Microsoft 365 Core MCP Server

# Intune Policy Creation Resources - Implementation Complete ## Overview We have successfully added comprehensive resources to the M365 Core MCP Server to ensure accurate and reliable Intune policy creation. These resources provide templates, validation rules, examples, and conflict detection capabilities for both Windows and macOS platforms. ## Added Resources ### 1. Windows Policy Templates (`intune_windows_policy_templates`) **URI Pattern:** `intune://templates/windows/{policyType}` **Supported Policy Types:** - Configuration - Compliance - EndpointSecurity **Key Features:** - **BitLocker Settings**: Complete configuration options with required/optional fields - **Windows Update Settings**: Deferral periods, automatic updates, and Windows 11 upgrade settings - **Device Security Settings**: Firewall, antivirus, and security configurations - **Available Settings Documentation**: Type definitions, constraints, and default values - **Example Policies**: Working policy structures for immediate use **Example Content:** ```json { "Configuration": { "BitLockerSettings": { "description": "Configure BitLocker drive encryption settings", "availableSettings": { "requireDeviceEncryption": { "type": "boolean", "required": true }, "allowWarningForOtherDiskEncryption": { "type": "boolean", "default": false } }, "examplePolicy": { "@odata.type": "#microsoft.graph.windows10GeneralConfiguration", "displayName": "BitLocker Configuration", "bitLockerEncryptDevice": true } } } } ``` ### 2. macOS Policy Templates (`intune_macos_policy_templates`) **URI Pattern:** `intune://templates/macos/{policyType}` **Supported Policy Types:** - Configuration - Compliance **Key Features:** - **Security Settings**: Gatekeeper, firewall, and system integrity protection - **Restrictions Settings**: App Store, Safari, camera, and Spotlight controls - **System Compliance**: OS version requirements and security baselines - **Password Compliance**: Authentication and lock screen policies - **Platform-Specific Options**: macOS-only settings and configurations **Example Content:** ```json { "Configuration": { "SecuritySettings": { "description": "Configure macOS security and privacy settings", "availableSettings": { "gatekeeperAllowedAppSource": { "enum": ["notConfigured", "macAppStore", "macAppStoreAndIdentifiedDevelopers", "anywhere"] }, "firewallEnabled": { "type": "boolean", "default": true } } } } } ``` ### 3. Policy Validation Rules (`intune_policy_validation_rules`) **URI Pattern:** `intune://validation/rules/{platform}` **Platform Support:** windows, macos, all **Key Features:** - **Required Fields**: Lists mandatory fields for each policy type - **Field Validation**: Type checking, length limits, and pattern validation - **Conflict Rules**: Identifies settings that cannot be used together - **Best Practices**: Naming conventions, assignment recommendations, and guidelines - **OData Type Validation**: Ensures correct Microsoft Graph API types **Example Content:** ```json { "windows": { "Configuration": { "requiredFields": ["@odata.type", "displayName"], "fieldValidation": { "displayName": { "minLength": 1, "maxLength": 256 }, "osMinimumVersion": { "pattern": "^\\d+\\.\\d+\\.\\d+$" } }, "conflictRules": [ { "field": "bitLockerEncryptDevice", "conflictsWith": ["bitLockerDisableWarningForOtherDiskEncryption"], "reason": "Cannot disable encryption warnings when encryption is required" } ] } }, "bestPractices": { "naming": { "conventions": [ "Use descriptive names that indicate the policy purpose", "Include platform in the name (e.g., 'Windows Security Policy')" ] } } } ``` ### 4. Policy Examples (`intune_policy_examples`) **URI Pattern:** `intune://examples/{useCase}` **Available Use Cases:** - `corporate_security`: Standard security configurations - `compliance_baseline`: Minimum compliance requirements - `kiosk_mode`: Dedicated device configurations **Key Features:** - **Complete Policy Structures**: Ready-to-use policy definitions - **Assignment Examples**: Proper group targeting and assignment intent - **Multi-Platform Support**: Examples for both Windows and macOS - **Real-World Scenarios**: Common enterprise use cases - **Best Practice Implementation**: Following Microsoft recommendations **Example Content:** ```json { "corporate_security": { "description": "Standard corporate security configuration", "platforms": ["windows", "macos"], "policies": [ { "name": "Corporate BitLocker Policy", "platform": "windows", "type": "Configuration", "policy": { "@odata.type": "#microsoft.graph.windows10GeneralConfiguration", "displayName": "Corporate BitLocker Configuration", "bitLockerEncryptDevice": true }, "assignments": [ { "groupName": "Corporate Windows Devices", "intent": "apply" } ] } ] } } ``` ### 5. Existing Policies Resource (`intune_existing_policies`) **URI Pattern:** `intune://policies/existing/{policyType}` **Supported Policy Types:** - configuration - compliance - endpointSecurity - all **Key Features:** - **Live