling, and test reliability
- Switch BlueprintSubcommand to MSAL token for Graph API (fixes #279)
- Add robust error handling for app registration creation (retry sponsors/owners removal)
- Improve client secret creation logging and manual guidance
- Refactor tests for thread safety and sequential execution
- Prevent blocking prompts in PublishCommand for non-interactive environments
- Add mandatory verification rules to pr-code-reviewer.md

Resolved merge conflict in Agent365ConfigTests.cs by retaining both the CustomBlueprintPermissions validation tests from this branch and the BotName derived property tests that were added in main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ajmfehr previously approved these changes Feb 27, 2026
gwharris7 requested changes Feb 27, 2026
883e513 to 2eea133
This pull request introduces comprehensive support for configuring and managing custom API permissions ("custom blueprint permissions") for agent blueprints in Agent 365. The changes add new CLI options, update documentation, and enhance integration test coverage to enable users to specify, view, and reset custom permissions for both Microsoft Graph and custom APIs. The implementation ensures validation, idempotency, and user-friendly feedback throughout the workflow.
Key changes include:

CLI Enhancements for Custom Blueprint Permissions
a365 config init command: --custom-blueprint-permissions, --resourceAppId, --scopes, --reset, and --force, allowing users to add, update, view, or clear custom API permissions directly from the CLI.

Documentation Updates
Readme-Usage.md to cover custom blueprint permissions configuration, setup, and reset workflows, with CLI command examples and links to detailed guides.

Integration Test Workflow Improvements
integration-test-workflow.md for configuring, applying, and verifying custom blueprint permissions, including auto-lookup of resource names, Azure Portal validation, and Graph API verification of inheritable permissions.

Other Improvements

These changes provide a robust and user-friendly workflow for managing custom API permissions, supporting advanced agent scenarios and improving overall configuration transparency.
Closes #194