MCP for MS Graph
Configuration
{
  "mcpServers": {
    "burconsult-msgraph-mcp": {
      "command": "msgraph-mcp",
      "args": [],
      "env": {
        "MSGRAPH_CLIENT_ID": "your-client-id",
        "MSGRAPH_LOG_LEVEL": "INFO",
        "MSGRAPH_TENANT_ID": "your-tenant-id",
        "MSGRAPH_AUTH_METHOD": "client_credentials",
        "MSGRAPH_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}
You deploy and run an MCP server that exposes Microsoft Graph v2 beta data and operations through standardized MCP interfaces. This server lets AI applications manage users, groups, applications, and directory data against an Azure AD / Microsoft 365 tenant with robust authentication, rate limiting, and structured data access.
Start the MCP server and connect with an MCP client using the provided command. You can perform direct operations to manage users, groups, and applications, access static and dynamic resources, and run AI workflows through prompts. Use the HTTP/MCP server endpoint for remote usage or run the server locally in stdio mode and connect via the MCP client that launches the server process.
Common usage patterns include listing users, fetching organization info, managing group memberships, and running security analyses or reports. You can mix Tools (direct operations), Resources (structured data), and Prompts (AI workflows) to build end-to-end automation for user lifecycle, group governance, and reporting tasks.
# Prerequisites
# - Python 3.10 or higher
# - Azure AD application registration with permissions
# - Access to Microsoft 365 or Azure AD tenant
# Install from source (if you have the repository)
git clone <repository-url>
cd msgraph-mcp
# Install in development mode (editable)
pip install -e .
# Or install directly
pip install .
# Optional development dependencies
pip install -e ".[dev]"
Start the MCP server with the standard CLI entry point. You can test configuration, run with debug logging, or specify a custom environment file.
# Start the MCP server
msgraph-mcp
# Test configuration and connection
msgraph-mcp --test-config
# Run with debug logging
msgraph-mcp --log-level DEBUG --debug
# Use a custom configuration file
msgraph-mcp --config-file /path/to/custom.env
Configuration and security are important for reliable operation. You can configure authentication methods, rate limiting, and feature toggles via environment variables or a .env file. The server supports multiple authentication flows, token caching, SSL validation, and permission-based access control.
Key security practices include keeping credentials out of version control, enforcing least privilege, enabling SSL validation in production, and relying on automatic token refreshing and secure token caching.
For production usage, you will typically configure: tenant ID, client ID, client secret, base Graph URL, rate limits, and which operations are enabled. Example variables are shown in the configuration sections.
If authentication or permission issues arise, verify the Azure AD app has the required Microsoft Graph permissions, ensure admin consent is granted, and confirm tenant and client details are correct.
If you hit rate limit errors, adjust the maximum requests per second and concurrency settings to align with your subscription and expected load.
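The least-privilege and permission-verification advice above can be checked against what the app registration was actually granted: with the client_credentials method, the access token carries the granted application permissions in its `roles` claim. The following is an added example, not code from the msgraph-mcp project; the allowlist, the high-risk set and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: a read-only deployment needs only these application permissions.
# The page does not list required permissions; adjust to the tools you enable.
ALLOWED_ROLES = {"User.Read.All", "Group.Read.All", "Organization.Read.All"}

# Tenant-wide write permissions that should have an explicit justification.
HIGH_RISK_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str) -> dict:
    """Compare the app-only token's 'roles' claim with the allowlist."""
    roles = set(decode_claims(token).get("roles", []))
    return {
        "granted": sorted(roles),
        "unexpected": sorted(roles - ALLOWED_ROLES),   # granted but not needed
        "high_risk": sorted(roles & HIGH_RISK_ROLES),  # broad write access
        "missing": sorted(ALLOWED_ROLES - roles),      # needed but not granted
    }


def constructed_token(roles: list) -> str:
    """Build an unsigned sample token (constructed for the demo, not a real one)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = constructed_token(["User.Read.All", "Directory.ReadWrite.All"])
    print(json.dumps(audit_roles(sample), indent=2))
```

An empty `granted` list with everything under `missing` means the token carries no application permissions, which matches the admin-consent check described above.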
List users with optional filters and pagination to retrieve user profiles like displayName, mail, and jobTitle.
Get details for a specific user by ID or user principal name, with optional selected fields.
Create a new user with required attributes such as display name, userPrincipalName, password, and mailNickname.
Update properties of an existing user, such as job title or department.
Delete a user by ID or principal name.
List groups and manage group members; fetch group details and membership.
Retrieve details for a specific group, including its members and metadata.
Add or remove members from a group.
List applications and service principals registered in the directory.
Get organization level information such as name and basic metadata.
List directory roles and their members.
Fetch members assigned to a specific directory role.
Test connectivity to Microsoft Graph endpoints and validate permissions.
Provide metadata about the MCP service itself including version and status.