enforce_granular_roles
Enforce granular role assignments to replace Global Administrator privileges, implementing Microsoft 365 security policy MS.AAD.7.2v1 for compliance with CSA BOD 25-01 requirements.
Instructions
Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Implementation Reference
- cisa-m365/src/index.ts:835-859 (handler)The handler function that executes the tool: patches the roleManagementPolicies endpoint in Microsoft Graph to enforce granular roles by setting enforceGranularRoles to true and blocking Global Admin for general use.private async enforceGranularRoles() { try { // Configure role settings using Microsoft Graph API await this.graphClient .api('/policies/roleManagementPolicies') .patch({ enforceGranularRoles: true, blockGlobalAdminForGeneralUse: true, }); return { content: [ { type: 'text', text: 'Granular role usage enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce granular roles: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }
- cisa-m365/src/index.ts:243-250 (registration)Registers the 'enforce_granular_roles' tool in the MCP server's listTools response, including its description and input schema (empty object).{ name: 'enforce_granular_roles', description: 'Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)', inputSchema: { type: 'object', properties: {}, }, },
- cisa-m365/src/index.ts:246-249 (schema)Defines the input schema for the tool as an empty object (no parameters required).inputSchema: { type: 'object', properties: {}, },