Making changes to the publish CLI to for MOS Publish, Custom connector creation and App registrations#400
Merged
Conversation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the develop-mcp publish CLI flow to orchestrate Entra app creation and post-publish configuration (redirect URIs + PPMI scope grants), aligning it with the existing BYO registration orchestration pattern.
Changes:
- Extends
develop-mcp publishcommand options (adds--tenant-idand--service-tree-id) and wires execution through a newPublishCommandExecutor. - Expands publish request/response models to carry Entra app + connector-related fields needed for post-publish orchestration.
- Adjusts/realigns tests around publish command description and dry-run parsing.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/DevelopMcpCommandTests.cs | Updates publish subcommand description assertion and validates new options exist. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/DevelopMcpCommandRegressionTests.cs | Refactors a publish integration test toward dry-run parsing behavior. |
| src/Microsoft.Agents.A365.DevTools.Cli/Models/PublishMcpServerResponse.cs | Adds publish response fields used for redirect-URI + PPMI permission back-fill. |
| src/Microsoft.Agents.A365.DevTools.Cli/Models/PublishMcpServerRequest.cs | Adds request fields for passing Entra app credentials/ids to the publish API. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/PublishCommandExecutor.cs | New executor implementing publish orchestration and post-publish Graph configuration. |
| src/Microsoft.Agents.A365.DevTools.Cli/Commands/DevelopMcpCommand.cs | Updates publish subcommand wiring and adds new flags/options for orchestration inputs. |
ragurubhaarath
requested changes
May 5, 2026
deepaligargms
force-pushed
the
u/deepaligarg/publish-orchestration
branch
from
3d7f93c to
20345d8
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (2)
src/Microsoft.Agents.A365.DevTools.Cli/Services/EntraAppFactory.cs:122
CreatePublicClientsAppAsyncconstructs the WAM broker redirect URI asms-appx-web://Microsoft.AAD.BrokerPlugin/{clientId}, but the canonical format used elsewhere is lowercase (AuthenticationConstants.WamBrokerRedirectUriFormat/ MSAL WAM setup). Redirect URI matching can be exact, so this casing mismatch can break WAM auth. Prefer building this viaAuthenticationConstants.WamBrokerRedirectUriFormat(or a shared helper) to keep all flows consistent.
_logger.LogInformation("Created Entra app '{AppName}' (clientId: {ClientId})", appName, clientId);
var brokerRedirectUri = $"ms-appx-web://Microsoft.AAD.BrokerPlugin/{clientId}";
var publicClientUris = new[] { brokerRedirectUri }.Concat(PublicClientCanonicalRedirectUris).ToArray();
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/EntraAppFactoryTests.cs:166
- This test expects the broker redirect URI
ms-appx-web://Microsoft.AAD.BrokerPlugin/{clientId}, but the canonical value used elsewhere is lowercase (ms-appx-web://microsoft.aad.brokerplugin/{clientId}). If the implementation is corrected to the canonical format, update the expected value here (ideally derive it fromAuthenticationConstants.WamBrokerRedirectUriFormat).
uris.Should().BeEquivalentTo(new[]
{
$"ms-appx-web://Microsoft.AAD.BrokerPlugin/{AppClientId}",
"http://localhost:8080/callback",
"https://vscode.dev/redirect",
20345d8 to
f7601de
Compare
…r creation and App registrations
deepaligargms
force-pushed
the
u/deepaligarg/publish-orchestration
branch
from
e0ce7e9 to
79319cb
Compare
Contributor
|
@deepaligargms, Fill in:
|
sellakumaran
reviewed
Jun 3, 2026
sellakumaran
reviewed
Jun 3, 2026
sellakumaran
reviewed
Jun 3, 2026
sellakumaran
requested changes
Jun 3, 2026
ragurubhaarath
requested changes
Jun 3, 2026
github-actions
Bot
added
the
documentation
ragurubhaarath
approved these changes
Jun 3, 2026
ragurubhaarath
approved these changes
Jun 3, 2026
sellakumaran
reviewed
Jun 4, 2026
sellakumaran
approved these changes
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reworks a365 develop-mcp publish from a thin pass-through into a full client-side orchestrator: the CLI now creates the Entra app registration the published server needs, calls the platform's new /publish/v2 endpoint, and back-fills API permissions on the app it created. Adds --publisher-name and --yes, removes --tenant-id from register-external-mcp-server, and extracts the shared Entra-app creation logic into a new EntraAppProvisioner used by both publish and register. Several user-visible behaviors change — see Breaking Changes
Why this change
Publishing a first-party MCP server to a Dataverse environment isn't a single API call — it requires a MOS package upload, PPMI (per-publisher managed identity) provisioning, and Entra app registrations that hold the OAuth scopes clients use to reach the server. Previously the CLI sent a minimal publish request (alias/display name/description) and left the rest to the platform.
What changed
develop-mcp publish is now orchestrated by PublishCommandExecutor
New PublishCommandExecutor.cs handles: input resolution + validation (with dry-run placeholders), tenant detection from az login, Entra app creation, the /publish/v2 call, post-publish API-permission back-fill, and best-effort rollback of created apps if publish fails. The subcommand handler in DevelopMcpCommand.cs is now a thin shell that builds RawPublishArgs and delegates (≈191 lines of inline logic removed). The publish/register subcommands now receive GraphApiService so they can create app registrations.
Breaking Changes
publish creates a -PublicClients Entra app registration in your tenant. A side effect of the orchestration moving CLI-side — users will see new app registrations after each publish and should know they came from the CLI.
publish now requires the Application.ReadWrite.All Microsoft Graph permission to create that app. Running publish with read-only Graph permissions hard-breaks. Grant Application.ReadWrite.All to the account/app running the CLI.
--tenant-id / -t removed from register-external-mcp-server — tenant is auto-detected from the current az login session. Scripts passing -t get a System.CommandLine parse error; use az login --tenant instead.
Added
--publisher-name / -p on publish — sets package-metadata publisher; required for custom (user-created) servers, ignored for 1p Microsoft-owned servers (always "Microsoft"). Prompted when omitted.
--yes / -y on publish — skips the "Proceed with publish? (y/N)" confirmation for CI / scripted contexts.
Testing
New [PublishCommandExecutorDryRunTests.cs] — dry-run output (app naming, PPMI-scope-only back-fill, no platform call), --publisher-name threading, --yes short-circuit.
New [EntraAppProvisionerTests.cs] — every branch of proxy + public-clients app creation, including each failure mode and orphan rollback.
Updated DevelopMcpCommandTests / DevelopMcpCommandRegressionTests for the new publish wiring and the removed --tenant-id option.
CHANGELOG
Added 2 Breaking Changes + 2 Added entries for the four user-visible changes above (plus the existing --tenant-id removal entry). The /publish/v2 endpoint switch and the A365 Proxy code removal are implementation details and deliberately excluded.
Reviewer notes / follow-ups
CreateEntraAppsAsync in the publish executor still has a defensive nullable return + apps is null guard even though the only null path (proxy creation) is gone; left as harmless defense.
Follow Up
The MOS package upload is now being done as a part of the publish flow and doesn't require a separate package mcp server command. The approve and block commands will be redundant as governance is handled through Microsoft Admin Center. Follow Up R to remove these commands: #439