Merge branch 'main' into add-sensorType-to-sensorCandidate

Author: Danipocket

.gdn/.gdnbaselines

@@ -39,18 +39,6 @@
       "tool": "psscriptanalyzer",
       "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
       "createdDate": "2026-02-24 12:06:54Z"
-    },
-    "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915": {
-      "signature": "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915",
-      "alternativeSignatures": [],
-      "target": "scripts/update-permissions-reference-fic.ps1",
-      "line": 179,
-      "memberOf": [
-        "default"
-      ],
-      "tool": "psscriptanalyzer",
-      "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
-      "createdDate": "2026-03-24 12:06:54Z"
     }
   }
 }

.gdn/.gdnsuppress

@@ -39,18 +39,6 @@
       "tool": "psscriptanalyzer",
       "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
       "createdDate": "2026-02-24 12:06:54Z"
-    },
-    "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915": {
-      "signature": "3a37bf64f23749ac738b5da94bdc0511f105855aee640971733d155dad1f9915",
-      "alternativeSignatures": [],
-      "target": "scripts/update-permissions-reference-fic.ps1",
-      "line": 179,
-      "memberOf": [
-        "default"
-      ],
-      "tool": "psscriptanalyzer",
-      "ruleId": "PSAvoidUsingConvertToSecureStringWithPlainText",
-      "createdDate": "2026-03-24 12:06:54Z"
     }
   }
 }

.github/policies/resourceManagement.yml

@@ -1014,6 +1014,33 @@ configuration:
       then:
       - addLabel:
           label: ready to merge
+    - description: Remove do not merge label when pull request is labeled ready to merge
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: ready to merge
+      - isOpen
+      then:
+      - removeLabel:
+          label: do not merge
+    - description: Remove ready to merge label when pull request is labeled do not merge
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: do not merge
+      - isOpen
+      then:
+      - removeLabel:
+          label: ready to merge
+    - description: Remove resolved awaiting prod deployment label when pull request is labeled schema live
+      if:
+      - payloadType: Pull_Request
+      - labelAdded:
+          label: schema live
+      - isOpen
+      then:
+      - removeLabel:
+          label: 'resolved: awaiting prod deployment'
     - description: Add do not merge label to new pull requests opened by contributors
       if:
       - payloadType: Pull_Request

.github/prompts/author-api-docs/enumerations.md

@@ -89,7 +89,7 @@ Document within the **Properties** section of the resource that uses the enum. T
        ```
 
 2. **Create table:**
-   - Columns: **Member** and **Description**
+   - Columns: **Member** (required) and **Description** (optional)
    - List members in ascending order by numeric value (without exposing numeric values)
    - **For evolvable enums:**
      - Include `unknownFutureValue` member
@@ -133,7 +133,7 @@ Create a dedicated topic for the enumeration. This option is rarely applicable.
 2. **Add Members H2 section:**
    - **For evolvable enums (if members follow unknownFutureValue):**
      - Add introductory text before the table (same as Option 2)
-   - Table with columns: **Member** and **Description**
+   - Table with columns: **Member** (required) and **Description** (optional)
    - List members in ascending order by numeric value (without exposing values)
    - **For evolvable enums:**
      - Include `unknownFutureValue` member
@@ -257,21 +257,23 @@ Create a dedicated topic for the enumeration. This option is rarely applicable.
   - [ ] For evolvable enums with members after unknownFutureValue: Prefer header note included in property description
 - [ ] **Option 2 (Parent resource):**
   - [ ] H3 section "{enum-type} values" added after Properties table
-  - [ ] Table has Member and Description columns
+  - [ ] Table has Member column (required) and Description column (optional)
   - [ ] Members listed in ascending order by numeric value (values not exposed)
   - [ ] For evolvable enums: unknownFutureValue description is "Evolvable enumeration sentinel value. Do not use."
   - [ ] For evolvable enums with members after unknownFutureValue: Introductory text about Prefer header included
   - [ ] Properties table links to H3 section
+  - [ ] Parent resource property description excludes inline value listing (values are accessible via linked H3 section)
   - [ ] For subnamespaces: Fully qualified enum name used
 - [ ] **Option 3 (Separate topic):**
   - [ ] File created with correct naming convention
   - [ ] Title is "{enum-type} enum type"
   - [ ] Description mentions evolvable enumeration if applicable
-  - [ ] Members H2 section with Member and Description columns
+  - [ ] Members H2 section with Member column (required) and Description column (optional)
   - [ ] For evolvable enums: unknownFutureValue description is "Evolvable enumeration sentinel value. Don't use."
   - [ ] For evolvable enums with members after unknownFutureValue: Introductory text about Prefer header included
   - [ ] For subnamespaces: Namespace attribute added in page annotation
   - [ ] Parent resource Properties table links to enum topic
+  - [ ] Parent resource property description excludes inline value listing (values are accessible via linked enum topic)
 
