Fix agentBlueprintClientSecret being nulled out on subsequent setup blueprint runs #302

Merged: meghanshubhatt merged 3 commits into main from copilot/fix-client-secret-overwrite on Mar 6, 2026

Copilot AI commented Mar 2, 2026

Running a365 setup blueprint a second time on an existing blueprint overwrites agentBlueprintClientSecret to null in a365.generated.config.json, rendering the blueprint unusable.

Root Cause

SetupBlueprintAsync rebuilds the generated config as a camelCaseConfig JsonObject and writes it directly to disk as an intermediate step before deciding whether to create a new client secret. This object preserved managedIdentityPrincipalId and resourceConsents from the existing config, but omitted agentBlueprintClientSecret and agentBlueprintClientSecretProtected. When the existing secret validates successfully, CreateBlueprintClientSecretAsync (and its SaveStateAsync call) is correctly skipped — leaving the file with no secret.

Fix

Preserve the existing secret fields in the intermediate write, consistent with the other passthrough fields:

var camelCaseConfig = new JsonObject
{
    ["managedIdentityPrincipalId"] = generatedConfig["managedIdentityPrincipalId"]?.DeepClone(),
    // ... other fields ...
    ["resourceConsents"] = generatedConfig["resourceConsents"]?.DeepClone() ?? new JsonArray(),
    // Added: preserve secret across the intermediate file write
    ["agentBlueprintClientSecret"] = generatedConfig["agentBlueprintClientSecret"]?.DeepClone(),
    ["agentBlueprintClientSecretProtected"] = generatedConfig["agentBlueprintClientSecretProtected"]?.DeepClone(),
};

Original prompt

This section details the original issue you should resolve

<issue_title>agentBlueprintClientSecret in a365.generated.config.json gets overwritten on subsequent runs of a365 setup blueprint</issue_title>
<issue_description>### Description

When you first run a365 setup all for the very first time with a new blueprint, the client secret for the Blueprint app registration will appear in the a365.generated.config.json, but if you ever run a365 setup blueprint on the same blueprint again, this value will get overwritten to null and then the Blueprint is basically lost and useless, because you can never generate a new Client Secret (UI says insufficient privileges even though the listed Owner on the app registration is me, the user who created the blueprint via CLI).

Expected behavior

the client secret stays in the generated config AND (even better) owner user should be able to create new client secret via the UI in Azure portal: https://www.loom.com/share/970faccc56fd45789ed0a42d8444b3e3

SDK Version

1.1.94-preview+61107da00a

Language/Runtime

Node

OS

macOS 15.7.3 (24G419)

How to Reproduce

  1. create a new blueprint via a365 config init
  2. then run a365 setup all
  3. notice how agentBlueprintClientSecret in a365.generated.config.json is visible as string (at least on Mac, as documented)
  4. run a365 setup blueprint again
  5. notice how agentBlueprintClientSecret is now null

Output

No response

Screenshots

No response

Code of Conduct

<agent_instructions>Please verify the current behavior and fix the issue without regressions.</agent_instructions>

Comments on the Issue (you are @copilot in this section)


…quent setup blueprint runs

Co-authored-by: sellakumaran <147754920+sellakumaran@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix client secret overwrite in generated config" to "Fix agentBlueprintClientSecret being nulled out on subsequent setup blueprint runs" Mar 2, 2026
github-actions bot commented Mar 6, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@meghanshubhatt meghanshubhatt marked this pull request as ready for review March 6, 2026 00:43
@meghanshubhatt meghanshubhatt requested review from a team as code owners March 6, 2026 00:43
Copilot AI review requested due to automatic review settings March 6, 2026 00:43
Copilot AI left a comment

Pull request overview

This PR fixes a bug where running a365 setup blueprint a second time on an existing blueprint would overwrite agentBlueprintClientSecret to null in a365.generated.config.json, rendering the blueprint unusable. The root cause was that the intermediate save created a new JsonObject with only explicitly listed fields, omitting the client secret fields.

Changes:

  • Replace the new JsonObject construction pattern with in-place mutation of the existing generatedConfig object, preserving all pre-existing fields including agentBlueprintClientSecret and agentBlueprintClientSecretProtected
  • Add two regression tests verifying that the merge pattern preserves existing config fields and initializes resourceConsents when absent

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs | Replace new JsonObject with in-place mutation of generatedConfig, fixing the field-dropping bug |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BlueprintSubcommandTests.cs | Add regression tests for the merge pattern preserving existing fields and initializing missing resourceConsents |
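
The two write patterns discussed in this pull request, side by side with a check for dropped secret fields. This is an added example, not the project's code or its regression tests: the function names, `exampleUpdatedField` and the sample JSON are hypothetical, and it assumes .NET 8 or later for `JsonNode.DeepClone()`.

```csharp
using System;
using System.Linq;
using System.Text.Json.Nodes;

// Constructed sample of an existing a365.generated.config.json; values are placeholders.
const string existingJson = @"{
  ""managedIdentityPrincipalId"": ""00000000-0000-0000-0000-000000000000"",
  ""agentBlueprintClientSecret"": ""PLACEHOLDER-NOT-A-REAL-SECRET"",
  ""agentBlueprintClientSecretProtected"": false
}";
string[] secretKeys = { "agentBlueprintClientSecret", "agentBlueprintClientSecretProtected" };

var original = JsonNode.Parse(existingJson)!.AsObject();
var rebuilt = RebuildFromAllowList(JsonNode.Parse(existingJson)!.AsObject(), "new-value");
var merged = MergeInPlace(JsonNode.Parse(existingJson)!.AsObject(), "new-value");

// Report key names only; never print the secret value itself.
Console.WriteLine("rebuild dropped: " + string.Join(", ", DroppedFields(original, rebuilt, secretKeys)));
Console.WriteLine("merge dropped:   " + string.Join(", ", DroppedFields(original, merged, secretKeys)));

// Rebuild pattern: a fresh object carries over only the fields someone remembered to list.
static JsonObject RebuildFromAllowList(JsonObject existing, string updated) => new JsonObject
{
    ["exampleUpdatedField"] = updated, // hypothetical field written by the setup step
    ["managedIdentityPrincipalId"] = existing["managedIdentityPrincipalId"]?.DeepClone(),
    ["resourceConsents"] = existing["resourceConsents"]?.DeepClone() ?? new JsonArray(),
};

// Merge pattern: mutate the loaded object so unlisted fields survive by default.
static JsonObject MergeInPlace(JsonObject existing, string updated)
{
    existing["exampleUpdatedField"] = updated;
    if (existing["resourceConsents"] is null) existing["resourceConsents"] = new JsonArray();
    return existing;
}

// Keys that held a value before the write and are missing or null after it.
static string[] DroppedFields(JsonObject prior, JsonObject written, string[] keys) =>
    keys.Where(k => prior[k] is not null && written[k] is null).ToArray();
```

The rebuild path reports both secret keys as dropped, while the merge path reports none and still initializes `resourceConsents` when it was absent.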

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@meghanshubhatt meghanshubhatt enabled auto-merge (squash) March 6, 2026 01:13
@sellakumaran sellakumaran self-requested a review March 6, 2026 16:16
sellakumaran previously approved these changes Mar 6, 2026
@sellakumaran sellakumaran dismissed their stale review March 6, 2026 16:16

Will rerequest review

@meghanshubhatt meghanshubhatt merged commit 4d2fda1 into main Mar 6, 2026
16 checks passed
@meghanshubhatt meghanshubhatt deleted the copilot/fix-client-secret-overwrite branch March 6, 2026 16:32
Successfully merging this pull request may close these issues.

agentBlueprintClientSecret in a365.generated.config.json gets overwritten on subsequent runs of a365 setup blueprint