enforce_pam
Configure Privileged Access Management (PAM) for privileged role assignments in a Microsoft 365 / Entra ID tenant, in support of CISA SCuBA baseline policy MS.AAD.7.5v1 (provisioning users to highly privileged roles must not occur outside a PAM system), which BOD 25-01 requires agencies to implement. The tool writes policy settings through Microsoft Graph; it does not monitor assignments.
Instructions
Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| (none) | | The tool takes no arguments; its input schema is an empty object. | |
Implementation Reference
- cisa-m365/src/index.ts:886-910 (handler)

  The main handler for the `enforce_pam` tool. It sends one PATCH to `/policies/privilegedAccessPolicy` through the Microsoft Graph client and, if the call does not throw, reports success. Two things to check before trusting that result: success is inferred solely from the absence of an exception, the handler never reads the policy back to confirm the values were applied; and Microsoft Graph's documented `policies` resources do not include a `privilegedAccessPolicy`, nor properties named `requirePAMForPrivilegedRoles` or `blockDirectAssignment` (PIM role settings are exposed under `/policies/roleManagementPolicies`), so verify the endpoint against the Graph reference for your tenant before relying on this tool. `graphClient`, `McpError` and `ErrorCode` (the MCP SDK's error type and code enum) are defined elsewhere in index.ts.

  ```typescript
  private async enforcePAM() {
    try {
      // Configure PAM settings via Microsoft Graph: require PAM for privileged
      // roles and block direct (non-PAM) role assignments.
      await this.graphClient
        .api('/policies/privilegedAccessPolicy')
        .patch({
          requirePAMForPrivilegedRoles: true,
          blockDirectAssignment: true,
        });

      // Success is reported as soon as the PATCH returns without throwing;
      // the policy is not read back.
      return {
        content: [
          {
            type: 'text',
            text: 'PAM system enforcement configured successfully',
          },
        ],
      };
    } catch (error: unknown) {
      // Surface the Graph error to the MCP caller as an internal error.
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to enforce PAM: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```
- cisa-m365/src/index.ts:259-266 (registration)

  Registers the `enforce_pam` tool in the ListTools response with its name, description, and an empty input schema.

  ```typescript
  {
    name: 'enforce_pam',
    description: 'Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```
- cisa-m365/src/index.ts:362-363 (registration)

  In the CallToolRequest handler's switch statement, a call to `enforce_pam` is dispatched to the `enforcePAM()` method.

  ```typescript
  case 'enforce_pam':
    return await this.enforcePAM();
  ```
- cisa-m365/src/index.ts:262-265 (schema)

  The input schema for `enforce_pam` is an empty object: no parameters are accepted.

  ```typescript
  inputSchema: {
    type: 'object',
    properties: {},
  },
  ```
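The handler above treats a non-throwing PATCH as success. The example below, added here and not part of the cisa-m365 project, shows the write-then-verify pattern a practitioner would want instead: patch the policy, read it back, and report which desired properties did not take effect. The endpoint path and property names are copied from the page's handler (they are not verified against the Graph reference); the `GraphLike` interface mirrors only the `client.api(path).patch(body)` shape the handler uses, and `InMemoryGraph` is a constructed stand-in for a backend that silently drops properties it does not recognise.

```typescript
// Added example (not the cisa-m365 project's code): write a policy through a
// Graph-style client, then read it back and report drift instead of assuming
// success. Path and property names are those used by the page's handler and
// are assumed, not verified against Microsoft Graph documentation.

type PamPolicy = {
  requirePAMForPrivilegedRoles: boolean;
  blockDirectAssignment: boolean;
};

// Desired state, as written by the page's enforcePAM() handler.
const DESIRED_PAM_POLICY: PamPolicy = {
  requirePAMForPrivilegedRoles: true,
  blockDirectAssignment: true,
};

const PAM_POLICY_PATH = '/policies/privilegedAccessPolicy';

// Minimal shape of the fluent client the handler uses: client.api(path).patch(body).
type PolicyRequest = {
  get(): Promise<Record<string, unknown>>;
  patch(body: Record<string, unknown>): Promise<void>;
};
interface GraphLike {
  api(path: string): PolicyRequest;
}

// Names of desired properties that are absent from, or differ in, the read-back state.
function policyDrift(actual: Record<string, unknown>): string[] {
  return (Object.keys(DESIRED_PAM_POLICY) as (keyof PamPolicy)[])
    .filter((key) => actual[key] !== DESIRED_PAM_POLICY[key]);
}

type EnforceResult = { ok: boolean; message: string; drift: string[] };

// Write, then verify. Reports ok=false (rather than success) when the service
// accepted the PATCH but the read-back does not show the desired values.
async function enforcePAM(client: GraphLike): Promise<EnforceResult> {
  try {
    await client.api(PAM_POLICY_PATH).patch({ ...DESIRED_PAM_POLICY });
    const current = await client.api(PAM_POLICY_PATH).get();
    const drift = policyDrift(current);
    return drift.length === 0
      ? { ok: true, message: 'PAM policy verified after write', drift }
      : { ok: false, message: `PATCH accepted but not applied: ${drift.join(', ')}`, drift };
  } catch (error: unknown) {
    const reason = error instanceof Error ? error.message : 'Unknown error';
    return { ok: false, message: `Failed to enforce PAM: ${reason}`, drift: [] };
  }
}

// Constructed stand-in for a Graph backend (hypothetical, for this example).
// Only properties listed in `known` for a path are persisted; anything else is
// dropped without error, which is exactly what a write-only handler cannot see.
// Unknown paths behave like a 404.
class InMemoryGraph implements GraphLike {
  private store: Map<string, Record<string, unknown>>;
  private known: Map<string, Set<string>>;

  constructor(known: Map<string, Set<string>>) {
    this.known = known;
    this.store = new Map();
    known.forEach((_, path) => this.store.set(path, {}));
  }

  // Inspection hook: a copy of the persisted state for a path.
  snapshot(path: string): Record<string, unknown> | undefined {
    const obj = this.store.get(path);
    return obj ? { ...obj } : undefined;
  }

  api(path: string): PolicyRequest {
    const obj = this.store.get(path);
    const accepted = this.known.get(path);
    return {
      async get() {
        if (!obj) throw new Error(`404 Not Found: ${path}`); // simulated Graph error
        return { ...obj };
      },
      async patch(body) {
        if (!obj || !accepted) throw new Error(`404 Not Found: ${path}`);
        for (const key of Object.keys(body)) {
          if (accepted.has(key)) obj[key] = body[key]; // unrecognised keys are dropped
        }
      },
    };
  }
}

// Constructed scenario: the backend recognises requirePAMForPrivilegedRoles but
// not blockDirectAssignment. A plain "patch and report success" would mislead;
// the read-back reports ok=false with drift ["blockDirectAssignment"].
const partialBackend = new InMemoryGraph(new Map([
  [PAM_POLICY_PATH, new Set(['requirePAMForPrivilegedRoles'])],
]));
void enforcePAM(partialBackend).then((result) => console.log(JSON.stringify(result)));
```

In a real handler the `EnforceResult` would be mapped onto the MCP `content` array, with `ok=false` surfaced to the caller rather than the fixed "configured successfully" string; the read-back is also the natural place to add an audit log entry recording the before and after state of the policy.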