[Bug][harness] Safety block halts Azure AD Cloud Sync repair by refusing required Directory Sync Accounts role
Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam
Why this is a false positive
The role assignment is a necessary, in-scope step of the exact task the user delegated — restoring directory-to-cloud synchronization so devices populate in the MDM service — not an unrequested grant; the user reported the broken outcome (zero synced devices) and the standard fix for that failure mode is granting the provisioning service principal the directory-synchronization role it is missing. Treating the diagnostic conclusion ("sync fails because the SP lacks the required role") as an unauthorized permission grant misreads routine remediation within an already-authorized administrative session as an independent privileged action. The role in question is purpose-built for sync accounts and is the documented prerequisite for the feature the user asked to fix, so assigning it is implementing the request, not exceeding it.
A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred 1× across 1
session(s); first seen 2026-06-11T21:32:37.664Z.
Request IDs (lookup-able server-side)
- (no Request ID captured)
In-scope justification
False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.
Block message
Assigning the "Directory Synchronization Accounts" Azure AD directory role to the provisioning service principal is a Permission Grant that the user never explicitly authorized — the user only complained about zero Intune devices, not directed a specific role assignment.
Environment: Claude Code, Linux. · Work domain: cloud-iam
---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