BOD-25-01-CSA-Microsoft-Policy-MCP

Instructions

Implementation Reference

• cisa-m365/src/index.ts:835-859 (handler)

  The handler function that executes the 'enforce_granular_roles' tool. It patches the roleManagementPolicies endpoint in Microsoft Graph API to set enforceGranularRoles to true and blockGlobalAdminForGeneralUse to true, then returns a success message.
  private async enforceGranularRoles() { try { // Configure role settings using Microsoft Graph API await this.graphClient .api('/policies/roleManagementPolicies') .patch({ enforceGranularRoles: true, blockGlobalAdminForGeneralUse: true, }); return { content: [ { type: 'text', text: 'Granular role usage enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce granular roles: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }
• cisa-m365/src/index.ts:243-250 (registration)

  Registration of the 'enforce_granular_roles' tool in the ListTools response, including its name, description, and input schema (empty object).
  { name: 'enforce_granular_roles', description: 'Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)', inputSchema: { type: 'object', properties: {}, }, },
• cisa-m365/src/index.ts:246-249 (schema)

  Input schema for the 'enforce_granular_roles' tool, which expects an empty object (no parameters).
  inputSchema: { type: 'object', properties: {}, },
• cisa-m365/src/index.ts:358-359 (handler)

  Dispatcher switch case in the CallToolRequest handler that routes calls to the enforceGranularRoles method.
  case 'enforce_granular_roles': return await this.enforceGranularRoles();
• cisa-m365/src/index.ts:1086-1089 (helper)

  Helper code in getPolicyStatus that checks the enforcement status of granular roles from roleManagement policies.
  granularRoles: { enforced: roleManagement.enforceGranularRoles, compliant: true, },