enforce_cloud_accounts
Enforce cloud-only accounts for privileged users to meet BOD 25-01 compliance requirements in Microsoft 365 environments.
Instructions
Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Implementation Reference
- cisa-m365/src/index.ts:861-884 (handler): the handler function that implements the tool logic by patching the identitySecurityDefaultsEnforcementPolicy to require cloud-only privileged accounts.

  ```typescript
  private async enforceCloudAccounts() {
    try {
      // Configure account settings using Microsoft Graph API
      await this.graphClient
        .api('/policies/identitySecurityDefaultsEnforcementPolicy')
        .patch({
          requireCloudOnlyPrivilegedAccounts: true,
        });

      return {
        content: [
          {
            type: 'text',
            text: 'Cloud-only accounts enforced for privileged users successfully',
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to enforce cloud accounts: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```
- cisa-m365/src/index.ts:360-361 (registration): the case in the CallToolRequestSchema handler switch statement that dispatches to the enforceCloudAccounts method.

  ```typescript
  case 'enforce_cloud_accounts':
    return await this.enforceCloudAccounts();
  ```
- cisa-m365/src/index.ts:251-258 (schema): the tool schema definition including name, description, and an empty input schema (no parameters required).

  ```typescript
  {
    name: 'enforce_cloud_accounts',
    description: 'Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```
- cisa-m365/src/index.ts:118-318 (registration): the overall tool registration in the ListToolsRequestSchema handler, where the tool list including enforce_cloud_accounts is returned.

  ```typescript
  this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
    tools: [
      { name: 'block_legacy_auth', description: 'Block legacy authentication (MS.AAD.1.1v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'block_high_risk_users', description: 'Block users detected as high risk (MS.AAD.2.1v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'block_high_risk_signins', description: 'Block sign-ins detected as high risk (MS.AAD.2.3v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'enforce_phishing_resistant_mfa', description: 'Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'enforce_alternative_mfa', description: 'Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'configure_authenticator_context', description: 'Configure Microsoft Authenticator to show login context (MS.AAD.3.3v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'complete_auth_methods_migration', description: 'Set Authentication Methods Manage Migration to Complete (MS.AAD.3.4v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'enforce_privileged_mfa', description: 'Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'restrict_app_registration', description: 'Allow only administrators to register applications (MS.AAD.5.1v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'restrict_app_consent', description: 'Allow only administrators to consent to applications (MS.AAD.5.2v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'configure_admin_consent', description: 'Configure admin consent workflow for applications (MS.AAD.5.3v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'restrict_group_consent', description: 'Prevent group owners from consenting to applications (MS.AAD.5.4v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'disable_password_expiry', description: 'Disable password expiration (MS.AAD.6.1v1)', inputSchema: { type: 'object', properties: {} } },
      {
        name: 'configure_global_admins',
        description: 'Configure Global Administrator role assignments (MS.AAD.7.1v1)',
        inputSchema: {
          type: 'object',
          properties: {
            userIds: {
              type: 'array',
              items: { type: 'string' },
              minItems: 2,
              maxItems: 8,
              description: 'List of user IDs to assign Global Administrator role',
            },
          },
          required: ['userIds'],
        },
      },
      { name: 'enforce_granular_roles', description: 'Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'enforce_cloud_accounts', description: 'Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'enforce_pam', description: 'Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)', inputSchema: { type: 'object', properties: {} } },
      { name: 'configure_global_admin_approval', description: 'Configure approval requirement for Global Administrator activation (MS.AAD.7.6v1)', inputSchema: { type: 'object', properties: {} } },
      {
        name: 'configure_role_alerts',
        description: 'Configure alerts for privileged role assignments (MS.AAD.7.7v1)',
        inputSchema: {
          type: 'object',
          properties: {
            notificationEmails: {
              type: 'array',
              items: { type: 'string' },
              description: 'Email addresses to notify on role assignments',
            },
          },
          required: ['notificationEmails'],
        },
      },
      {
        name: 'configure_admin_alerts',
        description: 'Configure alerts for Global Administrator activation (MS.AAD.7.8v1)',
        inputSchema: {
          type: 'object',
          properties: {
            notificationEmails: {
              type: 'array',
              items: { type: 'string' },
              description: 'Email addresses to notify on role activation',
            },
          },
          required: ['notificationEmails'],
        },
      },
      { name: 'get_policy_status', description: 'Get current status of all CISA M365 security policies', inputSchema: { type: 'object', properties: {} } },
    ],
  }));
  ```
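The handler above flips a tenant policy setting, but MS.AAD.7.3v1 is ultimately about the accounts that hold privileged roles, so a defender will also want to verify that no member of such a role is synchronised from an on-premises directory. The check below is an added example, not code from the cisa-m365 project: it runs over constructed, Graph-shaped role membership data (onPremisesSyncEnabled is a real attribute of the Graph user resource; the privileged-role list and the sample users are assumptions made for the example).

```typescript
// Added example, not part of the cisa-m365 project. Audits privileged role
// members for MS.AAD.7.3v1: an account is cloud-only when the Graph user object
// reports onPremisesSyncEnabled as false, null or absent; true means the account
// is synchronised from on-premises and therefore violates the control.

interface GraphUser {
  id: string;
  userPrincipalName: string;
  onPremisesSyncEnabled?: boolean | null;
}

interface RoleMembership {
  roleName: string;     // displayName of the directoryRole
  members: GraphUser[]; // users returned for that role's members
}

interface Finding {
  roleName: string;
  userPrincipalName: string;
}

// Roles treated as privileged for this check (assumption chosen for the example).
const PRIVILEGED_ROLES = new Set<string>([
  'Global Administrator',
  'Privileged Role Administrator',
  'User Administrator',
]);

function isCloudOnly(user: GraphUser): boolean {
  return user.onPremisesSyncEnabled !== true;
}

// One finding per privileged-role member that is not a cloud-only account.
function findSyncedPrivilegedAccounts(roles: RoleMembership[]): Finding[] {
  const findings: Finding[] = [];
  for (const role of roles) {
    if (!PRIVILEGED_ROLES.has(role.roleName)) continue;
    for (const member of role.members) {
      if (!isCloudOnly(member)) {
        findings.push({ roleName: role.roleName, userPrincipalName: member.userPrincipalName });
      }
    }
  }
  return findings;
}

// Constructed sample data: one synced account in a privileged role (should be
// flagged) and one synced account in a non-privileged role (should not).
const SAMPLE_ROLES: RoleMembership[] = [
  { roleName: 'Global Administrator', members: [
    { id: 'u1', userPrincipalName: 'ga-cloud@example.onmicrosoft.com', onPremisesSyncEnabled: null },
    { id: 'u2', userPrincipalName: 'jdoe@example.com', onPremisesSyncEnabled: true },
  ] },
  { roleName: 'Reports Reader', members: [
    { id: 'u3', userPrincipalName: 'reports@example.com', onPremisesSyncEnabled: true },
  ] },
];
```

Against a live tenant the same function can be fed with the members of each directoryRole; the policy patch and this membership check together cover both halves of the control.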