feat: add custom blueprint permissions configuration and management #298

Merged: sellakumaran merged 8 commits into main from users/sellak/customBPPermissions2 on Feb 27, 2026

@sellakumaran
Contributor

This pull request introduces comprehensive support for configuring and managing custom API permissions ("custom blueprint permissions") for agent blueprints in Agent 365. The changes add new CLI options, update documentation, and enhance integration test coverage to enable users to specify, view, and reset custom permissions for both Microsoft Graph and custom APIs. The implementation ensures validation, idempotency, and user-friendly feedback throughout the workflow.

Key changes include:

CLI Enhancements for Custom Blueprint Permissions

  • Added new options to the a365 config init command: --custom-blueprint-permissions, --resourceAppId, --scopes, --reset, and --force, allowing users to add, update, view, or clear custom API permissions directly from the CLI.
  • Implemented parameter-based logic to handle custom permissions, including validation of GUIDs and scopes, duplicate detection, and interactive confirmation for overwrites. Updated permissions are saved to both local and global config files, with context-aware next-step guidance.

Documentation Updates

  • Expanded usage instructions in Readme-Usage.md to cover custom blueprint permissions configuration, setup, and reset workflows, with CLI command examples and links to detailed guides.
  • Updated the design documentation to describe the new custom permissions feature, including architecture, validation, usage scenarios, and references to design docs and GitHub issue Feature Request: CLI Support for Presence & Files API Permissions #194.

Integration Test Workflow Improvements

  • Added new integration tests to integration-test-workflow.md for configuring, applying, and verifying custom blueprint permissions, including auto-lookup of resource names, Azure Portal validation, and Graph API verification of inheritable permissions.

Other Improvements

  • Improved endpoint cleanup logging by displaying the actual endpoint name (truncated as used in Azure) during deletion preview.

These changes provide a robust and user-friendly workflow for managing custom API permissions, supporting advanced agent scenarios and improving overall configuration transparency.

Closes #194

sellakumaran and others added 7 commits February 27, 2026 10:33
…ity fixes

- Add support for custom API permissions in agent blueprints
- Auto-resolve resource display names from Azure (eliminates manual "Resource Name" prompt)
- New `a365 setup permissions custom` command
- New `a365 config init --custom-blueprint-permissions` management commands
- Comprehensive validation with GUID format checks and duplicate scope detection
- Integration with `a365 setup all` workflow

- Fix "Agent Blueprints are not supported on the API version used" error
- Change addToRequiredResourceAccess from true to false (matches CopilotStudio/MCP pattern)
- Inheritable permissions now configure correctly without Graph API errors

Security & Reliability:
- Add HttpResponseMessage disposal with using statements
- Add GUID validation to prevent OData injection in service principal lookups
- Add safe substring operations with null/length checks in fallback name generation
- Fix duplicate error logging when re-throwing exceptions

Maintainability:
- Add WithCustomBlueprintPermissions() helper to eliminate config reconstruction anti-pattern
- Add --force flag for non-interactive permission updates
- Add early validation for empty/whitespace scope inputs
- Fix inconsistent null handling in Scopes property with setter null protection
- Extract magic strings to constants in fallback resource names

Documentation:
- Add complete XML documentation with 10 parameter descriptions
- Remove redundant test comments
- Add trailing commas for consistency

- 7 new/modified documentation files
- 12 source files (commands, models, services)
- 4 test files with 6 new unit tests

- ✅ 992 tests passing (6 new tests for custom permissions)
- ✅ Build: 0 warnings, 0 errors
- ✅ All critical/high priority issues resolved

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Changed the _scopes field in CustomResourcePermission to a public Scopes property with getter and setter. The setter ensures null values are replaced with an empty list, allowing safe external access and modification of scopes.

Docs clarify that resource name is not prompted or required during `a365 config init --custom-blueprint-permissions`; it is now set to null and auto-resolved during setup. Updated sample config and validation requirements to reflect this. Minor code refactor in ConfigCommand.cs to adjust validation order.

Major overhaul of custom blueprint permissions management:
- Adds `a365 config permissions` subcommand for add/update/list/reset
- Removes old permission flags from `config init`
- Integrates improved permission step into interactive wizard
- Updates all docs and tests to use new command/flags
- Improves validation, error messages, and config file discovery
- Refactors logic into PermissionsSubcommand.cs and adds helper methods
- Adds comprehensive unit tests for CLI and wizard flows
- Enhances UX: wizard re-prompts only for invalid scopes
- CLI suggests next steps after permission changes

This modernizes and simplifies custom API permission management for agent blueprints.

Replaced deprecated 'init --custom-blueprint-permissions' usage with 'config permissions' in Readme-Usage.md, including Copilot Studio setup instructions. Added [Collection("ConfigTests")] to ConfigurationWizardServicePermissionsTests.cs for improved test grouping.

Prevents accidental commit of local diagnostic files, code review
artifacts, and the Windows NUL device pseudo-file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

When customBlueprintPermissions are configured in a365.config.json,
'setup blueprint' now automatically calls ConfigureCustomPermissionsAsync
instead of showing a hint to run a separate command.

This matches the behavior of 'setup all' (Step 5) and ensures developers
who run config init → add custom permissions → setup blueprint get a
complete setup without extra manual steps.

Note: guarded by !isSetupAll to avoid double-applying when called from
'setup all' (which handles custom permissions at its own Step 5).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sellakumaran sellakumaran requested review from a team as code owners February 27, 2026 19:26
Copilot AI review requested due to automatic review settings February 27, 2026 19:26
github-actions bot commented Feb 27, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Pull request overview

Adds end-to-end support in the Agent 365 CLI for configuring and applying “custom blueprint permissions” (additional delegated OAuth scopes for Microsoft Graph and other resource APIs), including config storage, setup-time application, and updated docs/tests.

Changes:

  • Introduces CustomResourcePermission model and wires customBlueprintPermissions into Agent365Config validation and cloning.
  • Adds a365 config permissions to manage custom permissions in a365.config.json, and adds a365 setup permissions custom (plus setup all / setup blueprint integration) to apply them.
  • Adds/updates tests and documentation for the new workflow, including auto-lookup of resource display names.

Reviewed changes

Copilot reviewed 23 out of 24 changed files in this pull request and generated 15 comments.

| File | Description |
| --- | --- |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/EndpointHelperTests.cs` | Minor test-file change (but currently breaks compilation due to missing Xunit import). |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs` | Adds unit tests for service-principal display-name lookup (needs handler disposal consistency). |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/ConfigurationWizardServicePermissionsTests.cs` | New tests for interactive custom-permissions wizard step (currently missing Xunit import). |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Models/CustomResourcePermissionTests.cs` | New tests for permission validation and add/update (currently missing Xunit import). |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Models/Agent365ConfigTests.cs` | Adds config validation + JSON roundtrip tests for customBlueprintPermissions. |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/PermissionsSubcommandTests.cs` | Updates command composition expectations and adds tests for skipping custom permissions. |
| `src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/ConfigPermissionsSubcommandTests.cs` | New tests for a365 config permissions behavior (currently missing Xunit import). |
| `src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs` | Disposes GET responses; adds GetServicePrincipalDisplayNameAsync with GUID validation. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Services/ConfigurationWizardService.cs` | Adds wizard step to collect optional custom permissions and includes count in summary. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Models/CustomResourcePermission.cs` | New model for resource appId + scopes, with validation and add/update helper. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Models/Agent365Config.cs` | Adds validation and init-only CustomBlueprintPermissions; adds cloning helper. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs` | Adds custom-permissions result flags for setup summary. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs` | Extends setup summary and recovery hints for custom permissions. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/PermissionsSubcommand.cs` | Adds setup permissions custom + core configuration logic with auto-lookup and fallback names. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs` | Applies custom permissions after blueprint setup when configured. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AllSubcommand.cs` | Adds “Step 5” in setup all to apply custom permissions when configured. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/ConfigSubcommands/PermissionsSubcommand.cs` | New a365 config permissions subcommand to view/add/update/reset custom permissions. |
| `src/Microsoft.Agents.A365.DevTools.Cli/Commands/ConfigCommand.cs` | Registers the new config permissions subcommand. |
| `docs/design.md` | Documents the feature (currently contains outdated command examples). |
| `docs/commands/setup-permissions-custom.md` | New guide for a365 setup permissions custom (needs clarification on persistence of resolved names). |
| `docs/commands/config-init.md` | Documents the new wizard step for custom permissions. |
| `docs/ai-workflows/integration-test-workflow.md` | Adds integration-test steps for custom permissions (currently claims persistence that doesn’t happen). |
| `Readme-Usage.md` | Adds usage examples and “custom permissions” section. |
| `.gitignore` | Ignores local diagnostics / review artifacts. |

Comments suppressed due to low confidence (1)

src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Helpers/EndpointHelperTests.cs:13

  • using Xunit; was removed, but this file still uses [Fact]/[Theory]. There’s no global using Xunit; in the test project, so this will not compile. Re-add the using Xunit; (or add a single global using for the test project) to restore compilation.
using FluentAssertions;
using Microsoft.Agents.A365.DevTools.Cli.Exceptions;
using Microsoft.Agents.A365.DevTools.Cli.Services.Helpers;

namespace Microsoft.Agents.A365.DevTools.Cli.Tests.Services.Helpers;

public class EndpointHelperTests
{
    [Fact]
    public void GetEndpointName_WhenNameIsUnder42Chars_ReturnsOriginalName()
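
The GUID check that the commit notes and the review summary mention for service-principal lookups, sketched as an added example; it is not code from this pull request. `ServicePrincipalFilter`, its methods and the `$filter` query shape are assumptions, and the sample inputs are constructed.

```csharp
using System;

// Added illustration: ServicePrincipalFilter and its members are hypothetical
// names, and the $filter query shape is an assumption about the lookup.
public static class ServicePrincipalFilter
{
    // Unchecked form: the caller's text is pasted between the quotes of an
    // OData string literal, so a quote in the input changes the filter expression.
    public static string BuildUnchecked(string resourceAppId) =>
        $"servicePrincipals?$filter=appId eq '{resourceAppId}'&$select=displayName";

    // Checked form: only input that parses as a GUID reaches the filter, and the
    // canonical "D" rendering of the parsed value is emitted, never the raw text.
    public static bool TryBuild(string? resourceAppId, out string query)
    {
        query = string.Empty;
        if (!Guid.TryParseExact(resourceAppId?.Trim(), "D", out var appId))
            return false;

        query = $"servicePrincipals?$filter=appId eq '{appId:D}'&$select=displayName";
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: a placeholder GUID, a value carrying a
        // quote and extra filter text, and an empty string.
        string[] samples =
        {
            "11111111-1111-1111-1111-111111111111",
            "x' or startswith(displayName,'a",
            "",
        };

        foreach (var sample in samples)
        {
            Console.WriteLine(ServicePrincipalFilter.TryBuild(sample, out var query)
                ? $"accepted: {query}"
                : $"rejected: \"{sample}\"");
        }

        // For comparison, the unchecked builder passes the second sample through verbatim.
        Console.WriteLine(ServicePrincipalFilter.BuildUnchecked(samples[1]));
    }
}
```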

Implements full reconciliation for custom blueprint permissions in the CLI. When running `a365 setup permissions custom` (or as part of `setup all`), the CLI now removes any custom permissions from Azure AD that are no longer present in the config file, including both inheritable permissions and OAuth2 grants (excluding standard/required permissions). Reconciliation runs even if the config is empty, ensuring stale permissions are cleaned up.

Documentation and CLI output are updated to clarify that resource display names are resolved in-memory for logging only and not persisted. Adds new methods to list and remove inheritable permissions. Switches test mocking to NSubstitute and improves test resource cleanup. Also normalizes scope strings and enhances summary/error reporting.
@sellakumaran sellakumaran enabled auto-merge (squash) February 27, 2026 20:17
@sellakumaran sellakumaran merged commit 495c8ea into main Feb 27, 2026
8 checks passed
@sellakumaran sellakumaran deleted the users/sellak/customBPPermissions2 branch February 27, 2026 20:48
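
The reconciliation rule described in the last commit message (remove what is granted but no longer configured, leave standard/required permissions alone, and run even for an empty config), as an added example that is not the CLI's own code. All type and member names are hypothetical, the GUIDs are constructed placeholders, and the trim-and-ignore-case scope comparison is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration: all type and member names are hypothetical, not the CLI's own.
public sealed record ResourceScopes(string ResourceAppId, string[] Scopes);

public static class PermissionReconciler
{
    // Returns the (resource, scope) pairs to revoke: granted in the directory,
    // absent from the config, and not belonging to a standard/required resource.
    // An empty config is valid input and marks every custom grant as stale.
    public static List<(string ResourceAppId, string Scope)> PlanRemovals(
        IEnumerable<ResourceScopes> configured,
        IEnumerable<ResourceScopes> granted,
        IEnumerable<string> standardResourceAppIds)
    {
        var keep = Flatten(configured).Select(p => Key(p)).ToHashSet();
        var standard = standardResourceAppIds.Select(id => NormalizeId(id)).ToHashSet();
        return Flatten(granted)
            .Where(p => !standard.Contains(p.ResourceAppId) && !keep.Contains(Key(p)))
            .ToList();
    }

    // GUIDs are compared in canonical form; a malformed id throws FormatException.
    private static string NormalizeId(string id) => Guid.Parse(id).ToString("D");

    // Assumption: two scopes match after trimming and ignoring case.
    private static string Key((string ResourceAppId, string Scope) p) =>
        p.ResourceAppId + "|" + p.Scope.ToLowerInvariant();

    private static IEnumerable<(string ResourceAppId, string Scope)> Flatten(
        IEnumerable<ResourceScopes> items) =>
        items.SelectMany(r => r.Scopes
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .Select(s => (NormalizeId(r.ResourceAppId), s)));
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data; the GUIDs are placeholders.
        const string custom = "11111111-1111-1111-1111-111111111111";
        const string standard = "22222222-2222-2222-2222-222222222222";
        var granted = new[]
        {
            new ResourceScopes(custom, new[] { "Files.Read", "Files.Write" }),
            new ResourceScopes(standard, new[] { "User.Read" }),
        };
        var config = new[] { new ResourceScopes(custom, new[] { "files.read " }) };

        foreach (var p in PermissionReconciler.PlanRemovals(config, granted, new[] { standard }))
            Console.WriteLine($"remove {p.Scope} on {p.ResourceAppId}");

        var stale = PermissionReconciler.PlanRemovals(
            Array.Empty<ResourceScopes>(), granted, new[] { standard });
        Console.WriteLine($"empty config: {stale.Count} custom grant(s) to remove");
    }
}
```

Computing the removal list separately from the calls that revoke grants lets the plan be logged or reviewed before anything in the directory changes.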
pratapladhani pushed a commit to pratapladhani/Agent365-devTools that referenced this pull request Mar 4, 2026
…icrosoft#298)

* feat: add custom blueprint permissions with auto-lookup and code quality fixes

- Add support for custom API permissions in agent blueprints
- Auto-resolve resource display names from Azure (eliminates manual "Resource Name" prompt)
- New `a365 setup permissions custom` command
- New `a365 config init --custom-blueprint-permissions` management commands
- Comprehensive validation with GUID format checks and duplicate scope detection
- Integration with `a365 setup all` workflow

- Fix "Agent Blueprints are not supported on the API version used" error
- Change addToRequiredResourceAccess from true to false (matches CopilotStudio/MCP pattern)
- Inheritable permissions now configure correctly without Graph API errors

Security & Reliability:
- Add HttpResponseMessage disposal with using statements
- Add GUID validation to prevent OData injection in service principal lookups
- Add safe substring operations with null/length checks in fallback name generation
- Fix duplicate error logging when re-throwing exceptions

Maintainability:
- Add WithCustomBlueprintPermissions() helper to eliminate config reconstruction anti-pattern
- Add --force flag for non-interactive permission updates
- Add early validation for empty/whitespace scope inputs
- Fix inconsistent null handling in Scopes property with setter null protection
- Extract magic strings to constants in fallback resource names

Documentation:
- Add complete XML documentation with 10 parameter descriptions
- Remove redundant test comments
- Add trailing commas for consistency

- 7 new/modified documentation files
- 12 source files (commands, models, services)
- 4 test files with 6 new unit tests

- ✅ 992 tests passing (6 new tests for custom permissions)
- ✅ Build: 0 warnings, 0 errors
- ✅ All critical/high priority issues resolved

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Expose scopes as public property with null protection

Changed the _scopes field in CustomResourcePermission to a public Scopes property with getter and setter. The setter ensures null values are replaced with an empty list, allowing safe external access and modification of scopes.

* Update custom permissions: resource name now auto-resolved

Docs clarify that resource name is not prompted or required during `a365 config init --custom-blueprint-permissions`; it is now set to null and auto-resolved during setup. Updated sample config and validation requirements to reflect this. Minor code refactor in ConfigCommand.cs to adjust validation order.

* Refactor custom permissions: new 'config permissions' cmd

Major overhaul of custom blueprint permissions management:
- Adds `a365 config permissions` subcommand for add/update/list/reset
- Removes old permission flags from `config init`
- Integrates improved permission step into interactive wizard
- Updates all docs and tests to use new command/flags
- Improves validation, error messages, and config file discovery
- Refactors logic into PermissionsSubcommand.cs and adds helper methods
- Adds comprehensive unit tests for CLI and wizard flows
- Enhances UX: wizard re-prompts only for invalid scopes
- CLI suggests next steps after permission changes

This modernizes and simplifies custom API permission management for agent blueprints.

* Update docs for new 'a365 config permissions' command

Replaced deprecated 'init --custom-blueprint-permissions' usage with 'config permissions' in Readme-Usage.md, including Copilot Studio setup instructions. Added [Collection("ConfigTests")] to ConfigurationWizardServicePermissionsTests.cs for improved test grouping.

* chore: ignore diagnostics/, .codereviews/, and nul artifacts

Prevents accidental commit of local diagnostic files, code review
artifacts, and the Windows NUL device pseudo-file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: auto-apply custom blueprint permissions in 'setup blueprint'

When customBlueprintPermissions are configured in a365.config.json,
'setup blueprint' now automatically calls ConfigureCustomPermissionsAsync
instead of showing a hint to run a separate command.

This matches the behavior of 'setup all' (Step 5) and ensures developers
who run config init → add custom permissions → setup blueprint get a
complete setup without extra manual steps.

Note: guarded by !isSetupAll to avoid double-applying when called from
'setup all' (which handles custom permissions at its own Step 5).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Reconcile custom blueprint permissions in setup command

Implements full reconciliation for custom blueprint permissions in the CLI. When running `a365 setup permissions custom` (or as part of `setup all`), the CLI now removes any custom permissions from Azure AD that are no longer present in the config file, including both inheritable permissions and OAuth2 grants (excluding standard/required permissions). Reconciliation runs even if the config is empty, ensuring stale permissions are cleaned up.

Documentation and CLI output are updated to clarify that resource display names are resolved in-memory for logging only and not persisted. Adds new methods to list and remove inheritable permissions. Switches test mocking to NSubstitute and improves test resource cleanup. Also normalizes scope strings and enhances summary/error reporting.

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>