 ### For updating existing enumerations
 

.github/workflows/permissions-reference-gen-fic.yml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write  # Required for federated identity credentials
 
 jobs:
   update-permissions-reference:
@@ -23,13 +24,19 @@ jobs:
       with:
         path: docs
 
+    - name: Azure Login using Federated Identity
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_ID }}
+        tenant-id: ${{ secrets.GRAPHPERMISSIONSREFERENCE_TENANT_ID }}
+        allow-no-subscriptions: true
+
     - name: Run PowerShell script to update permissions
       shell: pwsh
       run: | 
         $ClientId = "${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_ID }}"
         $TenantId = "${{ secrets.GRAPHPERMISSIONSREFERENCE_TENANT_ID }}"
-        $ClientSecret = "${{ secrets.GRAPHPERMISSIONSREFERENCE_CLIENT_SECRET }}"
-        ./docs/scripts/update-permissions-reference.ps1 -ClientId $ClientId -TenantId $TenantId -ClientSecret $ClientSecret
+        ./docs/scripts/update-permissions-reference.ps1 -ClientId $ClientId -TenantId $TenantId
         
     - name: Get token
       id: get_token

.github/workflows/permissions-reference-gen.yml

@@ -42,13 +42,7 @@ The following table shows the parameters that can be used with this function.
 
 |Parameter|Type|Description|
 |:---|:---|:---|
-|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequest-accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list. The possible values are `target`, `createdBy`, `approver`.|
-
-- `target` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is the target. The resulting list includes all the assignment requests, current and expired, that were requested by the caller or for the caller, across all catalogs and access packages.
-
-- `createdBy` is used to get the `accessPackageAssignmentRequest` objects created by the signed-in user. The resulting list includes all of the assignment requests that the caller has created for themselves or on behalf of others, such as in case of admin direct assignment, across all catalogs and access packages.
-
-- `approver` is used to get the `accessPackageAssignmentRequest` objects where the signed-in user is an allowed approver in any contained `accessPackageAssignment/accessPackageAssignmentPolicy/requestApprovalSettings/approvalStages` (`primaryApprovers` or `escalationApprovers`). The resulting list includes the assignment requests in *pending* state, across all catalogs and access packages and that need a decision from the caller. The resulting list includes the assignment requests in a `pending` state, across all catalogs and access packages and that need a decision from the caller.
+|on|[accessPackageAssignmentRequestFilterByCurrentUserOptions](../resources/accesspackageassignmentrequestfilterbycurrentuseroptions.md)|The list of current user options that can be used to filter on the access package assignment requests list.|
 
 ## Request headers
 |Name|Description|

api-reference/beta/api/accesspackageassignmentrequest-filterbycurrentuser.md

@@ -37,7 +37,7 @@ GET /identityGovernance/entitlementManagement/accessPackageCatalogs/{id}/accessP
 
 ## Optional query parameters
 
-This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment,externalOriginResourceConnector` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
 
 ## Request headers
 

api-reference/beta/api/accesspackagecatalog-list-accesspackageresources.md

@@ -120,6 +120,7 @@ Content-Type: application/json
     "id": "1e384c2b0799b01834c0f886560a9a64e433135fe5b8607c535ebbfb03d2ee67",
     "agentId": "229da549-7a91-4365-900f-d4ef49a759a0",
     "agentDisplayName": "Ask HR Agent Identity",
+    "blueprintId": "b3390471-68c5-466a-9ac2-b93e2a454532",
     "identityType": "agentIdentity",
     "activityDateTime": "2025-07-30T15:38:56.9594972Z",
     "detectedDateTime": "2025-07-30T15:38:56.9594972Z",
@@ -130,7 +131,8 @@ Content-Type: application/json
     "riskState": "atRisk",
     "riskEventType": "unfamiliarResourceAccess",
     "riskEvidence": "Agent targeted resources that it does not usually access.",
-    "additionalInfo": ""
+    "additionalInfo": "",
+    "source": "activeDirectory"
   }
 }
 ```

api-reference/beta/api/agentriskdetection-get.md

@@ -142,6 +142,7 @@ Content-type: application/json
         "social"
     ],
     "publisher": "LinkedIn",
+    "deprecationDate": "2027-12-31",
     "description": "LinkedIn Lookup is the easiest way to find coworkers and teams at your company. Lookup is a new people search tool that combines employees' LinkedIn profile information and Active Directory information, allowing you to quickly find and contact your coworkers, on desktop or mobile. Requires an existing Lookup company subscription.",
     "endpoints": [
         "linkedin.com",