DynamicEndpoints

BOD-25-01-CSA-Microsoft-Policy-MCP

restrict_group_consent

Prevent group owners from granting application consent to enforce Microsoft 365 security policies and comply with CISA BOD 25-01 requirements.

Instructions

Prevent group owners from consenting to applications (MS.AAD.5.4v1)

Input Schema

No arguments

Implementation Reference

  • The handler function that executes the 'restrict_group_consent' tool. It patches the Microsoft Graph API endpoint '/policies/groupConsentPolicy' to enable the policy and block group owners from consenting to applications.
    private async restrictGroupConsent() {
      try {
        // Configure group consent settings using Microsoft Graph API
        await this.graphClient
          .api('/policies/groupConsentPolicy')
          .patch({
            isEnabled: true,
            blockGroupOwnerConsentForApps: true,
          });

        return {
          content: [
            {
              type: 'text',
              text: 'Group owner application consent blocked successfully',
            },
          ],
        };
      } catch (error: unknown) {
        throw new McpError(
          ErrorCode.InternalError,
          `Failed to restrict group consent: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • The registration of the 'restrict_group_consent' tool in the ListToolsRequestHandler response, including its name, description, and input schema.
    {
      name: 'restrict_group_consent',
      description: 'Prevent group owners from consenting to applications (MS.AAD.5.4v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'disable_password_expiry',
      description: 'Disable password expiration (MS.AAD.6.1v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'configure_global_admins',
      description: 'Configure Global Administrator role assignments (MS.AAD.7.1v1)',
      inputSchema: {
        type: 'object',
        properties: {
          userIds: {
            type: 'array',
            items: { type: 'string', },
            minItems: 2,
            maxItems: 8,
            description: 'List of user IDs to assign Global Administrator role',
          },
        },
        required: ['userIds'],
      },
    },
    {
      name: 'enforce_granular_roles',
      description: 'Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'enforce_cloud_accounts',
      description: 'Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'enforce_pam',
      description: 'Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'configure_global_admin_approval',
      description: 'Configure approval requirement for Global Administrator activation (MS.AAD.7.6v1)',
      inputSchema: { type: 'object', properties: {}, },
    },
    {
      name: 'configure_role_alerts',
      description: 'Configure alerts for privileged role assignments (MS.AAD.7.7v1)',
      inputSchema: {
        type: 'object',
        properties: {
          notificationEmails: {
            type: 'array',
            items: { type: 'string', },
            description: 'Email addresses to notify on role assignments',
          },
        },
        required: ['notificationEmails'],
      },
    },
    {
      name: 'configure_admin_alerts',
      description: 'Configure alerts for Global Administrator activation (MS.AAD.7.8v1)',
      inputSchema: {
        type: 'object',
        properties: {
          notificationEmails: {
            type: 'array',
            items: { type: 'string', },
            description: 'Email addresses to notify on role activation',
          },
        },
        required: ['notificationEmails'],
      },
    },
    {
      name: 'get_policy_status',
      description: 'Get current status of all CISA M365 security policies',
      inputSchema: { type: 'object', properties: {}, },
    },
    ],
  • The switch case in CallToolRequestHandler that dispatches calls to the 'restrict_group_consent' handler method.
    case 'restrict_group_consent':
      return await this.restrictGroupConsent();
  • The input schema for the 'restrict_group_consent' tool, which expects no parameters (empty object).
    inputSchema: { type: 'object', properties: {}, },
  • Helper logic in get_policy_status that checks the status of the group consent policy.
    groupConsent: {
      blocked: groupConsent.blockGroupOwnerConsentForApps,
      compliant: true,
    },
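
In the excerpts shown, the handler reports success as soon as the PATCH returns and the status helper sets `compliant: true` regardless of the `blocked` value. The following is an added example, not the project's own code, that derives compliance from a read-back of the same endpoint. The function names, the `GraphReader` type, the sample responses and the rule that both fields the handler sets must read back `true` are assumptions.

```typescript
// Added example: field names come from the page's handler; all other names are hypothetical.
interface GroupConsentStatus {
  blocked: boolean;
  compliant: boolean;
  reason: string;
}

// Minimal structural type for the part of the Graph client used here.
interface GraphReader {
  api(path: string): { get(): Promise<unknown> };
}

// Decide compliance from what the tenant returns, not from the absence of an error.
function evaluateGroupConsent(policy: unknown): GroupConsentStatus {
  if (typeof policy !== 'object' || policy === null) {
    return { blocked: false, compliant: false, reason: 'policy response is not an object' };
  }
  const p = policy as Record<string, unknown>;
  // Strict comparison: a missing field or a string such as "true" does not count.
  const enabled = p['isEnabled'] === true;
  const blocked = p['blockGroupOwnerConsentForApps'] === true;
  if (!blocked) {
    return { blocked, compliant: false, reason: 'blockGroupOwnerConsentForApps is not true' };
  }
  if (!enabled) {
    return { blocked, compliant: false, reason: 'policy is not enabled' };
  }
  return { blocked, compliant: true, reason: 'group owner consent is blocked' };
}

// Read the policy back after the PATCH; a failed read is reported as non-compliant.
async function verifyGroupConsent(client: GraphReader): Promise<GroupConsentStatus> {
  try {
    return evaluateGroupConsent(await client.api('/policies/groupConsentPolicy').get());
  } catch (error: unknown) {
    const message = error instanceof Error ? error.message : 'Unknown error';
    return { blocked: false, compliant: false, reason: `read-back failed: ${message}` };
  }
}

// Constructed sample responses (not captured from a real tenant).
const SAMPLE_COMPLIANT = { isEnabled: true, blockGroupOwnerConsentForApps: true };
const SAMPLE_DISABLED = { isEnabled: false, blockGroupOwnerConsentForApps: true };
const SAMPLE_STRINGLY = { isEnabled: true, blockGroupOwnerConsentForApps: 'true' };
```
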

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/Automated-BOD-25-01-CISA-Microsoft-Policies-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.