Skip to content

Fix #460: skip redundant agent-identity S2S grant when role is inherited#461

Merged
sellakumaran merged 3 commits into
mainfrom
users/sellak/460-agent-identity-redundant-grant
Jun 15, 2026
Merged

Fix #460: skip redundant agent-identity S2S grant when role is inherited#461
sellakumaran merged 3 commits into
mainfrom
users/sellak/460-agent-identity-redundant-grant

Conversation

@sellakumaran

@sellakumaran sellakumaran commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Closes #460

When inheritable permissions are configured (allAllowed) and the blueprint SP holds the app roles, the agent identity inherits them automatically — the same basis the OBO/delegated path already relies on. The direct grant on the agent identity SP was therefore redundant and, when the CLI token cannot write app roles, produced a spurious "Action Required" PowerShell block on an otherwise successful Global Admin run.

Verified live: setup completes cleanly with no PowerShell block, and query-entra reports the Observability app role granted on the blueprint SP with effective inheritance OK.

When inheritable permissions are configured (allAllowed) and the blueprint SP
holds the app roles, the agent identity inherits them automatically — the same
basis the OBO/delegated path already relies on. The direct grant on the agent
identity SP was therefore redundant and, when the CLI token cannot write app
roles, produced a spurious "Action Required" PowerShell block on an otherwise
successful Global Admin run.

- Skip the per-identity grant (and the PowerShell prompt) when the blueprint
  grant and inheritance both succeeded; report the inherited grant as Granted.
- When a direct grant is still needed (developer / non-inherited path), retry
  via az rest before falling back to PowerShell, matching the blueprint grant.
- Correct stale README/CHANGELOG claim that Phase 2a/2b are always skipped for
  non-DW agents (untrue since #421).
- Add review-time checks for comment-essay and CHANGELOG crispness
  (pr-code-reviewer #30/#31, review-pr SKILL) and codify both in CLAUDE.md and
  copilot-instructions.

Verified live: setup completes cleanly with no PowerShell block, and
query-entra reports the Observability app role granted on the blueprint SP with
effective inheritance OK.
Copilot AI review requested due to automatic review settings June 15, 2026 16:37
@sellakumaran sellakumaran requested review from a team as code owners June 15, 2026 16:37
@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions Bot added bug Something isn't working documentation Improvements or additions to documentation labels Jun 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the non-DW setup flow to avoid redundant S2S app-role grants on the agent identity when those roles are already inherited from the blueprint, preventing unnecessary “Action Required” manual steps for Global Admin runs while preserving the developer/non-inherited path.

Changes:

  • Skip the per-agent-identity S2S app-role assignment when Phase 2 inheritance is configured and the blueprint S2S grant succeeded; report the effective result as Granted.
  • When a direct grant is still needed, retry S2S assignment via az rest before falling back to PowerShell instructions.
  • Refresh setup documentation/release notes and codify review-time standards for crisp comments and release-note-ready CHANGELOG entries.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/NonDwBlueprintSetupOrchestrator.cs Adds inheritance gate to skip redundant S2S grant; adds az rest retry before PowerShell fallback.
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/NonDwBlueprintSetupOrchestratorExecuteTests.cs Expands test coverage for az rest fallback and inheritance-based skip behavior.
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/README.md Updates non-DW setup flow docs to reflect inheritance + fallback behavior.
CHANGELOG.md Corrects stale non-DW Phase 2 wording; adds fix entry for issue #460 behavior.
CLAUDE.md Codifies repo guidance for crisp code comments and consumer-facing CHANGELOG entries.
.github/copilot-instructions.md Mirrors the crisp-comment and CHANGELOG guidance for Copilot usage.
.claude/skills/review-pr/SKILL.md Updates review-pr skill principles to enforce crisp comments and CHANGELOG quality.
.claude/agents/pr-code-reviewer.md Adds explicit reviewer checks for “comment essays” and non-release-note-ready CHANGELOG entries.

… GET stub in test

- Collapse multi-line XML <summary>/inline comment blocks to a one-line why plus issue ref (pr-code-reviewer #30).

- Stub the initial GET appRoleAssignments call explicitly in the Graph-and-az-rest-both-fail test so it no longer relies on BuildMockExecutor's default.
…terminism rule

- pr-code-reviewer #30: mandatory-emit so the comment-density sweep is reported every run, not dropped as low-severity noise.

- pr-code-reviewer #32: flag a test that relies on a shared mock-builder default instead of stubbing the call explicitly.

- review-pr SKILL: read the working-tree copy of the rule files so a PR that adds a review rule is checked by that rule in the same run.
@sellakumaran sellakumaran merged commit 90c4448 into main Jun 15, 2026
9 checks passed
@sellakumaran sellakumaran deleted the users/sellak/460-agent-identity-redundant-grant branch June 15, 2026 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Question: setup all --authmode s2s --> observations on agent identity app role assignment (fallback strategy and inheritance overlap)

4 participants