BOD-25-01-CSA-Microsoft-Policy-MCP

Instructions

Implementation Reference

• cisa-m365/src/index.ts:529-557 (handler)

  The handler function that implements the core logic of the 'enforce_alternative_mfa' tool. It uses the Microsoft Graph client to patch the authenticationMethodsPolicy, enabling the Microsoft Authenticator as an alternative MFA method.
  private async enforceAlternativeMFA() { try { // Configure alternative MFA using Microsoft Graph API await this.graphClient .api('/policies/authenticationMethodsPolicy') .patch({ policies: { microsoftAuthenticator: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, }, }); return { content: [ { type: 'text', text: 'Alternative MFA method enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce alternative MFA: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }
• cisa-m365/src/index.ts:152-159 (registration)

  Registers the 'enforce_alternative_mfa' tool with the MCP server in the listTools handler, providing name, description, and input schema.
  { name: 'enforce_alternative_mfa', description: 'Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)', inputSchema: { type: 'object', properties: {}, }, },
• cisa-m365/src/index.ts:155-158 (schema)

  Defines the input schema for the 'enforce_alternative_mfa' tool, which is an empty object indicating no input parameters are required.
  inputSchema: { type: 'object', properties: {}, },
• cisa-m365/src/index.ts:331-332 (handler)

  Dispatches the tool call to the enforceAlternativeMFA handler in the CallToolRequestSchema handler.
  case 'enforce_alternative_mfa': return await this.enforceAlternativeMFA();
• cisa-m365/src/index.ts:1048-1051 (helper)

  Helper check in get_policy_status tool to determine if alternative MFA is enforced.
  alternativeMFA: { enforced: authMethods.policies.microsoftAuthenticator.isEnabled, compliant: true, },