Labsco
hieuttmmo logo

Microsoft Entra ID MCP Server

โ˜… 39

from hieuttmmo

A Python MCP server for Microsoft Entra ID (Azure AD) directory, user, group, device, sign-in, and security operations via Microsoft Graph.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

EntraID MCP Server (Microsoft Graph FastMCP)

This project provides a modular, resource-oriented FastMCP server for interacting with Microsoft Graph API. It is designed for extensibility, maintainability, and security, supporting advanced queries for users, sign-in logs, MFA status, and privileged users.

Features

  • Modular Resource Structure:
    • Each resource (users, sign-in logs, MFA, etc.) is implemented in its own module under src/msgraph_mcp_server/resources/.
    • Easy to extend with new resources (e.g., groups, devices).
  • Centralized Graph Client:
    • Handles authentication and client initialization.
    • Shared by all resource modules.
  • Comprehensive User Operations:
    • Search users by name/email.
    • Get user by ID.
    • List all privileged users (directory role members).
  • Full Group Lifecycle & Membership Management:
    • Create, read, update, and delete groups.
    • Add/remove group members and owners.
    • Search and list groups and group members.
  • Application & Service Principal Management:
    • List, create, update, and delete applications (app registrations).
    • List, create, update, and delete service principals.
    • View app role assignments and delegated permissions for both applications and service principals.
  • Sign-in Log Operations:
    • Query sign-in logs for a user for the last X days.
  • MFA Operations:
    • Get MFA status for a user.
    • Get MFA status for all members of a group.
  • Password Management:
    • Reset user passwords directly with custom or auto-generated secure passwords.
    • Option to require password change on next sign-in.
  • Permissions Helper:
    • Suggest appropriate Microsoft Graph permissions for common tasks.
    • Search and explore available Graph permissions.
    • Helps implement the principle of least privilege by recommending only necessary permissions.
  • Error Handling & Logging:
    • Consistent error handling and progress reporting via FastMCP context.
    • Detailed logging for troubleshooting.
  • Security:
    • .env and secret files are excluded from version control.
    • Uses Microsoft best practices for authentication.

Project Structure

src/msgraph_mcp_server/
โ”œโ”€โ”€ auth/           # Authentication logic (GraphAuthManager)
โ”œโ”€โ”€ resources/      # Resource modules (users, signin_logs, mfa, ...)
โ”‚   โ”œโ”€โ”€ users.py            # User operations (search, get by ID, etc.)
โ”‚   โ”œโ”€โ”€ signin_logs.py      # Sign-in log operations
โ”‚   โ”œโ”€โ”€ mfa.py              # MFA status operations
โ”‚   โ”œโ”€โ”€ permissions_helper.py # Graph permissions utilities and suggestions
โ”‚   โ”œโ”€โ”€ applications.py       # Application (app registration) operations
โ”‚   โ”œโ”€โ”€ service_principals.py # Service principal operations
โ”‚   โ””โ”€โ”€ ...                 # Other resource modules
โ”œโ”€โ”€ utils/          # Core GraphClient and other ultilities tool, such as password generator..
โ”œโ”€โ”€ server.py       # FastMCP server entry point (registers tools/resources)
โ”œโ”€โ”€ __init__.py     # Package marker

Extending the Server

  • Add new resource modules under resources/ (e.g., groups.py, devices.py).
  • Register new tools in server.py using the FastMCP @mcp.tool() decorator.
  • Use the shared GraphClient for all API calls.

Security & Best Practices

  • Never commit secrets: .env and other sensitive files are gitignored.
  • Use least privilege: Grant only the necessary Microsoft Graph permissions to your Azure AD app.
  • Audit & monitor: Use the logging output for troubleshooting and monitoring.

Required Graph API Permissions

API / PermissionTypeDescription
AuditLog.Read.AllApplicationRead all audit log data
AuthenticationContext.Read.AllApplicationRead all authentication context information
DeviceManagementManagedDevices.Read.AllApplicationRead Microsoft Intune devices
Directory.Read.AllApplicationRead directory data
Group.Read.AllApplicationRead all groups
GroupMember.Read.AllApplicationRead all group memberships
Group.ReadWrite.AllApplicationCreate, update, delete groups; manage group members and owners
Policy.Read.AllApplicationRead your organization's policies
RoleManagement.Read.DirectoryApplicationRead all directory RBAC settings
User.Read.AllApplicationRead all users' full profiles
User-PasswordProfile.ReadWrite.AllApplicationLeast privileged permission to update the passwordProfile property
UserAuthenticationMethod.Read.AllApplicationRead all users' authentication methods
Application.ReadWrite.AllApplicationCreate, update, and delete applications (app registrations) and service principals

Note: Group.ReadWrite.All is required for group creation, update, deletion, and for adding/removing group members or owners. Group.Read.All and GroupMember.Read.All are sufficient for read-only group and membership queries.

Advanced: Using with Claude or Cursor

Using with Claude (Anthropic)

To install and run this server as a Claude MCP tool, use:

fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \
  --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core \
  -f /path/to/.env
  • Replace /path/to/ with your actual project path.
  • The -f flag points to your .env file (never commit secrets!).

Using with Cursor

Add the following to your .cursor/mcp.json (do not include actual secrets in version control):

{
  "EntraID MCP Server": {
    "command": "uv",
    "args": [
      "run",
      "--with", "azure-core",
      "--with", "azure-identity",
      "--with", "fastmcp",
      "--with", "msgraph-core",
      "--with", "msgraph-sdk",
      "fastmcp",
      "run",
      "/path/to/src/msgraph_mcp_server/server.py"
    ],
    "env": {
      "TENANT_ID": "<your-tenant-id>",
      "CLIENT_ID": "<your-client-id>",
      "CLIENT_SECRET": "<your-client-secret>"
    }
  }
}
  • Replace /path/to/ and the environment variables with your actual values.
  • Never commit real secrets to your repository!

License

MIT