DynamicEndpoints

BOD-25-01-CSA-Microsoft-Policy-MCP

configure_global_admins

Assign Global Administrator roles to users in Microsoft 365 to manage access and enforce security policies according to BOD 25-01 requirements.

Instructions

Configure Global Administrator role assignments (MS.AAD.7.1v1)

Input Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| userIds | Yes | List of user IDs to assign Global Administrator role | |

Implementation Reference

  • The main handler function that executes the tool: validates args, removes existing Global Admin assignments, adds new ones for provided userIds using Microsoft Graph API.
    private async configureGlobalAdmins(args: RoleAssignmentArgs) {
      try {
        if (args.userIds.length < 2 || args.userIds.length > 8) {
          throw new McpError(
            ErrorCode.InvalidParams,
            'Number of Global Administrators must be between 2 and 8'
          );
        }
    
        // Configure Global Administrator assignments using Microsoft Graph API.
        // Graph addresses a directory role by its role template ID, not by display
        // name; this is the well-known template ID of Global Administrator.
        const globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10';
        const rolePath = `/directoryRoles(roleTemplateId='${globalAdminRoleId}')`;
        
        // Remove existing assignments (membership links are deleted via /$ref)
        const existingAssignments = await this.graphClient
          .api(`${rolePath}/members`)
          .get();
    
        for (const assignment of existingAssignments.value) {
          await this.graphClient
            .api(`${rolePath}/members/${assignment.id}/$ref`)
            .delete();
        }
    
        // Add new assignments
        for (const userId of args.userIds) {
          await this.graphClient
            .api(`${rolePath}/members/$ref`)
            .post({
              '@odata.id': `https://graph.microsoft.com/v1.0/users/${userId}`,
            });
        }
    
        return {
          content: [
            {
              type: 'text',
              text: `Global Administrator role configured with ${args.userIds.length} users successfully`,
            },
          ],
        };
      } catch (error: unknown) {
        throw new McpError(
          ErrorCode.InternalError,
          `Failed to configure Global Administrators: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • Tool registration in ListToolsRequestSchema handler, including name, description, and input schema requiring userIds array (2-8 users).
    {
      name: 'configure_global_admins',
      description: 'Configure Global Administrator role assignments (MS.AAD.7.1v1)',
      inputSchema: {
        type: 'object',
        properties: {
          userIds: {
            type: 'array',
            items: {
              type: 'string',
            },
            minItems: 2,
            maxItems: 8,
            description: 'List of user IDs to assign Global Administrator role',
          },
        },
        required: ['userIds'],
      },
    },
  • TypeScript interface defining the input arguments for role assignment tools, including userIds and roleId.
    interface RoleAssignmentArgs {
      userIds: string[];
      roleId: string;
    }
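  • Runtime type guard function to validate RoleAssignmentArgs input before calling the handler. It also requires roleId to be a string, a property the configure_global_admins input schema does not declare.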
    function isRoleAssignmentArgs(args: unknown): args is RoleAssignmentArgs {
      if (typeof args !== 'object' || args === null) return false;
      const a = args as Record<string, unknown>;
      return (
        Array.isArray(a.userIds) &&
        a.userIds.every(id => typeof id === 'string') &&
        typeof a.roleId === 'string'
      );
    }
  • Dispatch case in the main CallToolRequestSchema switch that validates arguments and delegates to the configureGlobalAdmins handler.
    case 'configure_global_admins': {
      if (!isRoleAssignmentArgs(request.params.arguments)) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'Invalid role assignment arguments'
        );
      }
      return await this.configureGlobalAdmins(request.params.arguments);
    }
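
The handler above deletes every existing member of the role before it adds the new ones, so a failure partway through leaves the role with fewer members than intended. The following is an added example, not the project's code: a hypothetical `planGlobalAdminChange` helper that computes only the difference, orders additions before removals, accepts only GUID-shaped IDs (they are interpolated into request URLs), and refuses to remove an optional, assumed `callerId`.

```typescript
// Added example, not code from the MCP server project.
// Well-known role template ID of the Global Administrator role.
const GLOBAL_ADMIN_TEMPLATE_ID = '62e90394-69f5-4237-9190-012177145e10';
const ROLE_PATH = `/directoryRoles(roleTemplateId='${GLOBAL_ADMIN_TEMPLATE_ID}')`;
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

interface GraphRequest {
  method: 'POST' | 'DELETE';
  path: string;
  body?: { '@odata.id': string };
}

// Lower-case and de-duplicate a list of object IDs.
const uniq = (ids: string[]): string[] =>
  ids.map((id) => id.toLowerCase()).filter((id, i, a) => a.indexOf(id) === i);

// Hypothetical helper: returns the ordered Graph calls that move the role from
// `current` members to `desired` members. It only plans; it sends nothing.
function planGlobalAdminChange(
  current: string[],
  desired: string[],
  callerId?: string,
): GraphRequest[] {
  const want = uniq(desired);
  const have = uniq(current);
  // Same bound as the tool's input schema, applied after de-duplication.
  if (want.length < 2 || want.length > 8) {
    throw new Error('Number of Global Administrators must be between 2 and 8');
  }
  // IDs end up inside request URLs, so accept object-ID GUIDs only.
  for (const id of want.concat(have)) {
    if (!GUID_RE.test(id)) throw new Error(`Not an object ID: ${id}`);
  }
  // Refuse a plan that strips the role from the identity running it.
  const caller = callerId?.toLowerCase();
  if (caller && have.indexOf(caller) >= 0 && want.indexOf(caller) < 0) {
    throw new Error('Plan would remove the calling identity');
  }
  const adds = want.filter((id) => have.indexOf(id) < 0).map((id): GraphRequest => ({
    method: 'POST',
    path: `${ROLE_PATH}/members/$ref`,
    body: { '@odata.id': `https://graph.microsoft.com/v1.0/users/${id}` },
  }));
  const removes = have.filter((id) => want.indexOf(id) < 0).map((id): GraphRequest => ({
    method: 'DELETE',
    path: `${ROLE_PATH}/members/${id}/$ref`,
  }));
  // Additions first: if a later call fails, the previous admins are still in place.
  return adds.concat(removes);
}
```

Logging the returned plan before executing it gives a reviewable record of exactly which memberships will change.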