Data**: Fetches current policies from Microsoft Graph API - **Conflict Analysis**: Metadata for identifying potential conflicts - **Policy Counts**: Total number of existing policies by type - **Common Conflict Scenarios**: Documentation of typical overlap issues - **Last Updated Timestamp**: Data freshness indication **Example Content:** ```json { "metadata": { "totalPolicies": 15, "lastUpdated": "2025-06-17T10:30:00Z", "conflictAnalysis": { "note": "Review existing policies before creating new ones to avoid conflicts", "commonConflicts": [ "Multiple BitLocker policies targeting the same devices", "Overlapping Windows Update settings", "Conflicting password policies" ] } }, "policies": { "configuration": [...], "compliance": [...], "endpointSecurity": [...] } } ``` ## Enhanced Policy Creation Tool ### Tool: `create_intune_policy` **Description:** Create accurate and complete Intune policies for Windows or macOS with validated settings and proper structure **Parameters:** - `platform`: "windows" | "macos" - `policyType`: "Configuration" | "Compliance" | "Security" | "Update" | "AppProtection" | "EndpointSecurity" - `displayName`: string (required) - `description`: string (optional) - `settings`: object (platform and type-specific) - `assignments`: array (optional) **Key Features:** - **Schema Validation**: Type-safe parameter validation using Zod - **Platform-Aware**: Delegates to appropriate platform-specific handlers - **Error Handling**: Comprehensive error messages and validation feedback - **Unified Interface**: Single tool for all Intune policy types and platforms ## Implementation Benefits ### 1. Accuracy Improvements - **Template-Driven**: Uses Microsoft Graph API-compliant templates - **Validation Rules**: Prevents common configuration errors - **Field Constraints**: Type and length validation for all settings - **OData Type Checking**: Ensures correct API object types ### 2. Conflict Prevention - **Existing Policy Review**: Check current policies before creating new ones - **Setting Conflicts**: Identifies incompatible setting combinations - **Group Assignment**: Prevents overlapping assignments to same devices - **Best Practice Guidance**: Built-in recommendations for deployment ### 3. Developer Experience - **Rich Documentation**: Complete examples and available settings - **Platform-Specific**: Separate resources for Windows and macOS - **Use Case Examples**: Real-world scenarios and configurations - **Error Prevention**: Validation before API calls ### 4. Enterprise Readiness - **Security Focused**: Templates based on security best practices - **Compliance Support**: Built-in compliance baseline examples - **Scalable**: Supports assignment to device groups - **Audit Ready**: Complete policy documentation and validation ## Usage Workflow ### 1. Plan Policy Creation ``` 1. Review: intune_policy_examples for similar use cases 2. Check: intune_existing_policies to avoid conflicts 3. Select: intune_windows_policy_templates or intune_macos_policy_templates ``` ### 2. Configure Policy Settings ``` 1. Reference: Policy templates for available settings 2. Validate: intune_policy_validation_rules for requirements 3. Structure: Use example policies as starting point ``` ### 3. Create and Deploy ``` 1. Use: create_intune_policy tool with validated settings 2. Test: Deploy to pilot group first 3. Monitor: Check compliance and effectiveness ``` ## Technical Implementation ### Files Modified/Added: - `src/server.ts`: Added 5 new resource definitions in setupResources method - `src/tool-definitions-intune.ts`: Schema definitions for policy creation - `src/handlers/intune-handler.ts`: Unified policy creation handler - `src/types.ts`: CreateIntunePolicyArgs interface ### Integration Points: - **Microsoft Graph API**: Direct integration for policy creation and retrieval - **MCP Resource System**: Standard resource template pattern - **Zod Validation**: Type-safe schema validation - **Error Handling**: Comprehensive McpError integration ### Testing and Validation: - **Build Verification**: TypeScript compilation successful - **Resource Structure**: All templates follow consistent patterns - **Schema Validation**: Tool parameters properly typed - **Documentation**: Complete usage examples and guidelines ## Summary The implementation is now complete with comprehensive resources that ensure accurate Intune policy creation. The system provides: ✅ **5 New Resources** for templates, validation, examples, and conflict detection ✅ **Enhanced Policy Tool** with schema-driven validation ✅ **Platform Support** for both Windows and macOS ✅ **Best Practices** built into templates and examples ✅ **Conflict Prevention** through existing policy review ✅ **Type Safety** with Zod schema validation ✅ **Enterprise Ready** with security-focused templates The resources work together to provide a complete policy creation ecosystem that prevents errors, follows best practices, and ensures compliance with Microsoft Graph API requirements.