Update prod scope#234

Closed
gwharris7 wants to merge 1 commit into main from users/gwharris7/obs-scopes

@gwharris7

This pull request updates the authentication scope used for observability in the production environment. The change ensures that the correct resource identifier is used for authentication.

Authentication scope update:

  • Changed the value of PROD_OBSERVABILITY_SCOPE in environment_utils.py to use a resource-specific identifier instead of a generic default scope.

Copilot AI review requested due to automatic review settings April 20, 2026 21:36
@gwharris7 gwharris7 requested a review from a team as a code owner April 20, 2026 21:36
@github-actions

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Pull request overview

This PR updates the production authentication scope returned by the runtime environment utilities for use when acquiring tokens to export observability telemetry.

Changes:

  • Updated PROD_OBSERVABILITY_SCOPE to a new api://.../Agent365.Observability.OtelWrite scope value.


# Authentication scopes for different environments
PROD_OBSERVABILITY_SCOPE = "https://api.powerplatform.com/.default"
PROD_OBSERVABILITY_SCOPE = "api://9b975845-388f-4429-889e-eab1ef63949c/Agent365.Observability.OtelWrite"
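
Review bot: the replacement value of PROD_OBSERVABILITY_SCOPE hard-codes an application ID GUID plus a named permission, with no comment saying which app registration the GUID identifies or which token flow is expected to request it, while the value it replaces was a resource-level /.default scope. Add a comment above the constant naming the resource and the intended flow (delegated or app-only), and check that every caller reading this constant can request a named scope rather than /.default.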

Copilot AI Apr 20, 2026

The new PROD_OBSERVABILITY_SCOPE value is an explicit permission scope (…/Agent365.Observability.OtelWrite) rather than a resource /.default scope. If callers obtain tokens via client-credentials/managed identity flows, Azure AD typically requires requesting api://<app-id>/.default and will reject individual delegated scopes. Please confirm the intended auth flow for observability export and either switch this constant to the correct /.default scope or document/rename to make it clear this is a delegated scope that requires user context.

Suggested change
PROD_OBSERVABILITY_SCOPE = "api://9b975845-388f-4429-889e-eab1ef63949c/Agent365.Observability.OtelWrite"
PROD_OBSERVABILITY_SCOPE = "api://9b975845-388f-4429-889e-eab1ef63949c/.default"

Copilot uses AI. Check for mistakes.
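
A pre-flight check for the scope and flow mismatch raised in the review comment above, as an added example that is not part of this pull request or the project's code. The function names and the flow labels (`client_credentials`, `managed_identity`, `delegated`) are assumptions made for the example; the two scope strings are the ones shown in the diff.

```python
from urllib.parse import urlsplit

# Flow labels are names chosen for this example, not identifiers from the project.
APP_ONLY_FLOWS = {"client_credentials", "managed_identity"}

# The two values of PROD_OBSERVABILITY_SCOPE shown in the diff.
OLD_SCOPE = "https://api.powerplatform.com/.default"
NEW_SCOPE = "api://9b975845-388f-4429-889e-eab1ef63949c/Agent365.Observability.OtelWrite"


def split_scope(scope: str) -> tuple[str, str]:
    """Split '<resource>/<permission>' into (resource, permission)."""
    parts = urlsplit(scope)
    if parts.scheme not in ("api", "https") or not parts.netloc:
        raise ValueError(f"not a resource-qualified scope: {scope!r}")
    resource, _, permission = scope.rpartition("/")
    # 'api://<id>' with no permission would otherwise split inside the '//'.
    if not permission or resource.endswith(":/"):
        raise ValueError(f"scope has no permission segment: {scope!r}")
    return resource, permission


def scope_for_flow(scope: str, flow: str) -> str:
    """Return the scope string to request for the given flow."""
    resource, _ = split_scope(scope)
    if flow in APP_ONLY_FLOWS:
        # App-only token requests name the resource, not a single permission.
        return f"{resource}/.default"
    return scope


def audit(scope: str, flow: str) -> list[str]:
    """Report a mismatch between a configured scope and the flow using it."""
    wanted = scope_for_flow(scope, flow)
    if wanted == scope:
        return []
    return [f"{flow}: configured {scope!r}, request {wanted!r} instead"]


if __name__ == "__main__":
    for flow in ("client_credentials", "delegated"):
        for scope in (OLD_SCOPE, NEW_SCOPE):
            print(flow, scope, audit(scope, flow) or "ok")
```

Run in CI against the configured constant, the check flags the new value for app-only callers and passes it unchanged for delegated ones.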
@nikhilNava

Thanks. Closing this PR as implemented below
#235

@nikhilNava nikhilNava closed this Apr 21, 2026