enforce_phishing_resistant_mfa
Enforce phishing-resistant multi-factor authentication for all users to meet BOD 25-01 compliance requirements in Microsoft 365 environments.
Instructions
Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Implementation Reference
- cisa-m365/src/index.ts:495-527 (handler)The handler function that executes the tool logic: patches the Microsoft Graph API /policies/authenticationMethodsPolicy to enable phishing-resistant MFA methods (FIDO2 and Windows Hello for Business).
private async enforcePhishingResistantMFA() { try { // Configure MFA policy using Microsoft Graph API await this.graphClient .api('/policies/authenticationMethodsPolicy') .patch({ policies: { fido2: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, windowsHelloForBusiness: { isEnabled: true, isSelfServiceRegistrationAllowed: true, }, }, }); return { content: [ { type: 'text', text: 'Phishing-resistant MFA enforced successfully', }, ], }; } catch (error: unknown) { throw new McpError( ErrorCode.InternalError, `Failed to enforce phishing-resistant MFA: ${error instanceof Error ? error.message : 'Unknown error'}` ); } } - cisa-m365/src/index.ts:144-151 (registration)Tool registration in the ListTools response, including name, description, and input schema (empty object).
{ name: 'enforce_phishing_resistant_mfa', description: 'Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)', inputSchema: { type: 'object', properties: {}, }, }, - cisa-m365/src/index.ts:329-330 (registration)Dispatcher case in the CallToolRequest handler that routes to the enforcePhishingResistantMFA method.
case 'enforce_phishing_resistant_mfa': return await this.enforcePhishingResistantMFA(); - cisa-m365/src/index.ts:147-150 (schema)Input schema definition for the tool (empty object, no parameters).
inputSchema: { type: 'object', properties: {}, },