
Entra-ID-CISA-BOD25-01-Enforcement-Utility

A specialized Model Context Protocol (MCP) utility engineered to systematically deploy and validate security configurations within Microsoft Entra ID (Azure AD) environments, strictly conforming to the mandates established by CISA Binding Operational Directive 25-01 guidelines.

Author

DynamicEndpoints

No License

Quick Info

GitHub GitHub Stars 2
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Tags

azure, cisa, policies, services, dynamicendpoints, microsoft

CISA Directive 25-01 Compliance Module for Entra ID

This repository furnishes an MCP server dedicated to operationalizing the mandated security controls outlined in CISA's Binding Operational Directive 25-01, specifically targeting identity and access management components within the Microsoft 365 ecosystem, primarily Azure Active Directory (now Entra ID).

Executive Summary

This MCP execution engine furnishes declarative tooling to configure and govern Microsoft 365 security parameters in alignment with BOD 25-01 specifications. It leverages the Microsoft Graph API pathway to instantiate security policies, track adherence status, and generate granular compliance audit artifacts.

Core Capabilities

  • Deprecation of antiquated authentication pathways
  • Implementation of advanced risk-based conditional access mechanisms
  • Rigorous Multi-Factor Authentication (MFA) lifecycle management
  • Governance over application provisioning and consent delegation
  • Centralized credential lifecycle policy administration
  • Privileged Access Management (PAM) role governance
  • Enforcement of cloud-native identity adherence
  • Integration with external PAM solutions
  • Comprehensive audit and reporting capabilities
  • Secure token-based interaction model
  • Statically-typed argument verification
  • Robust logging and structured exception reporting

Mandated Controls Matrix

Control ID: MS.AAD.1.1v1

Target Remediation Deadline: 2025-06-20

Action: Disable Insecure Authentication Protocols

  • Revokes support for obsolete authentication methods (e.g., Basic Auth).
  • Substantially minimizes the exploitable digital footprint.
  • Elevates overall security posture.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/authenticationMethodsPolicy')
  .patch({
    allowLegacyAuthentication: false,
    blockLegacyAuthenticationMethods: true,
  });
```

Controls: MS.AAD.2.1v1 & MS.AAD.2.3v1

Target Remediation Deadline: 2025-06-20

Action: Mitigation of High-Risk Identities and Sessions

  • Automatically nullifies access for identities flagged as high-risk.
  • Prevents high-risk sign-in events from succeeding.
  • Capitalizes on integrated Microsoft threat intelligence feeds.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/identitySecurityDefaultsEnforcementPolicy')
  .patch({
    blockHighRiskUsers: true,
    riskLevelForBlocking: 'high',
  });
```

Controls: MS.AAD.3.1v1, MS.AAD.3.2v1, MS.AAD.3.3v1

Target Remediation Deadline: 2025-06-20

Action: Advanced MFA Orchestration

  • Mandates the usage of phishing-resistant MFA mechanisms (e.g., FIDO2).
  • Provisions and manages acceptable secondary authentication modalities.
  • Ensures contextual login prompts are displayed via Microsoft Authenticator.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/authenticationMethodsPolicy')
  .patch({
    policies: {
      fido2: {
        isEnabled: true,
        isSelfServiceRegistrationAllowed: true,
      },
      windowsHelloForBusiness: {
        isEnabled: true,
        isSelfServiceRegistrationAllowed: true,
      },
    },
  });
```

Controls: MS.AAD.5.1v1 through MS.AAD.5.4v1

Target Remediation Deadline: 2025-06-20

Action: Application Lifecycle Security Hardening

  • Restricts the creation of new application registrations to authorized administrators.
  • Limits the scope of application consent authorization to privileged accounts.
  • Establishes robust admin consent workflow parameters.
  • Prohibits consent delegation by standard group owners.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/applicationRegistrationManagement')
  .patch({
    restrictAppRegistration: true,
    restrictNonAdminUsers: true,
  });
```

Control ID: MS.AAD.6.1v1

Target Remediation Deadline: 2025-06-20

Action: Credential Lifecycle Standardization

  • Deactivates mandatory periodic password expiration cycles.
  • Aligns credential policies with contemporary security doctrine.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/passwordPolicy')
  .patch({
    passwordExpirationPolicy: {
      passwordExpirationDays: 0,
      neverExpire: true,
    },
  });
```

Controls: MS.AAD.7.1v1 through MS.AAD.7.8v1

Target Remediation Deadline: 2025-06-20

Action: Privileged Role Lifecycle Management (PRLM)

  • Imposes strict limits on the population of Global Administrator roles.
  • Enforces the use of finely-scoped role definitions.
  • Requires identities holding sensitive roles to be cloud-native accounts.
  • Mandates utilization of an external PAM system for elevation.
  • Configures formal authorization workflows for role elevation.
  • Establishes comprehensive alerting mechanisms for role activity.

Implementation Snippet:

```typescript
await graphClient
  .api('/policies/roleManagementPolicies')
  .patch({
    enforceGranularRoles: true,
    blockGlobalAdminForGeneralUse: true,
    requireApprovalForGlobalAdmin: true,
  });
```

System Architecture Overview

Core Modules

  1. Protocol Handler Engine
     • Manages MCP specification adherence.
     • Orchestrates tool registration and execution sequencing.
     • Provides centralized exception capture and operational logging.

  2. Identity Verification Layer
     • Utilizes OAuth 2.0 tokens for Microsoft Graph authorization.
     • Implements silent token renewal routines.
     • Oversees secure secret key management.

  3. Graph Interaction Abstraction
     • Encapsulates Microsoft Graph API calls.
     • Offers statically-typed interfaces for request formulation and result parsing.
     • Incorporates intelligent retry mechanisms and failure analysis.

  4. Compliance Toolset
     • Utilities for legacy auth remediation.
     • Tools for identity risk posture management.
     • MFA deployment utilities.
     • Application governance modules.
     • Credential policy application.
     • Role management configuration utilities.
     • System health and policy status retrieval.

Data Flow Visualization

```mermaid
graph TD
    A[MCP Consumer Agent] -->|Command Execution Request| B[Protocol Engine Server]
    B -->|Credential Exchange| C[Token Vault/Manager]
    C -->|Validated Access Token| D[Graph Interface Module]
    D -->|REST/OData Calls| E[Microsoft Graph Security Endpoint]
    E -->|Response Data| D
    D -->|Processed Results| B
    B -->|Response Payload| A
```

Prerequisites and Setup

  • Runtime Environment: Node.js version 18.x or later.
  • Tenant Access: Administrative credentials required for the target Microsoft 365 tenant.
  • Azure AD Application Registration: Must possess the following delegated/application permissions:
      • Policy.ReadWrite.All
      • RoleManagement.ReadWrite.All
      • User.Read.All
      • Application.ReadWrite.All

Deployment Procedures

Automated Installation via Smithery Platform

To invoke automatic provisioning of the CISA M365 Compliance Module via the Smithery CLI:

```bash
npx -y @smithery/cli install cisa-m365
```

Alternatively, the core MCP metadata and definitions can be sourced directly from the Smithery Protocol Directory and integrated into your supported LLM/MCP framework setup.

Manual Clone and Build Steps:

  1. Obtain Repository Source:

```bash
# Clone into a directory named cisa-m365 so the cd below matches
# the path used in the rest of this document.
git clone https://github.com/DynamicEndpoints/BOD-25-01-CSA-MCP.git cisa-m365
cd cisa-m365
```

  2. Dependency Resolution:

```bash
npm install
```

  3. Compilation Stage:

```bash
npm run build
```

Operational Configuration

  1. Azure AD Application Initialization:
     • Navigate to the Azure Portal > Entra ID Blade.
     • Provision a new application registration.
     • Assign required API permissions (as listed in Prerequisites).
     • Generate and secure a new client secret key.

  2. Environment Variable Mapping:
     • Initialize the configuration file from the template:

```bash
cp .env.example .env
```

     • Populate .env with the correct values:

```env
TENANT_ID=your-tenant-id-guid
CLIENT_ID=your-application-client-id
CLIENT_SECRET=the-generated-secret-key
```

  3. MCP Server Definition:

Configuration snippet for the consuming framework (mcp-config.json). Like the .env file, it holds the client secret in plaintext, so restrict its file permissions accordingly:

```json
{
  "mcpServers": {
    "cisa-m365": {
      "command": "node",
      "args": ["path/to/cisa-m365/build/index.js"],
      "env": {
        "TENANT_ID": "your-tenant-id-guid",
        "CLIENT_ID": "your-application-client-id",
        "CLIENT_SECRET": "the-generated-secret-key"
      }
    }
  }
}
```

Tool Invocation Syntax

Available Functions (Tools)

block_legacy_auth

Immediately terminates support for legacy authentication protocols.

{}

block_high_risk_users

Triggers the blocking of identity objects flagged by Microsoft's risk detection engines.

{}

enforce_phishing_resistant_mfa

Establishes FIDO2/certificate-based authentication as the primary MFA standard.

{}

configure_global_admins

Applies governance settings to specified Global Administrator principals (requires list of IDs).

{ "userIds": ["user1-id", "user2-id"] }

get_policy_status

Retrieves the current configuration state across all BOD 25-01 enforced policy domains.

{}

Execution Example

```typescript
// Directive 1.1v1 execution
const result = await client.callTool('block_legacy_auth', {});

// Compliance check
const status = await client.callTool('get_policy_status', {});
```

Interface Specification

PolicyState Query Output Schema

```typescript
interface PolicyStateReport {
  legacyAuthentication: {
    blocked: boolean;
    compliant: boolean;
  };
  highRiskUsers: {
    blocked: boolean;
    compliant: boolean;
  };
  mfa: {
    phishingResistant: boolean;
    alternativeEnabled: boolean;
    compliant: boolean;
  };
  applications: {
    registrationRestricted: boolean;
    consentRestricted: boolean;
    compliant: boolean;
  };
  passwords: {
    expirationDisabled: boolean;
    compliant: boolean;
  };
  roles: {
    globalAdminCount: number;
    granularRolesEnforced: boolean;
    pamEnforced: boolean;
    compliant: boolean;
  };
}
```
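
In Microsoft Graph, blocking legacy clients (MS.AAD.1.1v1) and high-risk users (MS.AAD.2.1v1) is expressed as Conditional Access policies under /identity/conditionalAccess/policies. The block below is an added example, not the project's code: it builds those two policy bodies and fills the matching legacyAuthentication and highRiskUsers fields of the PolicyStateReport from the policies read back from the tenant, so a report-only or partially scoped policy is not mistaken for compliance. The CaPolicy type is a trimmed, assumed subset of the Graph schema.

```typescript
// Added example, not the project's code: the Conditional Access policies that
// MS.AAD.1.1v1 (legacy auth) and MS.AAD.2.1v1 (high-risk users) call for, and the
// PolicyStateReport fields derived from policies read back from the tenant.
// Assumes the Graph schema of /identity/conditionalAccess/policies.
interface CaPolicy {
  displayName: string;
  state: "enabled" | "disabled" | "enabledForReportingButNotEnforced";
  conditions: { users: { includeUsers: string[] }; applications: { includeApplications: string[] };
                clientAppTypes: string[]; userRiskLevels?: string[] };
  grantControls: { operator: "OR" | "AND"; builtInControls: string[] };
}

// Tenant-wide block policy; the caller supplies the condition that selects what to block.
function blockPolicy(displayName: string, clientAppTypes: string[], userRiskLevels?: string[]): CaPolicy {
  return {
    displayName, state: "enabled",
    conditions: { users: { includeUsers: ["All"] }, applications: { includeApplications: ["All"] },
                  clientAppTypes, ...(userRiskLevels ? { userRiskLevels } : {}) },
    grantControls: { operator: "OR", builtInControls: ["block"] },
  };
}

// MS.AAD.1.1v1: legacy clients cannot satisfy MFA, so they are blocked outright.
const legacyAuthBlockPolicy = (): CaPolicy =>
  blockPolicy("BOD 25-01 MS.AAD.1.1v1 Block legacy authentication", ["exchangeActiveSync", "other"]);

// MS.AAD.2.1v1: users that Identity Protection rates high risk are blocked.
const highRiskUserBlockPolicy = (): CaPolicy =>
  blockPolicy("BOD 25-01 MS.AAD.2.1v1 Block high-risk users", ["all"], ["high"]);

// A policy only counts when it is enforced (report-only mode blocks nothing),
// covers all users and all apps, and its grant control is "block".
function isEnforcedBlockForAll(p: CaPolicy): boolean {
  return p.state === "enabled" &&
    p.conditions.users.includeUsers.includes("All") &&
    p.conditions.applications.includeApplications.includes("All") &&
    p.grantControls.builtInControls.includes("block");
}

// Compliance is judged on what the tenant reports, not on what was PATCHed.
function reportFromPolicies(policies: CaPolicy[]) {
  const legacy = policies.some(p => isEnforcedBlockForAll(p) &&
    ["exchangeActiveSync", "other"].every(t => p.conditions.clientAppTypes.includes(t)));
  const risk = policies.some(p => isEnforcedBlockForAll(p) &&
    (p.conditions.userRiskLevels ?? []).includes("high"));
  return {
    legacyAuthentication: { blocked: legacy, compliant: legacy },
    highRiskUsers: { blocked: risk, compliant: risk },
  };
}
```

To wire this into get_policy_status, feed reportFromPolicies the array returned by a GET on /identity/conditionalAccess/policies rather than the bodies that were sent.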

Exception Management

The engine provides structured feedback for execution failures, categorized as:

  1. Authorization Failures: Issues retrieving or validating access tokens, credential expiration, or insufficient Graph API permissions.
  2. Service Interaction Failures: Errors originating from the Microsoft Graph API endpoint (e.g., HTTP 4xx/5xx responses, service throttling).
  3. Input Contract Violations: Failures due to incorrect parameter types or missing required arguments for a specific tool.
  4. System Runtime Issues: Unexpected process interruptions, network timeouts, or resource exhaustion.

Standardized Error Payload Example:

```json
{
  "error": {
    "code": "InputContractViolation",
    "message": "Malformed parameters supplied for role configuration.",
    "details": {
      "parameter": "userIds",
      "constraint": "Requires a minimum of two principals for assignment operations.",
      "received": "One identifier provided"
    }
  }
}
```

Validation Framework

Verification workflows are segmented for thorough testing:

  1. Unit Tests: Execute isolated logic verification.

```bash
npm test
```

  2. Integration Tests: Validate end-to-end connectivity with a live or mocked Graph environment.

```bash
npm run test:integration
```

  3. Directive Compliance Tests: Automated checks to confirm deployed configurations satisfy the CISA requirements.

```bash
npm run test:compliance
```

Security Posture Review

Security scrutiny is applied across the operational stack:

  1. Identity Token Security: Strict protocols for credential secrecy, mandatory token rotation policies, and activity monitoring for anomalous access patterns.

  2. API Access Control: Adherence to the principle of least privilege for all Graph permissions; scheduled review cycles for assigned permissions; continuous monitoring of API request patterns.

  3. Data Preservation: Strict policy against logging of secrets or PII; secure persistence mechanisms for configuration secrets; routine static analysis security scanning.

  4. Governance Assurance: Implementation of continuous compliance verification routines; automated policy state assessment; comprehensive execution audit trails.

Contribution Guidelines

  1. Branch from the main line into a dedicated feature branch.
  2. Ensure all modifications adhere to established code stylistic conventions.
  3. New functionality must be accompanied by comprehensive unit and integration tests.
  4. Update relevant documentation sections to reflect changes.
  5. Submit contributions via atomic, well-described pull requests.

Software Licensing

This project is distributed under the terms of the MIT License.
