BOD-25-01-CSA-Microsoft-Policy-MCP

Instructions

Implementation Reference

• cisa-m365/src/index.ts:678-702 (handler)

  The handler function that implements the core logic of the 'restrict_app_consent' tool. It uses the Microsoft Graph client to patch the app consent policy, enabling restrictions, blocking user consent for risky apps, and requiring admin consent for new apps.
  private async restrictAppConsent() { try { // Configure app consent settings using Microsoft Graph API await this.graphClient .api('/policies/appConsentPolicy') .patch({ isEnabled: true, blockUserConsentForRiskyApps: true, requireAdminConsentForNewApps: true, }); return { content: [ { type: 'text', text: 'Application consent restricted to administrators successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to restrict app consent: ${error instanceof Error ? error.message : 'Unknown error'}` ); }
• cisa-m365/src/index.ts:341-342 (registration)

  The switch case in the CallToolRequest handler that dispatches calls to the 'restrict_app_consent' tool to its implementation method.
  case 'restrict_app_consent': return await this.restrictAppConsent();
• cisa-m365/src/index.ts:192-199 (registration)

  The tool registration entry in the ListTools response, defining the name, description, and input schema (empty object) for 'restrict_app_consent'.
  { name: 'restrict_app_consent', description: 'Allow only administrators to consent to applications (MS.AAD.5.2v1)', inputSchema: { type: 'object', properties: {}, }, },
• cisa-m365/src/index.ts:195-198 (schema)

  The input schema definition for the 'restrict_app_consent' tool, which accepts no parameters (empty object).
  inputSchema: { type: 'object', properties: {}, },