manage_security_groups
Create, update, and manage Azure AD security groups for access control, including group membership and security settings configuration.
Instructions
Manage Azure AD security groups for access control, including group creation, membership, and security settings.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Action to perform on security group | |
| groupId | No | Security group ID for existing group operations | |
| displayName | No | Display name for the security group | |
| description | No | Description of the security group | |
| members | No | List of member email addresses | |
| settings | No | Security group settings |
Implementation Reference
- src/handlers.ts:1121-1206 (handler)Core handler function implementing manage_security_groups tool. Handles CRUD operations and membership management for Azure AD security groups using Microsoft Graph API endpoints (/groups).export async function handleSecurityGroups( graphClient: Client, args: SecurityGroupArgs ): Promise<{ content: { type: string; text: string }[] }> { let apiPath = ''; let result: any; switch (args.action) { case 'get': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for get action'); } apiPath = `/groups/${args.groupId}`; result = await graphClient.api(apiPath).get(); break; case 'create': if (!args.displayName) { throw new McpError(ErrorCode.InvalidParams, 'displayName is required for create action'); } apiPath = '/groups'; const createPayload = { displayName: args.displayName, description: args.description || '', mailNickname: args.displayName.replace(/\s+/g, '').toLowerCase(), mailEnabled: args.settings?.mailEnabled || false, securityEnabled: args.settings?.securityEnabled !== false, // Default to true groupTypes: [] }; result = await graphClient.api(apiPath).post(createPayload); break; case 'update': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for update action'); } apiPath = `/groups/${args.groupId}`; const updatePayload: any = {}; if (args.displayName) updatePayload.displayName = args.displayName; if (args.description) updatePayload.description = args.description; result = await graphClient.api(apiPath).patch(updatePayload); break; case 'delete': if (!args.groupId) { throw new McpError(ErrorCode.InvalidParams, 'groupId is required for delete action'); } apiPath = `/groups/${args.groupId}`; await graphClient.api(apiPath).delete(); result = { message: 'Security group deleted successfully' }; break; case 'add_members': if (!args.groupId || !args.members?.length) { throw new McpError(ErrorCode.InvalidParams, 'groupId and members are required for add_members action'); } for (const member of args.members) { await graphClient .api(`/groups/${args.groupId}/members/$ref`) .post({ '@odata.id': `https://graph.microsoft.com/v1.0/users/${member}` }); } result = { message: `Added ${args.members.length} members to security group` }; break; case 'remove_members': if (!args.groupId || !args.members?.length) { throw new McpError(ErrorCode.InvalidParams, 'groupId and members are required for remove_members action'); } for (const member of args.members) { await graphClient .api(`/groups/${args.groupId}/members/${member}/$ref`) .delete(); } result = { message: `Removed ${args.members.length} members from security group` }; break; default: throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`); } return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] }; }
- src/server.ts:375-394 (registration)MCP server tool registration for manage_security_groups, linking schema, metadata, and handler function.this.server.tool( "manage_security_groups", "Manage Azure AD security groups for access control, including group creation, membership, and security settings.", securityGroupSchema.shape, {"readOnlyHint":false,"destructiveHint":true,"idempotentHint":false}, wrapToolHandler(async (args: SecurityGroupArgs) => { // Validate credentials only when tool is executed (lazy loading) this.validateCredentials(); try { return await handleSecurityGroups(this.getGraphClient(), args); } catch (error) { if (error instanceof McpError) { throw error; } throw new McpError( ErrorCode.InternalError, `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}` ); } }) ); // M365 Groups - Lazy loading enabled for tool discovery
- src/tool-definitions.ts:54-64 (schema)Zod schema defining input parameters and validation for manage_security_groups tool.export const securityGroupSchema = z.object({ action: z.enum(['get', 'create', 'update', 'delete', 'add_members', 'remove_members']).describe('Action to perform on security group'), groupId: z.string().optional().describe('Security group ID for existing group operations'), displayName: z.string().optional().describe('Display name for the security group'), description: z.string().optional().describe('Description of the security group'), members: z.array(z.string()).optional().describe('List of member email addresses'), settings: z.object({ securityEnabled: z.boolean().optional().describe('Whether security is enabled'), mailEnabled: z.boolean().optional().describe('Whether mail is enabled'), }).optional().describe('Security group settings'), });
- src/tool-metadata.ts:26-29 (schema)Tool metadata including description, title, and MCP annotations (readOnlyHint, destructiveHint, etc.) for manage_security_groups.manage_security_groups: { description: "Manage Azure AD security groups for access control, including group creation, membership, and security settings.", title: "Security Group Manager", annotations: { title: "Security Group Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }