restrict_app_registration
Enforce administrator-only application registration to prevent unauthorized access and maintain security compliance in Microsoft 365 environments.
Instructions
Allow only administrators to register applications (MS.AAD.5.1v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Implementation Reference
- cisa-m365/src/index.ts:652-676 (handler): The main handler function that executes the tool logic by patching the Microsoft Graph API to restrict app registrations to administrators only.

  ```typescript
  private async restrictAppRegistration() {
    try {
      // Configure app registration settings using Microsoft Graph API
      await this.graphClient
        .api('/policies/applicationRegistrationManagement')
        .patch({
          restrictAppRegistration: true,
          restrictNonAdminUsers: true,
        });

      return {
        content: [
          {
            type: 'text',
            text: 'Application registration restricted to administrators successfully',
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to restrict app registration: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```

- cisa-m365/src/index.ts:339-340 (registration): The switch case in the CallToolRequest handler that dispatches to the restrictAppRegistration method.

  ```typescript
  case 'restrict_app_registration':
    return await this.restrictAppRegistration();
  ```

- cisa-m365/src/index.ts:184-191 (schema): The tool definition including name, description, and input schema (empty object) registered in the ListTools response.

  ```typescript
  {
    name: 'restrict_app_registration',
    description: 'Allow only administrators to register applications (MS.AAD.5.1v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```
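- cisa-m365/src/index.ts:1060-1064 (helper): Helper logic in getPolicyStatus that checks the status of app registration restrictions.

  ```typescript
  appRegistration: {
    // True only when both restriction flags are set on the policy object
    restrictedToAdmins:
      appRegistration.restrictAppRegistration &&
      appRegistration.restrictNonAdminUsers,
    // Fixed literal: this value does not depend on restrictedToAdmins
    compliant: true,
  },
  ```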
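
Added example (not cisa-m365 code): the status helper above reports `compliant: true` as a fixed value, so this sketch derives MS.AAD.5.1v1 compliance from policy data and fails closed when the setting cannot be read. It assumes the setting is read from Microsoft Graph `GET /policies/authorizationPolicy` (`defaultUserRolePermissions.allowedToCreateApps`), a different resource from the one the handler patches; `evaluateAppRegistration` and the sample objects are hypothetical names.

```typescript
// Added example, not cisa-m365 code. Assumption: `policy` is the JSON body of
// Microsoft Graph GET /policies/authorizationPolicy; only the field used is typed.
interface AuthorizationPolicy {
  defaultUserRolePermissions?: { allowedToCreateApps?: boolean };
}

interface AppRegistrationStatus {
  restrictedToAdmins: boolean;
  compliant: boolean;
  detail: string;
}

// Hypothetical helper: derive MS.AAD.5.1v1 status from the policy itself.
function evaluateAppRegistration(policy: unknown): AppRegistrationStatus {
  const perms = (policy as AuthorizationPolicy | null | undefined)
    ?.defaultUserRolePermissions;
  const allowed = perms?.allowedToCreateApps;

  // Fail closed: a missing or non-boolean value is reported as non-compliant,
  // so a read error or a changed response shape cannot pass as "restricted".
  if (typeof allowed !== 'boolean') {
    return {
      restrictedToAdmins: false,
      compliant: false,
      detail: 'allowedToCreateApps not present in policy response',
    };
  }

  const restricted = allowed === false;
  return {
    restrictedToAdmins: restricted,
    compliant: restricted,
    detail: restricted
      ? 'default user role cannot register applications'
      : 'default user role can register applications',
  };
}

// Constructed sample responses (not captured from a real tenant).
const SAMPLE_OPEN = { id: 'authorizationPolicy', defaultUserRolePermissions: { allowedToCreateApps: true } };
const SAMPLE_RESTRICTED = { id: 'authorizationPolicy', defaultUserRolePermissions: { allowedToCreateApps: false } };
const SAMPLE_PARTIAL = { id: 'authorizationPolicy' };
const SAMPLE_MALFORMED = { defaultUserRolePermissions: { allowedToCreateApps: 'false' } };
```

Running the same evaluation before and after the tool call shows whether the restriction actually took effect in the tenant, rather than relying on the success message alone.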