MCP Microsoft Graph Server
An MCP (Model Context Protocol) server that provides secure access to Microsoft Entra ID (Azure AD) resources via Microsoft Graph API.
Features
- Users: Read user profiles, groups, licenses, and department information
- Devices: Access device inventory with OS and sign-in information
- Applications: Query application registrations and their properties
- Azure Integration: Logs all activities to Azure Blob Storage for audit purposes
- Security: Uses application permissions with client credentials flow
Prerequisites
- Azure tenant with admin access
- Python 3.8+
- Azure Storage account for logging
Setup
1. Azure App Registration
- Go to Azure Portal → Microsoft Entra ID → App registrations → New registration
- Configure:
  - Name: `MCP-MSGraph-Server`
  - Account types: Single tenant
  - No redirect URI needed
- Note the Application (client) ID and Directory (tenant) ID
2. API Permissions
Add these Application permissions in API permissions:
- `User.Read.All`
- `Group.Read.All`
- `Directory.Read.All`
- `Device.Read.All`
- `Application.Read.All`
Important: Click "Grant admin consent" after adding permissions.
3. Client Secret
- Go to Certificates & secrets → New client secret
- Set expiration to 24 months (recommended)
- Copy the secret value immediately
4. Azure Storage Setup
Create a storage account for logging:
- Create storage account in Azure Portal
- Get the connection string from Access keys
- The container `mcp-logs` will be created automatically
Installation
Configuration
- Copy `.env.example` to `.env`.
- Update `.env` with your values.
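The following is an added example (not the project's own code) showing how the values produced in setup steps 1 and 3 are used: the client credentials flow against the tenant's v2.0 token endpoint, an in-memory token cache that renews shortly before expiry, and a request timeout. The variable names `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` are assumptions about what `.env` contains; the HTTP call is injectable so the cache logic can be exercised without network access.

```python
"""Client credentials flow against Microsoft Entra ID with an expiring token cache."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assumed .env variable names; the project's actual names may differ.
REQUIRED_VARS = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
REFRESH_MARGIN_SECONDS = 300   # renew 5 minutes before the token would expire
REQUEST_TIMEOUT_SECONDS = 10   # request timeout protection

PostFn = Callable[[str, Dict[str, str]], Dict]


def load_settings(env: Dict[str, str]) -> Dict[str, str]:
    """Fail fast when a required value is missing, naming the key but never its value."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing configuration: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_VARS}


def http_post_form(url: str, fields: Dict[str, str]) -> Dict:
    """POST a form body and return the JSON response (including 4xx error bodies)."""
    body = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=REQUEST_TIMEOUT_SECONDS) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Entra ID answers failures with a JSON body carrying "error" / "error_description".
        return json.loads(err.read().decode("utf-8") or "{}")


class TokenCache:
    """Caches one app-only access token and renews it shortly before expiry."""

    def __init__(self, settings: Dict[str, str], post: PostFn = http_post_form,
                 clock: Callable[[], float] = time.time):
        self._settings = settings
        self._post = post      # injectable transport so the cache can be tested offline
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0   # how many times a token was actually requested

    def token_url(self) -> str:
        tenant = urllib.parse.quote(self._settings["TENANT_ID"], safe="")
        return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

    def get_token(self) -> str:
        now = self._clock()
        if self._token and now < self._expires_at - REFRESH_MARGIN_SECONDS:
            return self._token
        payload = self._post(self.token_url(), {
            "grant_type": "client_credentials",
            "client_id": self._settings["CLIENT_ID"],
            "client_secret": self._settings["CLIENT_SECRET"],
            "scope": GRAPH_SCOPE,
        })
        if "access_token" not in payload:
            # Surface the error code for troubleshooting, never the secret or the request body.
            raise RuntimeError(
                f"token request failed: {payload.get('error', 'unknown')}: "
                f"{payload.get('error_description', '')[:120]}"
            )
        self.fetch_count += 1
        self._token = payload["access_token"]
        self._expires_at = now + float(payload.get("expires_in", 0))
        return self._token


if __name__ == "__main__":
    cache = TokenCache(load_settings(dict(os.environ)))
    print("token acquired, length", len(cache.get_token()))
```

The renewal margin matters because Graph rejects a token that expires mid-request; renewing a few minutes early avoids spurious "Authentication failed" entries in the audit log that would otherwise look like a real credential problem.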
Usage
Running the Server
Available Tools
1. get_entra_users
Get Microsoft Entra ID users with profile information.
Response includes:
- Display name and email
- Department information
- Group memberships
- Assigned licenses
2. get_entra_devices
Get registered devices in your tenant.
Response includes:
- Device name and OS
- Last sign-in timestamp
- Device ID
3. get_entra_applications
Get application registrations.
Response includes:
- Application name and ID
- Creation date
- Sign-in audience
OData Filtering
All tools support OData filter queries:
- `startswith(displayName,'John')` - Name starts with "John"
- `mail eq 'user@domain.com'` - Exact email match
- `operatingSystem eq 'Windows'` - Windows devices only
- `createdDateTime ge 2024-01-01T00:00:00Z` - Created after date
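Because the filter string reaches the server from the model that calls the tool, it is worth validating it against the small grammar the tools actually need before it is placed into a Graph URL. The block below is an added example, not the project's own code: it accepts exactly the forms listed above (`startswith(...)`, comparison against a quoted string or an ISO timestamp, joined by `and`/`or`), restricts property names to an allow list per tool, caps `$top`, and URL-encodes the result. The tool-to-resource mapping and the allowed properties are assumptions for illustration.

```python
"""Allow-listed OData $filter validation and Graph URL construction."""
import re
import urllib.parse
from typing import Dict, List, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
MAX_FILTER_LENGTH = 512
MAX_TOP = 100  # local page-size cap, independent of Graph's own limit

# Assumed mapping: tool -> (Graph resource, properties a filter may reference and that are returned).
TOOLS: Dict[str, Tuple[str, List[str]]] = {
    "get_entra_users": ("users", ["displayName", "mail", "userPrincipalName", "department"]),
    "get_entra_devices": ("devices", ["displayName", "operatingSystem", "approximateLastSignInDateTime"]),
    "get_entra_applications": ("applications", ["displayName", "appId", "createdDateTime", "signInAudience"]),
}

STRING = r"'[^']*'"
DATETIME = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
TERM = (rf"(?:startswith\(\s*\w+\s*,\s*{STRING}\s*\)"
        rf"|\w+\s+(?:eq|ne|gt|ge|lt|le)\s+(?:{STRING}|{DATETIME}))")
EXPR_RE = re.compile(rf"^\s*{TERM}(?:\s+(?:and|or)\s+{TERM})*\s*$")
FIELD_RE = re.compile(r"(?:startswith\(\s*(\w+)|\b(\w+)\s+(?:eq|ne|gt|ge|lt|le)\s)")


def validate_filter(tool: str, expr: str) -> str:
    """Return the filter unchanged if it fits the grammar and only names allowed properties."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool}")
    if len(expr) > MAX_FILTER_LENGTH:
        raise ValueError("filter too long")
    if not EXPR_RE.match(expr):
        raise ValueError("filter does not match the supported grammar")
    # Blank out string literals first so text inside quotes cannot be read as a property name.
    stripped = re.sub(STRING, "''", expr)
    fields = {a or b for a, b in FIELD_RE.findall(stripped)}
    disallowed = sorted(fields - set(TOOLS[tool][1]))
    if disallowed:
        raise ValueError(f"property not allowed for {tool}: {', '.join(disallowed)}")
    return expr.strip()


def build_graph_url(tool: str, filter_expr: str = "", top: int = 50) -> str:
    """Compose the Graph request URL with $select, a capped $top and the validated $filter."""
    resource, props = TOOLS[tool]
    params = {"$select": ",".join(props), "$top": str(max(1, min(top, MAX_TOP)))}
    if filter_expr:
        params["$filter"] = validate_filter(tool, filter_expr)
    # quote (not quote_plus) so spaces become %20, which Graph accepts in $filter.
    return f"{GRAPH_BASE}/{resource}?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


if __name__ == "__main__":
    print(build_graph_url("get_entra_users", "startswith(displayName,'John')"))
```

Rejecting anything outside the grammar is deliberate: a model-supplied filter that tries to reference properties outside the tool's purpose, or that smuggles in other query options, fails closed with a readable error rather than being forwarded to Graph.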
Logging
All API calls and operations are logged to Azure Blob Storage:
- Location: `logs/YYYY/MM/DD/timestamp.json`
- Format: Structured JSON with timestamp, level, message, and metadata
- Levels: INFO, ERROR
- Includes: Request details, response counts, error information
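As an added example (not the project's own logging code), the block below builds the blob name from the `logs/YYYY/MM/DD/timestamp.json` layout, produces the structured record with the four documented parts (timestamp, level, message, metadata), masks secret-bearing metadata before anything is written, and runs a simple failed-authentication check over records, which is the alerting the Security Best Practices section recommends. The exact timestamp format inside the file name, the redaction key list and the alert threshold are assumptions; the Azure upload is isolated in one function so the rest runs without the SDK.

```python
"""Structured audit records, blob naming, secret redaction and failed-auth alerting."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

CONTAINER = "mcp-logs"
# Assumed list of metadata keys whose values must never reach the audit log.
SECRET_KEYS = {"client_secret", "access_token", "authorization", "connection_string"}
BEARER_RE = re.compile(r"(?i)bearer\s+[a-z0-9._\-]+")
FAILED_AUTH_THRESHOLD = 3                 # assumed alerting threshold
FAILED_AUTH_WINDOW = timedelta(minutes=10)


def blob_name_for(timestamp: str) -> str:
    """logs/YYYY/MM/DD/timestamp.json; the timestamp layout in the file name is assumed."""
    ts = datetime.fromisoformat(timestamp)
    return f"logs/{ts:%Y/%m/%d}/{ts:%Y%m%dT%H%M%S%fZ}.json"


def redact(value):
    """Recursively mask secret-bearing keys and bearer tokens inside metadata."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SECRET_KEYS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer [REDACTED]", value)
    return value


def make_record(level: str, message: str, metadata: Dict, timestamp: Optional[str] = None) -> Dict:
    """Build one structured entry with the documented fields; levels are INFO and ERROR only."""
    if level not in ("INFO", "ERROR"):
        raise ValueError("level must be INFO or ERROR")
    timestamp = timestamp or datetime.now(timezone.utc).isoformat()
    return {"timestamp": timestamp, "level": level, "message": message, "metadata": redact(metadata)}


def write_record(record: Dict, upload: Callable[[str, bytes], None]) -> str:
    """Serialise the record and hand it to an uploader; returns the blob name used."""
    name = blob_name_for(record["timestamp"])
    upload(name, json.dumps(record, sort_keys=True).encode("utf-8"))
    return name


def azure_uploader(connection_string: str) -> Callable[[str, bytes], None]:
    """Uploader backed by the Azure SDK (imports deferred so the rest runs without it)."""
    from azure.core.exceptions import ResourceExistsError
    from azure.storage.blob import BlobServiceClient
    container = BlobServiceClient.from_connection_string(connection_string).get_container_client(CONTAINER)
    try:
        container.create_container()       # "created automatically" on first use
    except ResourceExistsError:
        pass
    return lambda name, data: container.upload_blob(name=name, data=data)


def failed_auth_alerts(records: List[Dict]) -> List[str]:
    """Alert when ERROR records for the 'authenticate' operation cluster inside the window."""
    failures = sorted(datetime.fromisoformat(r["timestamp"]) for r in records
                      if r["level"] == "ERROR" and r.get("metadata", {}).get("operation") == "authenticate")
    for i, start in enumerate(failures):
        in_window = [t for t in failures[i:] if t - start <= FAILED_AUTH_WINDOW]
        if len(in_window) >= FAILED_AUTH_THRESHOLD:
            return [f"{len(in_window)} failed authentications since {start.isoformat()}"]
    return []
```

Redaction runs inside `make_record` rather than at upload time so that every path that constructs a record, including error handlers that may capture request headers, is covered; a log store that the Recommended list says to monitor regularly must not itself become a place where the client secret can be read back.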
Security Best Practices
✅ Implemented:
- Application permissions (no user context required)
- Client credentials flow
- Token caching with expiration
- Secure environment variable configuration
- Comprehensive audit logging
- Request timeout protection
🔄 Recommended:
- Rotate client secrets every 24 months
- Monitor blob storage logs regularly
- Use Azure Key Vault for secrets in production
- Implement IP restrictions if needed
- Set up alerting on failed authentication attempts
Troubleshooting
Common Issues
- "Insufficient privileges"
  - Verify admin consent was granted for API permissions
  - Check that application permissions (not delegated) were added
- "Authentication failed"
  - Verify tenant ID, client ID, and client secret
  - Check that client secret hasn't expired
- "Blob storage errors"
  - Verify storage connection string
  - Ensure storage account is accessible
Debugging
For detailed debugging, inspect the blob storage logs, which record:
- Authentication attempts
- API request details
- Error messages with context
License
This project follows security best practices for enterprise deployments.