Microsoft Entra ID MCP server

Provides direct access to Microsoft Entra ID resources through the Graph API, enabling IT administrators to manage users, groups, applications, and security features without switching to the Azure portal.
Provider
Hieu Tran
Release date
May 03, 2025
Stats
18 stars

The EntraID MCP Server provides a modular, resource-oriented FastMCP server for interacting with Microsoft Graph API. It enables you to perform various operations with Microsoft Entra ID (formerly Azure AD) resources including users, groups, applications, and more through a structured interface.

Installation

Prerequisites

  • Python installed on your system
  • Microsoft Entra ID tenant with appropriate permissions

Setup

  1. Clone the repository to your local machine

  2. Create a configuration file with your credentials:

    # Create a config/.env file with your Azure AD credentials
    TENANT_ID=your-tenant-id
    CLIENT_ID=your-client-id
    CLIENT_SECRET=your-client-secret
    
  3. (Optional) Set up certificate-based authentication if needed

Running the Server

You can test and develop your MCP server using the FastMCP CLI:

fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'

This launches an interactive development environment with the MCP Inspector.

Available Tools

User Management

# Search for users (ctx is the FastMCP request context handed to every tool;
# Python does not allow a positional argument after a keyword one, so ctx is passed by name here)
search_users(query="john", ctx=ctx, limit=10)

# Get a specific user
get_user_by_id("user-id-here", ctx)

# List privileged users
get_privileged_users(ctx)

# Get user roles
get_user_roles("user-id-here", ctx)

# Get user groups
get_user_groups("user-id-here", ctx)

Group Management

# List all groups
get_all_groups(ctx, limit=100)

# Get a specific group
get_group_by_id("group-id-here", ctx)

# Search for groups
search_groups_by_name("Marketing", ctx, limit=50)

# Get group members
get_group_members("group-id-here", ctx, limit=100)

# Create a new group
group_data = {
    "displayName": "Marketing Team",
    "mailNickname": "marketing",
    "description": "Marketing department group",
    "groupTypes": ["Unified"],
    "visibility": "Private"
}
create_group(ctx, group_data)

# Update a group
update_data = {"description": "Updated description"}
update_group("group-id-here", ctx, update_data)

# Delete a group
delete_group("group-id-here", ctx)

# Manage group membership
add_group_member("group-id-here", "member-id-here", ctx)
remove_group_member("group-id-here", "member-id-here", ctx)
add_group_owner("group-id-here", "owner-id-here", ctx)
remove_group_owner("group-id-here", "owner-id-here", ctx)

Sign-in and MFA Operations

# Get user sign-in logs
get_user_sign_ins("user-id-here", ctx, days=7)

# Get MFA status
get_user_mfa_status("user-id-here", ctx)
get_group_mfa_status("group-id-here", ctx)

Device Management

# Get managed devices
get_all_managed_devices(filter_os="Windows")
get_managed_devices_by_user("user-id-here")

Password Management

# Reset a user's password
reset_user_password_direct("user-id-here", password="NewP@ssword123", require_change_on_next_sign_in=True)

# Generate a random password
reset_user_password_direct("user-id-here", generate_password=True, password_length=16)

Application Management

# List all applications
list_applications(ctx, limit=100)

# Get specific application details
get_application_by_id("app-id-here", ctx)

# Create a new application
app_data = {
    "displayName": "My New App",
    "signInAudience": "AzureADMyOrg"
}
create_application(ctx, app_data)

# Update an application
update_data = {"displayName": "Updated App Name"}
update_application("app-id-here", ctx, update_data)

# Delete an application
delete_application("app-id-here", ctx)

Service Principal Management

# List all service principals
list_service_principals(ctx, limit=100)

# Get specific service principal details
get_service_principal_by_id("sp-id-here", ctx)

# Create a service principal
sp_data = {
    "appId": "app-id-here",
    "accountEnabled": True
}
create_service_principal(ctx, sp_data)

# Update a service principal
update_data = {"displayName": "Updated SP Name"}
update_service_principal("sp-id-here", ctx, update_data)

# Delete a service principal
delete_service_principal("sp-id-here", ctx)

Permissions Helper

# Get permission suggestions
suggest_permissions_for_task("User Management", "Read users")

# List permission categories
list_permission_categories_and_tasks()

# Search for specific permissions
search_permissions("calendar", permission_type="Delegated")

# Get all Graph permissions
get_all_graph_permissions()

Integrating with Other Tools

Using with Claude (Anthropic)

fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \
  --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core \
  -f /path/to/.env

Using with Cursor

Add this to your .cursor/mcp.json file:

{
  "mcpServers": {
    "EntraID MCP Server": {
      "command": "uv",
      "args": [
        "run",
        "--with", "azure-core",
        "--with", "azure-identity",
        "--with", "fastmcp",
        "--with", "msgraph-core",
        "--with", "msgraph-sdk",
        "fastmcp",
        "run",
        "/path/to/src/msgraph_mcp_server/server.py"
      ],
      "env": {
        "TENANT_ID": "<your-tenant-id>",
        "CLIENT_ID": "<your-client-id>",
        "CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}
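Every client config on this page (Cursor, Claude Code, Claude Desktop) passes TENANT_ID, CLIENT_ID and CLIENT_SECRET through the server's "env" block, and a project-level .cursor/mcp.json is easy to commit by accident. The following checker is an added example, not part of the EntraID MCP Server project: it parses an mcp.json, accepts both the bare and the {"mcpServers": {...}} layout, and reports env keys that look like credentials and no longer hold the "<your-...>" placeholders. The key and placeholder patterns and the two sample configs are assumptions constructed for the example.

```python
"""Flag credentials written inline into an MCP client config (added example)."""
import json
import re

# Env keys that usually carry a credential (assumed heuristic for this example).
SECRET_KEY = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY)$", re.IGNORECASE)
# Values that are still unfilled template placeholders, e.g. "<your-client-secret>".
PLACEHOLDER = re.compile(r"^<[^>]*>$|^your-")


def find_inline_secrets(mcp_json_text: str) -> list[dict]:
    """Return one finding per secret-like env entry of every configured server.

    Each finding records whether the value is still a placeholder ("filled": False)
    or looks like a real credential that should not live in this file.
    """
    cfg = json.loads(mcp_json_text)
    servers = cfg.get("mcpServers", cfg)  # bare form or the wrapped form used here
    findings = []
    for name, server in servers.items():
        if not isinstance(server, dict):
            continue
        for key, value in server.get("env", {}).items():
            if not SECRET_KEY.search(key):
                continue  # TENANT_ID / CLIENT_ID are identifiers, not secrets
            filled = not PLACEHOLDER.match(str(value))
            findings.append({"server": name, "key": key, "filled": filled})
    return findings


def has_committed_secret(mcp_json_text: str) -> bool:
    """True if any secret-like env value has been filled in (pre-commit style gate)."""
    return any(f["filled"] for f in find_inline_secrets(mcp_json_text))


# Constructed sample 1: the template from this page, placeholders untouched.
TEMPLATE_CONFIG = json.dumps({
    "mcpServers": {
        "EntraID MCP Server": {
            "command": "uv",
            "args": ["run", "fastmcp", "run", "/path/to/src/msgraph_mcp_server/server.py"],
            "env": {
                "TENANT_ID": "<your-tenant-id>",
                "CLIENT_ID": "<your-client-id>",
                "CLIENT_SECRET": "<your-client-secret>",
            },
        }
    }
})

# Constructed sample 2: the same file after a (fake, constructed) secret was pasted in.
FILLED_CONFIG = TEMPLATE_CONFIG.replace("<your-client-secret>", "EXAMPLE-not-a-real-secret-0000")

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE_CONFIG), ("filled", FILLED_CONFIG)):
        print(label, find_inline_secrets(text), "block commit:", has_committed_secret(text))
```

Run it as a pre-commit hook over any .cursor/mcp.json in the repository; a "filled" finding means the client secret should move to the untracked config/.env file the server already reads (or to certificate-based authentication), leaving only the placeholders in the committed file.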

Required Graph API Permissions

The server requires the following Microsoft Graph API permissions:

  • AuditLog.Read.All
  • AuthenticationContext.Read.All
  • DeviceManagementManagedDevices.Read.All
  • Directory.Read.All
  • Group.Read.All
  • GroupMember.Read.All
  • Group.ReadWrite.All (for group creation/modification)
  • Policy.Read.All
  • RoleManagement.Read.Directory
  • User.Read.All
  • User-PasswordProfile.ReadWrite.All
  • UserAuthenticationMethod.Read.All
  • Application.ReadWrite.All

Ensure your application has been granted these permissions in your Microsoft Entra ID tenant.
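The list above is the union of what every tool needs; an agent that is only given the read-only tools does not need the three ReadWrite scopes. The planner below is an added example, not part of the EntraID MCP Server project: it maps tool groups to the permissions in the list, computes the minimal consent set for the tool groups you actually expose, drops a Read scope when the matching ReadWrite scope is present (in Graph, ReadWrite already includes Read), and reports which consented scopes are excess. The README annotates only Group.ReadWrite.All, so the rest of the tool-to-permission mapping is my assumption to verify against the Graph permissions reference before consenting.

```python
"""Least-privilege planner for the Graph permissions this server lists (added example)."""
from typing import Iterable

# Assumed mapping of this page's tool groups -> permissions from the list above.
TOOL_PERMISSIONS = {
    "user_read":        {"User.Read.All", "Directory.Read.All"},
    "user_roles":       {"RoleManagement.Read.Directory", "Directory.Read.All"},
    "group_read":       {"Group.Read.All", "GroupMember.Read.All"},
    "group_write":      {"Group.ReadWrite.All"},
    "sign_in_logs":     {"AuditLog.Read.All"},
    "mfa_status":       {"UserAuthenticationMethod.Read.All", "Policy.Read.All",
                         "AuthenticationContext.Read.All"},
    "devices":          {"DeviceManagementManagedDevices.Read.All"},
    "password_reset":   {"User-PasswordProfile.ReadWrite.All"},
    "app_and_sp_write": {"Application.ReadWrite.All"},
}

# Everything the README asks for, usable as the "currently consented" baseline.
README_PERMISSIONS = {p for perms in TOOL_PERMISSIONS.values() for p in perms}


def is_write_scope(perm: str) -> bool:
    """Graph scopes containing 'ReadWrite' allow directory changes."""
    return "ReadWrite" in perm


def minimize(perms: set[str]) -> set[str]:
    """Drop X.Read.All when X.ReadWrite.All is also present (ReadWrite includes Read)."""
    redundant = {p.replace(".ReadWrite.", ".Read.") for p in perms if ".ReadWrite." in p}
    return perms - redundant


def plan_permissions(enabled_groups: Iterable[str]) -> dict:
    """Minimal scope set for the enabled tool groups, with write scopes called out."""
    groups = list(enabled_groups)
    unknown = sorted(set(groups) - set(TOOL_PERMISSIONS))
    if unknown:
        raise ValueError(f"unknown tool groups: {unknown}")
    required = minimize(set().union(*(TOOL_PERMISSIONS[g] for g in groups)))
    return {"required": sorted(required),
            "write": sorted(p for p in required if is_write_scope(p))}


def excess_permissions(granted: Iterable[str], enabled_groups: Iterable[str]) -> list[str]:
    """Consented scopes that none of the enabled tool groups need."""
    needed = set(plan_permissions(enabled_groups)["required"])
    return sorted(set(granted) - needed)


if __name__ == "__main__":
    read_only = ["user_read", "group_read", "sign_in_logs", "mfa_status"]
    print("read-only profile:", plan_permissions(read_only))
    print("excess vs README list:", excess_permissions(README_PERMISSIONS, read_only))
    print("group admin profile:", plan_permissions(["group_read", "group_write"]))
```

The "write" entries are the ones to review separately: User-PasswordProfile.ReadWrite.All and Application.ReadWrite.All let whatever drives the agent reset passwords and change app registrations, so consent them only for a deployment that actually exposes those tools, and compare the app's consented scopes against the planner's output after every change to the tool set.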

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "EntraID-MCP-Server" '{"command":"uv","args":["run","--with","azure-core","--with","azure-identity","--with","fastmcp","--with","msgraph-core","--with","msgraph-sdk","fastmcp","run","/path/to/src/msgraph_mcp_server/server.py"],"env":{"TENANT_ID":"<your-tenant-id>","CLIENT_ID":"<your-client-id>","CLIENT_SECRET":"<your-client-secret>"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "EntraID MCP Server": {
            "command": "uv",
            "args": [
                "run",
                "--with",
                "azure-core",
                "--with",
                "azure-identity",
                "--with",
                "fastmcp",
                "--with",
                "msgraph-core",
                "--with",
                "msgraph-sdk",
                "fastmcp",
                "run",
                "/path/to/src/msgraph_mcp_server/server.py"
            ],
            "env": {
                "TENANT_ID": "<your-tenant-id>",
                "CLIENT_ID": "<your-client-id>",
                "CLIENT_SECRET": "<your-client-secret>"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then see the tools the added MCP server exposes and call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "EntraID MCP Server": {
            "command": "uv",
            "args": [
                "run",
                "--with",
                "azure-core",
                "--with",
                "azure-identity",
                "--with",
                "fastmcp",
                "--with",
                "msgraph-core",
                "--with",
                "msgraph-sdk",
                "fastmcp",
                "run",
                "/path/to/src/msgraph_mcp_server/server.py"
            ],
            "env": {
                "TENANT_ID": "<your-tenant-id>",
                "CLIENT_ID": "<your-client-id>",
                "CLIENT_SECRET": "<your-client-secret>"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect
