manage_security_groups
Create, update, and manage Azure AD security groups to control access by adding or removing members and configuring security settings.
Instructions
Manage Azure AD security groups for access control, including group creation, membership, and security settings.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Action to perform on security group | |
| groupId | No | Security group ID for existing group operations | |
| displayName | No | Display name for the security group | |
| description | No | Description of the security group | |
| members | No | List of member email addresses | |
| settings | No | Security group settings |
Implementation Reference
- src/handlers.ts:1121-1206 (handler)Core handler function implementing manage_security_groups tool logic: handles actions like get, create, update, delete, add_members, remove_members using Microsoft Graph API on /groups endpoint.export async function handleSecurityGroups( graphClient: Client, args: SecurityGroupArgs ): Promise<{ content: { type: string; text: string }[] }> { let apiPath = ''; let result: any; switch (args.action) { case 'get': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for get action'); } apiPath = `/groups/${args.groupId}`; result = await graphClient.api(apiPath).get(); break; case 'create': if (!args.displayName) { throw new McpError(ErrorCode.InvalidParams, 'displayName is required for create action'); } apiPath = '/groups'; const createPayload = { displayName: args.displayName, description: args.description || '', mailNickname: args.displayName.replace(/\s+/g, '').toLowerCase(), mailEnabled: args.settings?.mailEnabled || false, securityEnabled: args.settings?.securityEnabled !== false, // Default to true groupTypes: [] }; result = await graphClient.api(apiPath).post(createPayload); break; case 'update': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for update action'); } apiPath = `/groups/${args.groupId}`; const updatePayload: any = {}; if (args.displayName) updatePayload.displayName = args.displayName; if (args.description) updatePayload.description = args.description; result = await graphClient.api(apiPath).patch(updatePayload); break; case 'delete': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for delete action'); } apiPath = `/groups/${args.groupId}`; await graphClient.api(apiPath).delete(); result = { message: 'Security group deleted successfully' }; break; case 'add_members': if (!args.groupId || !args.members?.length) { throw new McpError(ErrorCode.InvalidParams, 'groupId and members are required for add_members action'); } for (const member of args.members) { await graphClient .api(`/groups/${args.groupId}/members/$ref`) .post({ '@odata.id': `https://graph.microsoft.com/v1.0/users/${member}` }); } result = { message: `Added ${args.members.length} members to security group` }; break; case 'remove_members': if (!args.groupId || !args.members?.length) { throw new McpError(ErrorCode.InvalidParams, 'groupId and members are required for remove_members action'); } for (const member of args.members) { await graphClient .api(`/groups/${args.groupId}/members/${member}/$ref`) .delete(); } result = { message: `Removed ${args.members.length} members from security group` }; break; default: throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`); } return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] }; }
- src/server.ts:375-394 (registration)MCP server registration of the 'manage_security_groups' tool, wiring the handler function, Zod input schema, and tool annotations.this.server.tool( "manage_security_groups", "Manage Azure AD security groups for access control, including group creation, membership, and security settings.", securityGroupSchema.shape, {"readOnlyHint":false,"destructiveHint":true,"idempotentHint":false}, wrapToolHandler(async (args: SecurityGroupArgs) => { // Validate credentials only when tool is executed (lazy loading) this.validateCredentials(); try { return await handleSecurityGroups(this.getGraphClient(), args); } catch (error) { if (error instanceof McpError) { throw error; } throw new McpError( ErrorCode.InternalError, `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }) ); // M365 Groups - Lazy loading enabled for tool discovery
- src/tool-definitions.ts:54-64 (schema)Zod schema defining input parameters and validation for the manage_security_groups tool, used in tool registration.export const securityGroupSchema = z.object({ action: z.enum(['get', 'create', 'update', 'delete', 'add_members', 'remove_members']).describe('Action to perform on security group'), groupId: z.string().optional().describe('Security group ID for existing group operations'), displayName: z.string().optional().describe('Display name for the security group'), description: z.string().optional().describe('Description of the security group'), members: z.array(z.string()).optional().describe('List of member email addresses'), settings: z.object({ securityEnabled: z.boolean().optional().describe('Whether security is enabled'), mailEnabled: z.boolean().optional().describe('Whether mail is enabled'), }).optional().describe('Security group settings'), });
- src/tool-metadata.ts:26-29 (schema)Tool metadata including description, title, and annotations for manage_security_groups, used in capabilities and tool info.manage_security_groups: { description: "Manage Azure AD security groups for access control, including group creation, membership, and security settings.", title: "Security Group Manager", annotations: { title: "Security Group Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }