Entra Permissions MCP Server

An MCP server that exposes this repo's Microsoft Entra ID / Microsoft Graph permissions data to AI agents (Claude Code, Claude Desktop, Cursor, …).

It serves the canonical permissions JSON — the same data the permissions/ React app bundles — through MCP tools and resources.

Where the data comes from

Remote-first, local fallback. At startup the server fetches the three JSON datasets from the public jsDelivr CDN, served from the dedicated public data store repo mjendza/entra-id-permissions-mcp:

https://cdn.jsdelivr.net/gh/mjendza/entra-id-permissions-mcp@main/data/<file>.json

The data is refreshed by this repo's scrape.yaml pipeline, which generates the JSON and pushes it to the store repo's data/ folder. Serving from the CDN means a deployed/serverless MCP host needs no bundled data and pays no egress to host ~2 MB of JSON — jsDelivr caches it globally. If the fetch fails (offline, CDN down, or remote disabled) the server falls back to the local data/ files in this repo.

Prerequisite: the pipeline must have published the three *.json files to the store repo's data/ folder on main at least once. Until then the server transparently uses the local fallback.

Related MCP server: MCP Microsoft Graph Server

Datasets

Tools

Search tools return { totalMatches, returned, results } and accept an optional limit (default 25, max 200) so large result sets stay bounded.

Resources

• entra://graph/application-permissions

• entra://graph/delegated-permissions

• entra://microsoft-apps

Each returns the full raw dataset as application/json.

Build

cd mcp-server
npm install
npm run build

Run

stdio (local clients):

npm run start:stdio      # node dist/stdio.js

Streamable HTTP (network / serverless hosting):

npm run start:http       # node dist/http.js  -> http://localhost:3000/mcp

GET /health returns 200 {"status":"ok"}. The HTTP transport runs stateless (no session id) which keeps serverless hosting simple; switch to session mode by supplying a sessionIdGenerator in src/http.ts if you need server-initiated streams.

Config

• ENTRA_DATA_BASE_URL — override the remote base URL (defaults to the jsDelivr CDN path above). Set to an empty string to disable remote fetching.

• ENTRA_DATA_LOCAL_ONLY — set to any value to skip the network entirely and read local files.

• ENTRA_DATA_DIR — override the local fallback directory (defaults to the repo's data/).

• PORT — HTTP port (default 3000).

Register with a client

Claude Code (stdio):

claude mcp add entra-permissions -- node /absolute/path/to/mcp-server/dist/stdio.js

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "entra-permissions": {
      "command": "node",
      "args": ["/absolute/path/to/mcp-server/dist/stdio.js"]
    }
  }
}

Inspect / debug

npx @modelcontextprotocol/inspector node dist/stdio.js

Refreshing the data

The datasets are generated by the PowerShell scripts in ../src (Export-GraphPermissions.ps1, Export-MicrosoftApps.ps1). Re-run those to refresh data/*.json; this server picks up the new data on next start.