microsoft · Copilot · May 21, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
@@ -4,6 +4,7 @@
 ENHANCEMENTS:
 * Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757))
 * Pin all GitHub Actions workflow steps to full commit SHAs to prevent supply chain attacks plus update to latest releases ([#4886](https://github.com/microsoft/AzureTRE/pull/4886))
+* Propagate sensitive Porter parameters into template registration schema to remove duplicate sensitivity metadata from template schemas ([#4910](https://github.com/microsoft/AzureTRE/pull/4910)).
 
 ## (0.28.0) (March 2, 2026)
 **BREAKING CHANGES**
@@ -1700,4 +1701,3 @@ FEATURES:
 * Centrally manage the firewall share service state to enable other services to ask for rule changes
 
 Many more enhancements are listed on the [release page](https://github.com/microsoft/AzureTRE/releases/tag/v0.4)
-
@@ -99,7 +99,23 @@ fi
 acr_domain_suffix=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)
 explain_json=$(porter explain --reference "${acr_name}${acr_domain_suffix}"/"$(yq eval '.name' porter.yaml)":v"$(yq eval '.version' porter.yaml)" -o json)
 
-payload=$(echo "${explain_json}" | jq --slurpfile json_schema template_schema.json --arg current "${current}" --arg bundle_type "${bundle_type}" '. + {"json_schema": $json_schema[0], "resourceType": $bundle_type, "current": $current}')
+payload=$(echo "${explain_json}" | jq --slurpfile json_schema template_schema.json --arg current "${current}" --arg bundle_type "${bundle_type}" '
+  . as $explain
+  | ($explain.parameters // [] | map(select(.sensitive == true) | .name) | unique) as $sensitive_parameter_names
+  | ($json_schema[0] | walk(
+      if type == "object" and has("properties") and (.properties | type) == "object"
+      then .properties |= with_entries(
+        .key as $parameter_name
+        | if ($sensitive_parameter_names | index($parameter_name)) != null
+        then .value |= (. + {"sensitive": true})
+        else .
+        end
+      )
+      else .
+      end
+    )) as $schema
+  | $explain + {"json_schema": $schema, "resourceType": $bundle_type, "current": $current}
+')
 
 if [ "${dry_run}" == "true" ]; then
     echo "--dry-run specified - automatic bundle registration disabled. Use the script output to self-register."

@@ -39,8 +39,7 @@
       "type": "string",
       "title": "SMTP Password",
       "description": "SMTP Password",
-      "updateable": false,
-      "sensitive": true
+      "updateable": false
     },
     "smtp_from_email": {
       "$id": "#/properties/smtp_from_email",

@@ -81,6 +81,7 @@ parameters:
     type: string
     description: "A SAS token to access storage resource in workspace under review"
     env: airlock_request_sas_url
+    sensitive: true
   - name: enable_cmk_encryption
     type: boolean
     default: false

@@ -34,8 +34,7 @@
         "type": "string",
         "title": "Airlock request SAS Token",
         "description": "SAS Token for airlock request",
-        "updateable": false,
-        "sensitive": true
+        "updateable": false
       }
     }
 }
@@ -88,6 +88,7 @@ parameters:
     type: string
     description: "A SAS token to access storage resource in workspace under review"
     env: airlock_request_sas_url
+    sensitive: true
   - name: enable_cmk_encryption
     type: boolean
     default: false

@@ -34,8 +34,7 @@
         "type": "string",
         "title": "Airlock request SAS Token",
         "description": "SAS Token for airlock request",
-        "updateable": false,
-        "sensitive": true
+        "updateable": false
       }
     }
 }
@@ -87,6 +87,7 @@ parameters:
       "The client secret of the workspace in the identity provider. This value is typically provided to you
       when you create the ws application"
     default: ""
+    sensitive: true
   - name: ui_client_id
     type: string
     default: ""

@@ -103,7 +103,6 @@
             "type": "string",
             "title": "Application (Client) Secret",
             "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
-            "sensitive": true,
             "updateable": true
           }
         },

@@ -90,6 +90,7 @@ parameters:
       "The client secret of the workspace in the identity provider. This value is typically provided to you
       when you create the ws application"
     default: ""
+    sensitive: true
   - name: ui_client_id
     type: string
     default: ""

@@ -249,7 +249,6 @@
             "type": "string",
             "title": "Application (Client) Secret",
             "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
-            "sensitive": true,
             "updateable": true
           }
         },
@@ -357,4 +356,4 @@
       "*"
     ]
   }
-}
+}
@@ -98,6 +98,7 @@ parameters:
       "The client secret of the workspace in the identity provider. This value is typically provided to you
       when you create the ws application"
     default: ""
+    sensitive: true
   - name: ui_client_id
     type: string
     default: ""

@@ -132,7 +132,6 @@
             "type": "string",
             "title": "Application (Client) Secret",
             "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.",
-            "sensitive": true,
             "updateable": true
           }
         },