Microsoft-Graph-MCP

JackInSightsV2/Microsoft-Graph-MCP


The Microsoft Graph MCP Server provides AI assistants with secure access to Microsoft Graph API, enabling them to manage user data, Azure AD resources, and perform administrative tasks.

Microsoft Graph MCP Server

An MCP (Model Context Protocol) server that provides AI assistants with secure access to Microsoft Graph API. Access user data, manage Azure AD resources, and perform administrative tasks through your AI assistant.

Authentication Modes

🔍 Read-Only Mode (Device Code Flow)

  • No client secret required
  • Opens browser for user authentication
  • Limited to user-delegated permissions
  • Perfect for exploring data and read-only operations

✏️ App Registration Mode (Client Secret Flow)

  • Requires Azure AD app registration with client secret
  • Full administrative capabilities
  • Application permissions for automated operations
  • Can be scoped to specific permissions you need

Quick Setup

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "graph-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--init",
        "-e",
        "LOG_LEVEL=INFO",
        "-v",
        "graph-mcp-server:/tmp",
        "ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest"
      ]
    }
  }
}

Warp AI

Add to your MCP configuration:

{
  "graph-mcp": {
    "command": "docker",
    "args": [
      "run",
      "--rm",
      "-i",
      "--init",
      "-e",
      "LOG_LEVEL=INFO",
      "-v",
      "graph-mcp-server:/tmp",
      "ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest"
    ],
    "env": {},
    "working_directory": null,
    "start_on_launch": true
  }
}

Configuration Options

Environment Variables

Set these in your MCP configuration or Docker environment:

  • AZURE_CLIENT_ID: Your Azure AD application client ID
  • AZURE_TENANT_ID: Your Azure AD tenant ID
  • AZURE_CLIENT_SECRET: Your client secret (optional; needed only for application permissions in App Registration Mode)

With Client Secret in MCP Config

{
  "mcpServers": {
    "graph-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--init",
        "-e",
        "AZURE_CLIENT_ID=your-client-id",
        "-e",
        "AZURE_TENANT_ID=your-tenant-id",
        "-e",
        "AZURE_CLIENT_SECRET=your-client-secret",
        "-v",
        "graph-mcp-server:/tmp",
        "ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest"
      ]
    }
  }
}

Without Client Secret (Write Mode; the server will prompt for the secret every time you launch it)

{
  "mcpServers": {
    "graph-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "--init",
        "-e",
        "AZURE_CLIENT_ID=your-client-id",
        "-e",
        "AZURE_TENANT_ID=your-tenant-id",
        "-v",
        "graph-mcp-server:/tmp",
        "ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest"
      ]
    }
  }
}
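The three configurations above differ only in which AZURE_* variables reach the container, and that is also what decides the authentication mode described earlier (device code flow when none are set, client secret flow when the secret is present). The following script is an added example, not part of the Microsoft-Graph-MCP project: it reads a config in the claude_desktop_config.json shape, extracts the `-e` variables from the docker arguments, reports the resulting mode, and flags two things an operator should check before shipping the file: a client secret written inline into the config (plaintext on disk) and a container image referenced by tag rather than digest. The sample config is constructed here using the README's placeholder values.

```python
import json

SECRET_VAR = "AZURE_CLIENT_SECRET"
ID_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID")

# Constructed sample in the shape of claude_desktop_config.json; the
# "your-..." strings are the README's placeholders, not real credentials.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "graph-mcp": {
            "command": "docker",
            "args": [
                "run", "--rm", "-i", "--init",
                "-e", "AZURE_CLIENT_ID=your-client-id",
                "-e", "AZURE_TENANT_ID=your-tenant-id",
                "-e", "AZURE_CLIENT_SECRET=your-client-secret",
                "-v", "graph-mcp-server:/tmp",
                "ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest",
            ],
        }
    }
})


def docker_env_args(args):
    """Map NAME -> value for every `-e NAME=value` in a docker run arg list.
    `-e NAME` with no `=` makes docker copy the value from the host
    environment at launch, so it maps to None (nothing stored in the file)."""
    env = {}
    i = 0
    while i < len(args):
        if args[i] in ("-e", "--env") and i + 1 < len(args):
            name, sep, value = args[i + 1].partition("=")
            env[name] = value if sep else None
            i += 2
        else:
            i += 1
    return env


def classify_mode(env):
    """Auth mode implied by which AZURE_* variables the container receives."""
    if SECRET_VAR in env:
        return "app-registration"   # client secret flow
    if all(k in env for k in ID_VARS):
        return "write-prompt"       # secret requested at every launch
    return "read-only"              # device code flow in the browser


def audit_server(server):
    """Return {"mode": ..., "findings": [...]} for one mcpServers entry."""
    args = server.get("args", [])
    env = docker_env_args(args)
    # Warp-style configs also carry an "env" object; treat it the same way.
    env.update(server.get("env", {}))
    findings = []
    if env.get(SECRET_VAR):
        findings.append(
            "client secret is stored in plaintext in the MCP config file; "
            "pass `-e AZURE_CLIENT_SECRET` with no value so docker reads it "
            "from the host environment, or use `--env-file` on a file with "
            "restricted permissions")
    image = args[-1] if args else ""
    if image and "@sha256:" not in image:
        findings.append(
            f"image {image!r} is referenced by tag, not digest; pin it with "
            "@sha256:... so the container you run is the one you reviewed")
    return {"mode": classify_mode(env), "findings": findings}


def audit_config(config_text):
    """Audit every server in a claude_desktop_config.json-style document."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: audit_server(s) for name, s in servers.items()}


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: mode={result['mode']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against your real config file with `audit_config(open(path).read())`. The `-e NAME` form with no value is standard docker behaviour, so it works with the container as published; only the place the secret lives changes.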

Azure AD App Registration Setup

Required App Registration Permissions

For full write access, configure these application permissions in your Azure AD app registration:

User Management
  • User.ReadWrite.All - Read and write all users' full profiles
  • User.ManageIdentities.All - Manage user identities
  • UserAuthenticationMethod.ReadWrite.All - Read and write authentication methods
Group Management
  • Group.ReadWrite.All - Read and write all groups
  • GroupMember.ReadWrite.All - Read and write group memberships
Device Management
  • Device.ReadWrite.All - Read and write devices
  • DeviceManagementConfiguration.ReadWrite.All - Read and write device configuration
  • DeviceManagementManagedDevices.ReadWrite.All - Read and write managed devices
Application Management
  • Application.ReadWrite.All - Read and write applications
  • AppRoleAssignment.ReadWrite.All - Read and write app role assignments
Directory Management
  • Directory.ReadWrite.All - Read and write directory data
  • RoleManagement.ReadWrite.Directory - Read and write directory roles
Security & Compliance
  • SecurityEvents.ReadWrite.All - Read and write security events
  • IdentityRiskEvent.ReadWrite.All - Read and write identity risk events
Mail & Calendar (if needed)
  • Mail.ReadWrite - Read and write mail
  • Calendars.ReadWrite - Read and write calendars
Files & Sites (if needed)
  • Files.ReadWrite.All - Read and write files
  • Sites.ReadWrite.All - Read and write sites

Scoped Permissions

You can scope your app registration to only the permissions you need. For example, for user management only:

  • User.ReadWrite.All
  • Group.ReadWrite.All
  • Directory.Read.All
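A scoped registration only stays scoped if someone compares what is actually granted with what was intended. The following is an added example, not part of the project: it takes the full "write access" permission list from the section above and the README's "user management only" scope, and reports the surplus grants (with the ones that can change who else is privileged, such as directory role and application write permissions, listed first), anything the intended scope still lacks, and, for a deployment meant to stay read-only, every write permission that slipped in. The permission names are the ones the README lists; the high-impact set is this example's own classification.

```python
# All application permissions the README lists for "full write access".
FULL_WRITE_PERMISSIONS = [
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "UserAuthenticationMethod.ReadWrite.All",
    "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "Device.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "SecurityEvents.ReadWrite.All", "IdentityRiskEvent.ReadWrite.All",
    "Mail.ReadWrite", "Calendars.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
]

# The README's "user management only" scope.
USER_MANAGEMENT_SCOPE = ["User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"]

# Example's own classification: permissions that let the holder change who else
# is privileged (directory roles, app credentials, app role assignments).
HIGH_IMPACT = {
    "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}


def is_write_permission(name):
    """Graph permission names carry ReadWrite/Manage in their action segment."""
    action = name.split(".")[1] if "." in name else name
    return action.startswith("ReadWrite") or action.startswith("Manage")


def compare_scope(granted, intended, read_only_intended=False):
    """Diff the granted permissions against the intended scope.
    Returns surplus grants (high-impact ones separated), missing ones and,
    when the deployment is meant to be read-only, every write grant."""
    granted, intended = set(granted), set(intended)
    surplus = granted - intended
    return {
        "surplus_high_impact": sorted(surplus & HIGH_IMPACT),
        "surplus_other": sorted(surplus - HIGH_IMPACT),
        "missing": sorted(intended - granted),
        "write_grants": sorted(p for p in granted if is_write_permission(p))
        if read_only_intended else [],
    }


def report(granted, intended, read_only_intended=False):
    """Human-readable lines, most consequential findings first."""
    result = compare_scope(granted, intended, read_only_intended)
    labels = (("surplus_high_impact", "REMOVE (privilege-changing)"),
              ("surplus_other", "remove (not in intended scope)"),
              ("missing", "add (in intended scope, not granted)"),
              ("write_grants", "write permission in read-only deployment"))
    return [f"{label}: {perm}" for key, label in labels for perm in result[key]]


if __name__ == "__main__":
    # A registration that received the full list but is only used for user management.
    print("\n".join(report(FULL_WRITE_PERMISSIONS, USER_MANAGEMENT_SCOPE)))
```

Feed `granted` from the app registration's API permissions as exported from the portal or Graph, and `intended` from whatever scope you documented for the deployment; the read-only flag is for registrations that back the Read-Only Mode described at the top of the page.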

What It Does

  • User Management - Create, update, delete, and manage Azure AD users
  • Group Management - Manage groups and group memberships
  • Device Management - Monitor and manage devices
  • Application Management - Manage Azure AD applications and service principals
  • Security Operations - Access security events and risk data
  • Directory Operations - Read and write directory information
  • Mail & Calendar - Access user mail and calendar data (with permissions)

License

MIT License - see file for details.