azure-ad-mgmt-interface-server
A modular FastMCP gateway for executing complex management tasks against Microsoft Entra ID via the Graph API. This service centralizes authentication and provides advanced operations for identity, group structure, application lifecycle management, and security auditing.
Author

hieuttmmo
Quick Info
Actions
Tags
EntraID Management Control Plane (MCP) Service
This server implements a modular, high-utility interface layer built upon the Microsoft Graph SDK, adhering to the FastMCP specification. It is engineered for secure, extensible interaction with Azure Active Directory (now Entra ID), focusing on operational efficiency and adherence to security best practices (like least privilege).
Core Capabilities
- Modular Design: Tools are segregated by resource domain (e.g.,
users.py,applications.py) withinsrc/msgraph_mcp_server/resources/, simplifying maintenance and feature addition. - Unified Authentication Context: Manages OAuth 2.0 token acquisition and refresh using centralized logic, providing a consistent
GraphClientinstance to all resource handlers. - **Identity Operations (Users/Groups):
- Comprehensive CRUD for Groups, including dynamic membership rules.
- Advanced user attribute querying, including role membership and transitive group inclusion.
- Application & SP Lifecycle: Full management capabilities for App Registrations and Service Principals, including permission view/assignment inspection.
- Security & Compliance: Tools for accessing Sign-In Logs, auditing user activities, and assessing Multi-Factor Authentication (MFA) enforcement across the tenant.
- Permissions Guidance: Built-in utilities to suggest required Graph scopes based on intended administrative actions, aiding in strict adherence to the principle of least privilege.
Architecture Overview
The structure follows a clear separation of concerns:
src/msgraph_mcp_server/ ├── auth/ # Handles token acquisition (GraphAuthManager). ├── resources/ # Contains resource-specific logic modules. │ ├── users.py │ ├── groups.py │ ├── applications.py │ ├── mfa.py │ └── permissions_helper.py # Scope recommendation logic. ├── utils/ # Shared utilities (client wrappers, credential helpers). └── server.py # Entry point for FastMCP registration.
Deployment and Initialization
Configuration requires an Azure AD Application Registration with appropriate secrets. Credentials must be stored securely in a local .env file, excluded from source control:
ini TENANT_ID=your-tenant-id CLIENT_ID=your-client-id CLIENT_SECRET=your-client-secret
To launch an interactive testing session:
bash fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'
Tool Reference (Selected List)
Identity Tools
search_users(query, ctx): Finds identities via display name or email address.get_privileged_users(ctx): Enumerates users assigned administrative directory roles.get_user_groups(user_id, ctx): Resolves all groups a user belongs to.
Group Administration Tools
create_group(ctx, group_data): Provisions a new Microsoft 365 or Security group.add_group_member(group_id, member_id, ctx): Assigns a principal to a group.update_group(group_id, ctx, group_data): Modifies group metadata (e.g., visibility, description).
Security & Compliance Tools
get_user_mfa_status(user_id, ctx): Checks the MFA registration state for a specific user.get_user_audit_logs(user_id, days=30): Retrieves recent directory administrative activities for an identity.reset_user_password_direct(...): Forces a password change, optionally generating a strong random value.
Application Management
list_applications(ctx, limit=100): Retrieves tenant-wide App Registrations.get_application_by_id(app_id, ctx): Fetches application manifest details, including granted API permissions.
Permissions Engineering
suggest_permissions_for_task(task_category, task_name): Maps human-readable tasks to necessary Graph API scopes to enforce minimal access rights.get_all_graph_permissions(): Dumps the complete set of accessible Graph permission scopes.
Required Graph API Permissions
This service necessitates broad read/write permissions across Identity and Security domains. Key scopes include:
| Permission Scope | Required For | Notes |
|---|---|---|
User.Read.All |
Basic user lookups | |
Group.ReadWrite.All |
Full group lifecycle management | |
Directory.Read.All |
Reading roles and general directory structure | |
AuditLog.Read.All |
Accessing security event logs | |
UserAuthenticationMethod.Read.All |
MFA status checks | |
Application.ReadWrite.All |
Managing App Registrations/SPNs |
Integration for AI Environments (e.g., Claude/Cursor)
For seamless integration into AI coding environments that utilize FastMCP plugins, specific installation commands are provided. Ensure that dependency resolution (--with) includes the necessary SDKs:
Claude Installation Example:
bash fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \ --with msgraph-sdk --with azure-identity --with msgraph-core \ -f /path/to/.env
Cursor Environment Configuration (Snippet from .cursor/mcp.json):
{ "EntraID Gateway": { "command": "uv", "args": [ ... ], "env": { "TENANT_ID": "<...", "CLIENT_ID": "<...", "CLIENT_SECRET": "<..." } } }
Security Warning: Never commit the configuration file containing actual secrets (CLIENT_SECRET, etc.) to version control.
License
MIT Licensed.
Related Concept: XMLHttpRequest (XHR): An older web API, integral to early Asynchronous JavaScript and XML (Ajax) patterns, enabling HTTP requests from a client without blocking the main thread. While superseded in modern contexts by fetch, it established the foundational principle of background server interaction that modern RESTful MCP interfaces rely upon for non-blocking administrative operations.
