configure_global_admins
Assign Global Administrator roles to specified users in Microsoft 365 to enforce BOD 25-01 compliance requirements for privileged access management.
Instructions
Configure Global Administrator role assignments (MS.AAD.7.1v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| userIds | Yes | List of user IDs to assign Global Administrator role | |
Implementation Reference
- cisa-m365/src/index.ts:787-833 (handler) The primary handler function that executes the tool logic: validates the number of userIds (2-8), removes existing Global Administrator role assignments, and assigns the role to the provided user IDs using Microsoft Graph API.

  ```typescript
  private async configureGlobalAdmins(args: RoleAssignmentArgs) {
    try {
      if (args.userIds.length < 2 || args.userIds.length > 8) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'Number of Global Administrators must be between 2 and 8'
        );
      }

      // Configure Global Administrator assignments using Microsoft Graph API
      const globalAdminRoleId = 'Global Administrator';

      // Remove existing assignments
      const existingAssignments = await this.graphClient
        .api(`/directoryRoles/roleTemplate/${globalAdminRoleId}/members`)
        .get();

      for (const assignment of existingAssignments.value) {
        await this.graphClient
          .api(`/directoryRoles/roleTemplate/${globalAdminRoleId}/members/${assignment.id}`)
          .delete();
      }

      // Add new assignments
      for (const userId of args.userIds) {
        await this.graphClient
          .api(`/directoryRoles/roleTemplate/${globalAdminRoleId}/members/$ref`)
          .post({
            '@odata.id': `https://graph.microsoft.com/v1.0/users/${userId}`,
          });
      }

      return {
        content: [
          {
            type: 'text',
            text: `Global Administrator role configured with ${args.userIds.length} users successfully`,
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to configure Global Administrators: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```
- cisa-m365/src/index.ts:224-242 (registration) Tool registration in the ListToolsRequestSchema handler, defining the tool name, description, and input schema requiring userIds array (2-8 items).

  ```typescript
  {
    name: 'configure_global_admins',
    description: 'Configure Global Administrator role assignments (MS.AAD.7.1v1)',
    inputSchema: {
      type: 'object',
      properties: {
        userIds: {
          type: 'array',
          items: {
            type: 'string',
          },
          minItems: 2,
          maxItems: 8,
          description: 'List of user IDs to assign Global Administrator role',
        },
      },
      required: ['userIds'],
    },
  },
  ```
- cisa-m365/src/index.ts:22-25 (schema) TypeScript interface defining the expected arguments for role assignment tools, including userIds and roleId.

  ```typescript
  interface RoleAssignmentArgs {
    userIds: string[];
    roleId: string;
  }
  ```
- cisa-m365/src/index.ts:31-39 (helper) Type guard function to validate if arguments match RoleAssignmentArgs shape, used in the tool dispatcher.

  ```typescript
  function isRoleAssignmentArgs(args: unknown): args is RoleAssignmentArgs {
    if (typeof args !== 'object' || args === null) return false;
    const a = args as Record<string, unknown>;
    return (
      Array.isArray(a.userIds) &&
      a.userIds.every(id => typeof id === 'string') &&
      typeof a.roleId === 'string'
    );
  }
  ```
- cisa-m365/src/index.ts:349-357 (handler) Dispatcher case in the main CallToolRequestSchema handler that validates arguments and delegates to the configureGlobalAdmins method.

  ```typescript
  case 'configure_global_admins': {
    if (!isRoleAssignmentArgs(request.params.arguments)) {
      throw new McpError(
        ErrorCode.InvalidParams,
        'Invalid role assignment arguments'
      );
    }
    return await this.configureGlobalAdmins(request.params.arguments);
  }
  ```
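
An added example, not code from the cisa-m365 project: the handler listed above deletes every existing member before adding the new ones, so a Graph error partway through can leave the role with too few members. This version plans the change as a diff with additions ordered before removals. `planGlobalAdminChanges`, `GraphCall` and the sample IDs are hypothetical, and the role is addressed by Microsoft Graph's role template ID for Global Administrator rather than the display name used on the page.

```typescript
// Well-known role template ID for Global Administrator (the same in every tenant).
const GLOBAL_ADMIN_TEMPLATE_ID = '62e90394-69f5-4237-9190-012177145e10';
const ROLE_PATH = `/directoryRoles(roleTemplateId='${GLOBAL_ADMIN_TEMPLATE_ID}')`;

// Hypothetical shape for one planned Graph request (not a type from the project).
type GraphCall = { method: 'POST' | 'DELETE'; path: string; body?: Record<string, string> };

// Directory object IDs are GUIDs; rejecting anything else keeps caller input out of the URL path.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Lower-case and de-duplicate so comparisons are case-insensitive.
const uniq = (ids: string[]): string[] =>
  ids.map(id => id.toLowerCase()).filter((id, i, all) => all.indexOf(id) === i);

function planGlobalAdminChanges(currentIds: string[], desiredIds: string[]): GraphCall[] {
  const desired = uniq(desiredIds);
  // Count after de-duplication so a repeated ID cannot satisfy the 2-8 rule.
  if (desired.length < 2 || desired.length > 8) {
    throw new RangeError('Number of Global Administrators must be between 2 and 8');
  }
  const bad = desired.filter(id => !GUID.test(id));
  if (bad.length > 0) throw new TypeError(`Not a directory object ID: ${bad[0]}`);
  const current = uniq(currentIds);

  // Additions first: if a later request fails, the role still has members.
  const adds = desired.filter(id => current.indexOf(id) === -1).map((id): GraphCall => ({
    method: 'POST',
    path: `${ROLE_PATH}/members/$ref`,
    body: { '@odata.id': `https://graph.microsoft.com/v1.0/directoryObjects/${id}` },
  }));
  // Removals last, and only for members outside the desired set.
  const removes = current.filter(id => desired.indexOf(id) === -1).map((id): GraphCall => ({
    method: 'DELETE',
    path: `${ROLE_PATH}/members/${id}/$ref`,
  }));
  return [...adds, ...removes];
}

// Constructed sample: one current admin stays, one is replaced.
const samplePlan = planGlobalAdminChanges(
  ['11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222'],
  ['11111111-1111-1111-1111-111111111111', '33333333-3333-3333-3333-333333333333'],
);
console.log(samplePlan.map(c => `${c.method} ${c.path}`).join('\n'));
```

Members that are already assigned and still wanted produce no request at all, so re-running the tool with the same list is a no-op.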