MCP Microsoft Graph Server
An MCP (Model Context Protocol) server that provides secure access to Microsoft Entra ID (Azure AD) resources via Microsoft Graph API.
Features
- Users: Read user profiles, groups, licenses, and department information
- Devices: Access device inventory with OS and sign-in information
- Applications: Query application registrations and their properties
- Azure Integration: Logs all activities to Azure Blob Storage for audit purposes
- Security: Uses application permissions with client credentials flow
Prerequisites
- Azure tenant with admin access
- Python 3.8+
- Azure Storage account for logging
Setup
1. Azure App Registration
- Go to Azure Portal → Microsoft Entra ID → App registrations → New registration
- Configure:
  - Name: `MCP-MSGraph-Server`
  - Account types: Single tenant
  - No redirect URI needed
- Note the Application (client) ID and Directory (tenant) ID
2. API Permissions
Add these Application permissions in API permissions:
User.Read.All
Group.Read.All
Directory.Read.All
Device.Read.All
Application.Read.All
Important: Click "Grant admin consent" after adding permissions.
3. Client Secret
- Go to Certificates & secrets → New client secret
- Set expiration to 24 months (recommended)
- Copy the secret value immediately
4. Azure Storage Setup
Create a storage account for logging:
- Create storage account in Azure Portal
- Get the connection string from Access keys
- The `mcp-logs` container will be created automatically
Installation
Configuration
- Copy `.env.example` to `.env`:
- Update `.env` with your values:
Usage
Running the Server
Available Tools
1. get_entra_users
Get Microsoft Entra ID users with profile information.
Response includes:
- Display name and email
- Department information
- Group memberships
- Assigned licenses
2. get_entra_devices
Get registered devices in your tenant.
Response includes:
- Device name and OS
- Last sign-in timestamp
- Device ID
3. get_entra_applications
Get application registrations.
Response includes:
- Application name and ID
- Creation date
- Sign-in audience
OData Filtering
All tools support OData filter queries:
- `startswith(displayName,'John')` - Name starts with "John"
- `mail eq 'user@domain.com'` - Exact email match
- `operatingSystem eq 'Windows'` - Windows devices only
- `createdDateTime ge 2024-01-01T00:00:00Z` - Created after date
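Filter strings reach the Graph API verbatim, so a value taken from a tool caller should be rendered as an OData literal rather than concatenated. The helper below is an added example, not the project's code; the allowed field and operator sets are assumptions chosen to mirror the filters listed above.

```python
import re

# Assumption: the fields each tool may filter on. Graph property names
# from the README's own examples; extend per tool as needed.
ALLOWED_FIELDS = {
    "users": {"displayName", "mail", "department", "createdDateTime"},
    "devices": {"displayName", "operatingSystem"},
    "applications": {"displayName", "createdDateTime", "signInAudience"},
}
ALLOWED_OPS = {"eq", "ne", "ge", "le", "startswith"}

# Graph expects ISO-8601 datetimes as bare (unquoted) literals.
_DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def odata_literal(value: str) -> str:
    """Render a value as an OData literal. Datetimes stay bare; everything
    else is single-quoted with embedded quotes doubled, so a value cannot
    terminate the string and append its own filter clauses."""
    if _DATETIME.match(value):
        return value
    return "'" + value.replace("'", "''") + "'"


def build_filter(resource: str, field: str, op: str, value: str) -> str:
    """Build one `$filter` clause from an allow-listed field and operator."""
    if field not in ALLOWED_FIELDS.get(resource, set()):
        raise ValueError(f"field not allowed for {resource}: {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    literal = odata_literal(value)
    if op == "startswith":
        return f"startswith({field},{literal})"
    return f"{field} {op} {literal}"
```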
Logging
All API calls and operations are logged to Azure Blob Storage:
- Location: `logs/YYYY/MM/DD/timestamp.json`
- Format: Structured JSON with timestamp, level, message, and metadata
- Levels: INFO, ERROR
- Includes: Request details, response counts, error information
Security Best Practices
✅ Implemented:
- Application permissions (no user context required)
- Client credentials flow
- Token caching with expiration
- Secure environment variable configuration
- Comprehensive audit logging
- Request timeout protection
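Token caching with expiration, as an added example rather than the project's own implementation: the cache reuses a client-credentials token until shortly before the `expires_in` the token endpoint returned, and refuses tokens whose lifetime is shorter than that safety margin. The HTTP call to the token endpoint is injected as `fetch`, so the fake fetcher below stands in for it.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

TokenFetcher = Callable[[], Dict[str, object]]  # returns the token endpoint's JSON


@dataclass
class TokenCache:
    """Caches an access token and refreshes it `skew_seconds` before expiry.
    `fetch` performs the client-credentials POST (assumed, not shown here);
    `clock` is injectable so expiry logic can be tested without waiting."""
    fetch: TokenFetcher
    skew_seconds: int = 300
    clock: Callable[[], float] = time.time
    fetch_count: int = field(default=0, init=False)
    _token: str = field(default="", init=False)
    _expires_at: float = field(default=0.0, init=False)

    def get_token(self) -> str:
        # Reuse the cached token only while it is safely inside its lifetime.
        if self._token and self.clock() < self._expires_at - self.skew_seconds:
            return self._token
        resp = self.fetch()
        self.fetch_count += 1
        expires_in = int(resp["expires_in"])
        if expires_in <= self.skew_seconds:
            # A token that would count as stale on the next call is useless.
            raise ValueError("token lifetime shorter than refresh margin")
        self._token = str(resp["access_token"])
        self._expires_at = self.clock() + expires_in
        return self._token


def demo_fake_fetcher() -> TokenFetcher:
    """Constructed stand-in for the Entra token endpoint (no network)."""
    counter = {"n": 0}

    def fetch() -> Dict[str, object]:
        counter["n"] += 1
        return {"token_type": "Bearer", "expires_in": 3599,
                "access_token": f"fake-token-{counter['n']}"}

    return fetch
```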
🔄 Recommended:
- Rotate client secrets every 24 months
- Monitor blob storage logs regularly
- Use Azure Key Vault for secrets in production
- Implement IP restrictions if needed
- Set up alerting on failed authentication attempts
Troubleshooting
Common Issues
- "Insufficient privileges"
- Verify admin consent was granted for API permissions
- Check that application permissions (not delegated) were added
- "Authentication failed"
- Verify tenant ID, client ID, and client secret
- Check that client secret hasn't expired
- "Blob storage errors"
- Verify storage connection string
- Ensure storage account is accessible
Debugging
For verbose debugging output, inspect the blob storage logs, which record:
- Authentication attempts
- API request details
- Error messages with context
License
This project follows security best practices for enterprise deployments.