…e deployment script.
…out the need for ActionableMessage validation (deprecated)
…ary override capability
Removed conflicting package from tests project
Fix secret name in bicep template for MA
…d array type mismatches
…le up when they occur
…removing a DefaultAzureCredential S360 issue
═══════════════════════════════════════════════════════════════════════
PLATFORM MODERNIZATION
═══════════════════════════════════════════════════════════════════════
AZURE FUNCTIONS MODERNIZATION
All Azure Function services were migrated from the in-process model to
the isolated worker model: AzureMaintenance, AzureUserReader,
NonProdService, JobTrigger, JobScheduler, GMO, and others. Activity
functions were updated to the isolated model pattern. All services were
then converted to Flex Consumption hosting with updated configuration,
memory allocations, and app package container settings. A migration
script was added to automate the Flex conversion process.
INFRASTRUCTURE / BICEP / DEPLOYMENT
Broad Flex Consumption migration across all Azure Function services —
updated compute templates with instanceMemoryMB parameters, storage
account RBAC assignments, and app package container configuration for
each function. Key services converted: Notifier, SyncJobUpdater,
MessageSplitter, AzureMaintenance, JobTrigger, JobScheduler, GMO,
AzureUserReader, DAU, GOO, PMO, SMO, and others.
OpenAI resources were reorganized — moved from WebApi compute to
Infrastructure/data path, added Key Vault secret configuration for
endpoints, and implemented incremental deployment for IP allowlisting.
Deployment scripts were updated to grant ADF and WebAPI identities
access to functions they interact with, support function authentication
deployment, reset function tables, and handle RBAC permission
assignments. PostDeployment scripts were updated for SAW compatibility.
Added Network Security Perimeter (NSP) support with SQL replica server
configuration. Added AzureMaintenance to compute bicep templates.
Removed unused deployment YAML files and obsolete bicep templates.
CONFIGURATION
Implemented separate add/remove concurrency settings for GraphUpdater.
Updated all local.settings.json files for isolated worker model. Added
new queue settings for MessageSplitter, exclusionary settings for
source part title generation, and various app config updates across all
services for Flex Consumption compatibility.
CI/CD / BUILD
Created SWE Agent build validation YAML. Updated public build YAML to
build source code by default. Added features/int branch to trigger
branches. Updated pnpm build tasks and nitpicker configuration. Added
build version file writing and build number setting.
═══════════════════════════════════════════════════════════════════════
CORE SYNC PIPELINE
═══════════════════════════════════════════════════════════════════════
CORE SYNC / MEMBERSHIP LOGIC
Introduced BeforeSyncUserCount and AfterSyncUserCount tracking across
the sync pipeline — GMO now writes the "before" count, GraphUpdater
writes the "after" count, and both are persisted in the SyncJobHistory
table. All services (GMO, SqlMO, TCMO, PMO, GOO, MA, GU, TCU) were
updated to use a new centralized SyncJobStatusService for consistent
status and history updates, replacing ad-hoc status writes.
Memory usage was significantly reduced by streaming membership data
through the pipeline instead of loading full payloads into memory.
Key changes include streaming transitive and delta membership to blob
storage, using async enumerables for membership merges, and stopping
the practice of sending full membership payloads back to orchestrators.
Fixed a critical drain-before-defer race condition where Service Bus
returned MessageNotFound when drain ran before DeferMessageAsync
completed, orphaning messages and leaving jobs stuck in InProgress.
GraphUpdater cache logic was overhauled with streaming delta updates,
metadata support, and improved cache file management. Added support
for hidden membership groups with user-facing confirmation warnings.
JOB SCHEDULING / TRIGGERING
Added job history purging functionality to AzureMaintenance with
configurable warnings sent to job owners regardless of schedule.
JobScheduler now only schedules Idle, InProgress, and StuckInProgress
jobs. JobTrigger bases job runs on ScheduledDate instead of LastRunTime.
Both JobScheduler and JobTrigger were migrated to isolated worker model
and Flex Consumption. Parametrized the CRON schedule for JobScheduler's
timer trigger. Updated JobTrigger to skip ownership checks for
TeamsChannel when application permission is granted. Added
UsersAdded/UsersRemoved tracking to GraphUpdater job history.
NOTIFICATIONS / EMAIL
New notification types: submission approval emails, submission rejection
emails, and job purging warning emails with purge/disable dates. The
threshold notification system was improved to prevent false triggers on
first-sync job approvals (ThresholdViolations set to N-1).
Notifier was converted to Flex Consumption plan and updated to use MSI
with storage accounts. Email content was made generic for onboardings
and change requests. Deep link email updates with group name fetching
for personalized notifications. DestinationAttributesUpdater now handles
email updates. Configurable skipMailNotifications parameter with a
sensible default.
═══════════════════════════════════════════════════════════════════════
DATA & API LAYER
═══════════════════════════════════════════════════════════════════════
DATABASE / MIGRATIONS
New EF migrations: NestedGroupsFound status, PendingConfiguration
status, new SyncJobHistory columns (BeforeSyncUserCount,
AfterSyncUserCount, UsersAdded, UsersRemoved), PurgingWarning
NotificationType, and removal of FK constraint from SyncJobHistory.
SQL filter validation moved to local validation (no SQL calls).
Added script to replace BETWEEN/NOT BETWEEN with IN/NOT IN in SQL
filters. Migration scripts updated to use SQL firewall retry functions.
Added SQL replica server to Network Security Perimeter.
WEBAPI / BACKEND API
WebAPI was updated to leverage function authentication, replacing
traditional auth patterns. NotificationsController now uses AAD
authentication directly, removing deprecated ActionableMessage
validation. All WebAPI authentication shifted from DefaultAzureCredential
to ManagedIdentityCredential.
New endpoints: group members check (members of 'Group' type), AI-powered
title generation via OpenAI, configurable auto-approval for group-based
syncs, and a GMM reset endpoint. PATCH endpoints were refactored into
3 separate endpoints with proper JsonElement deserialization and array
type handling.
WebAPI now performs EF migrations on startup, has admin role on SQL DB,
and supports PendingConfiguration status for GroupMembership types.
Added ServiceBus queue repository injection for PendingConfigurationQueue.
Swagger endpoint restricted to development environments only.
═══════════════════════════════════════════════════════════════════════
FRONTEND
═══════════════════════════════════════════════════════════════════════
UI / FRONTEND
Major redesign of the History panel with color-coded status indicators,
a two-row date display, and a new Sync tab showing before/after user
counts with role-based visibility. Added Playwright tests for the
history panel and other flows.
Dashboard improvements include a new WriteRequests metric, partial
success status display, and filtering out internal messages. The run
history view now shows only the most recent run per pipeline and maps
status values to user-friendly text.
New features: page-size persistence across sessions, operator
descriptions shown in dropdown options, disclaimer button with
configurable visibility, submission and review workflow with navigation,
and a Submission Rejector role in the UI. Query editor improvements
include fixing automatic parenthesis insertion during typing and
preventing mode bouncing when special characters appear in values.
Accessibility and localization fixes including locale-aware equality
operators, Microsoft blue link colors, Spanish translation corrections,
and spinner display during AI title generation.
OPENAI / AI INTEGRATION
Integrated OpenAI for AI-powered title generation in the WebAPI with a
configurable feature flag. Aligned RAI (Responsible AI) policy with
DefaultV2 content filters. OpenAI resources hardened with disabled
public network access, disabled local auth, diagnostic settings, and
optional deployment. Added copilot instructions for the repository.
═══════════════════════════════════════════════════════════════════════
CROSS-CUTTING CONCERNS
═══════════════════════════════════════════════════════════════════════
AUTHENTICATION / AUTHORIZATION
Implemented function authentication across all services with a new
Set-FunctionAuthApplication script and deployment support. Added the
ability to skip function auth app creation and lock down to empty
principal lists.
Migrated all services from DefaultAzureCredential to
ManagedIdentityCredential for blob storage and Graph API access (AUR,
GMO, AM, JS, GU, MS, DAU). Upgraded Azure.Identity to 1.16.0. Added
device authentication support and Linux token management. New scripts
for orphaned role assignment cleanup and WebAPI app role grants.
SECURITY / DEPENDENCIES
Multiple rounds of CG (Component Governance) findings remediation.
Updated NuGet packages including Durable Abstractions,
Microsoft.DurableTask.Abstractions, Azure Function packages, and
isolated worker packages. Frontend CVE patches via pnpmfile updates
(CVE-2025-15284, CVE-2026-22029). Removed unused package references
and updated Directory.Packages.props for centralized version management.
PERFORMANCE / RELIABILITY
Added retry policies for concurrent exceptions, HttpRequestExceptions,
and session-enabled Service Bus subscriptions. Increased
maxConcurrentOrchestrators for GMO and MA, enabled extendedSessions on
GMO, and added concurrentWriteRequests parameter for GraphUpdater.
Memory optimizations: increased instanceMemoryMB for GMO and
MessageSplitter, reduced orchestrator memory usage by streaming data,
and added cache file metadata with conditional format conversion.
Improved SQL firewall retry logic with increased retry counts and
better logging.
MONITORING / METRICS
Renamed "write metric" to "http request" to avoid confusion. Enhanced
RUU (Resource Unit Usage) tracking with new metrics for monitoring
per-lane p-values. Added TeamsChannelRepository tracking and blob
status logging in AzureMaintenance. Improved logging throughout with
more telemetry, activity logging, and better metric naming in
JobScheduler.
═══════════════════════════════════════════════════════════════════════
QUALITY & MAINTENANCE
═══════════════════════════════════════════════════════════════════════
TESTING
Comprehensive test updates across all services to support isolated
worker model and new features. Added Playwright tests for history panel,
submission/review flow, maintenance, and title generation. Increased
code coverage for WebAPI, GraphUpdater, GMO, TCU, and other services.
Updated mocks for new SyncJobStatusService, ConcurrentRemoveRequests,
and other refactored interfaces.
BUG FIXES
Fixed PATCH endpoints with JsonElement deserialization and array type
mismatches. Fixed DefaultAzureCredential issues across multiple
services. Fixed retry count display, automatic parenthesis insertion in
query editor, locale-aware operator descriptions, and various typos.
Reverted unintended changes in translations. Fixed logging errors,
migration detection for multi-instance functions, and email rendering
issues.
DOCUMENTATION
Added documentation for OAM (Outlook Actionable Messages) app setup,
RunLimiter, TCU conversion summary, and accessibility testing with
Accessibility Insights. Updated GMM support document and deployment
YAML environment setup docs. Added Submission Rejector role documentation.
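The DefaultAzureCredential to ManagedIdentityCredential migration described under
AUTHENTICATION / AUTHORIZATION, as an added example that is not the project's code:
DefaultAzureCredential probes a chain of sources (environment variables, developer-tool
logins, managed identity, ...) and uses whichever answers first, so the identity a service
actually runs as is decided at runtime and can silently become a human's cached login on a
shared or compromised build or dev box. ManagedIdentityCredential talks only to the
platform identity endpoint and fails loudly when no identity is assigned. The setting name
ManagedIdentityClientId and the isRunningInAzure switch are assumptions made for the
example; the API calls are those of Azure.Identity 1.13 or later.

```csharp
// Added example (not the project's code). Requires Azure.Identity >= 1.13
// (for ManagedIdentityId) and Azure.Storage.Blobs.
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

public static class CredentialFactory
{
    // Optional app setting holding a user-assigned identity's client id. The setting
    // name is an assumption for this example, not one taken from the project.
    private const string ClientIdSetting = "ManagedIdentityClientId";

    // BEFORE: "works everywhere", but the credential that wins the probe is not the
    // one you reviewed, and a developer's az login or VS account qualifies.
    public static TokenCredential Before() => new DefaultAzureCredential();

    // AFTER: exactly one credential type, no probing. With no identity assigned the
    // token request throws CredentialUnavailableException instead of falling back.
    public static TokenCredential ManagedIdentityOnly()
    {
        var clientId = Environment.GetEnvironmentVariable(ClientIdSetting);
        return string.IsNullOrWhiteSpace(clientId)
            ? new ManagedIdentityCredential()                      // system-assigned identity
            : new ManagedIdentityCredential(                        // user-assigned identity
                  ManagedIdentityId.FromUserAssignedClientId(clientId));
    }

    // Local development still needs a credential, but the choice is made by an explicit
    // host-side switch rather than by DefaultAzureCredential's probe order, so a build
    // agent or deployed host can never end up on the developer path by accident.
    public static TokenCredential ForHost(bool isRunningInAzure)
        => isRunningInAzure ? ManagedIdentityOnly() : new AzureCliCredential();

    // Typical consumer: a blob client for the function's storage account. The managed
    // identity needs an RBAC data-plane role on the account (the bicep RBAC assignments
    // mentioned above); a connection string is no longer involved.
    public static BlobServiceClient BlobClient(Uri accountUri, bool isRunningInAzure)
        => new BlobServiceClient(accountUri, ForHost(isRunningInAzure));
}
```

Register the result once as a singleton TokenCredential in the isolated worker's host
builder and inject it into every repository; that keeps the decision in one reviewable
place instead of scattered `new DefaultAzureCredential()` calls that a scanner such as the
S360 finding mentioned above has to hunt down one by one.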
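The drain-before-defer race described under CORE SYNC / MEMBERSHIP LOGIC, as an added
reduced reproduction that is not the project's code. It assumes "drain" means receiving
the deferred messages back by sequence number for later processing; the method names
BuggyAsync, FixedAsync and DrainAsync are illustrative. The Service Bus calls and the
MessageNotFound failure reason are real Azure.Messaging.ServiceBus API.

```csharp
// Added example (not the project's code). Requires Azure.Messaging.ServiceBus.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Azure.Messaging.ServiceBus;

public static class DeferAndDrain
{
    // BUGGY: the DeferMessageAsync calls are started but the drain runs while they are
    // still in flight. A sequence number whose defer has not completed is not yet in the
    // deferred state, so ReceiveDeferredMessagesAsync fails with
    // ServiceBusFailureReason.MessageNotFound. If that error is swallowed, the defer
    // completes a moment later, the message sits deferred with nobody holding its
    // sequence number, and the job waiting on it never leaves InProgress.
    public static async Task<IReadOnlyList<ServiceBusReceivedMessage>> BuggyAsync(
        ServiceBusReceiver receiver, IReadOnlyList<ServiceBusReceivedMessage> batch)
    {
        var deferTasks = batch.Select(m => receiver.DeferMessageAsync(m)).ToList();
        var sequenceNumbers = batch.Select(m => m.SequenceNumber).ToList();
        var drained = await DrainAsync(receiver, sequenceNumbers); // races with deferTasks
        await Task.WhenAll(deferTasks);
        return drained;
    }

    // FIXED: every defer is awaited before the drain starts, and a sequence number is
    // recorded only after its defer succeeded, so the drain can never look up a message
    // that Service Bus does not yet consider deferred.
    public static async Task<IReadOnlyList<ServiceBusReceivedMessage>> FixedAsync(
        ServiceBusReceiver receiver, IReadOnlyList<ServiceBusReceivedMessage> batch)
    {
        var deferred = new List<long>(batch.Count);
        foreach (var m in batch)
        {
            await receiver.DeferMessageAsync(m); // completes or throws; never fire-and-forget
            deferred.Add(m.SequenceNumber);       // record only after the defer succeeded
        }
        // In a real service persist 'deferred' with the job state here, so a crash between
        // defer and drain does not orphan the messages either.
        return await DrainAsync(receiver, deferred);
    }

    // Drain: fetch deferred messages back by sequence number. MessageNotFound is surfaced,
    // not swallowed: with the fixed ordering it signals a real problem (already received by
    // another worker, or expired) rather than a race, and the job must not be marked done.
    private static async Task<IReadOnlyList<ServiceBusReceivedMessage>> DrainAsync(
        ServiceBusReceiver receiver, IReadOnlyList<long> sequenceNumbers)
    {
        if (sequenceNumbers.Count == 0) return Array.Empty<ServiceBusReceivedMessage>();
        try
        {
            return await receiver.ReceiveDeferredMessagesAsync(sequenceNumbers);
        }
        catch (ServiceBusException ex) when (ex.Reason == ServiceBusFailureReason.MessageNotFound)
        {
            throw new InvalidOperationException(
                $"Deferred lookup failed for [{string.Join(",", sequenceNumbers)}]; " +
                "leave the job InProgress for retry, these messages may be orphaned.", ex);
        }
    }
}
```

The general rule the fix illustrates: a settlement call (defer, complete, abandon) is a
state change on the broker, so anything that depends on the new state has to be ordered
after the awaited call, and the identifier needed to recover the message (here the
sequence number) has to be written down before anything that can fail runs.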