EntraID MCP Server
MCP server for interacting with Entra ID through the Microsoft Graph API.
Configuration
{
  "mcpServers": {
    "hieuttmmo-entraid-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--with", "azure-core",
        "--with", "azure-identity",
        "--with", "fastmcp",
        "--with", "msgraph-core",
        "--with", "msgraph-sdk",
        "fastmcp",
        "run",
        "/path/to/src/msgraph_mcp_server/server.py"
      ],
      "env": {
        "CLIENT_ID": "<your-client-id>",
        "TENANT_ID": "<your-tenant-id>",
        "CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}
You deploy and run the EntraID MCP Server to access Microsoft Graph data through a modular, resource-oriented FastMCP interface. It exposes resources such as users, groups, applications, service principals, sign-in logs and MFA status through a centralized Graph client with authenticated access, and it provides tooling for permission lookup, auditing and password management.
You interact with the MCP server through an MCP client. The server provides a set of resources and tool functions you can call to query data, manage entities and perform common administration tasks: search and retrieve users, manage groups and memberships, handle applications and service principals, fetch sign-in logs, verify MFA status, reset passwords and explore Graph permissions so that the app can be scoped to least privilege. Use the MCP client to invoke the exposed tools and to inspect results and progress through the MCP context, which gives consistent error handling and logging.
Prerequisites: make sure Python is installed in your environment. You will also need access to an Entra ID (Azure AD) tenant with a registered application (client ID and client secret) for Microsoft Graph authentication.
Step 1: Prepare your environment variables and credentials. Create a file with these values set for your tenant and app registration:
TENANT_ID=your-tenant-id
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
Step 2: Start the MCP server locally using Cursor's startup configuration. This runs the server with the required modules and the path to your server entry file:
{
  "EntraID MCP Server": {
    "command": "uv",
    "args": [
      "run",
      "--with", "azure-core",
      "--with", "azure-identity",
      "--with", "fastmcp",
      "--with", "msgraph-core",
      "--with", "msgraph-sdk",
      "fastmcp",
      "run",
      "/path/to/src/msgraph_mcp_server/server.py"
    ],
    "env": {
      "TENANT_ID": "<your-tenant-id>",
      "CLIENT_ID": "<your-client-id>",
      "CLIENT_SECRET": "<your-client-secret>"
    }
  }
}
Tools
Search users by name or email and return matching user profiles.
Retrieve full details for a user by their object ID.
List all users who are members of privileged directory roles.
Get all directory roles assigned to a user.
Return all groups for a user, including transitive memberships.
List all groups with paging support.
Fetch a group by its object ID, including metadata.
Search groups by their display name.
Get members of a specific group.
Create a new group with specified fields.
Update group properties such as displayName, mailNickname, description, visibility.
Delete a group by its ID.
Add a member to a group.
Remove a member from a group.
Add an owner to a group.
Remove an owner from a group.
Query sign-in logs for a user over the last N days.
Get MFA status for a user.
Get MFA status for all members of a group.
List all managed devices, with optional OS filter.
List devices managed by a specific user.
Fetch all Conditional Access policies.
Get a single Conditional Access policy by its ID.
Retrieve directory audit logs for a user within a time window.
Reset a user password with an optional new value and change-on-sign-in requirement.
Suggest Microsoft Graph permissions best suited for a given task.
List all permission categories and their tasks for quick reference.
Query the Microsoft Graph permissions available to your app.
Search Graph permissions by keyword and optional type.
List all applications (app registrations) with paging.
Get an application by its object ID, including role assignments and delegated permissions.
Create a new application (app registration).
Update application properties such as displayName, signInAudience, tags, identifierUris, web, api, requiredResourceAccess.
Delete an application by its object ID.
List all service principals with paging.
Get a service principal by its object ID, including role assignments and delegated permissions.
Create a new service principal.
Update a service principal with fields like displayName and accountEnabled.
Delete a service principal by its object ID.
Example resource: greeting://{name} returns a personalized greeting.