Back to search
Security

EntraID MCP Server (Microsoft Graph FastMCP)

This project provides a modular, resource-oriented FastMCP server for interacting with Microsoft Graph API. It is designed for extensibility, maintainability, and security, supporting advanced queries for users, sign-in logs, MFA status, and privileged users.

Features

  • Modular Resource Structure:
    • Each resource (users, sign-in logs, MFA, etc.) is implemented in its own module under src/msgraph_mcp_server/resources/.
    • Easy to extend with new resources (e.g., groups, devices).
  • Centralized Graph Client:
    • Handles authentication and client initialization.
    • Shared by all resource modules.
  • Comprehensive User Operations:
    • Search users by name/email.
    • Get user by ID.
    • List all privileged users (directory role members).
  • Full Group Lifecycle & Membership Management:
    • Create, read, update, and delete groups.
    • Add/remove group members and owners.
    • Search and list groups and group members.
  • Application & Service Principal Management:
    • List, create, update, and delete applications (app registrations).
    • List, create, update, and delete service principals.
    • View app role assignments and delegated permissions for both applications and service principals.
  • Sign-in Log Operations:
    • Query sign-in logs for a user for the last X days.
  • MFA Operations:
    • Get MFA status for a user.
    • Get MFA status for all members of a group.
  • Password Management:
    • Reset user passwords directly with custom or auto-generated secure passwords.
    • Option to require password change on next sign-in.
  • Permissions Helper:
    • Suggest appropriate Microsoft Graph permissions for common tasks.
    • Search and explore available Graph permissions.
    • Helps implement the principle of least privilege by recommending only necessary permissions.
  • Error Handling & Logging:
    • Consistent error handling and progress reporting via FastMCP context.
    • Detailed logging for troubleshooting.
  • Security:
    • .env and secret files are excluded from version control.
    • Uses Microsoft best practices for authentication.

Project Structure

src/msgraph_mcp_server/
├── auth/           # Authentication logic (GraphAuthManager)
├── resources/      # Resource modules (users, signin_logs, mfa, ...)
│   ├── users.py            # User operations (search, get by ID, etc.)
│   ├── signin_logs.py      # Sign-in log operations
│   ├── mfa.py              # MFA status operations
│   ├── permissions_helper.py # Graph permissions utilities and suggestions
│   ├── applications.py       # Application (app registration) operations
│   ├── service_principals.py # Service principal operations
│   └── ...                 # Other resource modules
├── utils/          # Core GraphClient and other ultilities tool, such as password generator..
├── server.py       # FastMCP server entry point (registers tools/resources)
├── __init__.py     # Package marker

Usage

1. Setup

  • Clone the repo.
  • Create a config/.env file with your Azure AD credentials: 
    TENANT_ID=your-tenant-id
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
  • (Optional) Set up certificate-based auth if needed.

2. Testing & Development

You can test and develop your MCP server directly using the FastMCP CLI:

fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'

This launches an interactive development environment with the MCP Inspector. For more information and advanced usage, see the FastMCP documentation.

3. Available Tools

User Tools

  • search_users(query, ctx, limit=10) — Search users by name/email
  • get_user_by_id(user_id, ctx) — Get user details by ID
  • get_privileged_users(ctx) — List all users in privileged directory roles
  • get_user_roles(user_id, ctx) — Get all directory roles assigned to a user
  • get_user_groups(user_id, ctx) — Get all groups (including transitive memberships) for a user

Group Tools

  • get_all_groups(ctx, limit=100) — Get all groups (with paging)
  • get_group_by_id(group_id, ctx) — Get a specific group by its ID
  • search_groups_by_name(name, ctx, limit=50) — Search for groups by display name
  • get_group_members(group_id, ctx, limit=100) — Get members of a group by group ID
  • create_group(ctx, group_data) — Create a new group (see below for group_data fields)
  • update_group(group_id, ctx, group_data) — Update an existing group (fields: displayName, mailNickname, description, visibility)
  • delete_group(group_id, ctx) — Delete a group by its ID
  • add_group_member(group_id, member_id, ctx) — Add a member (user, group, device, etc.) to a group
  • remove_group_member(group_id, member_id, ctx) — Remove a member from a group
  • add_group_owner(group_id, owner_id, ctx) — Add an owner to a group
  • remove_group_owner(group_id, owner_id, ctx) — Remove an owner from a group

Group Creation/Update Example:

  • group_data for create_group and update_group should be a dictionary with keys such as:
    • displayName (required for create)
    • mailNickname (required for create)
    • description (optional)
    • groupTypes (optional, e.g., ["Unified"])
    • mailEnabled (optional)
    • securityEnabled (optional)
    • visibility (optional, "Private" or "Public")
    • owners (optional, list of user IDs)
    • members (optional, list of IDs)
    • membershipRule (required for dynamic groups)
    • membershipRuleProcessingState (optional, "On" or "Paused")

See the groups.py docstrings for more details on supported fields and behaviors.

