
How to add EntraID MCP Server (Microsoft Graph) to Cursor
Manage Microsoft Entra ID via Graph API — users, groups, apps, MFA, sign-in logs, conditional access and more. Paste the config into ~/.cursor/mcp.json and restart Cursor.
Last updated June 14, 2026 · 39★ · stdio · apikey
Cursor config for EntraID MCP Server (Microsoft Graph)
Alternative install via the FastMCP CLI:
fastmcp install '/path/to/src/msgraph_mcp_server/server.py' --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core -f /path/to/.env

{
  "mcpServers": {
    "entraid-mcp-server-microsoft-graph": {
      "command": "uv",
      "args": [
        "run",
        "--with",
        "azure-core",
        "--with",
        "azure-identity",
        "--with",
        "fastmcp",
        "--with",
        "msgraph-core",
        "--with",
        "msgraph-sdk",
        "fastmcp",
        "run",
        "/path/to/src/msgraph_mcp_server/server.py"
      ],
      "env": {
        "TENANT_ID": "<your-tenant-id>",
        "CLIENT_ID": "<your-client-id>",
        "CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}

Setup steps
1. Open Cursor → Settings → MCP → Add new MCP server (or edit ~/.cursor/mcp.json directly).
2. Paste the EntraID MCP Server (Microsoft Graph) config into the "mcpServers" object.
3. Fill in the placeholder secrets, then save.
4. Cursor reloads MCP servers automatically; check Settings → MCP for a green status dot.
5. Ask Cursor to use one of EntraID MCP Server (Microsoft Graph)'s tools to confirm it is connected.
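Step 3 is where most misconfigurations happen: a placeholder left in place, a variable missing, or a secret pasted into the wrong key. The following validator is an added example written for this page, not code from the server project or from Cursor. It parses an mcp.json of the shape shown above and reports the problems a reviewer would look for before the file is saved. The two configs embedded in it are constructed for the demonstration; the GUIDs and secret are not real values.

```python
"""Sanity-check a Cursor mcp.json entry for the EntraID MCP server.

Added example for this page (not the project's own code). It flags
placeholder credentials that were never filled in, missing credential
variables, tenant/client IDs that are not GUIDs, and entries that do not
launch the server the way the documented config does.
"""
import json
import re

REQUIRED_ENV = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
# Placeholder values in the published template look like "<your-tenant-id>".
PLACEHOLDER = re.compile(r"^<.*>$")
# Entra tenant and application (client) IDs are GUIDs.
GUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def check_server(name, entry):
    """Return a list of human-readable problems for one mcpServers entry."""
    problems = []
    env = entry.get("env", {})
    for key in REQUIRED_ENV:
        value = env.get(key)
        if value is None:
            problems.append(f"{name}: env.{key} is missing")
        elif PLACEHOLDER.match(value):
            problems.append(f"{name}: env.{key} still holds the placeholder {value}")
        elif key in ("TENANT_ID", "CLIENT_ID") and not GUID.match(value):
            problems.append(f"{name}: env.{key} is not a GUID")

    # The documented launch is `uv run ... fastmcp run <path>/server.py`.
    args = entry.get("args", [])
    if entry.get("command") != "uv":
        problems.append(f"{name}: command should be 'uv'")
    if "fastmcp" not in args or "run" not in args:
        problems.append(f"{name}: args do not invoke 'fastmcp run'")
    if not any(str(a).endswith("server.py") for a in args):
        problems.append(f"{name}: args do not point at the server.py entry point")
    return problems


def check_config(text):
    """Parse an mcp.json document and return all problems found (empty list if clean)."""
    cfg = json.loads(text)
    servers = cfg.get("mcpServers")
    if not isinstance(servers, dict) or not servers:
        return ["no mcpServers object found"]
    problems = []
    for name, entry in servers.items():
        problems.extend(check_server(name, entry))
    return problems


def _template(tenant, client, secret):
    """Build a config in the shape of the page's template with the given env values."""
    return json.dumps({
        "mcpServers": {
            "entraid-mcp-server-microsoft-graph": {
                "command": "uv",
                "args": ["run", "--with", "azure-core", "--with", "azure-identity",
                         "--with", "fastmcp", "--with", "msgraph-core", "--with",
                         "msgraph-sdk", "fastmcp", "run",
                         "/path/to/src/msgraph_mcp_server/server.py"],
                "env": {"TENANT_ID": tenant, "CLIENT_ID": client, "CLIENT_SECRET": secret},
            }
        }
    })


# Constructed sample inputs: the unedited template, and one with made-up values filled in.
UNFILLED_CONFIG = _template("<your-tenant-id>", "<your-client-id>", "<your-client-secret>")
FILLED_CONFIG = _template("00000000-0000-0000-0000-000000000001",
                          "00000000-0000-0000-0000-000000000002",
                          "constructed-example-secret-not-real")

if __name__ == "__main__":
    for label, cfg in (("unfilled", UNFILLED_CONFIG), ("filled", FILLED_CONFIG)):
        found = check_config(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the real file with `check_config(open(os.path.expanduser("~/.cursor/mcp.json")).read())`; an empty list means the entry is complete. The check deliberately never prints the secret value itself, only the key name, so its output is safe to paste into a ticket.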
Before you start
- An Azure AD (Microsoft Entra ID) tenant
- An Azure AD app registration with TENANT_ID, CLIENT_ID and CLIENT_SECRET (or certificate-based auth)
- Appropriate Microsoft Graph application permissions granted and admin-consented (e.g. User.Read.All, Group.Read.All / Group.ReadWrite.All, Directory.Read.All, Policy.Read.All, AuditLog.Read.All, Application.ReadWrite.All)
- Python with uv and FastMCP, plus msgraph-sdk, azure-identity, azure-core and msgraph-core dependencies
What EntraID MCP Server (Microsoft Graph) can do in Cursor
search_users: Search users by name/email (optional limit).
get_user_by_id: Get user details by ID.
get_privileged_users: List all users in privileged directory roles.
get_user_roles: Get all directory roles assigned to a user.
get_user_groups: Get all groups (including transitive memberships) for a user.
get_all_groups: Get all groups, with paging (optional limit).
get_group_by_id: Get a specific group by its ID.
search_groups_by_name: Search for groups by display name.
Security
Authenticates with an Azure AD application using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Never commit secrets — `.env` and secret files are gitignored. Grant only the least-privileged Microsoft Graph permissions your tasks require. Note the server can perform high-impact write operations (reset user passwords, create/update/delete groups, applications and service principals, manage members/owners), so scope its app registration carefully.
EntraID MCP Server (Microsoft Graph) + Cursor FAQ
Where is the Cursor config file?
Cursor reads MCP servers from ~/.cursor/mcp.json. Paste the EntraID MCP Server (Microsoft Graph) config there under the "mcpServers" key and restart the client.
Is EntraID MCP Server (Microsoft Graph) safe to use with Cursor?
Authenticates with an Azure AD application using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Never commit secrets — `.env` and secret files are gitignored. Grant only the least-privileged Microsoft Graph permissions your tasks require. Note the server can perform high-impact write operations (reset user passwords, create/update/delete groups, applications and service principals, manage members/owners), so scope its app registration carefully.
Is this an official Microsoft server?
No. It is a community project by GitHub user hieuttmmo that wraps the Microsoft Graph API; it is not published by Microsoft.
How does it authenticate?
With an Azure AD app registration using TENANT_ID, CLIENT_ID and CLIENT_SECRET provided via environment variables or a config/.env file. Certificate-based auth is also optionally supported.
Which Microsoft Graph permissions are required?
Grant only what you need. The README lists application permissions such as User.Read.All, Directory.Read.All, Group.Read.All/Group.ReadWrite.All, Policy.Read.All, AuditLog.Read.All, RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All, User-PasswordProfile.ReadWrite.All, DeviceManagementManagedDevices.Read.All and Application.ReadWrite.All. Read-only group queries only need Group.Read.All and GroupMember.Read.All.