CISA M365

BOD 25-01: Implementing Secure Practices for Cloud Services Required Configurations MCP
  • javascript

4

GitHub Stars

javascript

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "dynamicendpoints-automated-bod-25-01-cisa-microsoft-policies-mcp": {
      "command": "node",
      "args": [
        "path/to/cisa-m365/build/index.js"
      ],
      "env": {
        "CLIENT_ID": "your-client-id",
        "TENANT_ID": "your-tenant-id",
        "CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}

You run the CISA M365 MCP Server to configure and enforce Microsoft 365 security controls via the MCP protocol. It integrates with Microsoft Graph to apply BOD 25-01 security policies, monitor compliance, and provide actionable status reports while offering structured command-based interactions through MCP clients.

How to use

Use an MCP client to send tool requests to the CISA M365 MCP Server. You can request policy status, block legacy authentication, enforce phishing-resistant MFA, manage privileged roles, control application registration, and adjust password and risk-based access settings. The server authenticates with Microsoft Graph, applies the requested policies, and returns the results or status updates back to your MCP client.

How to install

Prerequisites you need before starting: Node.js 18.x or higher, and a Microsoft 365 tenant with admin access.

  1. Install the MCP server using the supported installer, or clone the project and install dependencies.

  2. Build the server so it can run the compiled JavaScript assets.

  3. Configure environment variables for your Azure AD application and tenant.

  4. Start the MCP server and register it with your MCP client setup.

Configuration

Create an Azure AD application and grant the required permissions, then set up environment variables for the server to authenticate to Microsoft Graph.

MCP settings for running the server locally can be defined as shown below. This example config uses node to run the server binary from the specified path and passes the necessary credentials via environment variables.

{
  "mcpServers": {
    "cisa-m365": {
      "command": "node",
      "args": ["path/to/cisa-m365/build/index.js"],
      "env": {
        "TENANT_ID": "your-tenant-id",
        "CLIENT_ID": "your-client-id",
        "CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}

Security considerations

Securely store tokens and credentials, rotate tokens regularly, and monitor for unusual activity. Follow principle of least privilege for Graph API permissions and implement audit logging for policy changes.

Usage examples

Once the server is running, you can perform operations such as blocking legacy authentication, configuring MFA, restricting app registration, and getting the current policy status through your MCP client. Each tool call returns a result or status that you can interpret to verify compliance with BOD 25-01 controls.

API reference (high level)

The server exposes tool endpoints for core controls such as legacy authentication, high-risk user blocking, MFA configuration, application controls, password policy, and privileged role management. Each tool invocation returns a structured result indicating success, fail state, or the current policy status.

Troubleshooting

If you encounter authentication or API errors, verify that your Azure AD app has the correct permissions, and that TENANT_ID, CLIENT_ID, and CLIENT_SECRET are set correctly in your environment. Check token refresh behavior and ensure network access to Microsoft Graph endpoints.

Testing

Run unit, integration, and compliance tests as part of your CI pipeline to ensure policy changes are applied correctly and that reporting remains accurate across updates.

Notes

This MCP server focuses on enforcing Microsoft 365 security controls in line with BOD 25-01. It uses a Graph client with type-safe request handling, includes error handling and logging, and follows a token-based authentication flow to keep interactions secure.

Available tools

block_legacy_auth

Block legacy authentication methods to reduce exposure to older protocols.

block_high_risk_users

Block users and sign-ins identified as high risk using threat intelligence.

enforce_phishing_resistant_mfa

Enforce phishing-resistant MFA methods and configure alternative MFA options.

configure_global_admins

Restrict app registration and consent to admins, and configure admin consent workflow.

get_policy_status

Get the current status of all security policies.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational