eait1200/entraid-mcp-server
The EntraID MCP Server is an enhanced FastMCP server designed for comprehensive interaction with the Microsoft Graph API, focusing on user lifecycle management and identity operations.
EntraID MCP Server (Enhanced with User Lifecycle Management)
This project provides a comprehensive, modular FastMCP server for interacting with Microsoft Graph API. It is designed for extensibility, maintainability, and security, supporting advanced queries for users, sign-in logs, MFA status, privileged users, and complete user lifecycle management.
Enhanced Features
Complete User Lifecycle Management
- Create, update, and delete users
- Enable/disable user accounts
- Manage user properties (department, job title, office location, manager, etc.)
- Set manager relationships
- Bulk user operations
Comprehensive Identity Operations
- Modular Resource Structure: Each resource (users, groups, applications, etc.) is implemented in its own module under `src/msgraph_mcp_server/resources/`
- Centralized Graph Client: Handles authentication and client initialization, shared by all resource modules
- Full Group Lifecycle & Membership Management: Create, read, update, delete groups; manage members and owners
- Application & Service Principal Management: Complete CRUD operations for app registrations and service principals
- Sign-in Log Operations: Query and analyze user sign-in patterns
- MFA Operations: Monitor and assess multi-factor authentication status
- Password Management: Reset passwords with secure generation options
- Permissions Helper: Get Microsoft Graph permission recommendations
- Error Handling & Logging: Consistent error handling and progress reporting via FastMCP context
Project Structure
```
src/msgraph_mcp_server/
├── auth/                      # Authentication logic (GraphAuthManager)
├── resources/                 # Resource modules
│   ├── users.py               # Enhanced: Complete user lifecycle management
│   ├── groups.py              # Group operations and membership management
│   ├── applications.py        # Application (app registration) operations
│   ├── service_principals.py  # Service principal operations
│   ├── signin_logs.py         # Sign-in log operations
│   ├── mfa.py                 # MFA status operations
│   ├── managed_devices.py     # Device management operations
│   ├── conditional_access.py  # Conditional access policy operations
│   ├── audit_logs.py          # Directory audit log operations
│   ├── password_auth.py       # Password authentication methods
│   └── permissions_helper.py  # Graph permissions utilities
├── utils/                     # Core GraphClient and utilities
│   ├── graph_client.py        # Microsoft Graph client wrapper
│   └── password_generator.py  # Secure password generation
├── server.py                  # Enhanced: FastMCP server with new user management tools
└── __init__.py                # Package marker
```
Getting Started
1. Setup
- Clone this enhanced repository
- Create a `config/.env` file with your Azure AD credentials:
```
TENANT_ID=your-tenant-id
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
```
- Install dependencies: `uv sync` or `pip install -e .`
2. Azure AD App Permissions
Required Microsoft Graph API Permissions:
| Permission | Type | Description |
|---|---|---|
| AuditLog.Read.All | Application | Read all audit log data |
| AuthenticationContext.Read.All | Application | Read authentication context |
| DeviceManagementManagedDevices.Read.All | Application | Read Intune devices |
| Directory.Read.All | Application | Read directory data |
| Group.ReadWrite.All | Application | Full group management |
| Policy.Read.All | Application | Read policies |
| RoleManagement.Read.Directory | Application | Read directory RBAC |
| UserAuthenticationMethod.Read.All | Application | Read user auth methods |
| Application.ReadWrite.All | Application | Manage applications and service principals |
| User.ReadWrite.All (new) | Application | Complete user lifecycle management |
3. Testing & Development
Test your enhanced MCP server directly using the FastMCP CLI:
```
fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'
```
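The three setup steps above end with credentials sitting in `config/.env` and a server started against them. The following added example (not the project's own code, and not its `GraphAuthManager`) shows the check a practitioner would want to run on that file before any Graph client is built: parse the `KEY=VALUE` lines, reject values that are missing or still hold the README's `your-tenant-id` style placeholders, require GUIDs for the tenant and client IDs, and produce a copy of the settings with the client secret masked so the configuration can be logged safely. It uses only the standard library; the sample `.env` content and all IDs in it are constructed.

```python
"""Added example (not the project's own code): load the config/.env file from
the Setup step and refuse to start on missing, placeholder, or malformed
credentials. Standard library only; the real server builds its Graph client
with azure-identity and msgraph-sdk on top of values like these."""
import os
import re
from pathlib import Path

REQUIRED_KEYS = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
# Entra ID tenant and application (client) IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
# The README sample uses "your-tenant-id" style placeholders; catch them.
PLACEHOLDER_RE = re.compile(r"^<?your-", re.IGNORECASE)

# Constructed sample content, equivalent to a filled-in config/.env (fake values).
SAMPLE_ENV = """
# Entra ID app registration used by the MCP server
TENANT_ID=11111111-2222-3333-4444-555555555555
CLIENT_ID="66666666-7777-8888-9999-aaaaaaaaaaaa"
CLIENT_SECRET='not-a-real-secret-value-0123456789'
"""


def parse_env(text):
    """Parse KEY=VALUE lines: skips blanks and comments, drops a leading
    'export ', and strips one pair of matching surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def validate_settings(settings):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    for key in REQUIRED_KEYS:
        value = settings.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER_RE.match(value):
            problems.append(f"{key} still holds the README placeholder")
        elif key != "CLIENT_SECRET" and not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID")
    return problems


def redact(settings):
    """Copy of the settings that is safe to log: the client secret is masked."""
    return {k: ("***" if k == "CLIENT_SECRET" else v) for k, v in settings.items()}


def load_settings(path):
    """Read config/.env, let real environment variables override it, and
    raise instead of handing bad credentials to a Graph client."""
    settings = parse_env(Path(path).read_text(encoding="utf-8"))
    for key in REQUIRED_KEYS:
        if os.environ.get(key):
            settings[key] = os.environ[key]
    problems = validate_settings(settings)
    if problems:
        raise ValueError("refusing to start: " + "; ".join(problems))
    return settings


if __name__ == "__main__":
    checked = parse_env(SAMPLE_ENV)
    print("problems:", validate_settings(checked))   # prints: problems: []
    print("settings:", redact(checked))
```

Call `load_settings("config/.env")` once at server start-up; letting real environment variables override the file keeps the Cursor-style `env` block and the `.env` file from silently disagreeing, and `redact()` is what should reach any log line.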
Available Tools
Enhanced User Management Tools
- `search_users(query, ctx, limit=10)`: Search users by name/email
- `get_user_by_id(user_id, ctx)`: Get user details by ID
- `get_privileged_users(ctx)`: List all users in privileged directory roles
- `get_user_roles(user_id, ctx)`: Get all directory roles assigned to a user
- `get_user_groups(user_id, ctx)`: Get all groups for a user
- `update_user(user_id, ctx, user_data)` (new): Update user properties (department, job title, etc.)
- `enable_user(user_id, ctx)` (new): Enable a user account
- `disable_user(user_id, ctx)` (new): Disable a user account
- `create_user(ctx, user_data)` (new): Create a new user
- `delete_user(user_id, ctx)` (new): Delete a user
- `set_user_manager(user_id, manager_id, ctx)` (new): Set a user's manager
- `remove_user_manager(user_id, ctx)` (new): Remove a user's manager
Group Management Tools
- `get_all_groups(ctx, limit=100)`: Get all groups
- `get_group_by_id(group_id, ctx)`: Get specific group details
- `search_groups_by_name(name, ctx, limit=50)`: Search groups by name
- `get_group_members(group_id, ctx, limit=100)`: Get group members
- `create_group(ctx, group_data)`: Create new groups
- `update_group(group_id, ctx, group_data)`: Update existing groups
- `delete_group(group_id, ctx)`: Delete groups
- `add_group_member(group_id, member_id, ctx)`: Add members to groups
- `remove_group_member(group_id, member_id, ctx)`: Remove members from groups
Security & Compliance Tools
- `get_user_sign_ins(user_id, ctx, days=7)`: Get sign-in logs
- `get_user_mfa_status(user_id, ctx)`: Get MFA status for users
- `get_group_mfa_status(group_id, ctx)`: Get MFA status for group members
- `get_conditional_access_policies(ctx)`: Get conditional access policies
- `get_user_audit_logs(user_id, days=30)`: Get audit logs for users
- `reset_user_password_direct(user_id, password, ctx)`: Reset user passwords
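`reset_user_password_direct` takes the new password as an argument, and the feature list mentions `password_generator.py` for "secure generation options". The added example below is not the project's generator; it shows how such a value should be produced and handed to Graph: characters drawn from the OS CSPRNG (`secrets`, never `random`), a guarantee that all four character classes are present so the result meets the Entra ID cloud password policy (8 to 256 characters, at least three of the four classes), a secrets-driven shuffle so the guaranteed characters do not sit at predictable positions, and the Graph `passwordProfile` fragment with `forceChangePasswordNextSignIn` set so an admin-chosen password is only ever temporary. The symbol subset is my own choice.

```python
"""Added example (not the project's own password_generator.py): generate a
reset password from the OS CSPRNG that satisfies the Entra ID cloud password
policy and wrap it in the Graph passwordProfile shape with a forced change at
next sign-in."""
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Conservative symbol subset (assumption: accepted by Entra ID and harmless in
# most shells and URLs). Extend it if your own policy needs more.
SYMBOLS = "!@#$%^&*-_+=?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
MIN_LEN, MAX_LEN = 8, 256


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def meets_policy(password):
    """True when length and class requirements hold and every character is
    drawn from ALPHABET (so nothing Graph would reject slips through)."""
    return (MIN_LEN <= len(password) <= MAX_LEN
            and character_classes(password) >= 3
            and all(c in ALPHABET for c in password))


def generate_password(length=24):
    """Generate a password with every character class present.
    One character per class is drawn first, the rest from the full alphabet,
    then the list is shuffled with a secrets-driven Fisher-Yates. random.shuffle
    is avoided because it uses the Mersenne Twister, which is not a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    password = "".join(chars)
    assert meets_policy(password)
    return password


def password_profile(password, force_change=True):
    """Request-body fragment for a Graph user update: the passwordProfile
    property. forceChangePasswordNextSignIn makes the user replace this
    value on first use, so the reset password never becomes a long-term one."""
    if not meets_policy(password):
        raise ValueError("password does not satisfy the Entra ID cloud policy")
    return {"passwordProfile": {"password": password,
                                "forceChangePasswordNextSignIn": force_change}}


if __name__ == "__main__":
    pw = generate_password()
    # Report shape only; the password itself should not be logged.
    print("length", len(pw), "classes", character_classes(pw))
```

Pairing the generated value with `forceChangePasswordNextSignIn: true` is the part that matters operationally: the value transits the tool call and the chat transcript, so treating it as single-use limits how long that exposure is worth anything.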
Application Management Tools
- `list_applications(ctx, limit=100)`: List app registrations
- `get_application_by_id(app_id, ctx)`: Get application details
- `create_application(ctx, app_data)`: Create applications
- `update_application(app_id, ctx, app_data)`: Update applications
- `delete_application(app_id, ctx)`: Delete applications
Device Management Tools
- `get_all_managed_devices(ctx, filter_os=None)`: Get managed devices
- `get_managed_devices_by_user(user_id, ctx)`: Get devices for specific users
Usage Examples with Claude
With the enhanced user management capabilities, you can now ask Claude to perform comprehensive HR and IT administration tasks:
User Onboarding:
- "Create a new user account for Sarah Wilson joining as HR Director in the Seattle office"
- "Set up accounts for these 5 new hires in the Engineering department"
User Management:
- "Change John Doe's department to Finance and set Alice Johnson as his manager"
- "Update all Marketing team members to work from Building B, Floor 3"
- "Move the entire Sales team to the new Dallas office location"
User Offboarding:
- "Disable Mike Davis's account and remove his manager assignment"
- "Show me all disabled users from the last 30 days"
- "Disable all users in the Marketing department who haven't signed in for 90 days"
Bulk Operations:
- "Update job titles for all users in the Finance department"
- "Set usage location to 'US' for all users without a location"
- "Enable all previously disabled intern accounts"
Organizational Changes:
- "Show me all users reporting to John Smith and reassign them to Jane Doe"
- "Find all users in the IT department and update their office location"
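Several of the prompts above are criteria-based bulk changes, for example "Disable all users in the Marketing department who haven't signed in for 90 days". The added example below (not the project's own code) shows the shape such an operation should take before `disable_user` is ever called: select candidates from user records, produce a plan that lists who would be disabled and why everyone else was skipped, and only touch the directory on an explicit confirmation. It assumes Graph user records carrying the real `signInActivity` property (`lastSignInDateTime` and `lastNonInteractiveSignInDateTime`); the `disable_fn` callback stands in for the server's tool, and the sample records, IDs and the fixed clock are constructed. One edge case is handled deliberately: a user with no recorded sign-in is reported for manual review rather than disabled, because "no data" is not the same as "inactive".

```python
"""Added example (not the project's own code): plan a criteria-based bulk
disable as a reviewable dry run. Nothing here calls Microsoft Graph."""
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape returned by Graph /users when
# signInActivity is selected (ids, names and domain are fake).
SAMPLE_USERS = [
    {"id": "u-alice", "userPrincipalName": "alice@contoso.example", "department": "Marketing",
     "accountEnabled": True, "signInActivity": {"lastSignInDateTime": "2024-05-28T09:12:00Z"}},
    {"id": "u-bob", "userPrincipalName": "bob@contoso.example", "department": "Marketing",
     "accountEnabled": True, "signInActivity": {"lastSignInDateTime": "2024-01-15T17:40:00Z"}},
    {"id": "u-carol", "userPrincipalName": "carol@contoso.example", "department": "Marketing",
     "accountEnabled": True},  # no signInActivity: never signed in, or data outside retention
    {"id": "u-dave", "userPrincipalName": "dave@contoso.example", "department": "Marketing",
     "accountEnabled": False, "signInActivity": {"lastSignInDateTime": "2023-11-02T08:00:00Z"}},
    {"id": "u-erin", "userPrincipalName": "erin@contoso.example", "department": "Engineering",
     "accountEnabled": True, "signInActivity": {"lastSignInDateTime": "2024-01-02T08:00:00Z"}},
    {"id": "u-frank", "userPrincipalName": "frank@contoso.example", "department": "Marketing",
     "accountEnabled": True, "signInActivity": {"lastSignInDateTime": "2024-01-01T08:00:00Z",
                                                "lastNonInteractiveSignInDateTime": "2024-05-30T08:00:00Z"}},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_seen(user):
    """Most recent of interactive and non-interactive sign-in, or None."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_graph_time(activity[k]) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime") if activity.get(k)]
    return max(stamps) if stamps else None


def plan_bulk_disable(users, department, days, now=None, exclusions=()):
    """Select enabled users of `department` whose last sign-in is older than
    `days`. Returns a plan with 'disable' entries and 'skip' (upn, reason)
    pairs; nothing is changed in the directory here."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    excluded = {upn.lower() for upn in exclusions}   # e.g. break-glass accounts
    plan = {"disable": [], "skip": []}
    for user in users:
        if user.get("department") != department:
            continue
        upn = user["userPrincipalName"]
        if not user.get("accountEnabled"):
            plan["skip"].append((upn, "already disabled"))
            continue
        if upn.lower() in excluded:
            plan["skip"].append((upn, "on exclusion list"))
            continue
        seen = last_seen(user)
        if seen is None:
            plan["skip"].append((upn, "no sign-in activity recorded; review manually"))
        elif seen < cutoff:
            plan["disable"].append({"id": user["id"], "userPrincipalName": upn,
                                    "lastSeen": seen.isoformat()})
        else:
            plan["skip"].append((upn, "active"))
    return plan


def apply_plan(plan, disable_fn, confirm=False):
    """Call disable_fn(user_id) for each planned entry only when confirm is
    True and return what it produced; a dry run returns []."""
    if not confirm:
        return []
    return [disable_fn(entry["id"]) for entry in plan["disable"]]


if __name__ == "__main__":
    plan = plan_bulk_disable(SAMPLE_USERS, "Marketing", 90, now=NOW)
    for entry in plan["disable"]:
        print("would disable", entry["userPrincipalName"], "last seen", entry["lastSeen"])
    for upn, reason in plan["skip"]:
        print("skip", upn, ":", reason)
```

Presenting the plan back in the conversation and requiring a second, explicit confirmation before `apply_plan(..., confirm=True)` is the control that keeps a misread prompt from turning into a mass lock-out; the skip reasons are what make that review quick.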
Using with Claude or Cursor
Using with Claude (Anthropic)
```
fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \
  --with msgraph-sdk --with azure-identity --with azure-core --with msgraph-core \
  -f /path/to/.env
```
Using with Cursor
Add to your `.cursor/mcp.json`:
```json
{
  "EntraID MCP Server": {
    "command": "uv",
    "args": [
      "run",
      "--with", "azure-core",
      "--with", "azure-identity",
      "--with", "fastmcp",
      "--with", "msgraph-core",
      "--with", "msgraph-sdk",
      "fastmcp",
      "run",
      "/path/to/src/msgraph_mcp_server/server.py"
    ],
    "env": {
      "TENANT_ID": "<your-tenant-id>",
      "CLIENT_ID": "<your-client-id>",
      "CLIENT_SECRET": "<your-client-secret>"
    }
  }
}
```
Security & Best Practices
- Never commit secrets: `.env` files are gitignored
- Use least privilege: Grant only necessary Microsoft Graph permissions
- Audit & monitor: All operations are logged in Azure AD audit logs
- Input validation: All user inputs are validated and sanitized
- Error handling: Comprehensive error handling with proper user feedback
What's New in This Enhanced Version
Complete User Lifecycle Management
- Create users with full profile information
- Update any user property (department, job title, contact info, etc.)
- Enable/disable accounts for onboarding/offboarding
- Manage manager relationships and organizational hierarchy
- Delete users when necessary
Enterprise-Ready Operations
- Bulk user operations for organizational changes
- Comprehensive error handling and validation
- Audit trail support for compliance
- Integration with existing group and role management
Claude AI Integration
- Natural language user management through conversational AI
- Intelligent bulk operations based on criteria
- Automated workflow suggestions
- Context-aware user administration
Contributing
This enhanced version builds on the excellent foundation of the original EntraID MCP Server. Contributions are welcome! Please ensure:
- All new features include proper error handling
- User management operations are thoroughly tested
- Security best practices are followed
- Documentation is updated for new capabilities
License
MIT
Ready to transform your identity management with AI-powered automation!