BOD-25-01-CSA-Microsoft-Policy-MCP

Instructions

Implementation Reference

• cisa-m365/src/index.ts:495-527 (handler)

  The handler function that implements the 'enforce_phishing_resistant_mfa' tool by updating the authentication methods policy to enable phishing-resistant MFA methods (FIDO2 and Windows Hello for Business).
  private async enforcePhishingResistantMFA() { try { // Configure MFA policy using Microsoft Graph API await this.graphClient .api('/policies/authenticationMethodsPolicy') .patch({ policies: { fido2: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, windowsHelloForBusiness: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, }, }); return { content: [ { type: 'text', text: 'Phishing-resistant MFA enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce phishing-resistant MFA: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }
• cisa-m365/src/index.ts:144-151 (registration)

  Registers the 'enforce_phishing_resistant_mfa' tool in the MCP server with its description and input schema (empty object).
  { name: 'enforce_phishing_resistant_mfa', description: 'Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)', inputSchema: { type: 'object', properties: {}, }, },
• cisa-m365/src/index.ts:329-330 (registration)

  Dispatches calls to the 'enforce_phishing_resistant_mfa' tool to the handler method in the switch statement of the CallToolRequest handler.
  case 'enforce_phishing_resistant_mfa': return await this.enforcePhishingResistantMFA();
• cisa-m365/src/index.ts:147-150 (schema)

  Defines the input schema for the tool as an empty object (no parameters required).
  inputSchema: { type: 'object', properties: {}, },