BOD-25-01-CSA-Microsoft-Policy-MCP

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| CLIENT_ID | Yes | Your Azure AD application client ID | |
| TENANT_ID | Yes | Your Azure AD tenant ID | |
| CLIENT_SECRET | Yes | Your Azure AD application client secret | |

Schema

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

Tools

Functions exposed to the LLM to take actions

| Name | Description |
| --- | --- |
| block_legacy_auth | Block legacy authentication (MS.AAD.1.1v1) |
| block_high_risk_users | Block users detected as high risk (MS.AAD.2.1v1) |
| block_high_risk_signins | Block sign-ins detected as high risk (MS.AAD.2.3v1) |
| enforce_phishing_resistant_mfa | Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1) |
| enforce_alternative_mfa | Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1) |
| configure_authenticator_context | Configure Microsoft Authenticator to show login context (MS.AAD.3.3v1) |
| complete_auth_methods_migration | Set Authentication Methods Manage Migration to Complete (MS.AAD.3.4v1) |
| enforce_privileged_mfa | Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1) |
| restrict_app_registration | Allow only administrators to register applications (MS.AAD.5.1v1) |
| restrict_app_consent | Allow only administrators to consent to applications (MS.AAD.5.2v1) |
| configure_admin_consent | Configure admin consent workflow for applications (MS.AAD.5.3v1) |
| restrict_group_consent | Prevent group owners from consenting to applications (MS.AAD.5.4v1) |
| disable_password_expiry | Disable password expiration (MS.AAD.6.1v1) |
| configure_global_admins | Configure Global Administrator role assignments (MS.AAD.7.1v1) |
| enforce_granular_roles | Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1) |
| enforce_cloud_accounts | Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1) |
| enforce_pam | Enforce PAM system for privileged role assignments (MS.AAD.7.5v1) |
| configure_global_admin_approval | Configure approval requirement for Global Administrator activation (MS.AAD.7.6v1) |
| configure_role_alerts | Configure alerts for privileged role assignments (MS.AAD.7.7v1) |
| configure_admin_alerts | Configure alerts for Global Administrator activation (MS.AAD.7.8v1) |
| get_policy_status | Get current status of all CISA M365 security policies |