DynamicEndpoints

BOD-25-01-CSA-Microsoft-Policy-MCP

enforce_granular_roles

Enforce granular role assignments to replace Global Administrator privileges, implementing Microsoft 365 security policy MS.AAD.7.2v1 for compliance with CISA BOD 25-01 requirements.

Instructions

Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)

Input Schema

Name | Required | Description | Default

No arguments

Implementation Reference

  • The handler function that executes the 'enforce_granular_roles' tool. It patches the roleManagementPolicies endpoint in Microsoft Graph API to set enforceGranularRoles to true and blockGlobalAdminForGeneralUse to true, then returns a success message.
    private async enforceGranularRoles() {
      try {
        // Configure role settings using Microsoft Graph API
        await this.graphClient
          .api('/policies/roleManagementPolicies')
          .patch({
            enforceGranularRoles: true,
            blockGlobalAdminForGeneralUse: true,
          });
    
        return {
          content: [
            {
              type: 'text',
              text: 'Granular role usage enforced successfully',
            },
          ],
        };
      } catch (error: unknown) {
        throw new McpError(
          ErrorCode.InternalError,
          `Failed to enforce granular roles: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    }
  • Registration of the 'enforce_granular_roles' tool in the ListTools response, including its name, description, and input schema (empty object).
    {
      name: 'enforce_granular_roles',
      description: 'Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)',
      inputSchema: {
        type: 'object',
        properties: {},
      },
    },
  • Input schema for the 'enforce_granular_roles' tool, which expects an empty object (no parameters).
    inputSchema: {
      type: 'object',
      properties: {},
    },
  • Dispatcher switch case in the CallToolRequest handler that routes calls to the enforceGranularRoles method.
    case 'enforce_granular_roles':
      return await this.enforceGranularRoles();
  • Helper code in getPolicyStatus that checks the enforcement status of granular roles from roleManagement policies.
    granularRoles: {
      enforced: roleManagement.enforceGranularRoles,
      compliant: true,
    },
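The handler above reports success whenever the PATCH does not throw, and the status helper sets `compliant: true` unconditionally. The following is an added example, not the project's code, of deriving both status fields from a policy object read back after the change; the two field names are taken from the snippets above, while `granularRolesStatus` and the sample objects are hypothetical and constructed for illustration.

```typescript
// Added example. Field names come from the handler snippet on this page;
// the function name and the sample policy objects are constructed.
type RolePolicy = {
  enforceGranularRoles?: boolean;
  blockGlobalAdminForGeneralUse?: boolean;
};

// The settings the handler sends in its PATCH body.
const DESIRED: Required<RolePolicy> = {
  enforceGranularRoles: true,
  blockGlobalAdminForGeneralUse: true,
};

type GranularRolesStatus = {
  enforced: boolean;
  compliant: boolean;
  drift: string[]; // settings whose read-back value differs from DESIRED
};

// Compare a policy object read back from the service with the desired state.
// A missing, null or non-boolean field counts as drift, so the check fails closed.
function granularRolesStatus(readBack: unknown): GranularRolesStatus {
  const policy = (readBack !== null && typeof readBack === 'object'
    ? readBack
    : {}) as Record<string, unknown>;
  const drift: string[] = [];
  for (const key of Object.keys(DESIRED) as (keyof RolePolicy)[]) {
    if (policy[key] !== DESIRED[key]) drift.push(key);
  }
  return {
    enforced: policy['enforceGranularRoles'] === true,
    compliant: drift.length === 0,
    drift,
  };
}

// Constructed read-back samples: fully applied, partially applied, ignored.
const applied = granularRolesStatus({
  enforceGranularRoles: true,
  blockGlobalAdminForGeneralUse: true,
});
const partial = granularRolesStatus({ enforceGranularRoles: true });
const ignored = granularRolesStatus({});
console.log(applied, partial, ignored);
```

Reporting the `drift` list alongside `compliant` lets a caller see which setting failed to apply instead of a bare pass or fail.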

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/Automated-BOD-25-01-CISA-Microsoft-Policies-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.