
EntraID MCP Server (Microsoft Graph)
Manage Microsoft Entra ID via Graph API — users, groups, apps, MFA, sign-in logs, conditional access and more.
Add to your client
Copy the config for your MCP client and paste it into its config file.
fastmcp install '/path/to/src/msgraph_mcp_server/server.py' --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core -f /path/to/.env
Paste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "entraid-mcp-server-microsoft-graph": {
      "command": "uv",
      "args": [
        "run",
        "--with",
        "azure-core",
        "--with",
        "azure-identity",
        "--with",
        "fastmcp",
        "--with",
        "msgraph-core",
        "--with",
        "msgraph-sdk",
        "fastmcp",
        "run",
        "/path/to/src/msgraph_mcp_server/server.py"
      ],
      "env": {
        "TENANT_ID": "<your-tenant-id>",
        "CLIENT_ID": "<your-client-id>",
        "CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}
Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- An Azure AD (Microsoft Entra ID) tenant
- An Azure AD app registration with TENANT_ID, CLIENT_ID and CLIENT_SECRET (or certificate-based auth)
- Appropriate Microsoft Graph application permissions granted and admin-consented (e.g. User.Read.All, Group.Read.All / Group.ReadWrite.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All, Application.ReadWrite.All, etc.)
- Python with uv and FastMCP, plus msgraph-sdk, azure-identity, azure-core and msgraph-core dependencies
About EntraID MCP Server (Microsoft Graph)
EntraID MCP Server is a FastMCP-based server that wraps the Microsoft Graph API to administer Microsoft Entra ID (Azure AD). It provides a broad set of tools for managing users, groups, applications, service principals, devices, conditional access policies, MFA status, sign-in and audit logs, and password resets, plus a permissions helper for discovering and applying least-privilege Graph permissions. Resources are organized into modules for maintainability and easy extension.
Tools & capabilities (39)
- `search_users`: Search users by name/email (optional limit).
- `get_user_by_id`: Get user details by ID.
- `get_privileged_users`: List all users in privileged directory roles.
- `get_user_roles`: Get all directory roles assigned to a user.
- `get_user_groups`: Get all groups (including transitive memberships) for a user.
- `get_all_groups`: Get all groups, with paging (optional limit).
- `get_group_by_id`: Get a specific group by its ID.
- `search_groups_by_name`: Search for groups by display name.
- `get_group_members`: Get members of a group by group ID.
- `create_group`: Create a new group from a group_data dictionary (displayName, mailNickname, groupTypes, etc.).
- `update_group`: Update an existing group (displayName, mailNickname, description, visibility).
- `delete_group`: Delete a group by its ID.
- `add_group_member`: Add a member (user, group, device, etc.) to a group.
- `remove_group_member`: Remove a member from a group.
- `add_group_owner`: Add an owner to a group.
- `remove_group_owner`: Remove an owner from a group.
- `get_user_sign_ins`: Get sign-in logs for a user for the last X days (default 7).
- `get_user_mfa_status`: Get MFA status for a user.
- `get_group_mfa_status`: Get MFA status for all members of a group.
- `get_all_managed_devices`: Get all managed (Intune) devices, optionally filtered by OS.
- `get_managed_devices_by_user`: Get all managed devices for a specific user.
- `get_conditional_access_policies`: Get all conditional access policies.
- `get_conditional_access_policy_by_id`: Get a single conditional access policy by its ID.
- `get_user_audit_logs`: Get all relevant directory audit logs for a user within the last N days (default 30).
- `reset_user_password_direct`: Reset a user's password with a specific value or an auto-generated secure password; optionally require change on next sign-in.
- `suggest_permissions_for_task`: Suggest Microsoft Graph permissions for a specific task based on common mappings.
- `list_permission_categories_and_tasks`: List all available categories and tasks for permission suggestions.
- `get_all_graph_permissions`: Get all Microsoft Graph permissions directly from the Microsoft Graph API.
- `search_permissions`: Search for Microsoft Graph permissions by keyword (optional permission_type).
- `list_applications`: List all applications (app registrations) in the tenant, with paging.
- `get_application_by_id`: Get a specific application by object ID, including app role assignments and delegated permissions.
- `create_application`: Create a new application from an app_data dictionary (displayName required).
- `update_application`: Update an existing application (displayName, signInAudience, tags, identifierUris, web, api, requiredResourceAccess).
- `delete_application`: Delete an application by its object ID.
- `list_service_principals`: List all service principals in the tenant, with paging.
- `get_service_principal_by_id`: Get a specific service principal by object ID, including app role assignments and delegated permissions.
- `create_service_principal`: Create a new service principal from an sp_data dictionary (appId required).
- `update_service_principal`: Update an existing service principal (displayName, accountEnabled, tags, appRoleAssignmentRequired).
- `delete_service_principal`: Delete a service principal by its object ID.
When to use it
- Audit and investigate identity activity — pull a user's sign-in logs, directory audit logs, roles, group memberships and MFA status.
- Manage Entra ID groups end to end: create, update, delete, and add/remove members and owners.
- Administer app registrations and service principals, including reviewing app role assignments and delegated permissions.
- Reset user passwords with custom or auto-generated secure values during incident response.
- Review tenant security posture by listing conditional access policies and privileged users.
- Discover and apply least-privilege Microsoft Graph permissions for a given administrative task.
Security notes
Authenticates with an Azure AD application using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Never commit secrets — `.env` and secret files are gitignored. Grant only the least-privileged Microsoft Graph permissions your tasks require. Note the server can perform high-impact write operations (reset user passwords, create/update/delete groups, applications and service principals, manage members/owners), so scope its app registration carefully.
EntraID MCP Server (Microsoft Graph) FAQ
Is this an official Microsoft server?
No. It is a community project by GitHub user hieuttmmo that wraps the Microsoft Graph API; it is not published by Microsoft.
How does it authenticate?
With an Azure AD app registration using TENANT_ID, CLIENT_ID and CLIENT_SECRET provided via environment variables or a config/.env file. Certificate-based auth is also optionally supported.
Which Microsoft Graph permissions are required?
Grant only what you need. The README lists application permissions such as User.Read.All, Directory.Read.All, Group.Read.All/Group.ReadWrite.All, Policy.Read.All, AuditLog.Read.All, RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All, User-PasswordProfile.ReadWrite.All, DeviceManagementManagedDevices.Read.All and Application.ReadWrite.All. Read-only group queries only need Group.Read.All and GroupMember.Read.All.
How do I run it with Claude or Cursor?
For Claude, use the `fastmcp install` command pointing at server.py with the required --with dependencies and -f for your .env. For Cursor, add the provided config block to .cursor/mcp.json using `uv run ... fastmcp run /path/to/server.py` and set the TENANT_ID/CLIENT_ID/CLIENT_SECRET env vars.