cipp-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| LOG_LEVEL | No | error, warn, info (default), or debug | |
| CIPP_API_KEY | No | Static Bearer token (use this OR the OAuth trio) | |
| CIPP_BASE_URL | No | Your CIPP deployment URL (e.g. https://cipp.yourdomain.com) | |
| MCP_HTTP_PORT | No | Port for HTTP mode (default: 8080) | |
| MCP_TRANSPORT | No | stdio (default) or http | |
| CIPP_CLIENT_ID | No | OAuth client ID issued by CIPP's API Client Management page | |
| CIPP_TENANT_ID | No | Entra tenant ID that owns the CIPP API-client app registration | |
| CIPP_TOKEN_URL | No | Override OAuth token endpoint (sovereign clouds only) | |
| CIPP_TOKEN_SCOPE | No | Override OAuth scope (default: <clientId>/.default) | |
| CIPP_CLIENT_SECRET | No | OAuth client secret paired with CIPP_CLIENT_ID |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| cipp_list_tenantsA | List all tenants managed in CIPP |
| cipp_get_tenant_detailsB | Get detailed information about a specific tenant |
| cipp_list_usersB | List users in a tenant |
| cipp_create_userA | ⚠ HIGH-IMPACT. Creates a new user account in the tenant, which grants directory presence and may include initial credentials and license/role eligibility. Reversible by deleting or disabling the user. Confirm with the user before invoking. |
| cipp_edit_userA | ⚠ HIGH-IMPACT. Edits an existing user's properties, which can include directory attributes, usage location, and may grant or revoke roles or license eligibility. Reversible by editing again. Confirm with the user before invoking. |
| cipp_disable_userA | ⚠ HIGH-IMPACT. Disables a user account, blocking sign-in. Reversible by re-enabling the account. Confirm with the user before invoking. |
| cipp_reset_passwordA | ⚠ HIGH-IMPACT. Resets a user's password, invalidating their current password. Reversible by setting a new password. Confirm with the user before invoking. |
| cipp_reset_mfaA | ⚠ HIGH-IMPACT. Resets all MFA methods for a user, requiring them to re-register their authentication methods. Reversible by re-enabling MFA. Confirm with the user before invoking. |
| cipp_revoke_sessionsA | ⚠ HIGH-IMPACT. Revokes all active sessions for a user, forcing them to re-authenticate. Reversible by the user signing in again. Confirm with the user before invoking. |
| cipp_offboard_userA | ⚠ DESTRUCTIVE — IRREVERSIBLE. Completely offboards a user by disabling their account, revoking sessions, removing group memberships, and optionally transferring data. This comprehensive action cannot be easily undone. Confirm with the user before invoking. |
| cipp_bec_checkB | Run a Business Email Compromise check on a user |
| cipp_list_mfa_usersA | List users and their MFA status in a tenant |
| cipp_list_user_devicesB | List devices enrolled by a user |
| cipp_list_user_groupsB | List groups a user is a member of |
| cipp_list_groupsC | List groups in a tenant |
| cipp_create_groupA | ⚠ HIGH-IMPACT. Creates a new group in the tenant, which can be used for security policy assignments (RBAC, Conditional Access) or mail distribution. Reversible by deleting the group. Confirm with the user before invoking. |
| cipp_list_mailboxesC | List mailboxes in a tenant |
| cipp_list_mailbox_permissionsB | List permissions on a specific mailbox |
| cipp_set_out_of_officeA | ⚠ HIGH-IMPACT. Configures the out-of-office / auto-reply for a mailbox, which causes automated messages to be sent to internal and/or external senders. Reversible by disabling the auto-reply. Confirm with the user before invoking. |
| cipp_set_email_forwardingA | ⚠ HIGH-IMPACT. Configures email forwarding on a mailbox, silently redirecting the user's incoming mail to another address. This is a common data-exfiltration vector. Reversible by removing the forwarding rule. Confirm with the user before invoking. |
| cipp_list_conditional_access_policiesC | List Conditional Access policies for a tenant |
| cipp_list_named_locationsC | List named locations (trusted IPs) for a tenant |
| cipp_list_enterprise_appsA | List enterprise applications (service principals) in a tenant — including third-party SaaS apps that customers have integrated via OAuth (Slack, Salesforce, Zoom, etc.). Returns appId, displayName, publisher, owner-org, signInAudience, tags, and creation date. Use tenantFilter='allTenants' for cross-tenant fan-out — CIPP handles per-tenant errors inline, so a 403 from one opt-out tenant returns as an error row rather than failing the call. Excludes Microsoft-built-in apps by default (owner org f8cdef31-…); pass includeBuiltIn=true to include them. |
| cipp_list_standardsB | List compliance standards configured for a tenant |
| cipp_run_standards_checkC | Trigger a standards compliance check for a tenant |
| cipp_list_standard_templatesA | List the CIPP Standards Templates configured across the partner tenant. |
| cipp_get_tenant_driftA | Report standards drift — settings that deviate from a tenant's assigned Standards Template. Omit tenantFilter to report drift across all tenants. |
| cipp_get_tenant_alignmentA | Report each tenant's alignment percentage against its assigned Standards Templates — the key signal for deciding which standards are safe to promote to Remediate. Omit tenantFilter to report on all tenants. |
| cipp_create_standard_templateA | ⚠ HIGH-IMPACT. Creates or updates a CIPP Standards Template (upsert by GUID). A template assigned to tenants with any Remediate-action standard WILL modify those tenants on the next standards run. Confirm with the user before invoking. |
| cipp_delete_standard_templateA | ⚠ HIGH-IMPACT. Permanently deletes a CIPP Standards Template by ID. Tenants assigned to it lose the standards it enforced. Confirm with the user before invoking. |
| cipp_list_bpaC | Get Best Practice Analyser results for a tenant |
| cipp_list_domain_healthA | Check domain health (DMARC, DKIM, SPF) for a tenant |
| cipp_list_licensesB | List license assignments and usage for a tenant |
| cipp_list_csp_licensesA | List all CSP licenses across tenants |
| cipp_list_audit_logsC | List audit log entries for a tenant |
| cipp_list_alert_queueA | List queued alerts across all tenants |
| cipp_list_gdap_rolesA | List available GDAP (Granular Delegated Admin Privileges) roles |
| cipp_list_gdap_invitesB | List pending GDAP relationship invites |
| cipp_list_scheduled_itemsA | List scheduled tasks in CIPP |
| cipp_add_scheduled_itemC | Create a new scheduled task |
| cipp_pingA | Check CIPP API connectivity |
| cipp_get_versionA | Get CIPP version information |
| cipp_list_logsC | List CIPP application logs |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wyre-technology/cipp-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server