manage_azure_ad_devices
Manage Azure AD registered devices by listing, enabling, disabling, or deleting them, and handling compliance and BitLocker keys.
Instructions
Manage devices registered in Azure AD including device compliance, BitLocker keys, and device actions.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Azure AD device management action | |
| deviceId | No | Object ID of the device | |
| filter | No | OData filter string | |
Implementation Reference
- src/handlers.ts:462-515 (handler) The core handler function implementing manage_azure_ad_devices tool logic. Handles actions: list_devices, get_device, enable_device, disable_device, delete_device using Microsoft Graph /devices endpoint.

  ```typescript
  export async function handleAzureAdDevices(
    graphClient: Client,
    args: AzureAdDeviceArgs
  ): Promise<{ content: { type: string; text: string }[] }> {
    let apiPath = '';
    let result: any;

    switch (args.action) {
      case 'list_devices':
        apiPath = '/devices';
        if (args.filter) {
          apiPath += `?$filter=${encodeURIComponent(args.filter)}`;
        }
        result = await graphClient.api(apiPath).get();
        break;

      case 'get_device':
        if (!args.deviceId) {
          throw new McpError(ErrorCode.InvalidParams, 'deviceId is required for get_device');
        }
        apiPath = `/devices/${args.deviceId}`;
        result = await graphClient.api(apiPath).get();
        break;

      case 'enable_device':
      case 'disable_device':
        if (!args.deviceId) {
          throw new McpError(ErrorCode.InvalidParams, `deviceId is required for ${args.action}`);
        }
        // Note: Enabling/Disabling devices is done via update, setting accountEnabled
        // This requires Device.ReadWrite.All permission.
        apiPath = `/devices/${args.deviceId}`;
        await graphClient.api(apiPath).patch({
          accountEnabled: args.action === 'enable_device'
        });
        result = { message: `Device ${args.action === 'enable_device' ? 'enabled' : 'disabled'} successfully` };
        break;

      case 'delete_device':
        if (!args.deviceId) {
          throw new McpError(ErrorCode.InvalidParams, 'deviceId is required for delete_device');
        }
        // Requires Device.ReadWrite.All permission.
        apiPath = `/devices/${args.deviceId}`;
        await graphClient.api(apiPath).delete();
        result = { message: 'Device deleted successfully' };
        break;

      default:
        throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
    }

    return {
      content: [{ type: 'text', text: JSON.stringify(result, null, 2) }]
    };
  }
  ```
- src/tool-definitions.ts:149-153 (schema) Zod schema defining the input parameters (action, deviceId, filter) for the manage_azure_ad_devices tool, used for validation.

  ```typescript
  export const azureAdDeviceSchema = z.object({
    action: z.enum(['list_devices', 'get_device', 'enable_device', 'disable_device', 'delete_device']).describe('Azure AD device management action'),
    deviceId: z.string().optional().describe('Object ID of the device'),
    filter: z.string().optional().describe('OData filter string'),
  });
  ```
- src/server.ts:564-584 (registration) MCP server registration of the 'manage_azure_ad_devices' tool, linking schema, metadata annotations, and handler function.

  ```typescript
  this.server.tool(
    "manage_azure_ad_devices",
    "Manage devices registered in Azure AD including device compliance, BitLocker keys, and device actions.",
    azureAdDeviceSchema.shape,
    {"readOnlyHint":false,"destructiveHint":true,"idempotentHint":false},
    wrapToolHandler(async (args: AzureAdDeviceArgs) => {
      // Validate credentials only when tool is executed (lazy loading)
      this.validateCredentials();
      try {
        return await handleAzureAdDevices(this.getGraphClient(), args);
      } catch (error) {
        if (error instanceof McpError) {
          throw error;
        }
        throw new McpError(
          ErrorCode.InternalError,
          `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    })
  );
  ```
- src/tool-metadata.ts:79-82 (schema) Tool metadata including description, title, and annotations (readOnlyHint, destructiveHint, etc.) for manage_azure_ad_devices.

  ```typescript
  manage_azure_ad_devices: {
    description: "Manage devices registered in Azure AD including device compliance, BitLocker keys, and device actions.",
    title: "Azure AD Device Manager",
    annotations: { title: "Azure AD Device Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }
  },
  ```
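
The schema accepts any string for `deviceId`, and the handler places it directly into the `/devices/${args.deviceId}` path of a tool marked `destructiveHint: true`. The following is an added example, not code from this project: one way to require a GUID before any request is planned. `planDeviceRequest`, `PlannedRequest` and `GUID_RE` are hypothetical names, and it assumes device object IDs are always GUIDs.

```typescript
// Added example, not the project's code. All names here are hypothetical.
type DeviceAction =
  | 'list_devices' | 'get_device' | 'enable_device' | 'disable_device' | 'delete_device';

// Assumption: Graph directory object IDs are GUIDs, so nothing else may reach the path.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

interface PlannedRequest {
  method: 'GET' | 'PATCH' | 'DELETE';
  path: string;
  body?: { accountEnabled: boolean };
}

// Turns validated tool arguments into the single Graph request the action needs.
function planDeviceRequest(action: DeviceAction, deviceId?: string, filter?: string): PlannedRequest {
  if (action === 'list_devices') {
    // The filter only ever appears as an encoded query value, as in the handler.
    const query = filter ? `?$filter=${encodeURIComponent(filter)}` : '';
    return { method: 'GET', path: `/devices${query}` };
  }
  // Every remaining action addresses one device: require a well-formed GUID.
  if (!deviceId || !GUID_RE.test(deviceId)) {
    throw new Error(`deviceId must be a GUID for ${action}`);
  }
  const path = `/devices/${deviceId.toLowerCase()}`;
  switch (action) {
    case 'get_device':
      return { method: 'GET', path };
    case 'enable_device':
    case 'disable_device':
      return { method: 'PATCH', path, body: { accountEnabled: action === 'enable_device' } };
    case 'delete_device':
      return { method: 'DELETE', path };
    default:
      throw new Error(`Invalid action: ${String(action)}`);
  }
}
```

In the Zod schema the same constraint could be expressed on the `deviceId` field itself, so malformed IDs are rejected before the handler runs.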