BOD-25-01-CSA-Microsoft-Policy-MCP

Instructions

Implementation Reference

• cisa-m365/src/index.ts:184-191 (registration)

  Registers the 'restrict_app_registration' tool with MCP server including name, description, and input schema.
  { name: 'restrict_app_registration', description: 'Allow only administrators to register applications (MS.AAD.5.1v1)', inputSchema: { type: 'object', properties: {}, }, },
• cisa-m365/src/index.ts:187-190 (schema)

  Defines the input schema for the tool as an empty object (no input parameters required).
  inputSchema: { type: 'object', properties: {}, },
• cisa-m365/src/index.ts:652-676 (handler)

  The main execution handler that updates Microsoft Graph API policy to restrict app registrations to administrators only.
  private async restrictAppRegistration() { try { // Configure app registration settings using Microsoft Graph API await this.graphClient .api('/policies/applicationRegistrationManagement') .patch({ restrictAppRegistration: true, restrictNonAdminUsers: true, }); return { content: [ { type: 'text', text: 'Application registration restricted to administrators successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to restrict app registration: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }
• cisa-m365/src/index.ts:339-340 (helper)

  Dispatches the tool call to the restrictAppRegistration handler method.
  case 'restrict_app_registration': return await this.restrictAppRegistration();
• cisa-m365/src/index.ts:1060-1064 (helper)

  Helper logic in get_policy_status tool to check and report the status of app registration restrictions.
  appRegistration: { restrictedToAdmins: appRegistration.restrictAppRegistration && appRegistration.restrictNonAdminUsers, compliant: true, },