A Python MCP server for Microsoft Entra ID (Azure AD) directory, user, group, device, sign-in, and security operations via Microsoft Graph.
This project provides a modular, resource-oriented FastMCP server for interacting with Microsoft Graph API. It is designed for extensibility, maintainability, and security, supporting advanced queries for users, sign-in logs, MFA status, and privileged users.
## Features

- Resource modules live under `src/msgraph_mcp_server/resources/`, one module per Microsoft Graph resource type.
- Security: `.env` and secret files are excluded from version control.

## Project Structure

```
src/msgraph_mcp_server/
├── auth/                     # Authentication logic (GraphAuthManager)
├── resources/                # Resource modules (users, signin_logs, mfa, ...)
│   ├── users.py              # User operations (search, get by ID, etc.)
│   ├── signin_logs.py        # Sign-in log operations
│   ├── mfa.py                # MFA status operations
│   ├── permissions_helper.py # Graph permissions utilities and suggestions
│   ├── applications.py       # Application (app registration) operations
│   ├── service_principals.py # Service principal operations
│   └── ...                   # Other resource modules
├── utils/                    # Core GraphClient and other utilities, such as the password generator
├── server.py                 # FastMCP server entry point (registers tools/resources)
├── __init__.py               # Package marker
```
## Configuration

Create a `config/.env` file with your Azure AD credentials:

```env
TENANT_ID=your-tenant-id
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
```

## Development

You can test and develop your MCP server directly using the FastMCP CLI:

```bash
fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'
```

This launches an interactive development environment with the MCP Inspector. For more information and advanced usage, see the FastMCP documentation.
## Available Tools

### Users

- `search_users(query, ctx, limit=10)` — Search users by name/email
- `get_user_by_id(user_id, ctx)` — Get user details by ID
- `get_privileged_users(ctx)` — List all users in privileged directory roles
- `get_user_roles(user_id, ctx)` — Get all directory roles assigned to a user
- `get_user_groups(user_id, ctx)` — Get all groups (including transitive memberships) for a user

### Groups

- `get_all_groups(ctx, limit=100)` — Get all groups (with paging)
- `get_group_by_id(group_id, ctx)` — Get a specific group by its ID
- `search_groups_by_name(name, ctx, limit=50)` — Search for groups by display name
- `get_group_members(group_id, ctx, limit=100)` — Get members of a group by group ID
- `create_group(ctx, group_data)` — Create a new group (see below for `group_data` fields)
- `update_group(group_id, ctx, group_data)` — Update an existing group (fields: displayName, mailNickname, description, visibility)
- `delete_group(group_id, ctx)` — Delete a group by its ID
- `add_group_member(group_id, member_id, ctx)` — Add a member (user, group, device, etc.) to a group
- `remove_group_member(group_id, member_id, ctx)` — Remove a member from a group
- `add_group_owner(group_id, owner_id, ctx)` — Add an owner to a group
- `remove_group_owner(group_id, owner_id, ctx)` — Remove an owner from a group

**Group Creation/Update Example:** `group_data` for `create_group` and `update_group` should be a dictionary with keys such as:

- `displayName` (required for create)
- `mailNickname` (required for create)
- `description` (optional)
- `groupTypes` (optional, e.g., `["Unified"]`)
- `mailEnabled` (optional)
- `securityEnabled` (optional)
- `visibility` (optional, "Private" or "Public")
- `owners` (optional, list of user IDs)
- `members` (optional, list of IDs)
- `membershipRule` (required for dynamic groups)
- `membershipRuleProcessingState` (optional, "On" or "Paused")

See the `groups.py` docstrings for more details on supported fields and behaviors.
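The field rules above are easy to get wrong when an agent assembles `group_data` by hand (a dynamic group without a `membershipRule`, a `visibility` value Graph rejects). The following is an added example, not the project's `groups.py`: a small builder and validator for the `create_group` payload. It assumes the standard Microsoft Graph group semantics, which the page does not spell out: a Microsoft 365 group has `groupTypes ["Unified"]`, `mailEnabled true`, `securityEnabled false`; a security group has the inverse; a dynamic group adds `"DynamicMembership"` to `groupTypes` and needs a `membershipRule`. The `kind` parameter and the function names are illustrative.

```python
# Added example (not the project's groups.py): build and validate a group_data
# dictionary for create_group according to the field rules listed above.
# Assumed Graph semantics (not stated on this page):
#   m365 group     -> groupTypes ["Unified"], mailEnabled True,  securityEnabled False
#   security group -> groupTypes [],          mailEnabled False, securityEnabled True
#   dynamic group  -> "DynamicMembership" added to groupTypes, membershipRule required
import re

# mailNickname must not contain whitespace or any of @ ( ) \ [ ] " ; : < > ,
_NICKNAME_RE = re.compile(r"^[^\s@()\\\[\]\";:<>,]+$")

VALID_VISIBILITY = {"Private", "Public"}
VALID_PROCESSING_STATE = {"On", "Paused"}


def build_group_data(display_name, mail_nickname, kind="security", description=None,
                     visibility=None, owners=None, members=None,
                     membership_rule=None, processing_state="On"):
    """Return a group_data dict suitable for create_group, or raise ValueError."""
    if not display_name or not display_name.strip():
        raise ValueError("displayName is required")
    if not mail_nickname or not _NICKNAME_RE.match(mail_nickname):
        raise ValueError("mailNickname is required and must not contain whitespace or @()\\[]\";:<>,")
    if kind not in ("security", "m365"):
        raise ValueError("kind must be 'security' or 'm365'")

    data = {
        "displayName": display_name.strip(),
        "mailNickname": mail_nickname,
        "mailEnabled": kind == "m365",
        "securityEnabled": kind == "security",
        "groupTypes": ["Unified"] if kind == "m365" else [],
    }
    if description:
        data["description"] = description
    if visibility is not None:
        if visibility not in VALID_VISIBILITY:
            raise ValueError("visibility must be 'Private' or 'Public'")
        data["visibility"] = visibility
    if owners:
        data["owners"] = list(owners)
    if members:
        data["members"] = list(members)
    if membership_rule is not None:
        # A dynamic group: the rule is mandatory and the processing state is constrained.
        if not membership_rule.strip():
            raise ValueError("membershipRule is required for dynamic groups")
        if processing_state not in VALID_PROCESSING_STATE:
            raise ValueError("membershipRuleProcessingState must be 'On' or 'Paused'")
        data["groupTypes"].append("DynamicMembership")
        data["membershipRule"] = membership_rule
        data["membershipRuleProcessingState"] = processing_state
    return data


def validate_group_data(data):
    """Check an already-built group_data dict; return a list of problems (empty means OK)."""
    problems = []
    if not data.get("displayName"):
        problems.append("displayName is required for create")
    if not data.get("mailNickname"):
        problems.append("mailNickname is required for create")
    if "DynamicMembership" in data.get("groupTypes", []) and not data.get("membershipRule"):
        problems.append("membershipRule is required for dynamic groups")
    if "visibility" in data and data["visibility"] not in VALID_VISIBILITY:
        problems.append("visibility must be 'Private' or 'Public'")
    if ("membershipRuleProcessingState" in data
            and data["membershipRuleProcessingState"] not in VALID_PROCESSING_STATE):
        problems.append("membershipRuleProcessingState must be 'On' or 'Paused'")
    return problems


if __name__ == "__main__":
    # Constructed sample: a private, dynamic Microsoft 365 group for one department.
    payload = build_group_data("Engineering", "engineering", kind="m365", visibility="Private",
                               membership_rule='(user.department -eq "Engineering")')
    print(payload, validate_group_data(payload))
```

Running the validator before `create_group` turns a Graph 400 into a local error message, and keeps an agent from silently creating a static group when it meant a dynamic one.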
### Sign-ins, MFA, Devices, Policies, Audit Logs and Passwords

- `get_user_sign_ins(user_id, ctx, days=7)` — Get sign-in logs for a user
- `get_user_mfa_status(user_id, ctx)` — Get MFA status for a user
- `get_group_mfa_status(group_id, ctx)` — Get MFA status for all group members
- `get_all_managed_devices(filter_os=None)` — Get all managed devices (optionally filter by OS)
- `get_managed_devices_by_user(user_id)` — Get all managed devices for a specific user
- `get_conditional_access_policies(ctx)` — Get all conditional access policies
- `get_conditional_access_policy_by_id(policy_id, ctx)` — Get a single conditional access policy by its ID
- `get_user_audit_logs(user_id, days=30)` — Get all relevant directory audit logs for a user by user_id within the last N days
- `reset_user_password_direct(user_id, password=None, require_change_on_next_sign_in=True, generate_password=False, password_length=12)` — Reset a user's password with a specific password value or generate a secure random password

### Permission Helpers

- `suggest_permissions_for_task(task_category, task_name)` — Suggest Microsoft Graph permissions for a specific task based on common mappings
- `list_permission_categories_and_tasks()` — List all available categories and tasks for permission suggestions
- `get_all_graph_permissions()` — Get all Microsoft Graph permissions directly from the Microsoft Graph API
- `search_permissions(search_term, permission_type=None)` — Search for Microsoft Graph permissions by keyword

### Applications

- `list_applications(ctx, limit=100)` — List all applications (app registrations) in the tenant, with paging
- `get_application_by_id(app_id, ctx)` — Get a specific application by its object ID (includes app role assignments and delegated permissions)
- `create_application(ctx, app_data)` — Create a new application (see below for `app_data` fields)
- `update_application(app_id, ctx, app_data)` — Update an existing application (fields: displayName, signInAudience, tags, identifierUris, web, api, requiredResourceAccess)
- `delete_application(app_id, ctx)` — Delete an application by its object ID

**Application Creation/Update Example:** `app_data` for `create_application` and `update_application` should be a dictionary with keys such as:

- `displayName` (required for create)
- `signInAudience` (optional)
- `tags` (optional)
- `identifierUris` (optional)
- `web` (optional)
- `api` (optional)
- `requiredResourceAccess` (optional)

### Service Principals

- `list_service_principals(ctx, limit=100)` — List all service principals in the tenant, with paging
- `get_service_principal_by_id(sp_id, ctx)` — Get a specific service principal by its object ID (includes app role assignments and delegated permissions)
- `create_service_principal(ctx, sp_data)` — Create a new service principal (see below for `sp_data` fields)
- `update_service_principal(sp_id, ctx, sp_data)` — Update an existing service principal (fields: displayName, accountEnabled, tags, appRoleAssignmentRequired)
- `delete_service_principal(sp_id, ctx)` — Delete a service principal by its object ID

**Service Principal Creation/Update Example:** `sp_data` for `create_service_principal` and `update_service_principal` should be a dictionary with keys such as:

- `appId` (required for create)
- `accountEnabled` (optional)
- `tags` (optional)
- `appRoleAssignmentRequired` (optional)
- `displayName` (optional)

### Resources

- `greeting://{name}` — Returns a personalized greeting

## Extending the Server

- Add new resource modules to `resources/` (e.g., `groups.py`, `devices.py`).
- Register new tools in `server.py` using the FastMCP `@mcp.tool()` decorator.
- Use `GraphClient` for all API calls.

## Security

- `.env` and other sensitive files are gitignored.

## Required Microsoft Graph Permissions

| API / Permission | Type | Description |
|---|---|---|
| AuditLog.Read.All | Application | Read all audit log data |
| AuthenticationContext.Read.All | Application | Read all authentication context information |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
| Directory.Read.All | Application | Read directory data |
| Group.Read.All | Application | Read all groups |
| GroupMember.Read.All | Application | Read all group memberships |
| Group.ReadWrite.All | Application | Create, update, delete groups; manage group members and owners |
| Policy.Read.All | Application | Read your organization's policies |
| RoleManagement.Read.Directory | Application | Read all directory RBAC settings |
| User.Read.All | Application | Read all users' full profiles |
| User-PasswordProfile.ReadWrite.All | Application | Least privileged permission to update the passwordProfile property |
| UserAuthenticationMethod.Read.All | Application | Read all users' authentication methods |
| Application.ReadWrite.All | Application | Create, update, and delete applications (app registrations) and service principals |

Note: `Group.ReadWrite.All` is required for group creation, update, deletion, and for adding/removing group members or owners. `Group.Read.All` and `GroupMember.Read.All` are sufficient for read-only group and membership queries.

All of these are application permissions: they apply tenant-wide and need no signed-in user, so anyone holding `CLIENT_SECRET` can exercise them. Consent only to the permissions the tools you actually expose require, and treat the write permissions (`Group.ReadWrite.All`, `Application.ReadWrite.All`, `User-PasswordProfile.ReadWrite.All`) as optional unless the corresponding write tools are in use.
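Deciding which of the permissions above to consent to is a least-privilege question that is easy to answer mechanically once the tool set is fixed. The block below is an added example, not the project's `permissions_helper.py`: it maps tool names to the permissions in the table and computes the minimal consent set for a chosen subset of tools. The tool-to-permission mapping is an assumption inferred from the table descriptions and the note above (only the group rule is stated explicitly on this page), so check it against the Graph calls in your own resource modules; the function names are illustrative.

```python
# Added example, not the project's permissions_helper.py: compute the minimal set
# of application permissions to consent for the tools you actually expose.
# ASSUMPTION: the tool -> permission mapping is inferred from the permissions table
# and its note; verify it against the Graph calls made by each resource module.
TOOL_PERMISSIONS = {
    "search_users": {"User.Read.All"},
    "get_user_by_id": {"User.Read.All"},
    "get_privileged_users": {"RoleManagement.Read.Directory", "User.Read.All"},
    "get_user_roles": {"RoleManagement.Read.Directory"},
    "get_user_groups": {"GroupMember.Read.All"},
    "get_all_groups": {"Group.Read.All"},
    "get_group_members": {"GroupMember.Read.All"},
    "create_group": {"Group.ReadWrite.All"},
    "add_group_member": {"Group.ReadWrite.All"},
    "get_user_sign_ins": {"AuditLog.Read.All"},
    "get_user_mfa_status": {"UserAuthenticationMethod.Read.All"},
    "get_all_managed_devices": {"DeviceManagementManagedDevices.Read.All"},
    "get_conditional_access_policies": {"Policy.Read.All"},
    "get_user_audit_logs": {"AuditLog.Read.All"},
    "reset_user_password_direct": {"User-PasswordProfile.ReadWrite.All"},
    "create_application": {"Application.ReadWrite.All"},
    "create_service_principal": {"Application.ReadWrite.All"},
}


def required_permissions(tools):
    """Union of the permissions needed by `tools`, as a sorted list.

    Group.ReadWrite.All already covers Group.Read.All and GroupMember.Read.All,
    so the read-only group permissions are dropped when the write one is present.
    """
    unknown = sorted(set(tools) - TOOL_PERMISSIONS.keys())
    if unknown:
        raise KeyError(f"no permission mapping for: {', '.join(unknown)}")
    perms = set().union(*(TOOL_PERMISSIONS[t] for t in tools))
    if "Group.ReadWrite.All" in perms:
        perms -= {"Group.Read.All", "GroupMember.Read.All"}
    return sorted(perms)


def write_permissions(perms):
    """The subset of `perms` that grants tenant-wide write access; review these separately."""
    return sorted(p for p in perms if "ReadWrite" in p)


def unused_permissions(granted, tools):
    """Permissions consented on the app registration that no exposed tool needs."""
    return sorted(set(granted) - set(required_permissions(tools)))


if __name__ == "__main__":
    # Constructed sample: a read-only investigation profile plus one write tool.
    exposed = ["search_users", "get_user_sign_ins", "get_user_mfa_status", "get_user_groups",
               "get_conditional_access_policies", "reset_user_password_direct"]
    needed = required_permissions(exposed)
    print("consent to:", needed)
    print("write permissions to justify:", write_permissions(needed))
    print("remove from app registration:", unused_permissions(["Directory.Read.All"] + needed, exposed))
```

Run this against the list of tools registered in `server.py` before consenting to the table wholesale; the `write_permissions` output is the list to justify in a review, and `unused_permissions` finds grants that survived from an earlier configuration.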
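`reset_user_password_direct` can generate a password for the user when `generate_password=True`, and the page mentions a password generator under `utils/`. The following is an added example, not the project's own generator: it draws from the OS CSPRNG via `secrets`, guarantees a character from every class, and checks the result against Entra ID's password policy. The policy limits (8 to 256 characters, at least three of the four character classes, the listed symbol set) are assumed from Entra's published requirements and are not stated on this page.

```python
# Added example, not the project's utils password generator: a random password for
# reset_user_password_direct that satisfies the Entra ID password policy.
# ASSUMPTION (Entra policy, not on this page): 8-256 characters, at least three of
# four classes (upper, lower, digit, symbol); this generator uses all four.
import secrets
import string

SYMBOLS = "@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>"   # symbol set Entra accepts (space omitted)
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)
MIN_LENGTH, MAX_LENGTH = 8, 256


def generate_password(length=16):
    """Return `length` characters with at least one from every class, CSPRNG-driven."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    # One guaranteed character per class, the rest drawn from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle with secrets.randbelow so the guaranteed characters
    # do not sit at predictable positions (random.shuffle would use Mersenne Twister).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password):
    """True if length is in range, every character is allowed, and >= 3 classes are present."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        return False
    if any(c not in ALPHABET for c in password):
        return False
    present = sum(any(c in cls for c in password) for cls in CLASSES)
    return present >= 3


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw))
```

The tool's default `password_length=12` passes this policy, but length is free here, so 16 or more costs nothing. Whatever generates the value, the reset should still set `forceChangePasswordNextSignIn` (the tool's `require_change_on_next_sign_in=True` default) so the generated password is only ever a one-time credential.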
## Installing as a Claude MCP Tool

To install and run this server as a Claude MCP tool, use:

```bash
fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \
  --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core \
  -f /path/to/.env
```

Replace `/path/to/` with your actual project path. The `-f` flag points to your `.env` file (never commit secrets!).

## Cursor Configuration

Add the following to your `.cursor/mcp.json` (do not include actual secrets in version control):

```json
{
  "EntraID MCP Server": {
    "command": "uv",
    "args": [
      "run",
      "--with", "azure-core",
      "--with", "azure-identity",
      "--with", "fastmcp",
      "--with", "msgraph-core",
      "--with", "msgraph-sdk",
      "fastmcp",
      "run",
      "/path/to/src/msgraph_mcp_server/server.py"
    ],
    "env": {
      "TENANT_ID": "<your-tenant-id>",
      "CLIENT_ID": "<your-client-id>",
      "CLIENT_SECRET": "<your-client-secret>"
    }
  }
}
```

Replace `/path/to/` and the environment variables with your actual values.

## License

MIT