# CISA M365

Implements CISA BOD 25-01 security controls for Microsoft 365 (Azure AD/Entra ID).

## Quick Start

```bash
# Connect this server (installs CLI if needed)
npx -y smithery mcp add cisa-m365

# Browse available tools
npx -y smithery tool list cisa-m365

# Get full schema for a tool
npx -y smithery tool get cisa-m365 block_legacy_auth

# Call a tool
npx -y smithery tool call cisa-m365 block_legacy_auth '{}'
```

## Tools (21)

- `block_legacy_auth` — Block legacy authentication (MS.AAD.1.1v1)
- `block_high_risk_users` — Block users detected as high risk (MS.AAD.2.1v1)
- `block_high_risk_signins` — Block sign-ins detected as high risk (MS.AAD.2.3v1)
- `enforce_phishing_resistant_mfa` — Enforce phishing-resistant MFA for all users (MS.AAD.3.1v1)
- `enforce_alternative_mfa` — Enforce alternative MFA method if phishing-resistant MFA not enforced (MS.AAD.3.2v1)
- `configure_authenticator_context` — Configure Microsoft Authenticator to show login context (MS.AAD.3.3v1)
- `complete_auth_methods_migration` — Set Authentication Methods Manage Migration to Complete (MS.AAD.3.4v1)
- `enforce_privileged_mfa` — Enforce phishing-resistant MFA for privileged roles (MS.AAD.3.6v1)
- `restrict_app_registration` — Allow only administrators to register applications (MS.AAD.5.1v1)
- `restrict_app_consent` — Allow only administrators to consent to applications (MS.AAD.5.2v1)
- `configure_admin_consent` — Configure admin consent workflow for applications (MS.AAD.5.3v1)
- `restrict_group_consent` — Prevent group owners from consenting to applications (MS.AAD.5.4v1)
- `disable_password_expiry` — Disable password expiration (MS.AAD.6.1v1)
- `configure_global_admins` — Configure Global Administrator role assignments (MS.AAD.7.1v1)
- `enforce_granular_roles` — Enforce use of granular roles instead of Global Administrator (MS.AAD.7.2v1)
- `enforce_cloud_accounts` — Enforce cloud-only accounts for privileged users (MS.AAD.7.3v1)
- `enforce_pam` — Enforce PAM system for privileged role assignments (MS.AAD.7.5v1)
- `configure_global_admin_approval` — Configure approval requirement for Global Administrator activation (MS.AAD.7.6v1)
- `configure_role_alerts` — Configure alerts for privileged role assignments (MS.AAD.7.7v1)
- `configure_admin_alerts` — Configure alerts for Global Administrator activation (MS.AAD.7.8v1)
- `get_policy_status` — Get current status of all CISA M365 security policies

```bash
# Get full input/output schema for a tool
npx -y smithery tool get cisa-m365 <tool-name>
```

---

License: MIT