fix: set CustomClientAppId in BlueprintSubcommand to fix inheritable permissions#272

Merged
sellakumaran merged 3 commits into microsoft:main from pratapladhani:fix/blueprint-missing-custom-client-app-id
Feb 18, 2026

Conversation

@pratapladhani (Contributor)

Summary

BlueprintSubcommand.SetHandler is missing the assignment of graphApiService.CustomClientAppId, causing a365 setup blueprint to fail when setting inheritable permissions. Every other command handler (AllSubcommand, PermissionsSubcommand, DeployCommand, CleanupCommand) already sets this property correctly.

Fixes #271

Root Cause

When CustomClientAppId is null, MicrosoftGraphTokenProvider omits the -ClientId parameter from the Connect-MgGraph PowerShell command, causing it to fall back to the default SDK client app (14d82eec-204b-4c2f-b7e8-296a70dab67e). This default app lacks the AgentIdentityBlueprint.UpdateAuthProperties.All permission required by SetInheritablePermissionsAsync.

Call chain

BlueprintSubcommand.SetHandler
  → graphApiService.CustomClientAppId is NEVER set (null)
  → SetupHelpers.EnsureResourcePermissionsAsync
    → blueprintService.SetInheritablePermissionsAsync
      → graphApiService.EnsureGraphHeadersAsync(requiredScopes: ["AgentIdentityBlueprint.UpdateAuthProperties.All", ...])
        → _tokenProvider.GetMgGraphAccessTokenAsync(tenantId, scopes, false, customClientAppId: null, ct)
          → Connect-MgGraph WITHOUT -ClientId → uses default SDK app → permission denied

Platform impact

| Platform | Behavior |
| --- | --- |
| macOS/Linux | Always fails — no WAM broker, must use -ClientId for interactive browser auth |
| Windows | Intermittent — WAM broker may resolve correct tokens from cache, masking the bug until tokens expire |

Fix

One-line addition after config load, matching the exact pattern used in AllSubcommand.cs (line 138):

var setupConfig = await configService.LoadAsync(config.FullName);

// Configure GraphApiService with custom client app ID if available
// This ensures inheritable permissions operations use the validated custom app
// Fixes: https://github.com/microsoft/Agent365-devTools/issues/271
if (!string.IsNullOrWhiteSpace(setupConfig.ClientAppId))
{
    graphApiService.CustomClientAppId = setupConfig.ClientAppId;
}

Testing

  • Build: dotnet build -c Release — 0 warnings, 0 errors
  • Unit tests: All 17 CleanConsoleFormatterTests pass; no existing tests for BlueprintSubcommand SetHandler path
  • Manual verification: The fix ensures Connect-MgGraph -ClientId '<custom-app-id>' is emitted, matching behavior of a365 setup all

Workaround (for users on current release)

Use a365 setup all --skip-infrastructure instead of a365 setup blueprint, as AllSubcommand correctly sets the property.
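The following C# is an added illustration and is not code from the Agent365-devTools repository or from this PR. It models the call chain described above so that the fallback to the default SDK app becomes visible: a Connect-MgGraph command line is built the way the PR says the token provider behaves (the -ClientId parameter is emitted only when a custom client app id is present), the fix pattern from the PR is applied for the three configuration cases the regression tests cover (set, absent, whitespace), and an additional fail-fast guard refuses to proceed when a scope the default SDK app lacks is requested without an explicit client app. The property name GraphApiService.CustomClientAppId, the default SDK app GUID and the scope name come from the PR text; MgGraphCommandBuilder, RequireCustomAppForPrivilegedScopes, ConfigureFromSetupConfig, the tenant name and the placeholder client app GUID are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not the project's code. Models the PR's call chain so the silent
// fallback to the default SDK app is visible, and shows the fix plus a fail-fast guard.
public sealed class GraphApiService
{
    // Mirrors the property the PR sets; null means "no explicit client app".
    public string? CustomClientAppId { get; set; }
}

public static class MgGraphCommandBuilder   // hypothetical helper name
{
    // Default client app the Graph PowerShell SDK uses when -ClientId is absent (GUID from the PR).
    public const string DefaultSdkAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e";

    // Scopes the default SDK app cannot satisfy (the one named in the PR).
    private static readonly HashSet<string> PrivilegedScopes =
        new(StringComparer.OrdinalIgnoreCase) { "AgentIdentityBlueprint.UpdateAuthProperties.All" };

    // Builds the Connect-MgGraph line as the PR describes the token provider behaving:
    // -ClientId is emitted only when a custom client app id is present.
    public static string Build(string tenantId, IEnumerable<string> scopes, string? customClientAppId)
    {
        var scopeList = string.Join(",", scopes.Select(s => $"'{s}'"));
        var cmd = $"Connect-MgGraph -TenantId '{tenantId}' -Scopes {scopeList}";
        return string.IsNullOrWhiteSpace(customClientAppId) ? cmd : $"{cmd} -ClientId '{customClientAppId}'";
    }

    // The app id that will actually authenticate.
    public static string EffectiveAppId(string? customClientAppId) =>
        string.IsNullOrWhiteSpace(customClientAppId) ? DefaultSdkAppId : customClientAppId;

    // Suggested guard (an addition, not part of the PR): make the fallback loud instead of silent
    // when a privileged scope is requested with no custom client app configured.
    public static void RequireCustomAppForPrivilegedScopes(IEnumerable<string> scopes, string? customClientAppId)
    {
        var missing = scopes.Where(PrivilegedScopes.Contains).ToList();
        if (missing.Count > 0 && string.IsNullOrWhiteSpace(customClientAppId))
        {
            throw new InvalidOperationException(
                $"Scopes [{string.Join(", ", missing)}] require a custom client app; CustomClientAppId is unset, " +
                $"so Connect-MgGraph would use the default SDK app {DefaultSdkAppId}.");
        }
    }
}

public static class Program
{
    // The fix pattern from the PR: assign only when the configured value is non-blank.
    public static void ConfigureFromSetupConfig(GraphApiService graphApiService, string? configuredClientAppId)
    {
        if (!string.IsNullOrWhiteSpace(configuredClientAppId))
        {
            graphApiService.CustomClientAppId = configuredClientAppId;
        }
    }

    public static void Main()
    {
        var scopes = new[] { "AgentIdentityBlueprint.UpdateAuthProperties.All" };
        // Three constructed config values matching the three regression-test cases in the PR.
        var cases = new (string Label, string? ClientAppId)[]
        {
            ("configured client app", "00000000-0000-0000-0000-00000000abcd"), // constructed placeholder GUID
            ("no client app", null),
            ("whitespace client app", "   "),
        };

        foreach (var (label, clientAppId) in cases)
        {
            var service = new GraphApiService();
            ConfigureFromSetupConfig(service, clientAppId);
            Console.WriteLine($"[{label}] effective app: {MgGraphCommandBuilder.EffectiveAppId(service.CustomClientAppId)}");
            // "contoso.onmicrosoft.com" is a constructed tenant name.
            Console.WriteLine("  " + MgGraphCommandBuilder.Build("contoso.onmicrosoft.com", scopes, service.CustomClientAppId));
            try
            {
                MgGraphCommandBuilder.RequireCustomAppForPrivilegedScopes(scopes, service.CustomClientAppId);
                Console.WriteLine("  guard: ok");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine("  guard: " + ex.Message);
            }
        }
    }
}
```

Only the first case emits -ClientId and passes the guard; the other two reproduce the bug's fallback to the default SDK app, which the guard turns into an immediate, explicit error rather than a permission denial deep inside the blueprint call. Keeping the assignment in one shared helper, rather than repeating it in each subcommand handler, is what removes the class of omission this PR fixes.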

…permissions (microsoft#271)

BlueprintSubcommand.SetHandler was missing the assignment of
graphApiService.CustomClientAppId = setupConfig.ClientAppId, causing
Connect-MgGraph to omit -ClientId and fall back to the default SDK
client app (14d82eec) which lacks the required
AgentIdentityBlueprint.UpdateAuthProperties.All permission.

This always fails on macOS/Linux (no WAM broker) and intermittently
fails on Windows when cached tokens expire.

Every other command handler (AllSubcommand, PermissionsSubcommand,
DeployCommand, CleanupCommand) already sets this property correctly.

Fixes microsoft#271
Copilot AI review requested due to automatic review settings February 18, 2026 05:49
@pratapladhani pratapladhani requested review from a team as code owners February 18, 2026 05:49

Copilot AI left a comment


Pull request overview

This PR fixes a critical bug where a365 setup blueprint fails to configure inheritable permissions because graphApiService.CustomClientAppId is never set in the command handler. Without this assignment, the Graph API authentication falls back to the default SDK client app which lacks the required AgentIdentityBlueprint.UpdateAuthProperties.All permission. This bug affects all platforms but manifests most consistently on macOS/Linux where WAM (Web Account Manager) is unavailable.

Changes:

  • Added graphApiService.CustomClientAppId assignment in BlueprintSubcommand.SetHandler after loading configuration, matching the pattern used in all other command handlers (AllSubcommand, PermissionsSubcommand, DeployCommand, CleanupCommand)

sellakumaran and others added 2 commits February 18, 2026 08:58
Remove issue reference from inline comment to match the pattern used
in other command handlers (AllSubcommand, PermissionsSubcommand, etc.)

The issue reference is already documented in git history and PR
description, so the inline comment doesn't need to duplicate it.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…bcommand

Add unit and integration tests to prevent regression of issue microsoft#271 where
CustomClientAppId was not being set, causing inheritable permissions to fail.

Unit Tests (BlueprintSubcommandTests.cs):
- SetHandler_WithClientAppId_ShouldConfigureGraphApiService
- SetHandler_WithoutClientAppId_ShouldNotConfigureGraphApiService
- SetHandler_WithWhitespaceClientAppId_ShouldNotConfigureGraphApiService

Integration Test (integration-test-workflow.md):
- Test 4.1a: Verify CustomClientAppId configuration via trace logs
- Validates Connect-MgGraph uses correct -ClientId parameter
- Prevents regression where SDK default app is used instead

These tests would have caught the bug fixed in PR microsoft#272 where the missing
CustomClientAppId assignment caused authentication to fail on macOS/Linux.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@sellakumaran sellakumaran enabled auto-merge (squash) February 18, 2026 17:29
@sellakumaran sellakumaran merged commit 5e589b4 into microsoft:main Feb 18, 2026
4 checks passed
@pratapladhani pratapladhani deleted the fix/blueprint-missing-custom-client-app-id branch February 20, 2026 02:50
Development

Successfully merging this pull request may close these issues.

Bug: "a365 setup blueprint" missing CustomClientAppId — inheritable permissions fail (especially macOS/Linux)

4 participants