Add Agent365ToolsServicePrincipalProdPublic script#10
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new PowerShell script to create the Agent 365 Tools Service Principal in an Azure tenant. This is a one-time administrative operation that enables regular users to create their own app registrations without requiring admin rights.
Key Changes:
- New administrative script for Service Principal creation with comprehensive error handling
- Automatic Microsoft.Graph module installation and validation
- User-friendly output with color-coded status messages and detailed instructions
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
gattimassimo
approved these changes
Nov 14, 2025
rahuldevikar761
approved these changes
Nov 14, 2025
sellakumaran
pushed a commit
that referenced
this pull request
Feb 27, 2026
* Git push script * Update scripts/cli/Auth/New-Agent365ToolsServicePrincipalProdPublic.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update scripts/cli/Auth/New-Agent365ToolsServicePrincipalProdPublic.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sellakumaran
added a commit
that referenced
this pull request
Mar 8, 2026
…aph, tests) Exit codes (#7, #8/#9): - Set Environment.ExitCode = 1 in ValidateDeploymentPrerequisitesAsync before each null return so callers exit non-zero on config/Web App validation failure - Replace deploy-mcp guard `return` with ExceptionHandler.ExitWithCleanup(1) for AgentBlueprintId, AgenticAppId, and TenantId missing-config cases Log severity (#15, #16, #17): - LogCheckWarning: LogInformation -> LogWarning - LogCheckFailure: all three LogInformation -> LogError - ExecuteCheckWithLoggingAsync warning path: log ErrorMessage ?? Details so the primary warning message is no longer silently dropped skip-graph regressions (#21, #22): - Guard RunChecksOrExitAsync(MOS checks) behind if (!skipGraph) - Guard clientAppId null check behind !skipGraph in PublishCommand Unused parameter (#14): - Remove IPrerequisiteRunner from BlueprintSubcommand.CreateCommand signature - Update SetupCommand.cs call site and BlueprintSubcommandTests accordingly InfrastructureRequirementCheck (#5, #6): - Add I1/I2/I3/I1V2/I2V2/I3V2 (Isolated) SKUs to validation error message - Wrap CheckAsync with ExecuteCheckWithLoggingAsync so [PASS]/[FAIL] is printed PrerequisiteRunner warning message (#3): - Log ErrorMessage ?? Details, log even when both are empty IsCaeError gap (#18): - Add InvalidAuthenticationToken to IsCaeError in ClientAppValidator Stale comment (#10): - Update ValidateDeploymentPrerequisitesAsync doc to remove "environment" Tests (#19, #20): - Add AppServiceAuthRequirementCheckTests (success, failure, metadata, null guard) - Add MosPrerequisitesRequirementCheckTests (exception->failure, metadata, null guards) - Update FrontierPreviewRequirementCheckTests: [WARN] now at LogWarning not LogInformation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sellakumaran
added a commit
that referenced
this pull request
Mar 10, 2026
…siteRunner (#106) (#312) * feat: unify prerequisite validation via IRequirementCheck + IPrerequisiteRunner (#106) Commands now declare prerequisites using IRequirementCheck and fail early with actionable messages before any side effects occur. Phase 1 - pure reorganization (zero behavioral change): - Add AzureAuthRequirementCheck and InfrastructureRequirementCheck adapters - Add IPrerequisiteRunner / PrerequisiteRunner to run checks in order - Route AllSubcommand, BlueprintSubcommand, InfrastructureSubcommand, and DeployCommand through the shared runner instead of ad-hoc validators - Delete dead code: ISubCommand.ValidateAsync, IAzureValidator/AzureValidator - Make AzureAuthValidator.ValidateAuthenticationAsync virtual for testability Phase 2 - minimal early-fail additions: - cleanup azure: auth check before preview display - deploy mcp: explicit early guards for agentBlueprintId and agenticAppId before any Graph/network calls Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: three CLI polish fixes - ConfigFileNotFoundException now extends Agent365Exception so missing config errors surface as clean user messages (no stack trace) on all commands, not just those with local catch blocks. Removes ad-hoc FileNotFoundException catches in CleanupCommand and CreateInstanceCommand. - config init: expand relative/dot deployment paths to absolute before saving so the stored value is portable across directories. Update help text to clarify relative paths are accepted. - config init: drop platform-specific parenthetical from 'Allow public client flows' log message -- the setting is required on all platforms. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Polish CLI output: reduce noise, fix ordering, add TraceId - Move "Running all setup steps..." to after requirements check output - Remove redundant "Agent 365 Setup" header (user already knows the command) - Change CorrelationId log to LogDebug for setup all and blueprint; surface as TraceId inline on the action line ("Running all setup steps... (TraceId: ...)") so it is always captured in setup.log as [INF] and visible on console - Demote PlatformDetector internal logs to LogDebug; single "Detected project platform: X" line remains as the user-facing output - Add AzureAuthRequirementCheck to GetConfigRequirementChecks so Azure auth appears in requirements output for all setup subcommands - Remove redundant mid-execution auth gate from BlueprintSubcommand that caused duplicate [PASS] Azure Authentication output - Fix RequirementCheck base class: use LogInformation for all check result lines to avoid WARNING:/ERROR: prefix doubling from logger formatter - Collapse verbose