Skip to content

Fix: Move OAuth2 grant logging from Information to Debug level#165

Merged
sellakumaran merged 2 commits intomainfrom
copilot/fix-cli-access-token-logging
Jan 21, 2026
Merged

Fix: Move OAuth2 grant logging from Information to Debug level#165
sellakumaran merged 2 commits intomainfrom
copilot/fix-cli-access-token-logging

Conversation

Copy link
Contributor

Copilot AI commented Jan 21, 2026
edited
Loading

During a365 setup operations, OAuth2 grant details (client IDs, resource IDs, scopes) were being logged to console at Information level:

OAuth2 grant: client 2a479473-7188-45d0-973c-a1a8d92bac91 to resource 51ee9df3-62eb-46ee-b00e-10c50e28a2b2 scopes [Mail.ReadWrite Mail.Send Chat.ReadWrite User.Read.All Sites.Read.All]

This is excessive technical detail for normal operation.

Changes

  • SetupHelpers.cs (line 263): LogInformationLogDebug for OAuth2 grant messages
  • DeployCommand.cs (line 400): LogInformationLogDebug for OAuth2 granted messages

Grant details remain available when debug logging is enabled (e.g., --verbose flag).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • graph.microsoft.com
    • Triggering command: /usr/share/dotnet/dotnet /usr/share/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/Agent365-devTools/Agent365-devTools/src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/bin/Release/net8.0/Microsoft.Agents.A365.DevTools.Cli.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/Agent365-devTools/Agent365-devTools/src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/bin/Release/net8.0/Microsoft.Agents.A365.DevTools.Cli.Tests.deps.json /home/REDACTED/work/Agent365-devTools/Agent365-devTools/src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/bin/Release/net8.0/testhost.dll --port 42393 --endpoint 127.0.0.1:042393 --role client --parentprocessid 4006 --telemetryoptedin false (dns block)
    • Triggering command: /usr/bin/../../opt/az/bin/python3 /usr/bin/../../opt/az/bin/python3 -Im azure.cli rest --method GET --url REDACTED$filter=appId eq 'a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6'&$select=id --headers Authorization=Bearer fake-token-123 (dns block)
    • Triggering command: /usr/bin/../../opt/az/bin/python3 /usr/bin/../../opt/az/bin/python3 -Im azure.cli rest --method PATCH --url REDACTED --headers Content-Type=application/json Authorization=Bearer fake-token-123 --body {"publicClient":{"redirectUris":["http://localhost","http://localhost:8400/","ms-appx-web://microsoft.aad.brokerplugin/a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6"]}} (dns block)
  • login.microsoftonline.com
    • Triggering command: /usr/bin/../../opt/az/bin/python3 /usr/bin/../../opt/az/bin/python3 -Im azure.cli login --tenant 12345678-1234-1234-1234-123456789012 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>A365 CLI setup comments emit access token into console</issue_title>
<issue_description>Version: v1.1.40-preview+4c5eb33773

Describe the bug
During Setup operation. the A365 CLI is writing the access token it is creating to the console.

While i respect that is useful in debugging, it is appearing during normal operation w/out log level's being set beyond default.

To Reproduce
Steps to reproduce the behavior:
setup an intial config using a365 config init
start deployment - a365 setup blueprint

example output:
....
Opening browser for Graph API admin consent...
Consent granted (Graph API Scopes).
Graph API admin consent granted successfully!
Configuring inheritable permissions for Microsoft Graph...
Acquiring Microsoft Graph delegated access token via PowerShell (Device Code: False)

Microsoft Graph access token acquired successfully

OAuth2 grant: client 2a479473-7188-45d0-973c-a1a8d92bac91 to resource 51ee9df3-62eb-46ee-b00e-10c50e28a2b2 scopes [Mail.ReadWrite Mail.Send Chat.ReadWrite User.Read.All Sites.Read.All]</issue_description>

<agent_instructions>Can you please analyze the codebase and find out places where we are emitting tokens in the log/console and fix those?</agent_instructions>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@sellakumaran
Change OAuth2 grant logging from LogInformation to LogDebug level
7af81aa 
Co-authored-by: sellakumaran <147754920+sellakumaran@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix A365 CLI setup to prevent token logging Fix: Move OAuth2 grant logging from Information to Debug level Jan 21, 2026
Copilot AI requested a review from sellakumaran January 21, 2026 17:57
@sellakumaran sellakumaran marked this pull request as ready for review January 21, 2026 18:24
@sellakumaran sellakumaran requested review from a team as code owners January 21, 2026 18:24
Copilot AI review requested due to automatic review settings January 21, 2026 18:24
Copilot AI reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses excessive technical detail logging during a365 setup operations by moving OAuth2 grant configuration details from Information to Debug logging level. The reported issue showed OAuth2 client IDs, resource IDs, and scopes being displayed in normal console output, which provides unnecessary technical detail for typical users.

Changes:

  • Modified two logging statements to use LogDebug instead of LogInformation for OAuth2 grant details
  • Grant information remains available when debug/verbose logging is enabled

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/SetupHelpers.cs Changed OAuth2 grant logging from Information to Debug level (line 263)
src/Microsoft.Agents.A365.DevTools.Cli/Commands/DeployCommand.cs Changed OAuth2 granted logging from Information to Debug level (line 400)

@sellakumaran sellakumaran enabled auto-merge (squash) January 21, 2026 18:38
@sellakumaran sellakumaran merged commit 69e4b9c into main Jan 21, 2026
11 checks passed
@sellakumaran sellakumaran deleted the copilot/fix-cli-access-token-logging branch January 21, 2026 18:41
sellakumaran added a commit that referenced this pull request Feb 27, 2026
@sellakumaran
Fix: Move OAuth2 grant logging from Information to Debug level (#165)
14b6330 
* Initial plan

* Change OAuth2 grant logging from LogInformation to LogDebug level

Co-authored-by: sellakumaran <147754920+sellakumaran@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: sellakumaran <147754920+sellakumaran@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rahuldevikar761 rahuldevikar761 rahuldevikar761 approved these changes

@mengyimicro mengyimicro mengyimicro approved these changes

+1 more reviewer

@sellakumaran sellakumaran sellakumaran approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@sellakumaran sellakumaran

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

A365 CLI setup comments emit access token into console

5 participants

@rahuldevikar761 @mengyimicro @sellakumaran