restrict_app_consent
Control application access by limiting consent permissions to administrators only, enhancing security in Microsoft 365 environments.
Instructions
Allow only administrators to consent to applications (MS.AAD.5.2v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Implementation Reference
- cisa-m365/src/index.ts:678-703 (handler) The main handler function that executes the tool logic. It patches the app consent policy via Microsoft Graph API to enable restrictions, block user consent for risky apps, and require admin consent for new apps.

  ```typescript
  private async restrictAppConsent() {
    try {
      // Configure app consent settings using Microsoft Graph API
      await this.graphClient
        .api('/policies/appConsentPolicy')
        .patch({
          isEnabled: true,
          blockUserConsentForRiskyApps: true,
          requireAdminConsentForNewApps: true,
        });

      return {
        content: [
          {
            type: 'text',
            text: 'Application consent restricted to administrators successfully',
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to restrict app consent: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```

- cisa-m365/src/index.ts:192-199 (registration) Registers the 'restrict_app_consent' tool in the list of available tools, including its description and input schema (empty object, no parameters required).

  ```typescript
  {
    name: 'restrict_app_consent',
    description: 'Allow only administrators to consent to applications (MS.AAD.5.2v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```

- cisa-m365/src/index.ts:195-198 (schema) Defines the input schema for the tool as an empty object, indicating no input parameters are required.

  ```typescript
  inputSchema: {
    type: 'object',
    properties: {},
  },
  ```

- cisa-m365/src/index.ts:341-342 (handler) Dispatch case in the CallToolRequest handler that routes calls to the restrictAppConsent method.

  ```typescript
  case 'restrict_app_consent':
    return await this.restrictAppConsent();
  ```
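
A read-back check for the control this tool sets (MS.AAD.5.2v1), as an added example that is not part of cisa-m365. It assumes the setting is verified against the Microsoft Graph `authorizationPolicy` resource (`GET /policies/authorizationPolicy`), where user consent is granted by `ManagePermissionGrantsForSelf.*` entries in `defaultUserRolePermissions.permissionGrantPoliciesAssigned`; the function name and the sample responses are constructed for illustration.

```typescript
// Added example, not from cisa-m365. Evaluates, offline, the JSON body that
// GET /policies/authorizationPolicy returns (assumed source of truth here).
interface AuthorizationPolicy {
  defaultUserRolePermissions?: { permissionGrantPoliciesAssigned?: string[] };
}

interface ConsentCheck {
  compliant: boolean;
  userConsentPolicies: string[]; // entries that let users consent for themselves
  reason: string;
}

// Policies with this prefix grant ordinary users self-service consent.
const SELF_CONSENT_PREFIX = 'managepermissiongrantsforself.';

// Hypothetical helper: true only when no self-consent policy is assigned.
function checkAdminOnlyConsent(policy: AuthorizationPolicy): ConsentCheck {
  const assigned = policy.defaultUserRolePermissions?.permissionGrantPoliciesAssigned;
  if (!Array.isArray(assigned)) {
    // Field missing: the control cannot be proven, so fail closed.
    return { compliant: false, userConsentPolicies: [],
             reason: 'permissionGrantPoliciesAssigned missing from response' };
  }
  const userConsentPolicies = assigned.filter(
    (p) => p.toLowerCase().indexOf(SELF_CONSENT_PREFIX) === 0);
  return userConsentPolicies.length === 0
    ? { compliant: true, userConsentPolicies,
        reason: 'no self-consent policy assigned to the default user role' }
    : { compliant: false, userConsentPolicies,
        reason: 'users can still consent: ' + userConsentPolicies.join(', ') };
}

// Constructed sample responses (not captured from a real tenant).
const SAMPLE_USER_CONSENT_ON: AuthorizationPolicy = {
  defaultUserRolePermissions: { permissionGrantPoliciesAssigned: [
    'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' ] },
};
const SAMPLE_ADMIN_ONLY: AuthorizationPolicy = {
  defaultUserRolePermissions: { permissionGrantPoliciesAssigned: [
    // Owner-consent entries do not grant user self-consent; constructed id.
    'ManagePermissionGrantsForOwnedResource.example-policy' ] },
};

for (const sample of [SAMPLE_USER_CONSENT_ON, SAMPLE_ADMIN_ONLY, {}]) {
  const result = checkAdminOnlyConsent(sample);
  console.log(result.compliant ? 'PASS' : 'FAIL', '-', result.reason);
}
```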