requirements summary to single line: "Requirements: X passed, Y warnings, Z failed" - Update tests to match new message text and log level assertions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add fail-early requirement checks to remaining commands Extends fail-early validation to setup infrastructure, setup permissions, setup copilot-studio, cleanup azure, deploy, and publish commands. Each command now runs targeted IRequirementCheck-based pre-flight checks with formatted [PASS]/[FAIL] output before executing destructive or slow operations, surfacing auth and config failures immediately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * refactor: structured requirement check composition + fix CAE token revocation UX Phase 1 (zero behavioral change): - Add GetBaseChecks() to SetupCommand and CleanupCommand for explicit check composition - Add GetChecks() to each setup subcommand so check lists are co-located with their command - Add RunChecksOrExitAsync() helper to RequirementsSubcommand to eliminate four-line boilerplate - Guard all requirement check calls with if (!dryRun) to avoid spurious network calls - Update RequirementsSubcommandTests to use public API after making internal helpers private Fix CAE token revocation UX: - Add ClientAppValidationException.TokenRevoked() factory for clear re-auth guidance - Detect server-side CAE token revocation in GetClientAppInfoAsync and throw TokenRevoked instead of returning null (which was misreported as "app not found") - Pass suppressErrorLogging: true to all az CLI calls in ClientAppValidator so raw error output no longer leaks to console before the formatted [FAIL] message - Update ClientAppValidatorTests mocks to match suppressErrorLogging parameter Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: suppress raw subprocess output leaking before structured check results AzureAuthValidator: add suppressErrorLogging to az account show call to prevent CommandExecutor from printing raw stderr before [FAIL] output. Remove verbose LogError/LogInformation guidance blocks — the validator returns bool only; issue/resolution messaging belongs in the check layer. PowerShellModulesRequirementCheck: downgrade auto-install progress from LogInformation/LogWarning to LogDebug so they don't print before [PASS]. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add cleanup azure --dry-run, AppService/MOS checks, update docs - Add `--dry-run` flag to `a365 cleanup azure`: previews resources that would be deleted without requiring Azure auth or making any changes - Add `AppServiceAuthRequirementCheck`: validates App Service deployment token before `a365 deploy`, catching AADSTS50173 token revocation early - Add `MosPrerequisitesRequirementCheck`: validates MOS service principals before `a365 publish` proceeds, converting SetupValidationException to structured failure output - Wire new checks into DeployCommand and PublishCommand via RunChecksOrExitAsync, replacing ad-hoc inline validation - Add `GetChecks(AzureAuthValidator)` to InfrastructureSubcommand for explicit check composition - Add `GetAppServiceTokenAsync` to AzureAuthValidator - Update CLI design.md: add Requirements/ to project structure and document the IRequirementCheck prerequisite validation pattern - Update CHANGELOG.md with user-visible additions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: address PR #312 review comments (exit codes, log levels, skip-graph, tests) Exit codes (#7, #8/#9): - Set Environment.ExitCode = 1 in ValidateDeploymentPrerequisitesAsync before each null return so callers exit non-zero on config/Web App validation failure - Replace deploy-mcp guard `return` with ExceptionHandler.ExitWithCleanup(1) for AgentBlueprintId, AgenticAppId, and TenantId missing-config cases Log severity (#15, #16, #17): - LogCheckWarning: LogInformation -> LogWarning - LogCheckFailure: all three LogInformation -> LogError - ExecuteCheckWithLoggingAsync warning path: log ErrorMessage ?? Details so the primary warning message is no longer silently dropped skip-graph regressions (#21, #22): - Guard RunChecksOrExitAsync(MOS checks) behind if (!skipGraph) - Guard clientAppId null check behind !skipGraph in PublishCommand Unused parameter (#14): - Remove IPrerequisiteRunner from BlueprintSubcommand.CreateCommand signature - Update SetupCommand.cs call site and BlueprintSubcommandTests accordingly InfrastructureRequirementCheck (#5, #6): - Add I1/I2/I3/I1V2/I2V2/I3V2 (Isolated) SKUs to validation error message - Wrap CheckAsync with ExecuteCheckWithLoggingAsync so [PASS]/[FAIL] is printed PrerequisiteRunner warning message (#3): - Log ErrorMessage ?? Details, log even when both are empty IsCaeError gap (#18): - Add InvalidAuthenticationToken to IsCaeError in ClientAppValidator Stale comment (#10): - Update ValidateDeploymentPrerequisitesAsync doc to remove "environment" Tests (#19, #20): - Add AppServiceAuthRequirementCheckTests (success, failure, metadata, null guard) - Add MosPrerequisitesRequirementCheckTests (exception->failure, metadata, null guards) - Update FrontierPreviewRequirementCheckTests: [WARN] now at LogWarning not LogInformation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DESCRIPTION
This script creates the Service Principal for Agent 365 Tools in your Azure AD tenant. This is a ONE-TIME operation per tenant that requires admin permissions.
After the Service Principal is created, regular users can create their own app registrations without needing admin rights.
This script needs to be accessible
& needs to be referenced before developing an agent in a tenant in Learn doc
Source: https://github.com/bap-microsoft/MCP-Platform/pull/530/files