EntraID MCP Server (Microsoft Graph FastMCP)

This project provides a modular, resource-oriented FastMCP server for interacting with Microsoft Graph API. It is designed for extensibility, maintainability, and security, supporting advanced queries for users, sign-in logs, MFA status, and privileged users.

Features

• Modular Resource Structure:

  • Each resource (users, sign-in logs, MFA, etc.) is implemented in its own module under src/msgraph_mcp_server/resources/.

  • Easy to extend with new resources (e.g., groups, devices).

• Centralized Graph Client:

  • Handles authentication and client initialization.

  • Shared by all resource modules.

• Comprehensive User Operations:

  • Search users by name/email.

  • Get user by ID.

  • List all privileged users (directory role members).

• Full Group Lifecycle & Membership Management:

  • Create, read, update, and delete groups.

  • Add/remove group members and owners.

  • Search and list groups and group members.

• Application & Service Principal Management:

  • List, create, update, and delete applications (app registrations).

  • List, create, update, and delete service principals.

  • View app role assignments and delegated permissions for both applications and service principals.

• Sign-in Log Operations:

  • Query sign-in logs for a user for the last X days.

• MFA Operations:

  • Get MFA status for a user.

  • Get MFA status for all members of a group.

• Password Management:

  • Reset user passwords directly with custom or auto-generated secure passwords.

  • Option to require password change on next sign-in.

• Permissions Helper:

  • Suggest appropriate Microsoft Graph permissions for common tasks.

  • Search and explore available Graph permissions.

  • Helps implement the principle of least privilege by recommending only necessary permissions.

• Error Handling & Logging:

  • Consistent error handling and progress reporting via FastMCP context.

  • Detailed logging for troubleshooting.

• Security:

  • .env and secret files are excluded from version control.

  • Uses Microsoft best practices for authentication.

Related MCP server: Cloud PC Management MCP Server

Project Structure

Usage

1. Setup

• Clone the repo.

• Create a config/.env file with your Azure AD credentials:

  TENANT_ID=your-tenant-id CLIENT_ID=your-client-id CLIENT_SECRET=your-client-secret

• (Optional) Set up certificate-based auth if needed.

2. Testing & Development

You can test and develop your MCP server directly using the FastMCP CLI:

This launches an interactive development environment with the MCP Inspector. For more information and advanced usage, see the FastMCP documentation.

3. Available Tools

User Tools

• search_users(query, ctx, limit=10) — Search users by name/email

• get_user_by_id(user_id, ctx) — Get user details by ID

• get_privileged_users(ctx) — List all users in privileged directory roles

• get_user_roles(user_id, ctx) — Get all directory roles assigned to a user

• get_user_groups(user_id, ctx) — Get all groups (including transitive memberships) for a user

Group Tools

• get_all_groups(ctx, limit=100) — Get all groups (with paging)

• get_group_by_id(group_id, ctx) — Get a specific group by its ID

• search_groups_by_name(name, ctx, limit=50) — Search for groups by display name

• get_group_members(group_id, ctx, limit=100) — Get members of a group by group ID

• create_group(ctx, group_data) — Create a new group (see below for group_data fields)

• update_group(group_id, ctx, group_data) — Update an existing group (fields: displayName, mailNickname, description, visibility)

• delete_group(group_id, ctx) — Delete a group by its ID

• add_group_member(group_id, member_id, ctx) — Add a member (user, group, device, etc.) to a group

• remove_group_member(group_id, member_id, ctx) — Remove a member from a group

• add_group_owner(group_id, owner_id, ctx) — Add an owner to a group

• remove_group_owner(group_id, owner_id, ctx) — Remove an owner from a group

Group Creation/Update Example:

• group_data for create_group and update_group should be a dictionary with keys such as:

  • displayName (required for create)

  • mailNickname (required for create)

  • description (optional)

  • groupTypes (optional, e.g., ["Unified"])

  • mailEnabled (optional)

  • securityEnabled (optional)

  • visibility (optional, "Private" or "Public")

  • owners (optional, list of user IDs)

  • members (optional, list of IDs)

  • membershipRule (required for dynamic groups)

  • membershipRuleProcessingState (optional, "On" or "Paused")

See the groups.py docstrings for more details on supported fields and behaviors.

