cipp-mcp
CIPP MCP Server
MCP (Model Context Protocol) server for CIPP — the CyberDrain Improved Partner Portal. Provides AI assistants with structured access to CIPP's M365 multi-tenant management capabilities.
Features
37 tools across 11 categories
Tenant, user, group, and mailbox management
Security: Conditional Access policies, named locations
Standards & compliance: BPA, domain health, drift detection
License reporting (per-tenant and CSP-wide)
Alerts, audit logs, and scheduled tasks
GDAP role and invite management
Stdio and HTTP transport modes
MCP Gateway compatible
Prerequisites
Node.js 18+
A running CIPP deployment
CIPP API Key (generated from CIPP Settings → API Client Management)
Installation
Via npm (once published)
npx cipp-mcpFrom source
git clone https://github.com/wyre-technology/cipp-mcp
cd cipp-mcp
npm install
npm run buildConfiguration
Set these environment variables (or copy .env.example to .env):
Variable | Required | Description |
| Yes | Your CIPP deployment URL (e.g. |
| One of | Static Bearer token. Use this or the OAuth trio below. |
| One of | Entra tenant ID that owns the CIPP API-client app registration. |
| One of | OAuth client ID issued by CIPP's API Client Management page. |
| One of | OAuth client secret paired with |
| No | Override OAuth scope (default: |
| No | Override OAuth token endpoint (sovereign clouds only). |
| No |
|
| No | Port for HTTP mode (default: 8080) |
| No |
|
Usage with Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"cipp": {
"command": "node",
"args": ["/path/to/cipp-mcp/dist/entry.js"],
"env": {
"CIPP_BASE_URL": "https://cipp.yourdomain.com",
"CIPP_API_KEY": "your-api-key"
}
}
}
}Tools
Category | Tools |
Tenants | list_tenants, get_tenant_details |
Users | list_users, create_user, edit_user, disable_user, reset_password, reset_mfa, revoke_sessions, offboard_user, bec_check, list_mfa_users, list_user_devices, list_user_groups |
Groups | list_groups, create_group |
Mailboxes | list_mailboxes, list_mailbox_permissions, set_out_of_office, set_email_forwarding |
Security | list_conditional_access_policies, list_named_locations |
Standards | list_standards, run_standards_check, list_bpa, list_domain_health |
Licenses | list_licenses, list_csp_licenses |
Alerts | list_audit_logs, list_alert_queue |
GDAP | list_gdap_roles, list_gdap_invites |
Scheduler | list_scheduled_items, add_scheduled_item |
Core | ping, get_version, list_logs |
Authentication Setup
CIPP's API Client Management page provisions an Entra ID app registration and returns an OAuth client ID + client secret (not a long-lived Bearer token). The server exchanges these for a short-lived access token on each request using the OAuth 2.0 client-credentials flow, and caches the token until just before its expiry.
In CIPP, go to Settings → CIPP Settings → Integrations → CIPP-API
Create a new API client
Copy the Client ID and Client Secret — you will not be able to retrieve the secret later
Configure the server:
CIPP_BASE_URL=https://cipp.yourdomain.com CIPP_TENANT_ID=<your-entra-tenant-id> CIPP_CLIENT_ID=<client-id-from-cipp> CIPP_CLIENT_SECRET=<client-secret-from-cipp>
If you already have a static Bearer token (older CIPP deployments), set
CIPP_API_KEY instead and leave the OAuth variables unset. When both are
provided, CIPP_API_KEY wins.
License
Apache-2.0 — see LICENSE
Contributing
Issues and PRs welcome. This server is tracked against wyre-technology/msp-claude-plugins#24.
This server cannot be installed
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wyre-technology/cipp-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server