enforce_alternative_mfa
Enforce alternative multi-factor authentication methods when phishing-resistant MFA is not implemented, addressing Microsoft 365 security compliance requirements.
Instructions
Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Implementation Reference
- cisa-m365/src/index.ts:529-557 (handler)The handler function that implements the 'enforce_alternative_mfa' tool by updating the authentication methods policy to enable Microsoft Authenticator as an alternative MFA method.
private async enforceAlternativeMFA() { try { // Configure alternative MFA using Microsoft Graph API await this.graphClient .api('/policies/authenticationMethodsPolicy') .patch({ policies: { microsoftAuthenticator: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, }, }); return { content: [ { type: 'text', text: 'Alternative MFA method enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce alternative MFA: ${error instanceof Error ? error.message : 'Unknown error'}` ); } } - cisa-m365/src/index.ts:152-159 (registration)Registration of the 'enforce_alternative_mfa' tool in the MCP server, including name, description, and empty input schema.
{ name: 'enforce_alternative_mfa', description: 'Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)', inputSchema: { type: 'object', properties: {}, }, }, - cisa-m365/src/index.ts:155-159 (schema)Input schema for the 'enforce_alternative_mfa' tool, which requires no parameters.
inputSchema: { type: 'object', properties: {}, }, }, - cisa-m365/src/index.ts:331-332 (registration)Dispatch logic in the CallToolRequest handler that routes to the enforceAlternativeMFA method.
case 'enforce_alternative_mfa': return await this.enforceAlternativeMFA();