Sign-in Log Tools

• get_user_sign_ins(user_id, ctx, days=7) — Get sign-in logs for a user

MFA Tools

• get_user_mfa_status(user_id, ctx) — Get MFA status for a user

• get_group_mfa_status(group_id, ctx) — Get MFA status for all group members

Device Tools

• get_all_managed_devices(filter_os=None) — Get all managed devices (optionally filter by OS)

• get_managed_devices_by_user(user_id) — Get all managed devices for a specific user

Conditional Access Policy Tools

• get_conditional_access_policies(ctx) — Get all conditional access policies

• get_conditional_access_policy_by_id(policy_id, ctx) — Get a single conditional access policy by its ID

Audit Log Tools

• get_user_audit_logs(user_id, days=30) — Get all relevant directory audit logs for a user by user_id within the last N days

Password Management Tools

• reset_user_password_direct(user_id, password=None, require_change_on_next_sign_in=True, generate_password=False, password_length=12) — Reset a user's password with a specific password value or generate a secure random password

Permissions Helper Tools

• suggest_permissions_for_task(task_category, task_name) — Suggest Microsoft Graph permissions for a specific task based on common mappings

• list_permission_categories_and_tasks() — List all available categories and tasks for permission suggestions

• get_all_graph_permissions() — Get all Microsoft Graph permissions directly from the Microsoft Graph API

• search_permissions(search_term, permission_type=None) — Search for Microsoft Graph permissions by keyword

Application Tools

• list_applications(ctx, limit=100) — List all applications (app registrations) in the tenant, with paging

• get_application_by_id(app_id, ctx) — Get a specific application by its object ID (includes app role assignments and delegated permissions)

• create_application(ctx, app_data) — Create a new application (see below for app_data fields)

• update_application(app_id, ctx, app_data) — Update an existing application (fields: displayName, signInAudience, tags, identifierUris, web, api, requiredResourceAccess)

• delete_application(app_id, ctx) — Delete an application by its object ID

Application Creation/Update Example:

• app_data for create_application and update_application should be a dictionary with keys such as:

  • displayName (required for create)

  • signInAudience (optional)

  • tags (optional)

  • identifierUris (optional)

  • web (optional)

  • api (optional)

  • requiredResourceAccess (optional)

Service Principal Tools

• list_service_principals(ctx, limit=100) — List all service principals in the tenant, with paging

• get_service_principal_by_id(sp_id, ctx) — Get a specific service principal by its object ID (includes app role assignments and delegated permissions)

• create_service_principal(ctx, sp_data) — Create a new service principal (see below for sp_data fields)

• update_service_principal(sp_id, ctx, sp_data) — Update an existing service principal (fields: displayName, accountEnabled, tags, appRoleAssignmentRequired)

• delete_service_principal(sp_id, ctx) — Delete a service principal by its object ID

Service Principal Creation/Update Example:

• sp_data for create_service_principal and update_service_principal should be a dictionary with keys such as:

  • appId (required for create)

  • accountEnabled (optional)

  • tags (optional)

  • appRoleAssignmentRequired (optional)

  • displayName (optional)

Example Resource

• greeting://{name} — Returns a personalized greeting

Extending the Server

• Add new resource modules under resources/ (e.g., groups.py, devices.py).

• Register new tools in server.py using the FastMCP @mcp.tool() decorator.

• Use the shared GraphClient for all API calls.

Security & Best Practices

• Never commit secrets: .env and other sensitive files are gitignored.

• Use least privilege: Grant only the necessary Microsoft Graph permissions to your Azure AD app.

• Audit & monitor: Use the logging output for troubleshooting and monitoring.

Required Graph API Permissions

Note: Group.ReadWrite.All is required for group creation, update, deletion, and for adding/removing group members or owners. Group.Read.All and GroupMember.Read.All are sufficient for read-only group and membership queries.

Advanced: Using with Claude or Cursor

Using with Claude (Anthropic)

To install and run this server as a Claude MCP tool, use:

• Replace /path/to/ with your actual project path.

• The -f flag points to your .env file (never commit secrets!).

Using with Cursor

Add the following to your .cursor/mcp.json (do not include actual secrets in version control):

• Replace /path/to/ and the environment variables with your actual values.

• Never commit real secrets to your repository!

License

MIT