Pull Request Overview
This PR represents the weekly permissions sync for 2025-11-20, updating API endpoint permissions configurations in the Microsoft Graph permissions file.
Key Changes:
- Refined permissions for `/places/{id}/checkIns` endpoints by separating them into dedicated DelegatedWork-only permission blocks
- Added new claim providers API endpoints under `Policy.Read.All` and `Policy.ReadWrite.ConditionalAccess` permissions
| { | ||
| "schemeKeys": [ | ||
| "DelegatedWork" | ||
| ], | ||
| "methods": [ | ||
| "POST" | ||
| ], | ||
| "paths": { | ||
| "/identity/conditionalaccess/claimProviders": "", | ||
| "/identity/conditionalaccess/claimProviders/validate": "" | ||
| } | ||
| }, | ||
| { | ||
| "schemeKeys": [ | ||
| "DelegatedWork" | ||
| ], | ||
| "methods": [ | ||
| "DELETE", | ||
| "PATCH" | ||
| ], | ||
| "paths": { | ||
| "/identity/conditionalaccess/claimProviders/{name}": "" | ||
| } |
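Review bot: Both added blocks list only "DelegatedWork" in schemeKeys, so the POST, DELETE and PATCH grants on the claimProviders paths apply to that single scheme. These methods change Conditional Access configuration, and this is an automated sync, so it is worth confirming against the upstream source that no other scheme was dropped, and recording in the PR description that the DelegatedWork-only scope is intended.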
The claim providers endpoints are added for POST (lines 35600-35610), DELETE, and PATCH (lines 35612-35622) methods in the Policy.ReadWrite.ConditionalAccess permission, but there's no corresponding GET method block for these endpoints. This is inconsistent with the pattern in Policy.Read.All (lines 34387-34397) which includes GET method support for /identity/conditionalaccess/claimProviders and /identity/conditionalaccess/claimProviders/getControls.
If Policy.ReadWrite.ConditionalAccess is meant to provide both read and write access to claim providers, a GET method block should be added similar to:
```json
{
  "schemeKeys": [
    "DelegatedWork"
  ],
  "methods": [
    "GET"
  ],
  "paths": {
    "/identity/conditionalaccess/claimProviders": "",
    "/identity/conditionalaccess/claimProviders/getControls": "",
    "/identity/conditionalaccess/claimProviders/{name}": ""
  }
}
```
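A consistency check for the gap described in the comment above, added here as an example; it is not part of the review or of the repository's tooling. It assumes a permission's blocks are available as a list of objects with the `schemeKeys`, `methods` and `paths` fields shown in the diff; the function names, the `DelegatedWork` scheme on the `Policy.Read.All` block and the sample data are constructed for illustration.

```python
from collections import defaultdict

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def methods_by_path(path_sets):
    """Map (schemeKey, path) -> set of HTTP methods granted across all blocks."""
    granted = defaultdict(set)
    for block in path_sets:
        for scheme in block["schemeKeys"]:
            for path in block["paths"]:
                granted[(scheme, path)].update(block["methods"])
    return granted

def writable_without_get(path_sets):
    """(scheme, path) pairs that can be modified but never read back.
    Action endpoints (POST-only) also show up here and need manual triage."""
    return sorted(key for key, methods in methods_by_path(path_sets).items()
                  if methods & WRITE_METHODS and "GET" not in methods)

def readable_only_via_reader(read_sets, write_sets):
    """(scheme, path) pairs the read permission can GET but the write one cannot."""
    reader = {k for k, m in methods_by_path(read_sets).items() if "GET" in m}
    writer = {k for k, m in methods_by_path(write_sets).items() if "GET" in m}
    return sorted(reader - writer)

BASE = "/identity/conditionalaccess/claimProviders"

# Constructed sample: the two blocks added under Policy.ReadWrite.ConditionalAccess.
POLICY_READWRITE_CA = [
    {"schemeKeys": ["DelegatedWork"], "methods": ["POST"],
     "paths": {BASE: "", BASE + "/validate": ""}},
    {"schemeKeys": ["DelegatedWork"], "methods": ["DELETE", "PATCH"],
     "paths": {BASE + "/{name}": ""}},
]
# Constructed sample: the GET paths the comment attributes to Policy.Read.All
# (the scheme key is an assumption; the page does not show that block).
POLICY_READ_ALL = [
    {"schemeKeys": ["DelegatedWork"], "methods": ["GET"],
     "paths": {BASE: "", BASE + "/getControls": ""}},
]

if __name__ == "__main__":
    for scheme, path in writable_without_get(POLICY_READWRITE_CA):
        print(f"write-only  {scheme:14} {path}")
    for scheme, path in readable_only_via_reader(POLICY_READ_ALL, POLICY_READWRITE_CA):
        print(f"reader-only {scheme:14} {path}")
```

Run against the blocks as merged, every claim providers path is reported; with the suggested GET block appended, only the POST-only `validate` action remains.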
Weekly Permissions sync 2025-11-20