Add Synchronization.Read.All scope for provisioning test (21886) #1319

Open
alflokken wants to merge 5 commits into microsoft:dev from alflokken:fix/synchronization-scope-21886

@alflokken

Summary

Test 21886 ("Applications are configured for automatic user provisioning") queries the following synchronization endpoints for each SSO-enabled service principal:

  • servicePrincipals/{id}/synchronization/templates
  • servicePrincipals/{id}/synchronization/jobs

These endpoints require the Synchronization.Read.All Graph scope, which was missing from the assessment's requested permissions. As a result, the test returns 401 Unauthorized under the default consent set and cannot run successfully out of the box.

Fix

  • Added Synchronization.Read.All to Get-ZtGraphScope.ps1.
  • Added the scope to the consent list in src/powershell/doc/readme.md.

Impact

  • Adds one read-only delegated scope.
  • Existing users will see a one-time re-consent prompt the next time they connect.
  • No code or output changes. This is a permissions-only fix that allows test 21886 to execute successfully.

Testing

  • Verified the two endpoints used by 21886 require Synchronization.Read.All.
  • Confirmed the scope is now requested at connect time and the test no longer returns 401.

Copilot AI review requested due to automatic review settings June 17, 2026 16:48
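
A preflight check for the failure described in the PR summary, added here as an example and not part of the pull request or the project's code. It assumes the Microsoft.Graph.Authentication module, an existing Graph session, and the v1.0 API version; the function name is hypothetical.

```powershell
# Added example (not from the pull request). Assumptions: the
# Microsoft.Graph.Authentication module is installed, a session already exists
# (e.g. Connect-MgGraph -Scopes 'Synchronization.Read.All'), and the v1.0 API
# version is used. Test-SynchronizationReadAccess is a hypothetical name.
function Test-SynchronizationReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        [string] $RequiredScope = 'Synchronization.Read.All'
    )

    $context = Get-MgContext
    if (-not $context) { throw 'No Graph session found. Run Connect-MgGraph first.' }

    # -contains is case-insensitive. A broader consented scope could also satisfy
    # the endpoints, so this flag is advisory and the probes below are authoritative.
    $scopeGranted = $context.Scopes -contains $RequiredScope

    $results = foreach ($segment in 'templates', 'jobs') {
        $uri = "/v1.0/servicePrincipals/$ServicePrincipalId/synchronization/$segment"
        try {
            $null = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop
            $status = 200
        }
        catch {
            # Fall back to the message when the exception carries no HTTP response.
            $response = $_.Exception.Response
            $status = if ($response) { [int]$response.StatusCode } else { $_.Exception.Message }
        }
        $denied = ($status -in @(401, 403)) -and (-not $scopeGranted)
        [pscustomobject]@{
            Endpoint     = $uri
            Status       = $status
            ScopeGranted = $scopeGranted
            # A denial with the scope absent points at consent, not at the app itself.
            LikelyCause  = if ($denied) { "Missing $RequiredScope" } else { $null }
        }
    }
    return $results
}

# Constructed placeholder object id; replace with a real service principal id.
# Test-SynchronizationReadAccess -ServicePrincipalId '00000000-0000-0000-0000-000000000000' | Format-Table
```

Running it before and after re-consent separates a missing delegated scope from a per-application failure on the two endpoints.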

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds the Microsoft Graph permission scope Synchronization.Read.All to the PowerShell scope helper and documents it in the PowerShell readme.

Changes:

  • Added Synchronization.Read.All to the returned scope list in Get-ZtGraphScope.ps1
  • Updated documentation to include Synchronization.Read.All in the displayed scope list

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/powershell/public/Get-ZtGraphScope.ps1 | Includes Synchronization.Read.All in the computed set of Graph scopes. |
| src/powershell/doc/readme.md | Documents the newly included Synchronization.Read.All permission. |

@alflokken alflokken changed the base branch from main to dev June 18, 2026 08:56
@astaykov astaykov self-assigned this Jun 22, 2026