- Home
- MCP servers
- CISA M365
CISA M365
- javascript
4
GitHub Stars
javascript
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
View docs{
"mcpServers": {
"dynamicendpoints-automated-bod-25-01-cisa-microsoft-policies-mcp": {
"command": "node",
"args": [
"path/to/cisa-m365/build/index.js"
],
"env": {
"CLIENT_ID": "your-client-id",
"TENANT_ID": "your-tenant-id",
"CLIENT_SECRET": "your-client-secret"
}
}
}
}You run the CISA M365 MCP Server to configure and enforce Microsoft 365 security controls via the MCP protocol. It integrates with Microsoft Graph to apply BOD 25-01 security policies, monitor compliance, and provide actionable status reports while offering structured command-based interactions through MCP clients.
How to use
Use an MCP client to send tool requests to the CISA M365 MCP Server. You can request policy status, block legacy authentication, enforce phishing-resistant MFA, manage privileged roles, control application registration, and adjust password and risk-based access settings. The server authenticates with Microsoft Graph, applies the requested policies, and returns the results or status updates back to your MCP client.
How to install
Prerequisites you need before starting: Node.js 18.x or higher, and a Microsoft 365 tenant with admin access.
-
Install the MCP server using the supported installer, or clone the project and install dependencies.
-
Build the server so it can run the compiled JavaScript assets.
-
Configure environment variables for your Azure AD application and tenant.
-
Start the MCP server and register it with your MCP client setup.
Configuration
Create an Azure AD application and grant the required permissions, then set up environment variables for the server to authenticate to Microsoft Graph.
MCP settings for running the server locally can be defined as shown below. This example config uses node to run the server binary from the specified path and passes the necessary credentials via environment variables.
{
"mcpServers": {
"cisa-m365": {
"command": "node",
"args": ["path/to/cisa-m365/build/index.js"],
"env": {
"TENANT_ID": "your-tenant-id",
"CLIENT_ID": "your-client-id",
"CLIENT_SECRET": "your-client-secret"
}
}
}
}
Security considerations
Securely store tokens and credentials, rotate tokens regularly, and monitor for unusual activity. Follow principle of least privilege for Graph API permissions and implement audit logging for policy changes.
Usage examples
Once the server is running, you can perform operations such as blocking legacy authentication, configuring MFA, restricting app registration, and getting the current policy status through your MCP client. Each tool call returns a result or status that you can interpret to verify compliance with BOD 25-01 controls.
API reference (high level)
The server exposes tool endpoints for core controls such as legacy authentication, high-risk user blocking, MFA configuration, application controls, password policy, and privileged role management. Each tool invocation returns a structured result indicating success, fail state, or the current policy status.
Troubleshooting
If you encounter authentication or API errors, verify that your Azure AD app has the correct permissions, and that TENANT_ID, CLIENT_ID, and CLIENT_SECRET are set correctly in your environment. Check token refresh behavior and ensure network access to Microsoft Graph endpoints.
Testing
Run unit, integration, and compliance tests as part of your CI pipeline to ensure policy changes are applied correctly and that reporting remains accurate across updates.
Notes
This MCP server focuses on enforcing Microsoft 365 security controls in line with BOD 25-01. It uses a Graph client with type-safe request handling, includes error handling and logging, and follows a token-based authentication flow to keep interactions secure.
Available tools
block_legacy_auth
Block legacy authentication methods to reduce exposure to older protocols.
block_high_risk_users
Block users and sign-ins identified as high risk using threat intelligence.
enforce_phishing_resistant_mfa
Enforce phishing-resistant MFA methods and configure alternative MFA options.
configure_global_admins
Restrict app registration and consent to admins, and configure admin consent workflow.
get_policy_status
Get the current status of all security policies.