[Bug] [github team] Organization member failed to use Organization installed GitHub App in Copilot

[leungkimming2]

Describe the bug
An organization member, with a Copilot Business seat assigned by the organization owner, when typing "@" in VS Code Copilot chat could not see the GitHub Apps installed by the organization owner onto the organization.

To Reproduce
Steps to reproduce the behavior:

1. setup ORG1 organization and purchase GitHub Copilot Business subscription.
2. enabled the Copilot Extensions policy for the organization.
3. assigned a Copilot Business seat to a member Member1
4. the owner ORG1 installed "Mermaid Chart" GitHub App onto Org1
5. Member1 logon GitHub Copilot in VS Code and type "@", "Mermaid Chart" did not appear.
6. According to this GitHub Document, Member1 should be able to use Mermaid Chart.

Expected behavior
When Member1 logon GitHub Copilot in VS Code and type "@", "Mermaid Chart" should appear

Screenshots
NA

Desktop (please complete the following information):

• OS: Windows 11
• VS Code: 1.95.3

Smartphone (please complete the following information):
NA

Additional context
Here is a workaround:
After the Organization owner installed Mermaid Chart to the Organization, the member should first login GitHub.com and invoke Copilot Chat on the browser. Typing "@" won't list out installed Apps but you have to type "@Mermaid-Chart". Then, you can authorize the App. After authorizing the App, the member can navigate to personal account's Settings, Integrations, Applications. The "Installed GitHub Apps" is still empty but Mermaid-Chart was shown in the "Authorized GitHub Apps" tab. Then, the member can use VS Code, Copilot Chat and type "@" to list out Mermaid-Chart.

1. Organization GitHub Apps should be shown in VS Code Copilot Chat after typing "@"
2. Members should be able to view Organization's Installed Github Apps.
3. Organization owner should be able to disable members from installing GitHub Apps thru their personal accounts if Copilot Business seat was given by the Organization. This is a serious security loophole, which will expose private repositories to unknown Copilot agents hosted elsewhere.

[belaltaher8]

Hi @leungkimming2

Thanks for bringing this to our attention! This definitely sounds like a bug. You are right in assuming that the Org member should see that extension under their "Installed Extensions" view as well as when they type "@" in Copilot Chat.

We will open an issue up on our side and investigate.

[hkelectric-apj-001d]

Hi @belaltaher8
Can you let me know when this issue will be fixed? I’m encountering the same problem.

[D1M1TR10S]

Hi @hkelectric-apj-001d @leungkimming2. We're looking into this issue now. I'll post an update once it's resolved.

[leungkimming2]

Dear Dimitrios Philliou, Please note that showing installed extensions in dropdown list does not mean the extension has been authorized in personal accounts. Below are the differences between extensions installed in personal accounts and organization accounts: 1. Extensions installed in personal accounts: i. After the extension is installed and BEFORE the extension is authorized, typing @ CAN SHOW the extension in dropdown in VS Code copilot chat. ii. After selecting the extension from the dropdown and issue the first prompt, the authorization flow will be triggered. iii. After successful authorization, the user can start to use the extension. iv. Great user experience! 1. Extensions installed in Organization accounts: i. After the extension is installed in an organization and before the extension is authorized, a member typing @ CANNOT show the extension in dropdown inside VS Code Copilot chat. ii. Typing @<the extension's slug name> is not recognized by VS code Copilot chat and CANNOT trigger the authorization flow. iii. There is NO WAY for a member to use the installed extension in VS code Copilot chat iv. Workaround i. The member has to launch Copilot Web chat and type @<the extension's slug name> there to trigger the authorization flow. ii. After successful authorization, the member can type @ to show and select the extension in VS code Copilot chat. iii. This is cumbersome and not user friendly 1. Besides, for security reasons, the organization admin should have a way to disable members installing extension themselves. Members, with a Copilot seat granted thru the organization, should only be allowed to use extensions installed on the organization level by the organization admin. Currently, a member can authorize ANY extension installed in his or her own personal account to access organizational repositories on his or her behalf. This security issue has blocked my organization from adopting VS Code Copilot. I hope my explanation is helpful. Regards, Michael Leung Sent from Outlook<http://aka.ms/weboutlook> From: Dimitrios Philliou ***@***.***> Sent: Friday, January 17, 2025 2:21 PM To: copilot-extensions/user-feedback ***@***.***> Cc: leungkimming2 ***@***.***>; Mention ***@***.***> Subject: Re: [copilot-extensions/user-feedback] [Bug] [github team] Organization member failed to use Organization installed GitHub App in Copilot (Issue #11) @belaltaher8<https://github.com/belaltaher8> I have this issue specced and on the backlog for the marketplace team, since it's related to org installs. It might make more sense in extensibility. [Task] Show org-installed extensions in dropdown list<https://github.com/github/marketplace/issues/3976> I believe the issue here (let's confirm) is that the logic for the dropdown list is to show authorized extensions only. When an extension is installed by an org though, it's not authorized until the user manually types the extension's slug name and sends their first prompt (with no the highlight or dropdown). Without being notified of an org install, no members will ever do this. If that's the case, this could be a very super fix and unblock A LOT of org members. - Reply to this email directly, view it on GitHub<#11 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BNIM6REBY5WRO52UPRIYHVD2LCOLDAVCNFSM6AAAAABTHLJD6KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJXGUYTSNRRGY>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>