Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
LOG_LEVELNoerror, warn, info (default), or debug
CIPP_API_KEYNoStatic Bearer token (use this OR the OAuth trio)
CIPP_BASE_URLNoYour CIPP deployment URL (e.g. https://cipp.yourdomain.com)
MCP_HTTP_PORTNoPort for HTTP mode (default: 8080)
MCP_TRANSPORTNostdio (default) or http
CIPP_CLIENT_IDNoOAuth client ID issued by CIPP's API Client Management page
CIPP_TENANT_IDNoEntra tenant ID that owns the CIPP API-client app registration
CIPP_TOKEN_URLNoOverride OAuth token endpoint (sovereign clouds only)
CIPP_TOKEN_SCOPENoOverride OAuth scope (default: <clientId>/.default)
CIPP_CLIENT_SECRETNoOAuth client secret paired with CIPP_CLIENT_ID

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}

Tools

Functions exposed to the LLM to take actions

NameDescription
cipp_list_tenantsA

List all tenants managed in CIPP

cipp_get_tenant_detailsB

Get detailed information about a specific tenant

cipp_list_usersB

List users in a tenant

cipp_create_userA

⚠ HIGH-IMPACT. Creates a new user account in the tenant, which grants directory presence and may include initial credentials and license/role eligibility. Reversible by deleting or disabling the user. Confirm with the user before invoking.

cipp_edit_userA

⚠ HIGH-IMPACT. Edits an existing user's properties, which can include directory attributes, usage location, and may grant or revoke roles or license eligibility. Reversible by editing again. Confirm with the user before invoking.

cipp_disable_userA

⚠ HIGH-IMPACT. Disables a user account, blocking sign-in. Reversible by re-enabling the account. Confirm with the user before invoking.

cipp_reset_passwordA

⚠ HIGH-IMPACT. Resets a user's password, invalidating their current password. Reversible by setting a new password. Confirm with the user before invoking.

cipp_reset_mfaA

⚠ HIGH-IMPACT. Resets all MFA methods for a user, requiring them to re-register their authentication methods. Reversible by re-enabling MFA. Confirm with the user before invoking.

cipp_revoke_sessionsA

⚠ HIGH-IMPACT. Revokes all active sessions for a user, forcing them to re-authenticate. Reversible by the user signing in again. Confirm with the user before invoking.

cipp_offboard_userA

⚠ DESTRUCTIVE — IRREVERSIBLE. Completely offboards a user by disabling their account, revoking sessions, removing group memberships, and optionally transferring data. This comprehensive action cannot be easily undone. Confirm with the user before invoking.

cipp_bec_checkB

Run a Business Email Compromise check on a user

cipp_list_mfa_usersA

List users and their MFA status in a tenant

cipp_list_user_devicesB

List devices enrolled by a user

cipp_list_user_groupsB

List groups a user is a member of

cipp_list_groupsC

List groups in a tenant

cipp_create_groupA

⚠ HIGH-IMPACT. Creates a new group in the tenant, which can be used for security policy assignments (RBAC, Conditional Access) or mail distribution. Reversible by deleting the group. Confirm with the user before invoking.

cipp_list_mailboxesC

List mailboxes in a tenant

cipp_list_mailbox_permissionsB

List permissions on a specific mailbox

cipp_set_out_of_officeA

⚠ HIGH-IMPACT. Configures the out-of-office / auto-reply for a mailbox, which causes automated messages to be sent to internal and/or external senders. Reversible by disabling the auto-reply. Confirm with the user before invoking.

cipp_set_email_forwardingA

⚠ HIGH-IMPACT. Configures email forwarding on a mailbox, silently redirecting the user's incoming mail to another address. This is a common data-exfiltration vector. Reversible by removing the forwarding rule. Confirm with the user before invoking.

cipp_list_conditional_access_policiesC

List Conditional Access policies for a tenant

cipp_list_named_locationsC

List named locations (trusted IPs) for a tenant

cipp_list_enterprise_appsA

List enterprise applications (service principals) in a tenant — including third-party SaaS apps that customers have integrated via OAuth (Slack, Salesforce, Zoom, etc.). Returns appId, displayName, publisher, owner-org, signInAudience, tags, and creation date. Use tenantFilter='allTenants' for cross-tenant fan-out — CIPP handles per-tenant errors inline, so a 403 from one opt-out tenant returns as an error row rather than failing the call. Excludes Microsoft-built-in apps by default (owner org f8cdef31-…); pass includeBuiltIn=true to include them.

cipp_list_standardsB

List compliance standards configured for a tenant

cipp_run_standards_checkC

Trigger a standards compliance check for a tenant

cipp_list_standard_templatesA

List the CIPP Standards Templates configured across the partner tenant.

cipp_get_tenant_driftA

Report standards drift — settings that deviate from a tenant's assigned Standards Template. Omit tenantFilter to report drift across all tenants.

cipp_get_tenant_alignmentA

Report each tenant's alignment percentage against its assigned Standards Templates — the key signal for deciding which standards are safe to promote to Remediate. Omit tenantFilter to report on all tenants.

cipp_create_standard_templateA

⚠ HIGH-IMPACT. Creates or updates a CIPP Standards Template (upsert by GUID). A template assigned to tenants with any Remediate-action standard WILL modify those tenants on the next standards run. Confirm with the user before invoking.

cipp_delete_standard_templateA

⚠ HIGH-IMPACT. Permanently deletes a CIPP Standards Template by ID. Tenants assigned to it lose the standards it enforced. Confirm with the user before invoking.

cipp_list_bpaC

Get Best Practice Analyser results for a tenant

cipp_list_domain_healthA

Check domain health (DMARC, DKIM, SPF) for a tenant

cipp_list_licensesB

List license assignments and usage for a tenant

cipp_list_csp_licensesA

List all CSP licenses across tenants

cipp_list_audit_logsC

List audit log entries for a tenant

cipp_list_alert_queueA

List queued alerts across all tenants

cipp_list_gdap_rolesA

List available GDAP (Granular Delegated Admin Privileges) roles

cipp_list_gdap_invitesB

List pending GDAP relationship invites

cipp_list_scheduled_itemsA

List scheduled tasks in CIPP

cipp_add_scheduled_itemC

Create a new scheduled task

cipp_pingA

Check CIPP API connectivity

cipp_get_versionA

Get CIPP version information

cipp_list_logsC

List CIPP application logs

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/wyre-technology/cipp-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server