DynamicEndpoints

BOD-25-01-CSA-Microsoft-Policy-MCP

enforce_privileged_mfa

Enforce phishing-resistant multi-factor authentication for privileged roles to comply with CISA BOD 25-01 requirements in Microsoft 365 environments.

Instructions

Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)

Input Schema


No arguments

Implementation Reference

  • The handler function for the 'enforce_privileged_mfa' tool. It creates a Conditional Access Policy via Microsoft Graph API that requires phishing-resistant MFA (FIDO2 or Windows Hello for Business) for privileged roles such as Global Administrator and Privileged Role Administrator.
    private async enforcePrivilegedMFA() {
      try {
        // Configure MFA for privileged roles using Microsoft Graph API
        await this.graphClient
          .api('/policies/conditionalAccessPolicies')
          .post({
            displayName: 'Require Phishing-resistant MFA for Privileged Roles',
            state: 'enabled',
            conditions: {
              applications: {
                includeApplications: ['all'],
              },
              users: {
                includeRoles: ['Global Administrator', 'Privileged Role Administrator'],
              },
            },
            grantControls: {
              operator: 'AND',
              builtInControls: ['fido2', 'windowsHelloForBusiness'],
            },
          });

        return {
          content: [
            {
              type: 'text',
              text: 'Phishing-resistant MFA enforced for privileged roles successfully',
            },
          ],
        };
      } catch (error: unknown) {
        throw new McpError(
          ErrorCode.InternalError,
          `Failed to enforce privileged MFA: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • Registers the 'enforce_privileged_mfa' tool in the MCP server's tool list, including its name, description, and input schema (empty object).
    {
      name: 'enforce_privileged_mfa',
      description: 'Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)',
      inputSchema: {
        type: 'object',
        properties: {},
      },
    },
  • Defines the input schema for the 'enforce_privileged_mfa' tool as an empty object (no parameters required).
    inputSchema: { type: 'object', properties: {}, },
  • Switch case in the CallToolRequest handler that dispatches calls to 'enforce_privileged_mfa' to the enforcePrivilegedMFA method.
    case 'enforce_privileged_mfa':
      return await this.enforcePrivilegedMFA();
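
A pre-flight check for the request body the handler above posts, as an added example that is not the project's code: it lints a policy object against the field shapes Microsoft Graph documents for the conditionalAccessPolicy resource and builds a body that passes. `lintPolicy`, `buildPolicy` and the report-only default are assumptions of this example; the role template ids and the authentication strength id are the published built-in values.

```typescript
// Added example, not the project's code; lint rules and function names are this example's own.
type CaPolicy = {
  displayName: string; state: string;
  conditions: { clientAppTypes?: string[]; applications: { includeApplications: string[] };
    users: { includeRoles: string[] } };
  grantControls: { operator: string; builtInControls?: string[]; authenticationStrength?: { id: string } };
};
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
// Values of the Graph v1.0 builtInControls enum; authentication methods are not among them.
const BUILT_IN = ['block', 'mfa', 'compliantDevice', 'domainJoinedDevice',
  'approvedApplication', 'compliantApplication', 'passwordChange'];
// Id of the built-in "Phishing-resistant MFA" authentication strength policy.
const PHISHING_RESISTANT = '00000000-0000-0000-0000-000000000004';

function lintPolicy(p: CaPolicy): string[] {
  const findings: string[] = [];
  if (!p.conditions.clientAppTypes?.length) findings.push('conditions.clientAppTypes is missing');
  for (const r of p.conditions.users.includeRoles)
    if (!GUID.test(r)) findings.push(`includeRoles "${r}": expected a role template id (GUID)`);
  for (const c of p.grantControls.builtInControls ?? [])
    if (BUILT_IN.indexOf(c) < 0) findings.push(`builtInControls "${c}": not a built-in grant control`);
  if (p.grantControls.authenticationStrength?.id !== PHISHING_RESISTANT)
    findings.push('grantControls: no phishing-resistant authenticationStrength');
  return findings;
}

// Assumption: start in report-only; pass 'enabled' once sign-in logs show no lockout.
function buildPolicy(state = 'enabledForReportingButNotEnforced'): CaPolicy {
  return {
    displayName: 'Require Phishing-resistant MFA for Privileged Roles', state,
    conditions: {
      clientAppTypes: ['all'],
      applications: { includeApplications: ['All'] },
      users: { includeRoles: [
        '62e90394-69f5-4237-9190-012177145e10', // Global Administrator template id
        'e8611ab8-c189-46e8-94e1-60213ab1f814', // Privileged Role Administrator template id
      ] },
    },
    grantControls: { operator: 'OR', authenticationStrength: { id: PHISHING_RESISTANT } },
  };
}

// Request body copied from the handler on this page.
const pagePolicy: CaPolicy = {
  displayName: 'Require Phishing-resistant MFA for Privileged Roles', state: 'enabled',
  conditions: { applications: { includeApplications: ['all'] },
    users: { includeRoles: ['Global Administrator', 'Privileged Role Administrator'] } },
  grantControls: { operator: 'AND', builtInControls: ['fido2', 'windowsHelloForBusiness'] },
};
```

`lintPolicy(pagePolicy)` returns six findings and `lintPolicy(buildPolicy())` returns none. Microsoft Graph v1.0 documents policy creation at `POST /identity/conditionalAccess/policies`.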

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/Automated-BOD-25-01-CISA-Microsoft-Policies-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.