cipp-security
Install: claude install-skill wyre-technology/msp-claude-plugins
# CIPP Security — Conditional Access & Named Locations
Read-only access to a tenant's Conditional Access policy graph and named-location list. Use as input to security posture reviews and to detect tenants drifting from MSP baseline policies. CIPP doesn't expose CA write operations through MCP — apply policy changes via CIPP standards or the CIPP UI.
## Tools
### `cipp_list_conditional_access_policies`
```
cipp_list_conditional_access_policies(tenantFilter='contoso.onmicrosoft.com')
```
Returns every CA policy with `displayName`, `state` (`enabled` / `disabled` / `enabledForReportingButNotEnforced`), `conditions` (users, apps, locations, platforms, sign-in risk), and `grantControls` (MFA, compliant device, terms of use, etc.).
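
The fields above are enough to automate the first three findings in this page's CA review table. The sketch below is an added example, not part of the plugin or of CIPP: it assumes the tool output has been loaded as a list of dicts laid out like Microsoft Graph `conditionalAccessPolicy` objects, the function names are hypothetical, and `SAMPLE` is constructed data. It only recognises MFA expressed as a built-in grant control.

```python
# Assumed shape: each policy is a dict laid out like a Microsoft Graph
# conditionalAccessPolicy object. SAMPLE is constructed, not real tenant output.
SAMPLE = [
    {"displayName": "Baseline - MFA all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"], "excludeRoles": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for Office 365", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "users": {"includeUsers": ["All"],
                              "excludeRoles": ["<admin-role-template-id>"]}},  # placeholder
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["All"]}, "users": {}},
     "grantControls": None},
]

def _get(policy, *path):
    """Walk nested dicts, treating missing or null levels as empty."""
    node = policy
    for key in path:
        node = (node or {}).get(key)
    return node or []

def requires_mfa_everywhere(policy):
    """True if the policy targets all cloud apps and MFA is the only way to pass."""
    controls = _get(policy, "grantControls", "builtInControls")
    operator = (policy.get("grantControls") or {}).get("operator", "OR")
    mfa_mandatory = "mfa" in controls and (operator == "AND" or len(controls) == 1)
    return mfa_mandatory and "All" in _get(policy, "conditions", "applications", "includeApplications")

def review(policies):
    """Return findings for the first three rows of the review table."""
    enforced = [p for p in policies if p.get("state") == "enabled"]  # report-only is not enforcement
    findings = []
    if not enforced:
        findings.append("no policies in enabled state")
    if not any(requires_mfa_everywhere(p) for p in enforced):
        findings.append("MFA not required for all cloud apps")
    for p in enforced:  # any excluded directory role is flagged for a human to confirm
        if _get(p, "conditions", "users", "excludeRoles"):
            findings.append(f"role exclusion in '{p['displayName']}'")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

In the sample, the report-only baseline does not count toward the MFA check, so the tenant is flagged even though a policy named "MFA all users" exists.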
### `cipp_list_named_locations`
```
cipp_list_named_locations(tenantFilter='contoso.onmicrosoft.com')
```
Returns named locations: IP ranges (trusted/untrusted) and country-based locations. These are the building blocks CA policies reference for location-based controls.
## What to look for in a CA review
| Finding | Why it matters |
|---------|----------------|
| Zero policies in `enabled` state | Tenant has no CA enforcement at all; a baseline policy in `enabledForReportingButNotEnforced` (report-only) state doesn't block anything |
| MFA not required for "All cloud apps" | A baseline policy is missing or scoped too narrowly |
| Policies excluding the entire admin role | Common configuration mistake; admins should require *more* MFA, not less |
| Trusted location includes