restrict_group_consent
Prevent group owners from granting application consent to enforce security policies and control access permissions in Microsoft 365 environments.
Instructions
Prevent group owners from consenting to applications (MS.AAD.5.4v1)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Implementation Reference
- cisa-m365/src/index.ts:733-757 (handler)

  The handler function that executes the `restrict_group_consent` tool. It patches the groupConsentPolicy via the Microsoft Graph API to enable it and block group owner consent for apps.

  ```typescript
  private async restrictGroupConsent() {
    try {
      // Configure group consent settings using Microsoft Graph API
      await this.graphClient
        .api('/policies/groupConsentPolicy')
        .patch({
          isEnabled: true,
          blockGroupOwnerConsentForApps: true,
        });
      return {
        content: [
          {
            type: 'text',
            text: 'Group owner application consent blocked successfully',
          },
        ],
      };
    } catch (error: unknown) {
      throw new McpError(
        ErrorCode.InternalError,
        `Failed to restrict group consent: ${error instanceof Error ? error.message : 'Unknown error'}`
      );
    }
  }
  ```
- cisa-m365/src/index.ts:208-215 (registration)

  Registration of the `restrict_group_consent` tool in the ListTools response, including name, description, and input schema (empty object).

  ```typescript
  {
    name: 'restrict_group_consent',
    description: 'Prevent group owners from consenting to applications (MS.AAD.5.4v1)',
    inputSchema: {
      type: 'object',
      properties: {},
    },
  },
  ```
- cisa-m365/src/index.ts:345-346 (registration)

  Dispatch case in the CallToolRequest handler that routes to the `restrictGroupConsent` method.

  ```typescript
  case 'restrict_group_consent':
    return await this.restrictGroupConsent();
  ```
- cisa-m365/src/index.ts:211-215 (schema)

  Input schema for the tool (empty object, no parameters required).

  ```typescript
  inputSchema: {
    type: 'object',
    properties: {},
  },
  ```
- cisa-m365/src/index.ts:1074-1077 (helper)

  Helper in `get_policy_status` that reports the state of the group consent policy. The compliance flag is derived from the policy value read back from Graph rather than hardcoded to `true`, so a tenant where group owner consent is still allowed is reported as non-compliant.

  ```typescript
  groupConsent: {
    blocked: groupConsent.blockGroupOwnerConsentForApps,
    // MS.AAD.5.4v1 is met only when group owner consent for apps is actually blocked
    compliant: groupConsent.blockGroupOwnerConsentForApps === true,
  },
  ```
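
The following is an added example, not code from the cisa-m365 project: it separates the MS.AAD.5.4v1 compliance decision into a pure function, then applies the same patch the tool sends and reads the policy back to confirm the tenant actually ended up in the blocked state. It assumes the policy shape the handler patches (`isEnabled`, `blockGroupOwnerConsentForApps`) and stands in for the Graph client with a constructed in-memory fake; the `GraphLike`, `evaluateGroupConsent`, `restrictAndVerify` and `fakeGraph` names are hypothetical.

```typescript
// Policy shape as patched by the tool (assumption: these are the only two fields that matter).
interface GroupConsentPolicy {
  isEnabled?: boolean;
  blockGroupOwnerConsentForApps?: boolean;
}

interface ConsentStatus {
  blocked: boolean;
  compliant: boolean;
  findings: string[];
}

// Pure check: compliant only when the policy is enabled AND blocks group owner consent.
// A missing policy is treated as non-compliant rather than silently passing.
function evaluateGroupConsent(policy: GroupConsentPolicy | null | undefined): ConsentStatus {
  const findings: string[] = [];
  if (!policy) {
    findings.push('groupConsentPolicy not returned; treating as non-compliant');
    return { blocked: false, compliant: false, findings };
  }
  if (policy.isEnabled !== true) findings.push('policy is not enabled');
  if (policy.blockGroupOwnerConsentForApps !== true) findings.push('group owners may still consent to apps');
  const blocked = policy.isEnabled === true && policy.blockGroupOwnerConsentForApps === true;
  return { blocked, compliant: blocked, findings };
}

// Minimal Graph-like interface (hypothetical) so the patch-then-verify flow runs offline.
interface GraphLike {
  get(path: string): Promise<GroupConsentPolicy>;
  patch(path: string, body: GroupConsentPolicy): Promise<void>;
}

// Send the same patch the tool sends, then read the policy back instead of assuming success.
async function restrictAndVerify(client: GraphLike): Promise<ConsentStatus> {
  const path = '/policies/groupConsentPolicy'; // endpoint path as used by the tool
  await client.patch(path, { isEnabled: true, blockGroupOwnerConsentForApps: true });
  const after = await client.get(path);
  return evaluateGroupConsent(after);
}

// Constructed in-memory fake standing in for a tenant's policy store (not a real Graph client).
function fakeGraph(initial: GroupConsentPolicy): GraphLike {
  let state: GroupConsentPolicy = { ...initial };
  return {
    async get() { return { ...state }; },
    async patch(_path, body) { state = { ...state, ...body }; },
  };
}
```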