enforce_pam
Enforce Privileged Access Management to control privileged role assignments in Microsoft 365 environments, implementing CSA BOD 25-01 security requirements.
Instructions
Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Implementation Reference
- cisa-m365/src/index.ts:886-910 (handler)The main handler function that implements the 'enforce_pam' tool logic by configuring Privileged Access Management (PAM) settings via Microsoft Graph API.
private async enforcePAM() { try { // Configure PAM settings using Microsoft Graph API await this.graphClient .api('/policies/privilegedAccessPolicy') .patch({ requirePAMForPrivilegedRoles: true, blockDirectAssignment: true, }); return { content: [ { type: 'text', text: 'PAM system enforcement configured successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce PAM: ${error instanceof Error ? error.message : 'Unknown error'}` ); } } - cisa-m365/src/index.ts:259-266 (registration)Registration of the 'enforce_pam' tool in the list of available tools, including its description and empty input schema.
{ name: 'enforce_pam', description: 'Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)', inputSchema: { type: 'object', properties: {}, }, }, - cisa-m365/src/index.ts:362-363 (registration)Dispatch case in the CallToolRequest handler that routes calls to the 'enforce_pam' tool to its implementation method.
case 'enforce_pam': return await this.enforcePAM();