What happened?

Currently, users can share agents, prompts, and other resources with ANY group in people picker, regardless of whether they are members of that group.
This creates serious security and logical consistency issues.es:

Security/Privacy Issues:

• Users can grant permissions to groups they are not a member off and have no authority over.
• Organizational boundaries are violated (e.g., Team A member sharing with Team B's private group)
• Information disclosure through group discovery
• Potential for spam/abuse

Logical Inconsistency:
Even if we wanted to allow cross-group sharing, the current behavior breaks fundamental consistency: A user can share resources with a group they themselves cannot access. This makes no sense from an access control perspective - if you can't access a group, why should you be able to grant that group access to your resources?

Expected Behavior:
Users should only be able to share resources with groups they are members of. This aligns with:

• Standard access control principles
• Organizational boundaries
• User expectations
• Security best practices

Version Information

c30afb8

Steps to Reproduce

1. As Admin enable Groups for Users in PeoplePicker
2. Create some groups in the backend or import via Azure sync (or OIDC Sync, PR open)
3. Login as user B, not being a member of any group. Create a new agent or prompt
4. Click "Share" button
5. Search for groups in the people picker
6. Observe: User B can see all Groups and pick Group X for sharing
7. Bug: Share succeeds - all "Group X" members now have access
8. Expected: User should not be able to share or see Groups, which user is not member off

What browsers are you seeing the problem on?

Chrome, Microsoft Edge

Relevant log output

none

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct