feat: non-DW blueprint setup and config-free provisioning via --agent-name#365
Draft
sellakumaran wants to merge 53 commits into main from
Conversation
…dmin consent detection
- FederatedCredentialService: fix FIC creation/deletion to use Application.ReadWrite.All delegated scope so non-admin app owners can manage their own blueprint credentials
- GraphApiService: add IsCurrentUserAdminAsync using Directory.Read.All (already consented) to detect admin role without a separate consent requirement; avoids circular dependency with RoleManagement.Read.Directory
- BlueprintSubcommand: non-admin users now skip browser consent immediately and receive actionable consent URLs (blueprint app + optional client app) instead of a 60-second timeout
- ClientAppValidator: add self-healing auto-provision for missing client app permissions; EnsurePermissionsConfiguredAsync patches requiredResourceAccess and extends existing OAuth2 grant scopes without requiring manual intervention
- AuthenticationConstants: remove RoleManagement.Read.Directory from RequiredClientAppPermissions; Directory.Read.All is sufficient for transitive role membership lookup
- SetupResults: add AdminConsentUrl, FederatedCredentialConfigured, FederatedCredentialError fields to support recovery guidance in setup summary
- AllSubcommand: track FIC status and admin consent URL in setup results; improve endpoint registration error messages with failure reason detail
- SetupHelpers: update DisplaySetupSummary recovery section to show admin consent URL when available instead of generic retry instruction
- RequirementsSubcommand/InfrastructureSubcommand: remove Agent365ServiceRoleCheck; clean up prerequisite runner usage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduces BatchPermissionsOrchestrator with a three-phase flow so admin consent is attempted exactly once in 'setup all'. Standalone permission commands (mcp, bot, custom) are refactored as thin spec-builders delegating to the orchestrator. Blueprint consent is deferred via BlueprintCreationOptions(DeferConsent: true). Phase 1 resolves all service principals once (no retry for blueprint SP — Agent Blueprint SPs are not queryable via standard Graph endpoint). Phase 2 sets OAuth2 grants and inheritable permissions; 403 responses are caught silently and treated as insufficient role without logging an error. Phase 3 checks for existing consent before opening a browser and returns a consolidated URL for non-admins. requiredResourceAccess is not updated — it is not supported for Agent Blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix dead command reference in recovery guidance (a365 setup admin -> a365 setup all)
- Fix mermaid diagram language tag typo in design.md (mermard -> mermaid)
- Fix XML doc for IsCurrentUserAdminAsync to reference Directory.Read.All scope
- Fix AuthenticationConstants comment to reference IsCurrentUserAgentIdAdminAsync
- Fix BatchPermissionsOrchestrator comment incorrectly claiming Phase 1 updates requiredResourceAccess
- Remove unused executor parameter from GetRequirementChecks and GetConfigRequirementChecks
- Add debug logging in ReadMcpScopesAsync when no scopes found
- Replace per-resource permission flags in setup all summary with batch phase fields
- Remove separator lines from setup summary to align with az cli output conventions
- Remove FIC from completed steps (only surfaces on failure)
- Add JWT token inspection and force-refresh retry for endpoint registration role errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…mination

PowerShell Connect-MgGraph cached tokens by (tenant + clientId + scopes) with no user identity in the key. On shared machines, sellakdev's cached session was silently reused when sellak (Global Admin) ran cleanup, causing 403 on blueprint DELETE because the token belonged to the wrong user.

Fixes:
- MicrosoftGraphTokenProvider: MSAL/WAM is now primary; PowerShell is fallback. WAM token cache is keyed by HomeAccountId (user identity), preventing cross-user contamination. On Windows, WAM authenticates via the OS broker without a browser, making it compatible with Conditional Access Policies (fixes #294).
- AgentBlueprintService: DELETE uses AgentIdentityBlueprint.DeleteRestore.All scope and the correct URL pattern (/beta/applications/microsoft.graph.agentIdentityBlueprint/{id})
- AuthenticationConstants: add ApplicationReadWriteAllScope, DirectoryReadAllScope constants
- FederatedCredentialService: replace magic strings with constants
- GraphApiService: HasDirectoryRoleAsync accepts delegatedScope parameter; agent-admin check uses RoleManagement.Read.Directory (lower privilege)
- Tests: add MsalTokenAcquirerOverride seam; add 3 new tests for MSAL-primary path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- GraphApiService: IsCurrentUserAgentIdAdminAsync now uses Directory.Read.All (already consented) instead of RoleManagement.Read.Directory (not consented), fixing silent false-negative for Agent ID Admin role detection
- AuthenticationConstants: fix RoleManagementReadDirectoryScope doc (was incorrectly referencing IsCurrentUserAdminAsync); fix AgentIdentityBlueprintAddRemoveCredsAllScope doc to reflect it is not yet used (FIC still uses Application.ReadWrite.All)
- BatchPermissionsOrchestrator: fix duplicate XML summary block; add empty-scope filtering before Phase 1/2/3 to prevent HTTP 400 on non-MCP projects
- FederatedCredentialService: fix misleading 403 error message — directs user to check blueprint ownership, not to acquire GA/Agent ID Admin role
- RequirementsSubcommand: remove unused executor parameter from CreateCommand
- BotConfigurator: remove dead TryDecodeJwtPayload method
- CHANGELOG: correct FIC scope entry (Application.ReadWrite.All, not AddRemoveCreds.All); narrow per-user isolation claim to Graph token path only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Changelog now uses Keep a Changelog format. Added early App Service token validation for `a365 deploy`. Enhanced manifest handling and upload instructions for `a365 publish`. Switched to MSAL/WAM for user-isolated Graph token acquisition. `a365 cleanup` uses correct Graph scope and supports Global Admins. `a365 setup all` surfaces admin consent URLs and requests consent once for all resources. Improved device code/MSAL fallbacks for macOS/Linux, admin consent polling, and exception handling for missing config files.
- Thread az account user as login hint through MsalBrowserCredential so WAM/MSAL selects the correct account instead of defaulting to the Windows primary account
- Include userId in AuthenticationService file cache key to prevent cross-user token reuse on shared machines
- Add 401 retry with forceRefresh in BotConfigurator create and delete endpoint paths (previously only retried on 'Invalid roles' 400)
- Remove interpretive error message on ATG 'Invalid roles' — log raw API message only
- Add debug log lines for ATG cache key and current user resolution

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…Hint parameter

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- BatchPermissionsOrchestrator: consent check now loops all resolved
specs before returning granted=true (was checking only the first)
- BatchPermissionsOrchestrator: use AuthenticationConstants.DirectoryReadAllScope
constant instead of hard-coded string literal
- PermissionsSubcommand: log message now reflects actual consent outcome
("configured successfully" vs "configured; admin consent required")
- InfrastructureSubcommandTests: replace Substitute.For<ILogger> with
TestLogger that captures log entries; add proper assertions for
warning (role assignment failure) and info (role already exists) paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ment, and client secret

Issue 1 (FIXED): WAM ignores login hint — picks OS default account instead of az-logged-in user
- MsalBrowserCredential: use WithAccount(account) when MSAL cache has a match for the login hint; fall back to WithPrompt(SelectAccount) when hint is set but account not in cache
- InteractiveGraphAuthService: resolve login hint via `az account show` before constructing MsalBrowserCredential, ensuring Graph client uses the correct user identity

Issue 2 (FIXED): Owner assignment fails with Directory.AccessAsUser.All in token
- BlueprintSubcommand: skip post-creation owner verification when owners@odata.bind was set during blueprint creation; ownership is set atomically and the post-check token carries Directory.AccessAsUser.All which the Agent Blueprint API explicitly rejects

Issue 3 (RESOLVED): Authorization.ReadWrite scope not found on Messaging Bot API
- Resolved as a symptom of Issue 1; with the correct user authenticated all inheritable permissions configure successfully with no errors

Issue 4 (IN PROGRESS): Client secret creation fails for Agent ID Admin
- AuthenticationConstants: add AgentIdentityBlueprintReadWriteAllScope constant; add AgentIdentityBlueprint.AddRemoveCreds.All to RequiredClientAppPermissions
- BlueprintSubcommand: use specific AgentIdentityBlueprint.ReadWrite.All scope for addPassword to avoid Directory.AccessAsUser.All bundling from .default; add retry on 404 to handle Entra eventual consistency after new blueprint creation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add loginHint to MSAL token flow to target Azure CLI user, preventing use of incorrect OS account. Resolve and pass login hint when creating Agent Blueprint secrets. Make ResolveAzLoginHintAsync internal for broader use. Default IMicrosoftGraphTokenProvider to browser/WAM auth. Update comments for scope and login hint usage.
…ss-user reuse

AcquireMsalGraphTokenAsync for the blueprint creation httpClient was called without a login hint, causing WAM to silently return a cached token for the OS default account instead of the az-logged-in user. This resulted in Authorization_RequestDenied for identifier URI update and service principal creation when AgentIdentityBlueprint.* scopes were present in the token. Resolves the missing Service Principal for newly created blueprints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…portal guidance
- Include loginHint in MicrosoftGraphTokenProvider cache key to prevent cross-user token reuse
- Downgrade speculative auth dialog messages from LogInformation to LogDebug
- Update non-Windows log message to reflect that browser or device code may appear
- Correct FederatedCredentialService remediation message to reference the right Entra portal blade

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
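The cross-user token reuse described in the "…mination", "Thread az account user" and "…portal guidance" commits above comes down to what goes into the cache key. The following is an added illustration, not the a365 CLI's code: a minimal in-memory token cache with the old key shape (tenant + clientId + scopes) next to a user-scoped key, plus an account check on lookup as defence in depth. `HomeAccountId` follows MSAL's `<objectId>.<tenantId>` convention; every id and token value is a constructed sample.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not the a365 CLI's code. Models the cache-key problem from the commit
// messages above. HomeAccountId follows MSAL's "<objectId>.<tenantId>" shape; every id
// and token value below is a constructed sample.
public sealed record CachedToken(string AccessToken, string HomeAccountId, DateTimeOffset ExpiresOn);

public sealed class TokenCache
{
    private readonly ConcurrentDictionary<string, CachedToken> _entries = new();

    // Key shape that caused the cross-user reuse: nothing in it identifies the user.
    public static string LegacyKey(string tenantId, string clientId, string scopes)
        => $"{tenantId}|{clientId}|{scopes}";

    // Hardened shape: the signed-in account (home account id, object id or login hint)
    // is part of the key, so two users on one machine never share an entry.
    public static string UserScopedKey(string tenantId, string clientId, string scopes, string accountId)
        => $"{tenantId}|{clientId}|{scopes}|{accountId.ToLowerInvariant()}";

    public void Put(string key, CachedToken token) => _entries[key] = token;

    public void Invalidate(string key) => _entries.TryRemove(key, out _);

    // Old behaviour, kept for the comparison below: whatever sits under the key is served.
    public bool TryGetUnchecked(string key, out CachedToken? token)
        => _entries.TryGetValue(key, out token);

    // Hardened lookup: unexpired and issued to the account we are acting as. The account
    // check is defence in depth; even a mis-built key cannot hand out another user's token.
    public bool TryGet(string key, string expectedAccountId, out CachedToken? token)
    {
        token = null;
        if (!_entries.TryGetValue(key, out var cached)) return false;
        if (cached.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5)) { Invalidate(key); return false; }
        if (!string.Equals(cached.HomeAccountId, expectedAccountId, StringComparison.OrdinalIgnoreCase)) return false;
        token = cached;
        return true;
    }
}

public static class SharedMachineDemo
{
    public static void Main()
    {
        var cache = new TokenCache();
        const string tenant = "11111111-1111-1111-1111-111111111111";  // sample tenant id
        const string client = "22222222-2222-2222-2222-222222222222";  // sample CLI app id
        const string scopes = "https://graph.microsoft.com/Application.ReadWrite.All";
        const string devAccount = "dev-oid." + tenant;
        const string adminAccount = "admin-oid." + tenant;

        // 1. The developer signs in first; both key shapes are populated for comparison.
        var devToken = new CachedToken("eyJ...dev", devAccount, DateTimeOffset.UtcNow.AddHours(1));
        cache.Put(TokenCache.LegacyKey(tenant, client, scopes), devToken);
        cache.Put(TokenCache.UserScopedKey(tenant, client, scopes, devAccount), devToken);

        // 2. The admin runs cleanup on the same machine with identical tenant/client/scopes.
        // Legacy key, unchecked: hit, and the token belongs to the developer, so the
        // blueprint DELETE is sent with the wrong identity and Graph answers 403.
        bool naiveHit = cache.TryGetUnchecked(TokenCache.LegacyKey(tenant, client, scopes), out var served);
        Console.WriteLine($"legacy key, unchecked: hit={naiveHit}, owner={served?.HomeAccountId}");

        // Same key with the account check: rejected.
        bool checkedHit = cache.TryGet(TokenCache.LegacyKey(tenant, client, scopes), adminAccount, out _);
        Console.WriteLine($"legacy key, account-checked: hit={checkedHit}");

        // User-scoped key: plain miss, so the admin goes through WAM/browser for their own token.
        bool scopedHit = cache.TryGet(TokenCache.UserScopedKey(tenant, client, scopes, adminAccount), adminAccount, out _);
        Console.WriteLine($"user-scoped key: hit={scopedHit}");

        // The developer's own lookup still succeeds.
        bool devHit = cache.TryGet(TokenCache.UserScopedKey(tenant, client, scopes, devAccount), devAccount, out var own);
        Console.WriteLine($"developer lookup: hit={devHit}, owner={own?.HomeAccountId}");
    }
}
```

The identity in the key is what the MSAL/WAM change buys (WAM keys by HomeAccountId); the account comparison on lookup is the cheap extra check that would have turned the silent 403 into an immediate cache miss even with the old PowerShell-backed cache.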
… check, RoleCheckResult tri-state
- Fix consent URL to include only Microsoft Graph scopes (AADSTS500011/650053 fix)
- Add guard: skip Phase 3 when no Graph scopes in config (AADSTS900144 fix)
- Wrap SP creation in retry with exponential backoff for Entra replication lag
- Add RoleCheckResult tri-state enum (HasRole, DoesNotHaveRole, Unknown)
- Replace HasDirectoryRoleAsync with CheckDirectoryRoleAsync using transitiveMemberOf
- Add UserReadScope, GlobalAdminRoleTemplateId, AgentIdAdminRoleTemplateId constants
- Remove duplicate diagnostic role-check calls from AllSubcommand
- Convert AgentBlueprintService line 179 string literal to constant
- Remove redundant noisy log messages from InteractiveGraphAuthService
- Add tests for IsCurrentUserAdminAsync (HasRole, DoesNotHaveRole, Unknown)
- Update BatchPermissionsOrchestratorTests for RoleCheckResult

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ents)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ants
- Add AdminSubcommand that creates AllPrincipals oauth2PermissionGrants for all configured resources, completing the GA-only step after setup all
- Add --yes/-y flag to skip confirmation prompt (az CLI convention)
- Add DisplayAdminConsentPreview showing blueprint, tenant, and per-resource scopes before executing; uses WARNING: prefix for tenant-wide impact
- Add BatchPermissionsOrchestrator.GrantAdminPermissionsAsync for Phase 2b (AllPrincipals grants only, separate from Phase 2a inheritable permissions)
- Add AzCliHelper consolidating az account show + JSON parse (DRY fix)
- Wire InvocationContext into AdminSubcommand.SetHandler to propagate CancellationToken from Ctrl+C rather than CancellationToken.None
- Remove unused blueprintService and clientAppValidator from AdminSubcommand
- Fix GetMgGraphAccessTokenAsync NSubstitute mocks (missing 6th loginHint arg)
- Add guard in ConfigureBotPermissionsAsync for empty AgentBlueprintId
- Update PermissionsSubcommand test: missing manifest returns true because McpServersMetadata.Read.All is always seeded before manifest is read

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Consent URL generation (setup all, non-GA path):
- Populate resourceConsents[].consentUrl in a365.generated.config.json for all 5 resources when the current user lacks the GA role
- Terminal output now shows resource names and file path instead of printing raw encoded URLs; find them under resourceConsents[].consentUrl
- Fix \u0026 encoding: use JavaScriptEncoder.UnsafeRelaxedJsonEscaping so consent URLs in the JSON file keep literal '&' for direct copy-paste
- Remove duplicate admin consent warning from Warnings section (Next Steps block already covers it); remove orphaned config folder hint line

SP creation reliability:
- Extend retry predicate to catch 403 Forbidden in addition to 400 BadRequest (Agent Blueprint replication lag can surface as either status code)
- Increase maxRetries 8->10, baseDelaySeconds 5->8 for longer replication window
- LogWarning -> LogError after all retries exhausted
- Surface SP creation failure in SetupResults.Warnings when AgentBlueprintServicePrincipalObjectId is null after blueprint step

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use scope constants for admin consent URL generation; ensure scopes are percent-encoded and joined with %20, not raw ampersands
- Add unit tests for consent URL construction and config population
- Enhance retry logic for service principal creation: distinguish transient 403 errors and retry only for replication lag
- Add async retry helper overload for operations needing async predicates
- Make GraphApiService login hint resolution injectable for test isolation
- Update tests to use full mocks and no-op login hint resolvers, preventing real CLI processes
- Use relaxed JSON encoder for config serialization to preserve literal '&' in URLs
- Update comments and docs for clarity
…, and tests
- Fix Task.Delay missing CancellationToken (AllSubcommand)
- Fix Environment.Exit -> ExceptionHandler.ExitWithCleanup (AdminSubcommand)
- Fix pipe buffer deadlock in AzCliHelper by reading stderr concurrently
- Fix GA role detection: use DirectoryReadAllScope for transitiveMemberOf query
- Fix blueprint auth message: remove incorrect 'Global Administrator' requirement
- Add combined single adminconsent URL as Option 2 in Next Steps output
- Add BuildCombinedConsentUrl helper and SetupResults.CombinedConsentUrl property
- Add unit tests for BuildCombinedConsentUrl in SetupHelpersConsentUrlTests
- Update pr-code-reviewer.md with anti-patterns 7-9 (Task.Delay, stderr deadlock, Environment.Exit)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add optional injectable parameters (commandRunner, loginHintResolver, executor, retryDelayMsOverride) to production code with backward-compatible defaults so tests can bypass real az/pwsh process spawns, HTTPS calls, and Task.Delay waits. All production call sites are unaffected when the parameters are omitted.

Also fixes a behavioral bug in BatchPermissionsOrchestrator: when Phase 1 auth fails the admin-check now defaults to DoesNotHaveRole instead of Unknown, preventing a spurious browser open and poll. GrantAdminConsentAsync logs a distinct message distinguishing auth failure from a confirmed non-GA-role result.

EnsureAppServicePlanExistsAsync gains a CancellationToken parameter so Ctrl+C can cancel the plan-verification retry loop.

Test suite: 1224 tests, 0 failures, ~6 s (down from ~32 s).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Pass login hint (UPN/email) to all token acquisition calls to ensure correct account selection, especially with WAM on Windows.
- Always include a fixed, registered redirect URI in admin consent URLs to prevent AADSTS500113; encode all scope values and assert encoding in tests.
- Suppress exception details from console output; log full details to file only. Update tests to assert this behavior.
- Demote many internal log messages to LogDebug for cleaner CLI output.
- Temporarily disable blueprint messaging endpoint registration in CLI; direct users to Teams Developer Portal.
- Clarify setup summary output, separating completed, pending, and failed steps.
- Update copilot-instructions.md to require `because:` clauses for non-obvious test assertions and flag tests changed to match implementation.
- Improve exception handling in Program.cs for startup errors.
- Minor log message and formatting improvements throughout.
- Cache 'az account show' result process-wide in AzCliHelper.ResolveLoginHintAsync using a volatile Task<string?>? field. All services that resolve the login hint share one subprocess call per CLI invocation. Expected savings: ~60-80s.
- Cache 'az account get-access-token' result process-wide in AzCliHelper.AcquireAzCliTokenAsync using ConcurrentDictionary<string, Task<string?>> keyed by (resource, tenantId). ClientAppValidator, GraphApiService, and DelegatedConsentService all share one token acquisition per key. Expected savings: ~40s.
- Remove GraphApiService instance-level 5-min TTL cache (AzCliTokenCacheDuration, _cachedAzCliToken fields) — superseded by the process-level cache, which is shared across all GraphApiService instances and therefore more effective.
- CAE and forced re-auth paths call AzCliHelper.InvalidateAzCliTokenCache() before re-acquiring so stale tokens are never served from cache after revocation.
- Both caches use injectable test seams (LoginHintResolverOverride, AzCliTokenAcquirerOverride) so unit tests never spawn real az processes. Tests updated accordingly; GraphApiServiceTokenCacheTests rewritten to assert process-level caching behavior including the cross-instance scenario.
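The commit above caches `Task<string?>` values in a `ConcurrentDictionary` keyed by (resource, tenantId) and invalidates on CAE or forced re-auth. The pitfall with caching the task rather than the value is that a faulted or empty attempt is just as cacheable as a good one. The block below is an added example, not the project's `AzCliHelper`: it coalesces concurrent callers onto one acquisition, drops a failed or null attempt, removes an entry only if it still holds that attempt, and exposes `Invalidate`/`Reset` plus an injectable acquirer. `Acquirer`, `ProcessTokenCache` and the delay-based demo acquirer are assumptions; `Task.WaitAsync` and `TryRemove(KeyValuePair)` need .NET 6+.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the project's AzCliHelper. A process-wide token cache keyed by
// (resource, tenantId) that coalesces concurrent callers onto one acquisition, never
// retains a failed or empty attempt, and is invalidated after a CAE challenge or forced
// re-auth. The acquirer is an injectable delegate (the test seam); .NET 6+ APIs are used.
public static class ProcessTokenCache
{
    private static readonly ConcurrentDictionary<string, Task<string?>> _tokens = new();

    // Production wires this to 'az account get-access-token'; tests substitute it.
    public static Func<string, string, Task<string?>> Acquirer { get; set; }
        = static (_, _) => Task.FromResult<string?>(null);

    public static async Task<string?> GetTokenAsync(string resource, string tenantId, CancellationToken ct)
    {
        string key = Key(resource, tenantId);
        // GetOrAdd hands the same in-flight Task to every concurrent caller.
        // The acquisition is not tied to one caller's token; only the wait is.
        Task<string?> attempt = _tokens.GetOrAdd(key, _ => Acquirer(resource, tenantId));
        try
        {
            string? token = await attempt.WaitAsync(ct);
            if (token is null) Forget(key, attempt);   // a miss must not be served forever
            return token;
        }
        catch (OperationCanceledException) when (ct.IsCancellationRequested)
        {
            throw;                                     // this caller gave up; others keep the attempt
        }
        catch
        {
            Forget(key, attempt);                      // a faulted Task must never stay cached
            throw;
        }
    }

    // Called on a 401 with a claims challenge (CAE) or after forced re-auth, so the next
    // caller acquires a fresh token instead of the revoked one.
    public static void Invalidate(string resource, string tenantId)
        => _tokens.TryRemove(Key(resource, tenantId), out _);

    public static void Reset() => _tokens.Clear();     // test isolation between fixtures

    private static string Key(string resource, string tenantId) => $"{resource}|{tenantId}";

    // Remove only if the entry still is this attempt, so a newer acquisition is not lost.
    private static void Forget(string key, Task<string?> attempt)
        => _tokens.TryRemove(new KeyValuePair<string, Task<string?>>(key, attempt));
}

public static class Demo
{
    public static async Task Main()
    {
        int acquisitions = 0;
        ProcessTokenCache.Acquirer = async (resource, tenant) =>
        {
            Interlocked.Increment(ref acquisitions);
            await Task.Delay(50);                      // stands in for the az subprocess
            return $"token:{resource}:{tenant}";
        };
        const string graph = "https://graph.microsoft.com";

        // Five services ask at once; one acquisition is made.
        await Task.WhenAll(Enumerable.Range(0, 5)
            .Select(_ => ProcessTokenCache.GetTokenAsync(graph, "tenant-a", CancellationToken.None)));
        Console.WriteLine($"after 5 concurrent callers: acquisitions={acquisitions}");

        // A CAE challenge or revocation: drop the entry, the next call re-acquires.
        ProcessTokenCache.Invalidate(graph, "tenant-a");
        await ProcessTokenCache.GetTokenAsync(graph, "tenant-a", CancellationToken.None);
        Console.WriteLine($"after invalidate + one call: acquisitions={acquisitions}");
    }
}
```

Two details matter for the revocation case the commit mentions: the cache holds the task, so the "stale token after revocation" window is exactly the time between the 401 and the `Invalidate` call, and `Forget` compares the stored task by identity so that a `Forget` from an old failure cannot evict a fresh acquisition started after `Invalidate`.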
Eliminate slow az CLI subprocesses in infra and client app validation by introducing ArmApiService and refactoring ClientAppValidator to use GraphApiService for all Graph calls. All resource, RBAC, and app registration checks now use direct HTTP, falling back to az CLI only if needed.

Performance impact:
- a365 setup all: 8m12s -> 2m12s (6-minute reduction)
- Per-check latency: 15-35s -> ~0.5s (ARM) / ~200ms (Graph)
- Test suite: ~3 minutes -> 7 seconds (1230 tests)

Also:
- Removes token-in-CLI-arg security risk in ClientAppValidator
- Adds AzCliHelper process-level caches for login hint and token acquisition, shared across all services in a single CLI invocation
- CR fixes: CancellationToken from InvocationContext, IDisposable on ArmApiService, InvalidateLoginHintCache for production login path
- Test classes pre-warm AzCliHelper token cache; GraphApiService instances use loginHintResolver injection to bypass az subprocesses
- Review skill updated with anti-pattern for test performance regressions
Introduce --field/-f to query single config fields from static or generated config. Standardize generated config to use "messagingEndpoint" (not "botMessagingEndpoint") and update all code/tests accordingly. Add TryGetConfigField helper and unit tests. Ensure backward compatibility by migrating legacy keys in MergeDynamicProperties.
Harden consent URLs, fix resource leaks, improve tests
- Replace hardcoded OAuth2 `state` in admin consent URLs with random GUIDs for CSRF protection; centralize URL construction in `SetupHelpers.BuildAdminConsentUrl`
- Dispose overwritten `JsonDocument` in `FederatedCredentialService` to prevent resource leaks
- Improve retry logic to propagate cancellation immediately on user-initiated cancel (Ctrl+C)
- Remove unused CLI option variable (`verbose`) to avoid dead code
- Enhance tests: assert random state in consent URLs and add `because:` documentation to clarify test requirements
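Several commits above shape the admin consent URL: Graph-only scopes (AADSTS500011/650053), a guard for the empty-scope case (AADSTS900144), percent-encoded scopes joined with `%20`, a fixed registered redirect URI (AADSTS500113), and a random `state`. The block below is an added example, not the project's `SetupHelpers.BuildAdminConsentUrl`: it builds a v2.0 `adminconsent` URL with those properties and shows the matching check on the callback side, which is what makes the random `state` worth anything. The tenant id, client id, redirect URI and the `api://observability.example/...` scope in the demo are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the project's SetupHelpers. Builds a v2.0 admin consent URL with
// the properties the commits above call out and validates the redirect that comes back.
// Tenant id, client id, redirect URI and non-Graph scope below are placeholders.
public static class AdminConsentUrl
{
    public const string GraphResource = "https://graph.microsoft.com/";

    public static string Build(string tenantId, string clientId, string redirectUri,
                               IEnumerable<string> requestedScopes, string state)
    {
        // One adminconsent request covers one resource. Non-Graph scopes (Observability
        // API, Power Platform API, ...) are dropped here; mixing resources is what
        // produces AADSTS500011/650053.
        var graphScopes = requestedScopes
            .Where(s => s.StartsWith(GraphResource, StringComparison.OrdinalIgnoreCase))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();
        if (graphScopes.Count == 0)
            throw new InvalidOperationException("No Microsoft Graph scopes to request (would be AADSTS900144).");
        if (string.IsNullOrWhiteSpace(state))
            throw new ArgumentException("state must be set to an unpredictable value", nameof(state));

        // scope is one space-separated value; EscapeDataString turns the spaces into %20.
        string scope = Uri.EscapeDataString(string.Join(" ", graphScopes));

        // redirect_uri must be one registered on the app (fixed, not derived from input).
        return "https://login.microsoftonline.com/" + Uri.EscapeDataString(tenantId) + "/v2.0/adminconsent"
             + "?client_id=" + Uri.EscapeDataString(clientId)
             + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
             + "&scope=" + scope
             + "&state=" + Uri.EscapeDataString(state);
    }

    // Fresh per invocation; never a constant, so a forged redirect cannot guess it.
    public static string NewState() => Guid.NewGuid().ToString("N");

    // Callback side: accept only if the redirect echoes the issued state, reports
    // admin_consent=True and carries no error. Parsed by hand to avoid System.Web.
    public static bool IsAcceptedCallback(Uri callback, string issuedState, out string? tenantId)
    {
        var q = ParseQuery(callback.Query);
        tenantId = q.TryGetValue("tenant", out var t) ? t : null;
        return q.TryGetValue("state", out var s) && s == issuedState
            && q.TryGetValue("admin_consent", out var c) && c.Equals("True", StringComparison.OrdinalIgnoreCase)
            && !q.ContainsKey("error");
    }

    private static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string k = Uri.UnescapeDataString(eq < 0 ? pair : pair[..eq]);
            string v = eq < 0 ? "" : Uri.UnescapeDataString(pair[(eq + 1)..]);
            result[k] = v;
        }
        return result;
    }

    public static void Main()
    {
        string state = NewState();
        string url = Build(
            tenantId: "11111111-1111-1111-1111-111111111111",
            clientId: "22222222-2222-2222-2222-222222222222",
            redirectUri: "http://localhost:8400/consent",
            requestedScopes: new[]
            {
                "https://graph.microsoft.com/Directory.Read.All",
                "https://graph.microsoft.com/Application.ReadWrite.All",
                "api://observability.example/Maven.ReadWrite.All",   // placeholder non-Graph scope: dropped
            },
            state: state);
        Console.WriteLine(url);

        // Constructed callbacks: one genuine, one replayed with a guessed state.
        var genuine = new Uri($"http://localhost:8400/consent?admin_consent=True&tenant=1111&state={state}");
        var forged = new Uri("http://localhost:8400/consent?admin_consent=True&tenant=1111&state=12345");
        Console.WriteLine($"genuine accepted: {IsAcceptedCallback(genuine, state, out _)}");
        Console.WriteLine($"forged accepted:  {IsAcceptedCallback(forged, state, out _)}");
    }
}
```

When the URL is written to `a365.generated.config.json` for copy-paste (the `UnsafeRelaxedJsonEscaping` change above), the `&` between query parameters must stay literal, but the `%20` inside the `scope` value must stay encoded; the builder keeps those two apart by encoding each value once and joining parameters afterwards.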
Fix ARM API error handling, exit cleanup, and test isolation
- Replace direct Environment.Exit calls with ExceptionHandler.ExitWithCleanup for proper shutdown and cleanup.
- Update ARM API existence methods to return null (not false) for non-404 errors (e.g., 401/403/5xx), ensuring callers fall back to az CLI and don't misinterpret auth errors as missing resources.
- Add unit tests for 401 handling in ARM existence checks.
- Isolate AzCliHelper token cache in tests using xUnit collection and IDisposable to prevent parallel test interference and slow subprocess spawns.
- Clarify comments on [JsonIgnore] usage in Agent365Config.
- Update PR review rules to require reporting on ARM bool? existence method pattern in test-related PRs.
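The `bool?` existence contract above (and the analogous `RoleCheckResult` tri-state in the "… check, RoleCheckResult tri-state" commit) is easy to get wrong on the caller side: a `null` that is treated like `false` recreates the resource, or worse, proceeds as if an auth failure meant "absent". The block below is an added example, not the project's `ArmApiService`: it classifies the ARM status into the three states, wraps transport failures as unknown, and shows a caller that only acts on a definite answer and consults a fallback otherwise. The resource id and API version are placeholders; the `CannedHandler` replaces the network so the demo runs offline.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the project's ArmApiService. Shows the bool? contract and a caller
// that treats null as "unknown" rather than "missing". Resource ids are placeholders.
public static class ArmExistence
{
    // true  = resource found; false = definitely absent (404);
    // null  = could not tell (401/403/429/5xx or transport failure).
    public static bool? Classify(HttpStatusCode status)
    {
        int code = (int)status;
        if (code >= 200 && code < 300) return true;
        if (status == HttpStatusCode.NotFound) return false;
        return null;
    }

    public static async Task<bool?> ExistsAsync(HttpClient http, string resourceId, string apiVersion, CancellationToken ct)
    {
        try
        {
            using var resp = await http.GetAsync($"https://management.azure.com{resourceId}?api-version={apiVersion}", ct);
            return Classify(resp.StatusCode);
        }
        catch (HttpRequestException)
        {
            return null; // DNS/TLS/connection failure is also "unknown", not "absent"
        }
    }
}

public static class CreateOrReuse
{
    // The fallback (an az CLI probe in the real tool) is injected so the decision runs offline.
    public static async Task<string> DecideAsync(bool? armAnswer, Func<CancellationToken, Task<bool>> fallback, CancellationToken ct)
    {
        return armAnswer switch
        {
            true  => "reuse existing",
            false => "create",
            null  => await fallback(ct) ? "reuse existing (via fallback)" : "create (via fallback)",
        };
    }
}

// Canned transport so the demo never touches the network.
sealed class CannedHandler : HttpMessageHandler
{
    private readonly HttpStatusCode _status;
    public CannedHandler(HttpStatusCode status) => _status = status;
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
        => Task.FromResult(new HttpResponseMessage(_status));
}

public static class Demo
{
    public static async Task Main()
    {
        const string id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-a365/providers/Microsoft.Web/sites/agent-web";
        var statuses = new[] { HttpStatusCode.OK, HttpStatusCode.NotFound, HttpStatusCode.Unauthorized,
                               HttpStatusCode.Forbidden, HttpStatusCode.ServiceUnavailable };
        foreach (var status in statuses)
        {
            using var http = new HttpClient(new CannedHandler(status));
            bool? answer = await ArmExistence.ExistsAsync(http, id, "2023-12-01", CancellationToken.None);
            // Simulated fallback says the resource exists: with a bool-returning check a
            // 401/403 would have read as "missing" and led to a duplicate create attempt.
            string decision = await CreateOrReuse.DecideAsync(answer, _ => Task.FromResult(true), CancellationToken.None);
            string shown = answer.HasValue ? answer.Value.ToString() : "unknown";
            Console.WriteLine($"{(int)status} -> exists={shown} -> {decision}");
        }
    }
}
```

The same discipline applies to the role check: `Unknown` must not be collapsed into `DoesNotHaveRole` by a `== HasRole` comparison somewhere downstream, or the CLI ends up opening a consent browser for a user whose role it simply could not read.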
Adds --aiteammate false support to setup all and publish commands, implementing the Agent Identity Blueprint pattern for Custom Engine Agents:
- Setup: creates blueprint in Entra, assigns Graph + Agent 365 Tools delegated permissions, provisions blueprint SP with consent, and registers agent instance via POST /beta/agentRegistry/agentInstances
- Publish: re-registers agent instance independently of setup
- SetupContext refactor: bundles mutable step state and services to eliminate scattered locals across the DW orchestration steps
- NonDwBlueprintSetupOrchestrator, NonDwSetupOrchestrator (app-based, dry-run only — Phase B deferred), GraphApiService.RegisterAgentInstanceAsync
- Config: AiTeammate, UseBlueprint, IsNonDwBlueprint, AgentInstanceId fields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add --agent-instance-only flag to 'setup all' for non-DW blueprints, allowing direct agent instance registration without re-running requirements or blueprint steps.
- Prompt for missing admin consent on required permissions during non-DW setup, with interactive grant support.
- Update summary output to distinguish recovery actions for agent instance vs. messaging endpoint.
- Support agent instance deletion in cleanup for non-DW blueprints, using new GraphApiService.DeleteAgentInstanceAsync.
- Enhance GraphApiService with robust agent instance registration and deletion, including retry logic and detailed logging.
- Extend ClientAppValidator with methods for consent gap detection and granting.
- Add Azure CLI app ID and .default scope to AuthenticationConstants; require AgentInstance.ReadWrite.All.
- Add AzCliHelper method to acquire Graph tokens by scope, ensuring fresh tokens after consent/role changes.
- Update SetupContext, SetupResults, and command registration to support new flows and improved UX.
- Move agent identity creation logic to GraphApiService for reuse and robustness; now used by both CLI and instance runner
- Cleanup deletes agent identity if AgenticAppId is present (data-driven, not flag-based)
- Admin setup auto-detects required OAuth2 grants and attempts agent instance registration for non-DW blueprints, with improved role guidance
- Standardize log messages for clarity; remove bracketed status tags ([SUCCESS], [WARN], etc.)
- Improve OAuth2 grant robustness and error reporting; handle partial failures with actionable warnings
- Add exponential backoff for blueprint client secret propagation (AADSTS7000215)
- Update tests and help text to match new flows and output
- Enhance documentation and recovery guidance for both DW and non-DW flows
Integrates main branch changes (non-admin setup flow, a365 setup admin command, GraphApiConstants URL constants, AzCliHelper ArgumentList injection safety, retry improvements, AzCliTokenCache reset for tests) with branch additions (non-DW blueprint setup, agent instance registration, NonDwBlueprintSetupOrchestrator).

Key merge decisions:
- URL hardcoding replaced with GraphApiConstants constants (from main)
- AzCliHelper rewrites to use ArgumentList for shell-injection safety (from main)
- OAuth2 grant retry with exponential backoff for Directory_ObjectNotFound (from main)
- BotConfigurator 'Invalid roles' retry block (from main)
- addPassword retry kept on NotFound || Forbidden for owner propagation lag (from branch)
- Non-DW methods in GraphApiService, A365CreateInstanceRunner retained (from branch)
- hasActionRequired includes ClientSecretManualActionRequired (from main)
- [OK]/[FAILED]/[WARN] log prefixes in SetupHelpers (from main)
- Fix NonDwBlueprintSetupOrchestratorExecuteTests to pass graphBaseUrl null arg

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
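Three of the `AzCliHelper` points in this thread (ArgumentList for shell-injection safety here, the stderr pipe deadlock in "…, and tests", and removing the token-in-CLI-arg risk in the ARM refactor) fit in one process runner. The block below is an added example, not the project's `AzCliHelper`: each argument goes through `ProcessStartInfo.ArgumentList` so user-controlled values such as an agent display name never reach a shell, stdout and stderr are drained concurrently, and Ctrl+C kills the child process tree. The `az ad app list` invocation in the demo is illustrative (it only runs if `az` is on PATH); targeting .NET 6+ is assumed for `WaitForExitAsync`.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Threading;
using System.Threading.Tasks;

// Added example, not the project's AzCliHelper. Argument list instead of a concatenated
// command line, concurrent draining of both pipes, and cancellation that kills the child.
public sealed record CommandResult(int ExitCode, string StdOut, string StdErr);

public static class SafeProcess
{
    public static async Task<CommandResult> RunAsync(string fileName, IReadOnlyList<string> args, CancellationToken ct)
    {
        var psi = new ProcessStartInfo
        {
            FileName = fileName,
            UseShellExecute = false,        // no cmd.exe / sh in between, so no shell metacharacters
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            CreateNoWindow = true,
        };
        // Each element becomes one argv entry (quoted by the runtime on Windows). A value
        // such as  Agent 365 CLI" & whoami &  stays a single argument to the target.
        foreach (var a in args) psi.ArgumentList.Add(a);

        using var process = new Process { StartInfo = psi };
        process.Start();

        // Ctrl+C: kill the child (and whatever it spawned) instead of orphaning it.
        using var killOnCancel = ct.Register(() =>
        {
            try { process.Kill(entireProcessTree: true); } catch (InvalidOperationException) { }
        });

        // Read both pipes at once. Reading stdout to the end first and stderr afterwards
        // deadlocks as soon as the child writes more than the stderr pipe buffer holds.
        Task<string> stdout = process.StandardOutput.ReadToEndAsync();
        Task<string> stderr = process.StandardError.ReadToEndAsync();
        await process.WaitForExitAsync(ct);
        return new CommandResult(process.ExitCode, await stdout, await stderr);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(60));
        // Hostile-looking display name: with ArgumentList it reaches az as one argument.
        string displayName = "Agent 365 CLI\" & whoami & echo \"";
        try
        {
            var r = await SafeProcess.RunAsync("az",
                new[] { "ad", "app", "list", "--display-name", displayName, "--output", "json" }, cts.Token);
            Console.WriteLine($"exit={r.ExitCode} stdout={r.StdOut.Length} chars stderr={r.StdErr.Length} chars");
        }
        catch (Win32Exception)
        {
            Console.WriteLine("az is not on PATH; nothing was executed.");
        }
    }
}
```

Two caveats a reviewer would raise. First, on Windows `az` is a `.cmd` wrapper, and `ArgumentList` escaping targets `CommandLineToArgvW`, not `cmd.exe`; a batch file still sees the raw command line, so untrusted values containing quotes or `&` should be rejected before they are handed to a batch-file entry point. Second, secrets do not belong in the argument list at all, whatever the quoting: command lines are visible to every process on the host, which is the "token-in-CLI-arg" risk the ARM refactor above removes by calling the APIs directly with a bearer header.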
- Add AgentX Agent Registration API V2 support for setup/cleanup
- Track AgentRegistrationId in config; update orchestrator logic
- Prefer delegated agent identity creation (AgentIdentity.Create.All)
- Improve error handling, logging, and token claim diagnostics
- Update naming, dry-run, and execution plan outputs for clarity
- Enhance blueprint secret retry logic for permanent errors
- Add AgentX resource constants and JWT claim decoding utility
- Update documentation and comments for new flows and permissions
Refactor setup flows to use a shared, dynamic permission spec builder for both DW and non-DW blueprints, eliminating hardcoded permission lists and branching logic. The non-DW flow now mirrors DW, including infrastructure when needed, and both use the same step structure and logging. Remove messaging endpoint registration from non-DW. Update tests for new dynamic permission handling and improved dry-run output. Fix blueprint deletion to use the correct delegated permission. Update comments and documentation for clarity.
Resolved conflicts in ClientAppValidator, GraphApiService, AzCliHelper, RequirementCheck, and FrontierPreviewRequirementCheckTests by taking origin/main's MSAL-based auth refactor while preserving nondw-branch additions (AgentX V2 registration, agent identity, non-DW flow methods).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add AgentXAppId constant and use it in AgentX resource/scope strings
- Suppress noisy SP resolution warnings for non-admin users (debug level)
- Fix setup summary not printing when errors occur in catch blocks
- Wire ClientSecretManualActionRequired into setup summary
- Remove debug logs (token scope/body) from blueprint client secret flow
- Redesign summary output to AZ CLI standards: remove Option A/B blocks, fold consent URL into Action Required item, suppress empty Next steps header
- Remove suggestion of disabled --endpoint-only flag from output and Next steps
- Fix AgentX 403 error message to reflect backend service issue, not permissions
- Fix Environment.Exit(1) → ExceptionHandler.ExitWithCleanup(1) in AllSubcommand
- Add --skip-requirements hint to NonDwBlueprintSetupOrchestrator requirements catch
- Add because: clauses to ClientAppValidationExceptionTests count assertions
- Remove string-output tests (SetupHelpersDisplaySummaryTests) — no assertion value
- Add User.Read to required client app permissions for blueprint owner assignment
Add step to grant OAuth2 permissions to Agent Identity SP in non-DW setup, ensuring app-only token acquisition for all required APIs. Sync Agent365Observability settings (including AgentId, AgentName, etc.) to project config files for .NET, Python, and Node.js. Improve logging for AgentX registration failures. Expand tests to cover new permission grant logic and observability config output.
AgentBlueprintId is now included as a distinct field in all Agent365Observability configuration outputs (JSON, Python .env, Node .env), using the correct naming conventions for each format. ClientId continues to mirror AgentBlueprintId, but both are now present for clarity. Unit tests have been updated to verify the new field in all outputs. This improves configuration consistency and clarity.
- Add LogIndentScope/LoggerExtensions for structured indent via logger.BeginScope()
- Update CleanConsoleFormatter to prepend level * 4 spaces per indent scope
- Wrap sub-item log messages in indent scopes across Infrastructure, Blueprint, BatchPermissions, and NonDwBlueprintSetupOrchestrator
- Demote pre-emptive auth messages to LogDebug (shown only when browser/WAM actually opens)
- Pass outer DI logger to InteractiveGraphAuthService and DelegatedConsentService so indent scopes flow correctly
- Fix command line display: show "Running \"a365 <args>\"..." instead of full DLL path
- Remove noise: delete SP resolution log, demote "Verifying blueprint service principal..." to LogDebug
- Rename "Service principal ID" to "Blueprint service principal ID" for clarity
- Fix OperationCanceledException swallowing in BatchPermissions and AllSubcommand catch blocks
- Fix Ctrl+C during Console.ReadLine by calling ThrowIfCancellationRequested after ReadLine
- Remove double blank lines throughout setup output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements a new config-free bootstrap path for non-DW (blueprint) agent setup via `setup all --agent-name <name>`, requiring no a365.config.json. TenantId is auto-detected (or overridden with --tenant-id), and ClientAppId is resolved by searching Entra for "Agent 365 CLI". This path always skips Azure infra steps and uses minimal config validation.

Also:
- setup all now defaults to blueprint flow unless --aiteammate true is set
- Dry-run output is more detailed and stepwise, showing actual names/IDs and skipped/reused steps
- Added --agent-name and --tenant-id options to setup all
- Improved logging: some info logs moved to debug
- Added GraphApiService.FindApplicationByDisplayNameAsync (with OData escaping and ConsistencyLevel header) and tests
- Added unit tests for minimal config validation, Graph API lookup, and bootstrap/dry-run behaviors
- Updated CHANGELOG.md with these changes
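Resolving `ClientAppId` by searching Entra for a display name, as the commit above does, has two sharp edges: the name is interpolated into an OData `$filter`, and display names are not unique in a tenant. The block below is an added example, not the project's `GraphApiService.FindApplicationByDisplayNameAsync`: it escapes the OData string literal (the only escape is a doubled single quote), sends the `ConsistencyLevel: eventual` header that `$count` and the advanced query path require, parses the `value` array, and refuses to pick a winner when more than one app matches. The sample response is constructed; `AppRegistration`, `SelectUnique` and the method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text.Json;

// Added example, not the project's GraphApiService. Builds the display-name lookup with a
// properly escaped OData literal and the ConsistencyLevel header, then refuses an
// ambiguous result instead of silently taking the first hit.
public sealed record AppRegistration(string Id, string AppId, string DisplayName);

public static class GraphAppLookup
{
    // OData string literals are single-quoted; the only escape is a doubled quote.
    // Without it, a name like  Agent 365 CLI' or displayName ne '  rewrites the filter.
    public static string EscapeODataLiteral(string value) => value.Replace("'", "''");

    public static HttpRequestMessage BuildRequest(string displayName, string graphBaseUrl = "https://graph.microsoft.com/v1.0")
    {
        string filter = $"displayName eq '{EscapeODataLiteral(displayName)}'";
        string url = $"{graphBaseUrl}/applications?$filter={Uri.EscapeDataString(filter)}&$select=id,appId,displayName&$count=true";
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Add("ConsistencyLevel", "eventual");   // required for $count / advanced queries
        return req;
    }

    public static IReadOnlyList<AppRegistration> Parse(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("value").EnumerateArray()
            .Select(e => new AppRegistration(
                e.GetProperty("id").GetString()!,
                e.GetProperty("appId").GetString()!,
                e.GetProperty("displayName").GetString()!))
            .ToList();
    }

    // Display names are not unique. Anyone who can register an app could create a second
    // "Agent 365 CLI"; picking the first match would put that app's id into the generated
    // config, so require exactly one and tell the user to pass the id explicitly otherwise.
    public static AppRegistration SelectUnique(IReadOnlyList<AppRegistration> matches, string displayName)
    {
        if (matches.Count == 0)
            throw new InvalidOperationException($"No application named '{displayName}' found.");
        if (matches.Count > 1)
            throw new InvalidOperationException(
                $"{matches.Count} applications named '{displayName}' (appIds: " +
                string.Join(", ", matches.Select(m => m.AppId)) + "). Pass the client app id explicitly.");
        return matches[0];
    }

    public static void Main()
    {
        // The escaped filter keeps a quote-bearing name inside one literal.
        var req = BuildRequest("Agent 365 CLI' or displayName ne '");
        Console.WriteLine(req.RequestUri);

        // Constructed sample response: two apps share the expected display name.
        const string sample =
            "{\"value\":[" +
            "{\"id\":\"aaaa\",\"appId\":\"11111111-1111-1111-1111-111111111111\",\"displayName\":\"Agent 365 CLI\"}," +
            "{\"id\":\"bbbb\",\"appId\":\"22222222-2222-2222-2222-222222222222\",\"displayName\":\"Agent 365 CLI\"}" +
            "]}";
        try
        {
            SelectUnique(Parse(sample), "Agent 365 CLI");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

Because the resolved id ends up as the app that receives delegated consent and owns the blueprint, an ambiguity error here is the safer outcome; a `--client-app-id` style override, or a check of the app's publisher or a known `appId`, is the usual way to make the bootstrap path deterministic.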
Resolved conflict in AllSubcommand.cs: kept the ctx-based DW orchestration (our branch refactoring) over the old imperative DW path from origin/main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add `--agent-name` and `--tenant-id` to `a365 cleanup` for config-free resource deletion using generated config; auto-detect tenant or allow override.
- Write minimal `a365.config.json` on `setup all --agent-name` to anchor generated config locally, enabling seamless cleanup.
- Overhaul dry-run output for both DW and non-DW setup: column-aligned, context-aware, and consistent; update tests to assert on required info.
- Default `setup infrastructure` project path to current directory if unspecified.
- Improve Microsoft Graph token provider: detect PowerShell interactive browser failures (e.g., in embedded terminals) and auto-retry with device code; add tests for this flow.
- Fix Observability API admin consent scope to use only `Maven.ReadWrite.All` for admin consent URLs; update related tests.
- Refactor for maintainability and improve logging throughout setup/cleanup flows.
- Update documentation and changelogs to reflect new options and behaviors.
- Only grant Observability API and Power Platform API to non-DW blueprints; exclude Graph, MCP, and Messaging Bot API
- Standardize agent identity display name to "<name> Agent Identity"
- Update dry-run output and consent URL logic to reflect non-DW permissions
- Improve logging, output clarity, and config merging
- Fallback to config directory for project settings sync if deploymentProjectPath is unset
- Add display names to SetupResults and verification summary
- Update tests to validate non-DW permission/resource output
Distinguish between Graph and non-Graph scopes when building the admin consent URL, prompting for 'a365 setup admin' when only non-Graph APIs are present. Add blueprint display name to results and logging for better clarity. Update SetupResults to store display name. Adjust test expectations for MCP blueprints with no Graph scopes. Improve comments and code clarity around consent flows.
The admin subcommand now supports a config-free mode using --blueprint-id, allowing a Global Administrator to complete required OAuth2 grants with just the blueprint (client) ID. In this mode, only Observability API and Power Platform API grants are created, and the tenant is auto-detected from the current Azure CLI account. The command help, dry-run output, and handoff instructions have been updated to clarify both config-free and full-config modes. Agent instance registration is now only attempted in config-dir mode. Error handling and user guidance have been improved for missing config files and blueprint IDs.
Enable non-admin (developer) setup of non-DW blueprints by creating Principal-scoped oauth2PermissionGrants for the agent identity when tenant-wide admin consent is not available. Track admin consent status and, if missing, resolve the current user's object ID to grant permissions scoped to the developer. Only attempt to grant scopes that are available in the tenant. Update SetupResults and summary output to reflect developer-scoped consent. Refactor Observability API permission specs and extend GraphApiService to support these changes. Update tests for new user object ID resolution. This improves developer experience and removes admin bottlenecks for agent testing.
- Unify dry-run and summary output for DW and non-DW setup using a consistent, numbered step format for all major phases.
- Refactor SetupHelpers and related logging to use step numbers and aligned columns for clarity.
- Update SetupResults with new properties to track skipped steps and project settings writes.
- Clarify permission grant steps: split into "Inheritable Permissions" and "Permission Grants" with improved admin consent instructions.
- Introduce PermissionType enum to distinguish delegated vs. application permissions (future-proofing).
- Update Observability API delegated scopes to include "user_impersonation" and "Otel.Write".
- Adjust admin consent URL logic: non-DW path now excludes APIs that may cause AADSTS650053.
- Add user guidance for S2S agent permissions and improve log clarity and indentation.
Initial commit of the Agent 365 VS Code extension project, including:
- Skill prompt files and detailed SKILL.md docs for /provision, /cleanup, and /add-observability (with .NET, Python, Node.js support)
- Extension activation logic to sync prompts and skills into the workspace for Copilot Chat and Claude Code
- Skill sync script to ensure prompt/skill consistency across extension and .github/prompts
- GitHub Actions workflow for automated packaging and publishing to the VS Marketplace
- Enhanced a365 cleanup command with --yes flag, improved resource ID resolution, and clearer log output
- Improved admin consent instructions and review/test standards in skill docs
- TypeScript config and supporting files for extension build and packaging
This enables guided provisioning, cleanup, and observability setup for Agent 365 agents directly from VS Code, with robust review and publishing workflows.
- Major overhaul of Agent 365 CLI setup flow and permissions:
  - Setup instructions now path-dependent (AI Teammate vs. Standard).
  - Client app ID is auto-resolved by display name, never user-supplied.
  - Blueprint creation now uses minimal required Graph scopes (AgentIdentityBlueprintPrincipal.Create).
  - Improved error handling, user prompts, and setup summary output.
  - Federated credential operations now use AddRemoveCreds.All.
  - All tests updated for new permission model.
- Removed all VS Code extension files, metadata, and docs.
- Deleted obsolete tsconfig.json and Node.js project files.
- These changes align the CLI with latest Microsoft Agent ID guidance, reduce required permissions, and improve reliability.
Removed logic for app-only flow with client credentials in agent identity creation. Now always uses delegated flow, requiring only Agent ID Developer or Administrator role. Updated comments and warnings to reflect this change.
Dependency Review: No vulnerabilities or license issues or OpenSSF Scorecard issues found. Snapshot warnings: ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. Scanned files: none.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds config-free non-DW provisioning via --agent-name, expands non-DW blueprint setup/publish flows, and improves auth/consent + CLI logging output consistency.
Changes:
- Adds non-DW blueprint orchestration (dry-run + execution), agent instance registration, and related setup results/context plumbing.
- Updates authentication/consent handling (WAM/admin-consent detection, device-code fallbacks) and adjusts permission requirements across services/tests.
- Extends project settings stamping (Agent365Observability), updates docs/design notes, and adds GitHub workflows/prompts/skills for provisioning/cleanup.
Reviewed changes
Copilot reviewed 79 out of 80 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/Requirements/FrontierPreviewRequirementCheckTests.cs | Updates warning-message assertion to align with new formatter strings. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs | Adds coverage for interactive-browser failure → device-code retry. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/InteractiveGraphAuthServiceTests.cs | Updates expected Graph scopes to new least-privileged set. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceTests.cs | Adds tests for resolving client app by display name. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/GraphApiServiceRegisterAgentInstanceTests.cs | New tests for registering agent instances via Graph Agent Registry. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/ClientAppValidatorTests.cs | Updates permission GUID/scopes and adds consent-grant fallback coverage. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs | Aligns expected delete scope for agent identity deletion. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Models/Agent365ConfigTests.cs | Adds serialization/validation tests for non-DW + bootstrap minimal config. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersDisplaySummaryTests.cs | Removes summary-display tests (behavior likely moved/changed). |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/SetupHelpersConsentUrlTests.cs | Updates Observability consent URL reasoning/expectations. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Helpers/ProjectSettingsSyncHelperTests.cs | Adds tests for Agent365Observability stamping across platforms. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Exceptions/ClientAppValidationExceptionTests.cs | Updates MissingAdminConsent expectations (details + steps). |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/SetupCommandTests.cs | Changes dry-run behavior expectations and adds bootstrap dry-run test. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/PermissionsSubcommandTests.cs | Adjusts MCP permission config expectation under missing manifest. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/NonDwSetupOrchestratorDryRunTests.cs | New tests for non-DW setup dry-run output. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/NonDwPublishCommandDryRunTests.cs | New tests for non-DW publish dry-run behavior. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/NonDwBlueprintSetupOrchestratorExecuteTests.cs | New tests for non-DW blueprint setup execution and grant logic. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/NonDwBlueprintSetupOrchestratorDryRunTests.cs | New tests for non-DW blueprint dry-run output. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/CleanupCommandTests.cs | Updates cleanup behavior for deleting agent identity when AgenticAppId is present. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BlueprintSubcommandTests.cs | Updates expected progress log text casing. |
| src/Microsoft.Agents.A365.DevTools.Cli/design.md | Updates architecture documentation for System.CommandLine + setup flows. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementCheck.cs | Changes CLI-style PASS/WARN/FAIL output and severity usage. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/NonInteractiveConfirmationProvider.cs | Adds always-yes confirmation provider for --yes. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs | Adds consent-required detection + admin-consent URL logging and refined cancellation handling. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs | Adds interactive-browser failure detection and improves cancellation logging behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/InteractiveGraphAuthService.cs | Switches to shared scope constants and refines cancellation/error logging. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/IConfigService.cs | Adds TryResolveClientAppIdAsync for pre-flight clientAppId resolution. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/IClientAppValidator.cs | Adds consent-grant query/update APIs to validator interface. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/RetryHelper.cs | Lowers retry logging from Information to Debug. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/LoggerExtensions.cs | Adds indent scope helper for console formatting. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/LogIndentScope.cs | Adds scope marker type for indenting console logs. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/CleanConsoleFormatter.cs | Implements scope-based indentation in clean console output. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/FederatedCredentialService.cs | Updates required scopes for federated-credential operations. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/DeploymentService.cs | Treats EOF on confirmation as cancel. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/DelegatedConsentService.cs | Adjusts logging verbosity and phrasing. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/ConfigurationWizardService.cs | Adds EOF cancel behavior and changes derived identity display name. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/ConfigService.cs | Implements config file clientAppId resolution/patching. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs | Adds per-user→tenant-wide consent upgrade logic and improves consent verification UX. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs | Fixes Graph /.default double-slash and adds JWT UPN consistency checks for caching. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs | Fixes agent identity deletion scope to AgentIdentity.DeleteRestore.All. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/A365CreateInstanceRunner.cs | Switches agent identity creation to GraphApiService path. |
| src/Microsoft.Agents.A365.DevTools.Cli/Properties/launchSettings.json | Adds a local debug profile for setup all. |
| src/Microsoft.Agents.A365.DevTools.Cli/Program.cs | Passes GraphApiService into cleanup/publish and adds startup clientAppId resolution. |
| src/Microsoft.Agents.A365.DevTools.Cli/Models/Agent365Config.cs | Adds non-DW flags/state, Azure OpenAI config/state fields, and minimal bootstrap validation. |
| src/Microsoft.Agents.A365.DevTools.Cli/Microsoft.Agents.A365.DevTools.Cli.csproj | Adjusts embedded resource entry formatting. |
| src/Microsoft.Agents.A365.DevTools.Cli/Helpers/ProjectSettingsSyncHelper.cs | Adds config overload + Agent365Observability stamping and project-path fallback logic. |
| src/Microsoft.Agents.A365.DevTools.Cli/Exceptions/ClientAppValidationException.cs | Adds tenant-aware MissingAdminConsent with admin-consent URL generation. |
| src/Microsoft.Agents.A365.DevTools.Cli/Exceptions/AzureExceptions.cs | Updates required-permission guidance text. |
| src/Microsoft.Agents.A365.DevTools.Cli/Constants/ConfigConstants.cs | Clarifies Observability consent/adminconsent scope semantics. |
| src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs | Adds new required scopes/constants for non-DW flows, AgentX, and WAM errors. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupResults.cs | Adds non-DW-specific fields and richer per-step status tracking. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupContext.cs | Adds shared setup context object for orchestration. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/ResourcePermissionSpec.cs | Adds permission type metadata (delegated vs app role). |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/RequirementsSubcommand.cs | Removes redundant failure message before exiting. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/NonDwSetupOrchestrator.cs | Adds non-DW setup dry-run plan output. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/InfrastructureSubcommand.cs | Improves dry-run detection defaults and log structure/indent. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BatchPermissionsOrchestrator.cs | Refines consent URL logic and improves logging/indentation behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/AdminSubcommand.cs | Adds blueprint-id mode, adjusts dry-run, and attempts agent instance registration in non-DW path. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/PublishCommand.cs | Adds non-DW publish plans and blueprint non-DW agent instance registration. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/DevelopSubcommands/GetTokenSubcommand.cs | Updates success/failure wording to match new formatter conventions. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/DevelopSubcommands/AddPermissionsSubcommand.cs | Updates output wording to remove bracketed status tags. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/DeployCommand.cs | Updates permission guidance message to least-privileged scope set. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/CreateInstanceCommand.cs | Expands consent-grant logic for agent identity and resource APIs. |
| CHANGELOG.md | Documents new bootstrap setup/cleanup behavior and auth fixes. |
| .github/workflows/publish-vscode-extension.yml | Adds CI job to package/publish VS Code extension on tags. |
| .github/prompts/provision.prompt.md | Adds provisioning prompt/skill documentation. |
| .github/prompts/cleanup.prompt.md | Adds cleanup prompt/skill documentation. |
| .claude/skills/review-staged/SKILL.md | Updates review-staged skill to always sync skills and read full staged files. |
| .claude/skills/review-staged/README.md | Documents full-file reading behavior for staged-file review. |
| .claude/skills/provision/SKILL.md | Adds provision skill (source-of-truth) definition. |
| .claude/skills/cleanup/SKILL.md | Adds cleanup skill (source-of-truth) definition. |
Comments suppressed due to low confidence (3)
src/Microsoft.Agents.A365.DevTools.Cli/Properties/launchSettings.json:1
- This launch profile hard-codes a machine/user-specific absolute path, which is likely to break debugging for other contributors and can leak local environment details. Consider removing this file from the repo, or replacing `workingDirectory` with a repo-relative path (or omit it so defaults apply).
src/Microsoft.Agents.A365.DevTools.Cli/Services/ConfigService.cs:1
- The XML doc states this preserves formatting, but the implementation deserializes into a dictionary and re-serializes with `WriteIndented = true`, which will change ordering/whitespace and drop any custom formatting. Either update the doc to reflect that formatting may change, or implement a targeted JSON edit that preserves the original formatting (e.g., parse as `JsonNode` and write back with the original serializer options used elsewhere, or do a minimal token replacement).
src/Microsoft.Agents.A365.DevTools.Cli/Services/Requirements/RequirementCheck.cs:1
- In `LogCheckFailure`, the resolution guidance lines are no longer indented, while the error detail lines above are indented (and the blank line is retained). This will make failure output harder to scan and inconsistent with the rest of the CLI formatting. Consider restoring a consistent prefix/indent for steps (e.g., `"  {Step}"`) or using the new `logger.Indent()` scope for the guidance block.
- Removed `goto` in `ExecuteAsync` by extracting agent identity creation, permission grants, AgentX registration, and settings sync into `ExecuteAgentIdentityAndRegistrationAsync`; both the normal path and `--agent-instance-only` now call the shared method.
- Introduced `IConfirmationProvider` in `SetupContext` for the admin consent prompt; replaces direct `Console.Write/ReadLine`, enabling test and non-interactive scenarios.
- Fixed admin consent detection in `ValidateAdminConsentAsync` to accumulate scopes across all `AllPrincipals` grants instead of requiring a single grant to cover all permissions.
- Agent registry 403 retry now waits 30s before retrying to allow role propagation.
- `PatchClientAppIdInConfigFileAsync` now uses targeted regex replacement to preserve JSON property order and comments.
- Corrected contradictory `AgentIdentity.Create.All` comment — it is a delegated scope, not app-only; updated `AgentIdentityBlueprintPrincipal` scope to `.Create` (lower privilege than `.ReadWrite.All`).
- Downgraded `RegisterAgentInstanceAsync` POST body log to `LogDebug` to avoid exposing user object IDs in terminal output.
- Added "not yet implemented" warning to `NonDwSetupOrchestrator.PrintDryRunPlan`.
- Added `because:` documentation to flipped assertion in `CleanupCommandTests`.
- Removed `launchSettings.json` (hardcoded developer path) and `publish-vscode-extension.yml` from source; updated `.gitignore`.
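The consent check this commit describes, together with the developer-scoped `Principal` grants from the earlier commit, as an added example that is not code from the PR or the project: it accumulates scopes across every `AllPrincipals` oauth2PermissionGrant for a resource, contrasts that with the pre-fix single-grant check, and builds a `Principal`-scoped grant body limited to scopes the resource actually publishes. The service principal and user object IDs and the sample grant records are constructed placeholders; the field names follow the Microsoft Graph oauth2PermissionGrant schema.

```python
# Admin-consent detection and developer-scoped grants over Graph oauth2PermissionGrant
# records. Added example, not code from the PR; IDs and sample grants are constructed.
# Field names follow the Graph schema: clientId, consentType, principalId, resourceId,
# and a space-separated scope string.

CLIENT_SP_ID = "00000000-0000-0000-0000-0000000000c1"    # placeholder: blueprint/client SP
RESOURCE_SP_ID = "00000000-0000-0000-0000-0000000000a9"  # placeholder: e.g. Observability API SP
DEV_USER_ID = "00000000-0000-0000-0000-0000000000d3"     # placeholder: developer user object ID

# Constructed sample: two tenant-wide grants that together cover the required scopes,
# plus one per-user (Principal) grant that must not count as tenant-wide consent.
SAMPLE_GRANTS = [
    {"clientId": CLIENT_SP_ID, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": RESOURCE_SP_ID, "scope": " user_impersonation "},
    {"clientId": CLIENT_SP_ID, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": RESOURCE_SP_ID, "scope": "Otel.Write"},
    {"clientId": CLIENT_SP_ID, "consentType": "Principal", "principalId": DEV_USER_ID,
     "resourceId": RESOURCE_SP_ID, "scope": "Maven.ReadWrite.All"},
]
REQUIRED_SCOPES = {"user_impersonation", "Otel.Write"}
# Scopes the resource SP publishes (its oauth2PermissionScopes[].value); constructed.
PUBLISHED_SCOPES = ["user_impersonation", "Otel.Write", "Maven.ReadWrite.All"]


def _scopes(grant):
    """Graph stores scope as a space-separated string, sometimes with padding."""
    return set((grant.get("scope") or "").split())


def _matches(grant, client_id, resource_id):
    return grant["clientId"] == client_id and grant["resourceId"] == resource_id


def granted_scopes(grants, client_id, resource_id, principal_id=None):
    """Union of scopes the client holds on the resource: all AllPrincipals grants,
    plus the given user's Principal grant when principal_id is supplied."""
    result = set()
    for g in grants:
        if not _matches(g, client_id, resource_id):
            continue
        if g["consentType"] == "AllPrincipals":
            result |= _scopes(g)
        elif g["consentType"] == "Principal" and principal_id and g["principalId"] == principal_id:
            result |= _scopes(g)
    return result


def missing_scopes(grants, client_id, resource_id, required, principal_id=None):
    return set(required) - granted_scopes(grants, client_id, resource_id, principal_id)


def has_admin_consent_buggy(grants, client_id, resource_id, required):
    """Pre-fix check: true only if ONE AllPrincipals grant carries every required scope."""
    return any(g["consentType"] == "AllPrincipals" and _matches(g, client_id, resource_id)
               and set(required) <= _scopes(g) for g in grants)


def has_admin_consent(grants, client_id, resource_id, required):
    """Fixed check: required scopes may be spread across several AllPrincipals grants."""
    return not missing_scopes(grants, client_id, resource_id, required)


def build_developer_grant(grants, client_id, resource_id, required, published, principal_id):
    """POST body for /oauth2PermissionGrants creating a Principal-scoped grant for one
    developer. Only scopes still missing for that user AND published by the resource
    are requested, so the call never asks for an unknown scope. None if nothing is needed."""
    wanted = missing_scopes(grants, client_id, resource_id, required, principal_id) & set(published)
    if not wanted:
        return None
    return {"clientId": client_id, "consentType": "Principal", "principalId": principal_id,
            "resourceId": resource_id, "scope": " ".join(sorted(wanted))}
```

With the sample data the pre-fix check reports missing consent because no single grant carries both scopes, while the accumulated check passes; a per-user grant is only built for scopes neither tenant-wide consent nor an existing `Principal` grant already covers.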
- Resolves 4-file conflict: ResourcePermissionSpec, SetupHelpers, ConfigConstants, SetupHelpersConsentUrlTests
- Keeps ObservabilityApiAdminConsentScope (Maven.ReadWrite.All) for /adminconsent URLs (OtelWrite causes AADSTS650053)
- Adopts main's AppRoleScopes field on ResourcePermissionSpec (replaces our PermissionType enum)
- Incorporates S2SAppRoleGranted tracking and PowerShell S2S instructions in DisplaySetupSummary
- Adds S2S app role step to DisplayAdminSetupSummary numbered steps
- Messaging Bot API remains DW-only in BuildAdminConsentUrls; Observability API added for non-DW path
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Adds the full Standard agent (non-AI Teammate) setup path and config-free provisioning via `--agent-name`, so developers can provision a blueprint, agent identity, and AgentRegistry entry without a pre-existing `a365.config.json`.
What changed
- `a365 setup all --agent-name <name>`: end-to-end Standard agent provisioning with no config file required — resolves client app by well-known display name "Agent 365 CLI"
- (`AgentIdentity.Create.All`). Agent ID Developer role is sufficient — blueprint client credentials are not required
- setup without Global Administrator for every step
- `https://graph.microsoft.com//.default`) that caused WAM `IncorrectConfiguration` in cross-tenant scenarios
- `Application.ReadWrite.All` with `AgentIdentityBlueprintPrincipal.Create` for blueprint SP creation per Agent ID team guidance — `ReadWrite.All` is higher privilege than needed
- `a365-setup-instructions.md` and `custom-client-app-registration.md` updated to reflect the Standard vs AI Teammate setup paths and revised permission list
Test plan
- `a365 setup all --agent-name <name> --dry-run` — verify plan output
- `a365 setup all --agent-name <name>` in a non-admin dev tenant — verify blueprint, identity (`<name> Identity`), and registry entry (`<name> Agent`) created correctly
- `dotnet test` — 1344 passing, 16 skipped