enforce_cloud_accounts
Enforce cloud-only accounts for privileged users to comply with CISA BOD 25-01 requirements for Microsoft 365 cloud services.
Instructions
Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| (none) | No | No arguments; the tool takes an empty object | |
Implementation Reference
- `cisa-m365/src/index.ts:861-884` (handler): the main handler for the `enforce_cloud_accounts` tool. It PATCHes the `identitySecurityDefaultsEnforcementPolicy` resource through the Microsoft Graph API to require cloud-only privileged accounts, returns a text result when the call does not throw, and wraps any failure in an `McpError`.

  ```typescript
  private async enforceCloudAccounts() {
    try {
      // Configure account settings using Microsoft Graph API
      await this.graphClient
        .api('/policies/identitySecurityDefaultsEnforcementPolicy')
        .patch({
          requireCloudOnlyPrivilegedAccounts: true,
        });

      // Success is reported solely because the PATCH did not throw
      return {
        content: [
          {
            type: 'text',
            text: 'Cloud-only accounts enforced for privileged users successfully',
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to enforce cloud accounts: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```

- `cisa-m365/src/index.ts:252-258` (registration): registers the `enforce_cloud_accounts` tool in the list returned for `ListToolsRequestSchema`, including its name, description, and input schema (an empty object).

  ```typescript
  {
    name: 'enforce_cloud_accounts',
    description: 'Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```

- `cisa-m365/src/index.ts:360-361` (registration): dispatches calls to the `enforce_cloud_accounts` tool to the `enforceCloudAccounts` handler inside the `CallToolRequestSchema` handler.

  ```typescript
  case 'enforce_cloud_accounts':
    return await this.enforceCloudAccounts();
  ```

- `cisa-m365/src/index.ts:254-257` (schema): defines the input schema for the `enforce_cloud_accounts` tool as an empty object (no parameters required).

  ```typescript
  inputSchema: {
    type: 'object',
    properties: {},
  },
  ```
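The handler above reports success whenever the PATCH does not throw, and Microsoft Graph documents only an `isEnabled` property on `identitySecurityDefaultsEnforcementPolicy`, so an independent audit of role members is what actually confirms MS.AAD.7.3v1. The following TypeScript check is an added example, not code from the cisa-m365 project: it takes `directoryRole` and `user` data in Graph's shape and lists privileged role members that are synced from an on-premises directory; the privileged-role list and the sample tenant are assumptions constructed for the example.

```typescript
// Added example (not cisa-m365 code): audit check for MS.AAD.7.3v1 that
// reports privileged accounts synced from on-premises AD. Shapes mirror
// Graph directoryRole (expanded members) and user; sample data is constructed.
interface GraphUser {
  id: string;
  userPrincipalName: string;
  onPremisesSyncEnabled?: boolean | null; // true when synced from on-prem AD
}
interface GraphDirectoryRole {
  displayName: string;
  members: { id: string }[];
}
type Finding = { role: string; userPrincipalName: string };

// Roles treated as privileged here (assumption: a subset of SCuBA's list).
const PRIVILEGED_ROLES = new Set([
  'Global Administrator',
  'Privileged Role Administrator',
  'User Administrator',
]);

// One finding per (privileged role, non-cloud-only member) pair; an empty
// array means these roles pass MS.AAD.7.3v1.
function findHybridPrivilegedAccounts(roles: GraphDirectoryRole[], users: GraphUser[]): Finding[] {
  const byId = new Map(users.map((u): [string, GraphUser] => [u.id, u]));
  const findings: Finding[] = [];
  for (const role of roles) {
    if (!PRIVILEGED_ROLES.has(role.displayName)) continue;
    for (const member of role.members) {
      const user = byId.get(member.id);
      // Cloud-only accounts report onPremisesSyncEnabled as null or absent.
      if (user?.onPremisesSyncEnabled === true) {
        findings.push({ role: role.displayName, userPrincipalName: user.userPrincipalName });
      }
    }
  }
  return findings;
}

// Constructed sample tenant: a cloud-only GA, a synced GA, and a synced
// member of a non-privileged role (not reported).
const sampleUsers: GraphUser[] = [
  { id: 'u1', userPrincipalName: 'ga-cloud@example.com', onPremisesSyncEnabled: null },
  { id: 'u2', userPrincipalName: 'alice@example.com', onPremisesSyncEnabled: true },
  { id: 'u3', userPrincipalName: 'bob@example.com', onPremisesSyncEnabled: true },
];
const sampleRoles: GraphDirectoryRole[] = [
  { displayName: 'Global Administrator', members: [{ id: 'u1' }, { id: 'u2' }] },
  { displayName: 'Directory Readers', members: [{ id: 'u3' }] },
];
```

Running `findHybridPrivilegedAccounts(sampleRoles, sampleUsers)` on the sample tenant yields one finding, alice@example.com holding Global Administrator from a synced account.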