DynamicEndpoints

BOD-25-01-CSA-Microsoft-Policy-MCP

configure_global_admins

Assign Global Administrator roles to users in Microsoft 365 to manage access and enforce security policies according to BOD 25-01 requirements.

Instructions

Configure Global Administrator role assignments (MS.AAD.7.1v1)

Input Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| userIds | Yes | List of user IDs to assign Global Administrator role | |

Implementation Reference

  • The main handler function that executes the tool: validates args, removes existing Global Admin assignments, adds new ones for provided userIds using Microsoft Graph API.
    private async configureGlobalAdmins(args: RoleAssignmentArgs) {
      try {
        if (args.userIds.length < 2 || args.userIds.length > 8) {
          throw new McpError(
            ErrorCode.InvalidParams,
            'Number of Global Administrators must be between 2 and 8'
          );
        }
    
        // Configure Global Administrator assignments using Microsoft Graph API.
        // Graph addresses a directory role by its role template ID, not its display name;
        // this GUID is the well-known template ID of the Global Administrator role.
        const globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10';
        const rolePath = `/directoryRoles(roleTemplateId='${globalAdminRoleId}')`;
        
        // Remove existing assignments (every current member, including any not in userIds)
        const existingAssignments = await this.graphClient
          .api(`${rolePath}/members`)
          .get();
    
        for (const assignment of existingAssignments.value) {
          // Membership is removed by deleting the reference ($ref), not the member object
          await this.graphClient
            .api(`${rolePath}/members/${assignment.id}/$ref`)
            .delete();
        }
    
        // Add new assignments
        for (const userId of args.userIds) {
          await this.graphClient
            .api(`${rolePath}/members/$ref`)
            .post({
              '@odata.id': `https://graph.microsoft.com/v1.0/users/${userId}`,
            });
        }
    
        return {
          content: [
            {
              type: 'text',
              text: `Global Administrator role configured with ${args.userIds.length} users successfully`,
            },
          ],
        };
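      } catch (error: unknown) {
        // Keep the InvalidParams error from the count check instead of re-wrapping it
        if (error instanceof McpError) throw error;
        throw new McpError(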
          ErrorCode.InternalError,
          `Failed to configure Global Administrators: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • Tool registration in ListToolsRequestSchema handler, including name, description, and input schema requiring userIds array (2-8 users).
    {
      name: 'configure_global_admins',
      description: 'Configure Global Administrator role assignments (MS.AAD.7.1v1)',
      inputSchema: {
        type: 'object',
        properties: {
          userIds: {
            type: 'array',
            items: {
              type: 'string',
            },
            minItems: 2,
            maxItems: 8,
            description: 'List of user IDs to assign Global Administrator role',
          },
        },
        required: ['userIds'],
      },
    },
  • TypeScript interface defining the input arguments for role assignment tools, including userIds and roleId.
    interface RoleAssignmentArgs {
      userIds: string[];
      roleId: string;
    }
  • Runtime type guard function to validate RoleAssignmentArgs input before calling the handler.
    function isRoleAssignmentArgs(args: unknown): args is RoleAssignmentArgs {
      if (typeof args !== 'object' || args === null) return false;
      const a = args as Record<string, unknown>;
      return (
        Array.isArray(a.userIds) &&
        a.userIds.every(id => typeof id === 'string') &&
        typeof a.roleId === 'string'
      );
    }
  • Dispatch case in the main CallToolRequestSchema switch that validates arguments and delegates to the configureGlobalAdmins handler.
    case 'configure_global_admins': {
      if (!isRoleAssignmentArgs(request.params.arguments)) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'Invalid role assignment arguments'
        );
      }
      return await this.configureGlobalAdmins(request.params.arguments);
    }
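
The handler above deletes every current member before adding the new ones, so a failed add can leave the role with fewer administrators than intended. An added sketch (not the project's code) that plans the change as a diff, adds before it removes, and validates IDs before they reach a Graph URL; `planGlobalAdminChange`, `PlannedStep` and `protectedIds` are hypothetical names and the sample IDs are constructed.

```typescript
// Added example: plan a Global Administrator change as a diff instead of remove-all-then-add.
// planGlobalAdminChange, PlannedStep and protectedIds are hypothetical names, not project code.
type PlannedStep = { op: 'add' | 'remove'; userId: string };

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Lower-case and de-duplicate so the same user listed twice counts once.
const norm = (ids: string[]): string[] =>
  ids.map(id => id.toLowerCase()).filter((id, i, all) => all.indexOf(id) === i);

function planGlobalAdminChange(
  current: string[],      // object IDs that hold the role now
  desired: string[],      // the tool's userIds argument
  protectedIds: string[], // assumed emergency-access accounts that must never be removed
): PlannedStep[] {
  // Reject anything that is not a bare object ID before it is interpolated into a URL.
  const bad = desired.filter(id => !GUID.test(id));
  if (bad.length > 0) throw new Error(`Not a directory object ID: ${bad.join(', ')}`);

  const want = norm(desired);
  if (want.length < 2 || want.length > 8) {
    throw new Error('Number of Global Administrators must be between 2 and 8');
  }
  const have = norm(current);

  // A protected account that holds the role today must still hold it afterwards.
  const lost = norm(protectedIds).filter(id => have.indexOf(id) >= 0 && want.indexOf(id) < 0);
  if (lost.length > 0) throw new Error(`Refusing to remove protected account(s): ${lost.join(', ')}`);

  // Adds come first: if a later call fails, the previous administrators are still in place.
  const adds = want
    .filter(id => have.indexOf(id) < 0)
    .map((userId): PlannedStep => ({ op: 'add', userId }));
  const removes = have
    .filter(id => want.indexOf(id) < 0)
    .map((userId): PlannedStep => ({ op: 'remove', userId }));
  return adds.concat(removes);
}

// Constructed sample IDs, not real accounts.
const A = '11111111-1111-4111-8111-111111111111';
const B = '22222222-2222-4222-8222-222222222222';
const C = '33333333-3333-4333-8333-333333333333';
console.log(planGlobalAdminChange([A, B], [B, C], []));
```

Accounts present in both lists produce no step, so their assignment is never touched.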
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It states 'configure' which implies a write operation, but does not specify permissions required, whether changes are reversible, potential side effects, or any rate limits. This is a significant gap for a tool that modifies administrator roles.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that directly states the tool's purpose without unnecessary details. It is front-loaded and wastes no words, making it easy for an agent to parse quickly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of configuring global administrators, the lack of annotations and output schema means the description should provide more context. It does not cover behavioral aspects like security implications, error handling, or response format, leaving the agent with incomplete information for safe and effective use.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 100% description coverage, with 'userIds' clearly documented as a list of user IDs for role assignment, including constraints (2-8 items). The description does not add any additional meaning beyond this, such as format examples or validation rules, so it meets the baseline for high schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('configure') and resource ('Global Administrator role assignments'), with a specific reference to MS.AAD.7.1v1 indicating a compliance or technical standard. However, it does not explicitly differentiate from sibling tools like 'configure_admin_alerts' or 'configure_role_alerts', which might involve similar configuration actions but for different aspects.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives, such as 'enforce_granular_roles' or 'configure_admin_consent', which could be related to role management. There is no mention of prerequisites, context, or exclusions, leaving the agent without clear usage instructions.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/Automated-BOD-25-01-CISA-Microsoft-Policies-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server