BOD-25-01-CSA-Microsoft-Policy-MCP

Overview Schema Related Servers Score Discussions

enforce_privileged_mfa

Enforce phishing-resistant multi-factor authentication for privileged roles to comply with CSA BOD 25-01 requirements in Microsoft 365 environments.

Instructions

Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)

Input Schema

TableJSON Schema

Name	Required	Description	Default
No arguments

Implementation Reference

cisa-m365/src/index.ts:614-650 (handler)

The handler function for the 'enforce_privileged_mfa' tool. It creates a Conditional Access Policy via Microsoft Graph API that requires phishing-resistant MFA (FIDO2 or Windows Hello for Business) for privileged roles such as Global Administrator and Privileged Role Administrator.

private async enforcePrivilegedMFA() {
  try {
    // Configure MFA for privileged roles using Microsoft Graph API
    await this.graphClient
      .api('/policies/conditionalAccessPolicies')
      .post({
        displayName: 'Require Phishing-resistant MFA for Privileged Roles',
        state: 'enabled',
        conditions: {
          applications: {
            includeApplications: ['all'],
          },
          users: {
            includeRoles: ['Global Administrator', 'Privileged Role Administrator'],
          },
        },
        grantControls: {
          operator: 'AND',
          builtInControls: ['fido2', 'windowsHelloForBusiness'],
        },
      });

    return {
      content: [
        {
          type: 'text',
          text: 'Phishing-resistant MFA enforced for privileged roles successfully',
        },
      ],
    };
  } catch (error: unknown) {
    throw new McpError(
      ErrorCode.InternalError,
      `Failed to enforce privileged MFA: ${error instanceof Error ? error.message : 'Unknown error'}`
    );
  }
}

cisa-m365/src/index.ts:176-183 (registration)

Registers the 'enforce_privileged_mfa' tool in the MCP server's tool list, including its name, description, and input schema (empty object).

{
  name: 'enforce_privileged_mfa',
  description: 'Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)',
  inputSchema: {
    type: 'object',
    properties: {},
  },
},

cisa-m365/src/index.ts:179-182 (schema)
Defines the input schema for the 'enforce_privileged_mfa' tool as an empty object (no parameters required).
```
inputSchema: {
  type: 'object',
  properties: {},
},
```
cisa-m365/src/index.ts:337-338 (registration)
Switch case in the CallToolRequest handler that dispatches calls to 'enforce_privileged_mfa' to the enforcePrivilegedMFA method.
```
case 'enforce_privileged_mfa':
  return await this.enforcePrivilegedMFA();
```

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DynamicEndpoints/Automated-BOD-25-01-CISA-Microsoft-Policies-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server