From d031b67f3c9faf44c3d9e9285b565e8fccb783b8 Mon Sep 17 00:00:00 2001
From: David <1511024+marabooy@users.noreply.github.com>
Date: Wed, 13 May 2026 03:43:10 +0300
Subject: [PATCH] Weekly Permissions sync 2026-05-13
---
 permissions/new/permissions.json | 218 +++++++++++++++++++++++++-
 permissions/new/provisioningInfo.json | 52 +++++-
 2 files changed, 258 insertions(+), 12 deletions(-)
diff --git a/permissions/new/permissions.json b/permissions/new/permissions.json
index 851dcee0..0258f54b 100644
--- a/permissions/new/permissions.json
+++ b/permissions/new/permissions.json
@@ -1145,7 +1145,7 @@
 "POST"
 ],
 "paths": {
- "/servicePrincipals/microsoft.graph.agentIdentity": "least=DelegatedWork"
+ "/servicePrincipals/microsoft.graph.agentIdentity": "least=Application,DelegatedWork"
 }
 }
 ],
@@ -1172,8 +1172,6 @@
 "POST"
 ],
 "paths": {
- "/servicePrincipals(appid={value})/microsoft.graph.agentIdentityBlueprintPrincipal/identities": "least=Application",
- "/servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/identities": "least=Application",
 "/servicePrincipals/microsoft.graph.agentIdentity": ""
 }
 }
@@ -17742,6 +17740,18 @@
 "/devicemanagement/manageddevices/{id}/wipe": "",
 "/devicemanagement/manageddevices/executeaction": ""
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "GET"
+ ],
+ "paths": {
+ "/devicemanagement/manageddevices/{id}/getsyncstatus": "least=DelegatedWork,Application"
+ }
 }
 ],
 "ownerInfo": {
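Review bot: In the `@@ -1145` hunk the new annotation is written `least=Application,DelegatedWork`, while every other `least=` value in this patch lists the schemes as `DelegatedWork,Application`; if any consumer compares these strings rather than parsing them into a set, this entry will not match the rest, so `"least=DelegatedWork,Application"` is the safer spelling. The permission that owns this pathSet, and the `schemes` block that would declare an `Application` scheme for it, lie outside the hunk, so whether Application is actually declared for this permission cannot be confirmed here. The `@@ -1172` hunk removes the two `agentIdentityBlueprintPrincipal/identities` POST paths without re-adding them anywhere else in this patch; if that was meant as a move to another permission rather than a removal, the destination is missing.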
@@ -28227,6 +28237,56 @@
 "ownerSecurityGroup": "GroupsIDCSG"
 }
 },
+ "Group-NestingSupport.ReadWrite.All": {
+ "authorizationType": "oAuth2",
+ "schemes": {
+ "DelegatedWork": {
+ "adminDisplayName": "Read and write groups' disableNesting property",
+ "adminDescription": "Allows the app to read and write groups' disableNesting property on behalf of the signed-in user.",
+ "userDisplayName": "Read and write groups' disableNesting property",
+ "userDescription": "Allows the app to read and write the disableNesting property on your behalf.",
+ "requiresAdminConsent": true,
+ "privilegeLevel": 2
+ },
+ "Application": {
+ "adminDisplayName": "Read and write groups' disableNesting property",
+ "adminDescription": "Allows the app to read and write groups' disableNesting property without a signed-in user.",
+ "requiresAdminConsent": true,
+ "privilegeLevel": 4
+ }
+ },
+ "pathSets": [
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "GET"
+ ],
+ "paths": {
+ "/groups": "least=DelegatedWork,Application",
+ "/groups/{id}": "least=DelegatedWork,Application",
+ "/groups/delta": "least=DelegatedWork,Application"
+ }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "PATCH"
+ ],
+ "paths": {
+ "/groups/{id}": "least=DelegatedWork,Application"
+ }
+ }
+ ],
+ "ownerInfo": {
+ "ownerSecurityGroup": "AADGroupsPreAuth"
+ }
+ },
 "Group-OnPremisesSyncBehavior.ReadWrite.All": {
 "authorizationType": "oAuth2",
 "schemes": {
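Review bot: The GET pathSet of the new `Group-NestingSupport.ReadWrite.All` tags `/groups`, `/groups/{id}` and `/groups/delta` with `least=DelegatedWork,Application`, yet every description scopes the permission to reading and writing a single `disableNesting` property; if `least=` means here what it appears to mean elsewhere in the file (this permission is among the least-privileged grants for the path), a ReadWrite permission with `privilegeLevel` 4 for Application is being advertised as the minimum grant for reading group data in general. Unless the service restricts what these GET calls return under this permission, the three GET tags should be `""` so tooling does not steer callers to a broader grant than a read-only group permission; the PATCH `/groups/{id}` tag can stand if this really is the narrowest grant that can write the property. This patch also adds no `provisioningInfo.json` entry for the new permission, although it does for `SecurityAlert.Create.All`; confirm one already exists or add it in the same sync.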
@@ -32026,7 +32086,7 @@
 "/identitygovernance/lifecycleworkflows/workflows": "",
 "/identitygovernance/lifecycleworkflows/workflows({id})/previewscope": "least=DelegatedWork,Application",
 "/identitygovernance/lifecycleworkflows/workflows({id})/previewtaskfailures": "least=DelegatedWork,Application",
- "/identitygovernance/lifecycleworkflows/workflows/{id}": "least=DelegatedWork,Application",
+ "/identitygovernance/lifecycleworkflows/workflows/{id}": "",
 "/identitygovernance/lifecycleworkflows/workflows/{id}/executionscope": "least=DelegatedWork,Application",
 "/identitygovernance/lifecycleworkflows/workflows/{id}/tasks": "least=DelegatedWork,Application",
 "/identitygovernance/lifecycleworkflows/workflows/{id}/tasks/{id}": "least=DelegatedWork,Application",
@@ -32069,7 +32129,8 @@
 "GET"
 ],
 "paths": {
- "/identitygovernance/lifecycleworkflows/workflows": "least=DelegatedWork,Application"
+ "/identitygovernance/lifecycleworkflows/workflows": "least=DelegatedWork,Application",
+ "/identitygovernance/lifecycleworkflows/workflows/{id}": "least=DelegatedWork,Application"
 }
 }
 ],
@@ -33568,6 +33629,72 @@
 "ownerSecurityGroup": "stisaprvc"
 }
 },
+ "MailTips.ReadBasic.All": {
+ "authorizationType": "oAuth2",
+ "schemes": {
+ "Application": {
+ "adminDisplayName": "Read mail tips for all users",
+ "adminDescription": "Allows the app to read mail tips for all users in the organization without a signed-in user. Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
+ "requiresAdminConsent": true,
+ "privilegeLevel": 4
+ }
+ },
+ "pathSets": [
+ {
+ "schemeKeys": [
+ "Application"
+ ],
+ "methods": [
+ "POST"
+ ],
+ "paths": {
+ "/users/{id}/getmailtips": ""
+ }
+ }
+ ],
+ "ownerInfo": {
+ "ownerSecurityGroup": "stisaprvc"
+ }
+ },
+ "MailTips.ReadBasic.Shared": {
+ "authorizationType": "oAuth2",
+ "schemes": {
+ "DelegatedWork": {
+ "adminDisplayName": "Read mail tips for accessible mailboxes",
+ "adminDescription": "Allows the app to read mail tips on behalf of the signed-in user for mailboxes they have access to, including their own mailbox and shared mailboxes. Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
+ "userDisplayName": "Read mail tips for mailboxes you can access",
+ "userDescription": "Allows the app to read mail tips on your behalf for mailboxes you have access to, including your own mailbox and shared mailboxes.",
+ "requiresAdminConsent": false,
+ "privilegeLevel": 3
+ },
+ "DelegatedPersonal": {
+ "adminDisplayName": "Read mail tips for accessible mailboxes",
+ "adminDescription": "Allows the app to read mail tips on behalf of the signed-in user for mailboxes they have access to. 
Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
+ "userDisplayName": "Read mail tips for mailboxes you can access",
+ "userDescription": "Allows the app to read mail tips on your behalf for mailboxes you have access to, including your own mailbox.",
+ "requiresAdminConsent": false,
+ "privilegeLevel": 2
+ }
+ },
+ "pathSets": [
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "DelegatedPersonal"
+ ],
+ "methods": [
+ "POST"
+ ],
+ "paths": {
+ "/me/getmailtips": "",
+ "/users/{id}/getmailtips": ""
+ }
+ }
+ ],
+ "ownerInfo": {
+ "ownerSecurityGroup": "stisaprvc"
+ }
+ },
 "ManagedTenants.Read.All": {
 "authorizationType": "oAuth2",
 "schemes": {
@@ -34236,6 +34363,19 @@
 "/networkAccess/tlsInspectionPolicies/{id}/policyRules/{id}": "least=DelegatedWork,Application",
 "/networkAccess/tlsPolicies": "least=DelegatedWork,Application"
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "POST"
+ ],
+ "paths": {
+ "/networkAccess/classifyMcpTools": "least=DelegatedWork,Application",
+ "/networkAccess/discoverMcpTools": "least=DelegatedWork,Application"
+ }
 }
 ],
 "ownerInfo": {
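Review bot: Every path in the two new `MailTips.ReadBasic.*` permissions carries `""` rather than a `least=` annotation, so nothing in this patch records them as the least-privileged grant for `getmailtips`; if that is what a `ReadBasic` permission is for, the `least=` tag presumably needs to move here from the broader existing MailTips permission, which this patch does not touch, otherwise tooling that reads `least=` keeps steering callers to the broader grant. The `DelegatedPersonal` `adminDescription` renders split across two lines on this page, but the hunk's line count (`+72`) shows it is a single diff line, so this is a display artifact rather than a literal newline in the JSON string. Like `Group-NestingSupport.ReadWrite.All`, neither MailTips permission gets a `provisioningInfo.json` entry in this patch; confirm the entries already exist.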
@@ -34364,12 +34504,14 @@
 "POST"
 ],
 "paths": {
+ "/networkAccess/classifyMcpTools": "",
 "/networkAccess/cloudFirewallPolicies": "least=DelegatedWork,Application",
 "/networkAccess/cloudFirewallPolicies/{id}/policyRules": "least=DelegatedWork,Application",
 "/networkAccess/connectivity/branches": "least=DelegatedWork,Application",
 "/networkAccess/connectivity/branches/{id}/deviceLinks": "least=DelegatedWork,Application",
 "/networkAccess/contentPolicies": "least=DelegatedWork,Application",
 "/networkAccess/contentPolicies/{id}/policyRules": "least=DelegatedWork,Application",
+ "/networkAccess/discoverMcpTools": "",
 "/networkAccess/fileDlpPolicies": "least=DelegatedWork,Application",
 "/networkAccess/filteringPolicies": "least=DelegatedWork,Application",
 "/networkAccess/filteringPolicies/{id}/policyRules": "least=DelegatedWork,Application",
@@ -37780,6 +37922,7 @@
 "/applications/{id}/tokenissuancepolicies": "AlsoRequires=Application.ReadWrite.All",
 "/applications/{id}/tokenlifetimepolicies": "AlsoRequires=Application.ReadWrite.All",
 "/identity/conditionalaccess/namedlocations": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
 "/identity/conditionalaccess/policies": "least=DelegatedWork,Application",
 "/serviceprincipals(appid={value})/claimsmappingpolicies": "AlsoRequires=Application.ReadWrite.All",
 "/serviceprincipals(appid={value})/homerealmdiscoverypolicies": "AlsoRequires=Application.ReadWrite.All",
@@ -37905,6 +38048,7 @@
 "/policies/crosstenantaccesspolicy/partners/{id}/m365Capabilities/crossTenantPlacesRoomBooking": "least=DelegatedWork,Application",
 "/policies/defaultappmanagementpolicy": "least=DelegatedWork,Application",
 "/policies/externalidentitiespolicy": "least=DelegatedWork,Application",
+ "/policies/federatedtokenvalidationpolicy": "least=DelegatedWork,Application",
 "/policies/homerealmdiscoverypolicies": "least=DelegatedWork,Application",
 "/policies/homerealmdiscoverypolicies/{id}": "least=DelegatedWork,Application",
 "/policies/homerealmdiscoverypolicies/{id}/appliesto": "least=DelegatedWork,Application",
@@ -37931,6 +38075,9 @@
 ],
 "paths": {
 "/identity/conditionalaccess/namedlocations/{id}": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
 "/identity/conditionalaccess/policies/{id}": "least=DelegatedWork,Application"
 }
 },
@@ -38364,6 +38511,10 @@
 ],
 "paths": {
 "/identity/conditionalaccess/authenticationcontextclassreferences": "",
+ "/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
 "/identity/conditionalaccess/settings": "least=DelegatedWork,Application"
 }
 },
@@ -38822,6 +38973,20 @@
 "paths": {
 "/policies/authenticationflowspolicy": "least=DelegatedWork,Application"
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "DELETE",
+ "GET",
+ "PATCH"
+ ],
+ "paths": {
+ "/policies/federatedtokenvalidationpolicy": "least=DelegatedWork,Application"
+ }
 }
 ],
 "ownerInfo": {
@@ -39215,6 +39380,10 @@
 "/identity/conditionalaccess/authenticationstrength/authenticationmethodmodes/{id}": "",
 "/identity/conditionalaccess/authenticationstrength/combinations": "",
 "/identity/conditionalaccess/authenticationstrength/policies/{id}/combinationconfigurations": "",
+ "/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
 "/policies/authenticationstrengthpolicies": "",
 "/policies/authenticationstrengthpolicies/{id}/usage": "",
 "/policies/authenticationstrengthpolicies/findbymethodmode(authenticationmethodmodes={value})": ""
@@ -39259,6 +39428,8 @@
 "paths": {
 "/identity/conditionalaccess/evaluate": "",
 "/identity/conditionalaccess/namedlocations": "",
+ "/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
 "/identity/conditionalaccess/policies": "",
 "/policies/authenticationstrengthpolicies/{id}/updateallowedcombinations": "least=DelegatedWork,Application"
 }
@@ -39274,6 +39445,8 @@
 ],
 "paths": {
 "/identity/conditionalaccess/namedlocations/{id}": "",
+ "/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
+ "/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
 "/identity/conditionalaccess/policies/{id}": ""
 }
 },
@@ -43182,6 +43355,17 @@
 "paths": {
 "/admin/reportsettings": "least=DelegatedWork,Application"
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork"
+ ],
+ "methods": [
+ "GET"
+ ],
+ "paths": {
+ "/admin/reportsettings/sharepoint/apiusagereportmetrics": "least=DelegatedWork"
+ }
 }
 ],
 "ownerInfo": {
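Review bot: In the `@@ -39215` hunk the four new `/identity/conditionalaccess/plans…` paths are tagged `least=DelegatedWork,Application` inside a pathSet whose neighbouring conditional-access paths (`authenticationstrength/…`, `/policies/authenticationstrengthpolicies…`) all carry `""`, i.e. this permission is evidently not the least-privileged one for that family; the same pattern appears in `@@ -39259` (siblings `evaluate`, `namedlocations`, `policies` are `""`) and `@@ -39274` (`namedlocations/{id}`, `policies/{id}` are `""`). The identical plans paths are also tagged `least=` in the narrower-looking pathSets of the `@@ -37780`, `@@ -37931` and `@@ -38364` hunks, where the sibling paths are `least=` too. If `least=` is meant to single out the minimum grant per path and method, the tags in this hunk and the two named ones should probably be `""` so only the narrower permission is advertised; if a second least-privileged permission is intended, a word on why in the commit message would save the next reader the same comparison. The enclosing permission names and `methods` arrays lie outside all of these hunks, so the method overlap is inferred from the shared sibling paths rather than read directly.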
@@ -43219,6 +43403,18 @@
 "paths": {
 "/admin/reportsettings": "least=DelegatedWork,Application"
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork"
+ ],
+ "methods": [
+ "POST"
+ ],
+ "paths": {
+ "/admin/reportsettings/sharepoint/disableapiusagereport": "least=DelegatedWork",
+ "/admin/reportsettings/sharepoint/enableapiusagereport": "least=DelegatedWork"
+ }
 }
 ],
 "ownerInfo": {
@@ -45282,6 +45478,18 @@
 "paths": {
 "/security/alerts_v2/{id}/comments": "least=DelegatedWork,Application"
 }
+ },
+ {
+ "schemeKeys": [
+ "DelegatedWork",
+ "Application"
+ ],
+ "methods": [
+ "POST"
+ ],
+ "paths": {
+ "/security/alerts_v2": "least=DelegatedWork,Application"
+ }
 }
 ],
 "ownerInfo": {
diff --git a/permissions/new/provisioningInfo.json b/permissions/new/provisioningInfo.json
index 2a36d5af..5113311d 100644
--- a/permissions/new/provisioningInfo.json
+++ b/permissions/new/provisioningInfo.json
@@ -677,6 +687,16 @@
 "isEnabled": false,
 "resourceAppId": "00000002-0000-0000-c000-000000000000"
 }
+ ],
+ "AgentIdentityBlueprintPrincipal.UpdateLcpComplianceProperty.All": [
+ {
+ "id": "",
+ "scheme": "Application",
+ "environment": "PPE;public",
+ "isHidden": true,
+ "isEnabled": false,
+ "resourceAppId": "00000002-0000-0000-c000-000000000000"
+ }
 ],
 "AgentRegistration.Read.All": [
 {
@@ -7483,7 +7493,7 @@
 "id": "e7f8a3b2-9c1d-4e5f-8a7b-2c3d4e5f6a7b",
 "scheme": "DelegatedWork",
 "environment": "public",
- "isHidden": true,
+ "isHidden": false,
 "isEnabled": true,
 "resourceAppId": "65d91a3d-ab74-42e6-8a2f-0add61688c74"
 },
@@ -7491,7 +7501,7 @@
 "id": "b4c7d8e9-f2a5-4b6c-9d8e-1f2a3b4c5d6e",
 "scheme": "Application",
 "environment": "public",
- "isHidden": true,
+ "isHidden": false,
 "isEnabled": true,
 "resourceAppId": "65d91a3d-ab74-42e6-8a2f-0add61688c74"
 }
@@ -9389,7 +9399,7 @@
 "id": "",
 "scheme": "Application",
 "environment": "",
- "isHidden": true,
+ "isHidden": false,
 "isEnabled": true,
 "resourceAppId": "00000002-0000-0ff1-ce00-000000000000"
 }
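Review bot: The `@@ -45282` hunk adds `POST /security/alerts_v2` as `least=DelegatedWork,Application` to an existing permission (its name is outside the hunk; the sibling `alerts_v2/{id}/comments` path suggests a ReadWrite-class grant), while `provisioningInfo.json` gains a new `SecurityAlert.Create.All` in the `@@ -13931` hunk and no permission of that name is defined anywhere in the `permissions.json` part of this patch. If `SecurityAlert.Create.All` is meant to be the minimum grant for creating alerts, it needs a `permissions.json` definition and the `least=` tag on `/security/alerts_v2` belongs there rather than on the broader permission; if it is already defined in the unchanged part of the file, disregard this part. The same cross-file check applies to `AgentIdentityBlueprintPrincipal.UpdateLcpComplianceProperty.All` (`@@ -677`) and `AgentIdentity.UpdateLcpComplianceProperty.All` (`@@ -14857`), and to the renamed keys `ServicePrincipal.ConvertToAgentIdentity.OwnedBy` and `AgentIdentity.ConvertToApplicationSP.OwnedBy` (`@@ -14885`, `@@ -14895`), none of which has a matching addition or rename in `permissions.json` here; a provisioning entry whose name matches no permission definition is dead data at best and a mis-provisioned grant at worst.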
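Review bot: The `@@ -9389` hunk flips `isHidden` to `false` on an entry whose `id` and `environment` are both `""`, and `@@ -9399` and `@@ -9407` do the same for two more entries of the same `resourceAppId` (the first of those also has an empty `environment`). If `id` is the provisioned permission identifier and `environment` the rollout target, as the populated entries in `@@ -7483` and `@@ -7491` suggest, unhiding before either is filled in looks premature; if empty values are a valid "all environments, id assigned later" convention in this file, a short note in the commit message would make that explicit.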
@@ -9399,7 +9409,7 @@
 "id": "",
 "scheme": "DelegatedWork",
 "environment": "",
- "isHidden": true,
+ "isHidden": false,
 "isEnabled": true,
 "resourceAppId": "00000002-0000-0ff1-ce00-000000000000"
 },
@@ -9407,7 +9417,7 @@
 "id": "",
 "scheme": "DelegatedPersonal",
 "environment": "public",
- "isHidden": true,
+ "isHidden": false,
 "isEnabled": true,
 "resourceAppId": "00000002-0000-0ff1-ce00-000000000000"
 }
@@ -13931,6 +13941,24 @@
 "resourceAppId": ""
 }
 ],
+ "SecurityAlert.Create.All": [
+ {
+ "id": "",
+ "scheme": "DelegatedWork",
+ "environment": "public",
+ "isHidden": true,
+ "isEnabled": true,
+ "resourceAppId": "fc780465-2017-40d4-a0c5-307022471b92"
+ },
+ {
+ "id": "",
+ "scheme": "Application",
+ "environment": "public",
+ "isHidden": true,
+ "isEnabled": true,
+ "resourceAppId": "fc780465-2017-40d4-a0c5-307022471b92"
+ }
+ ],
 "SecurityAnalyzedMessage.Read.All": [
 {
 "id": "53e6783e-b127-4a35-ab3a-6a52d80a9077",
@@ -14857,6 +14885,16 @@
 "resourceAppId": "00000002-0000-0000-c000-000000000000"
 }
 ],
+ "AgentIdentity.UpdateLcpComplianceProperty.All": [
+ {
+ "id": "",
+ "scheme": "Application",
+ "environment": "PPE;public",
+ "isHidden": true,
+ "isEnabled": false,
+ "resourceAppId": "00000002-0000-0000-c000-000000000000"
+ }
+ ],
 "AgentIdentity.ReadWrite.ManagedBy": [
 {
 "id": "",
@@ -14885,7 +14923,7 @@
 "resourceAppId": "00000002-0000-0000-c000-000000000000"
 }
 ],
- "ServicePrincipal.MigrateToAgentIdentity.OwnedBy": [
+ "ServicePrincipal.ConvertToAgentIdentity.OwnedBy": [
 {
 "id": "",
 "scheme": "Application",
@@ -14895,7 +14933,7 @@
 "resourceAppId": "00000002-0000-0000-c000-000000000000"
 }
 ],
- "AgentIdentity.RollBackMigration.OwnedBy": [
+ "AgentIdentity.ConvertToApplicationSP.OwnedBy": [
 {
 "id": "",
 "scheme": "Application",