Sign-in Log Tools

  • get_user_sign_ins(user_id, ctx, days=7) — Get sign-in logs for a user

MFA Tools

  • get_user_mfa_status(user_id, ctx) — Get MFA status for a user
  • get_group_mfa_status(group_id, ctx) — Get MFA status for all group members

Device Tools

  • get_all_managed_devices(filter_os=None) — Get all managed devices (optionally filter by OS)
  • get_managed_devices_by_user(user_id) — Get all managed devices for a specific user

Conditional Access Policy Tools

  • get_conditional_access_policies(ctx) — Get all conditional access policies
  • get_conditional_access_policy_by_id(policy_id, ctx) — Get a single conditional access policy by its ID

Audit Log Tools

  • get_user_audit_logs(user_id, days=30) — Get all relevant directory audit logs for a user by user_id within the last N days

Password Management Tools

  • reset_user_password_direct(user_id, password=None, require_change_on_next_sign_in=True, generate_password=False, password_length=12) — Reset a user's password with a specific password value or generate a secure random password

Permissions Helper Tools

  • suggest_permissions_for_task(task_category, task_name) — Suggest Microsoft Graph permissions for a specific task based on common mappings
  • list_permission_categories_and_tasks() — List all available categories and tasks for permission suggestions
  • get_all_graph_permissions() — Get all Microsoft Graph permissions directly from the Microsoft Graph API
  • search_permissions(search_term, permission_type=None) — Search for Microsoft Graph permissions by keyword

Application Tools

  • list_applications(ctx, limit=100) — List all applications (app registrations) in the tenant, with paging
  • get_application_by_id(app_id, ctx) — Get a specific application by its object ID (includes app role assignments and delegated permissions)
  • create_application(ctx, app_data) — Create a new application (see below for app_data fields)
  • update_application(app_id, ctx, app_data) — Update an existing application (fields: displayName, signInAudience, tags, identifierUris, web, api, requiredResourceAccess)
  • delete_application(app_id, ctx) — Delete an application by its object ID

Application Creation/Update Example:

  • app_data for create_application and update_application should be a dictionary with keys such as:
    • displayName (required for create)
    • signInAudience (optional)
    • tags (optional)
    • identifierUris (optional)
    • web (optional)
    • api (optional)
    • requiredResourceAccess (optional)

Service Principal Tools

  • list_service_principals(ctx, limit=100) — List all service principals in the tenant, with paging
  • get_service_principal_by_id(sp_id, ctx) — Get a specific service principal by its object ID (includes app role assignments and delegated permissions)
  • create_service_principal(ctx, sp_data) — Create a new service principal (see below for sp_data fields)
  • update_service_principal(sp_id, ctx, sp_data) — Update an existing service principal (fields: displayName, accountEnabled, tags, appRoleAssignmentRequired)
  • delete_service_principal(sp_id, ctx) — Delete a service principal by its object ID

Service Principal Creation/Update Example:

  • sp_data for create_service_principal and update_service_principal should be a dictionary with keys such as:
    • appId (required for create)
    • accountEnabled (optional)
    • tags (optional)
    • appRoleAssignmentRequired (optional)
    • displayName (optional)

Example Resource

  • greeting://{name} — Returns a personalized greeting

Extending the Server

  • Add new resource modules under resources/ (e.g., groups.py, devices.py).
  • Register new tools in server.py using the FastMCP @mcp.tool() decorator.
  • Use the shared GraphClient for all API calls.

Security & Best Practices

  • Never commit secrets: .env and other sensitive files are gitignored.
  • Use least privilege: Grant only the necessary Microsoft Graph permissions to your Azure AD app.
  • Audit & monitor: Use the logging output for troubleshooting and monitoring.

Required Graph API Permissions

API / Permission Type Description
AuditLog.Read.All Application Read all audit log data
AuthenticationContext.Read.All Application Read all authentication context information
DeviceManagementManagedDevices.Read.All Application Read Microsoft Intune devices
Directory.Read.All Application Read directory data
Group.Read.All Application Read all groups
GroupMember.Read.All Application Read all group memberships
Group.ReadWrite.All Application Create, update, delete groups; manage group members and owners
Policy.Read.All Application Read your organization's policies
RoleManagement.Read.Directory Application Read all directory RBAC settings
User.Read.All Application Read all users' full profiles
User-PasswordProfile.ReadWrite.All Application Least privileged permission to update the passwordProfile property
UserAuthenticationMethod.Read.All Application Read all users' authentication methods
Application.ReadWrite.All Application Create, update, and delete applications (app registrations) and service principals

Note: Group.ReadWrite.All is required for group creation, update, deletion, and for adding/removing group members or owners. Group.Read.All and GroupMember.Read.All are sufficient for read-only group and membership queries.

Advanced: Using with Claude or Cursor

Using with Claude (Anthropic)

To install and run this server as a Claude MCP tool, use:

fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \
  --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core \
  -f /path/to/.env
  • Replace /path/to/ with your actual project path.
  • The -f flag points to your .env file (never commit secrets!).

Using with Cursor

Add the following to your .cursor/mcp.json (do not include actual secrets in version control):

{
  "EntraID MCP Server": {
    "command": "uv",
    "args": [
      "run",
      "--with", "azure-core",
      "--with", "azure-identity",
      "--with", "fastmcp",
      "--with", "msgraph-core",
      "--with", "msgraph-sdk",
      "fastmcp",
      "run",
      "/path/to/src/msgraph_mcp_server/server.py"
    ],
    "env": {
      "TENANT_ID": "<your-tenant-id>",
      "CLIENT_ID": "<your-client-id>",
      "CLIENT_SECRET": "<your-client-secret>"
    }
  }
}
  • Replace /path/to/ and the environment variables with your actual values.
  • Never commit real secrets to your repository!

License

MIT

Author
hound
Github Url
https://github.com/hieuttmmo/entraid-mcp-server
GitHub Stars
20
Last published:10/09/2025
Last updated:05/11/2025