
How to add EntraID MCP Server (Microsoft Graph) to Claude Desktop
Manage Microsoft Entra ID via Graph API — users, groups, apps, MFA, sign-in logs, conditional access and more. Paste the config into ~/Library/Application Support/Claude/claude_desktop_config.json and restart Claude Desktop.
Last updated June 14, 2026 · 39★ · stdio · apikey
Claude Desktop config for EntraID MCP Server (Microsoft Graph)
fastmcp install '/path/to/src/msgraph_mcp_server/server.py' --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core -f /path/to/.env

{
  "mcpServers": {
    "entraid-mcp-server-microsoft-graph": {
      "command": "uv",
      "args": [
        "run",
        "--with",
        "azure-core",
        "--with",
        "azure-identity",
        "--with",
        "fastmcp",
        "--with",
        "msgraph-core",
        "--with",
        "msgraph-sdk",
        "fastmcp",
        "run",
        "/path/to/src/msgraph_mcp_server/server.py"
      ],
      "env": {
        "TENANT_ID": "<your-tenant-id>",
        "CLIENT_ID": "<your-client-id>",
        "CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}

Setup steps
1. Open Claude Desktop → Settings → Developer → Edit Config (this opens ~/Library/Application Support/Claude/claude_desktop_config.json).
2. Paste the EntraID MCP Server (Microsoft Graph) config below under the top-level "mcpServers" key.
3. Fill in any placeholder secrets (API keys, paths) in the snippet.
4. Save the file, then fully quit and reopen Claude Desktop.
5. Open a chat and confirm EntraID MCP Server (Microsoft Graph)'s tools appear under the 🔌 tools menu.
Before you start
- An Azure AD (Microsoft Entra ID) tenant
- An Azure AD app registration with TENANT_ID, CLIENT_ID and CLIENT_SECRET (or certificate-based auth)
- Appropriate Microsoft Graph application permissions granted and admin-consented (e.g. User.Read.All, Group.Read.All / Group.ReadWrite.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All, Application.ReadWrite.All, etc.)
- Python with uv and FastMCP, plus msgraph-sdk, azure-identity, azure-core and msgraph-core dependencies
What EntraID MCP Server (Microsoft Graph) can do in Claude Desktop
- search_users: Search users by name/email (optional limit).
- get_user_by_id: Get user details by ID.
- get_privileged_users: List all users in privileged directory roles.
- get_user_roles: Get all directory roles assigned to a user.
- get_user_groups: Get all groups (including transitive memberships) for a user.
- get_all_groups: Get all groups, with paging (optional limit).
- get_group_by_id: Get a specific group by its ID.
- search_groups_by_name: Search for groups by display name.
Security
Authenticates with an Azure AD application using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Never commit secrets — `.env` and secret files are gitignored. Grant only the least-privileged Microsoft Graph permissions your tasks require. Note the server can perform high-impact write operations (reset user passwords, create/update/delete groups, applications and service principals, manage members/owners), so scope its app registration carefully.
EntraID MCP Server (Microsoft Graph) + Claude Desktop FAQ
Where is the Claude Desktop config file?
Claude Desktop reads MCP servers from ~/Library/Application Support/Claude/claude_desktop_config.json. Paste the EntraID MCP Server (Microsoft Graph) config there under the "mcpServers" key and restart the client.
Is EntraID MCP Server (Microsoft Graph) safe to use with Claude Desktop?
Authenticates with an Azure AD application using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Never commit secrets — `.env` and secret files are gitignored. Grant only the least-privileged Microsoft Graph permissions your tasks require. Note the server can perform high-impact write operations (reset user passwords, create/update/delete groups, applications and service principals, manage members/owners), so scope its app registration carefully.
Is this an official Microsoft server?
No. It is a community project by GitHub user hieuttmmo that wraps the Microsoft Graph API; it is not published by Microsoft.
How does it authenticate?
With an Azure AD app registration using TENANT_ID, CLIENT_ID and CLIENT_SECRET provided via environment variables or a config/.env file. Certificate-based auth is also optionally supported.
Which Microsoft Graph permissions are required?
Grant only what you need. The README lists application permissions such as User.Read.All, Directory.Read.All, Group.Read.All/Group.ReadWrite.All, Policy.Read.All, AuditLog.Read.All, RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All, User-PasswordProfile.ReadWrite.All, DeviceManagementManagedDevices.Read.All and Application.ReadWrite.All. Read-only group queries only need Group.Read.All and GroupMember.Read.All.
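To check the least-privilege advice in the Security section and the permissions answer above, the following added example (not code from the EntraID MCP Server project) reads the `roles` claim of an app-only Microsoft Graph access token, which lists the application permissions actually granted, and flags anything write-capable or outside a read-only baseline. The baseline set, the function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Read-only baseline built from permissions this page names; trim it to your tasks.
READ_ONLY_BASELINE = frozenset({
    "User.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Directory.Read.All", "Policy.Read.All", "AuditLog.Read.All",
    "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All",
    "DeviceManagementManagedDevices.Read.All",
})


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(roles: list) -> str:
    """Build an unsigned, constructed sample token; not a real Entra ID token."""
    return ".".join([_b64url({"alg": "none"}), _b64url({"roles": roles}), "sig"])


def token_roles(jwt: str) -> list:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    roles = json.loads(base64.urlsafe_b64decode(padded)).get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("'roles' claim is not a list")
    return roles


def audit_roles(roles, baseline=READ_ONLY_BASELINE) -> dict:
    """Flag granted application permissions that exceed the baseline."""
    return {
        # Heuristic (assumption): write permissions carry "Write" in their name.
        "write_capable": sorted(r for r in roles if "Write" in r),
        "not_in_baseline": sorted(r for r in roles if r not in baseline),
    }


if __name__ == "__main__":
    sample = constructed_token(
        ["User.Read.All", "Group.ReadWrite.All", "User-PasswordProfile.ReadWrite.All"])
    print(json.dumps(audit_roles(token_roles(sample)), indent=2))
```

For a real check, pass the token string obtained for the app registration with the `https://graph.microsoft.com/.default` scope instead of the constructed sample, and treat any non-empty `write_capable` list as a prompt to review the app registration's consented permissions.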