logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

azure-ad-mgmt-interface-server

A modular FastMCP gateway for executing complex management tasks against Microsoft Entra ID via the Graph API. This service centralizes authentication and provides advanced operations for identity, group structure, application lifecycle management, and security auditing.

Author

azure-ad-mgmt-interface-server logo

hieuttmmo

No License

Quick Info

GitHub GitHub Stars 24
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Tags

apisrequestsentraidmicrosoft graphgraph resourcesentraid mcp

EntraID Management Control Plane (MCP) Service

This server implements a modular, high-utility interface layer built upon the Microsoft Graph SDK, adhering to the FastMCP specification. It is engineered for secure, extensible interaction with Azure Active Directory (now Entra ID), focusing on operational efficiency and adherence to security best practices (like least privilege).

Core Capabilities

  • Modular Design: Tools are segregated by resource domain (e.g., users.py, applications.py) within src/msgraph_mcp_server/resources/, simplifying maintenance and feature addition.
  • Unified Authentication Context: Manages OAuth 2.0 token acquisition and refresh using centralized logic, providing a consistent GraphClient instance to all resource handlers.
  • **Identity Operations (Users/Groups):
  • Comprehensive CRUD for Groups, including dynamic membership rules.
  • Advanced user attribute querying, including role membership and transitive group inclusion.
  • Application & SP Lifecycle: Full management capabilities for App Registrations and Service Principals, including permission view/assignment inspection.
  • Security & Compliance: Tools for accessing Sign-In Logs, auditing user activities, and assessing Multi-Factor Authentication (MFA) enforcement across the tenant.
  • Permissions Guidance: Built-in utilities to suggest required Graph scopes based on intended administrative actions, aiding in strict adherence to the principle of least privilege.

Architecture Overview

The structure follows a clear separation of concerns:

src/msgraph_mcp_server/ ├── auth/ # Handles token acquisition (GraphAuthManager). ├── resources/ # Contains resource-specific logic modules. │ ├── users.py │ ├── groups.py │ ├── applications.py │ ├── mfa.py │ └── permissions_helper.py # Scope recommendation logic. ├── utils/ # Shared utilities (client wrappers, credential helpers). └── server.py # Entry point for FastMCP registration.

Deployment and Initialization

Configuration requires an Azure AD Application Registration with appropriate secrets. Credentials must be stored securely in a local .env file, excluded from source control:

ini TENANT_ID=your-tenant-id CLIENT_ID=your-client-id CLIENT_SECRET=your-client-secret

To launch an interactive testing session:

bash fastmcp dev '/path/to/src/msgraph_mcp_server/server.py'

Tool Reference (Selected List)

Identity Tools

  • search_users(query, ctx): Finds identities via display name or email address.
  • get_privileged_users(ctx): Enumerates users assigned administrative directory roles.
  • get_user_groups(user_id, ctx): Resolves all groups a user belongs to.

Group Administration Tools

  • create_group(ctx, group_data): Provisions a new Microsoft 365 or Security group.
  • add_group_member(group_id, member_id, ctx): Assigns a principal to a group.
  • update_group(group_id, ctx, group_data): Modifies group metadata (e.g., visibility, description).

Security & Compliance Tools

  • get_user_mfa_status(user_id, ctx): Checks the MFA registration state for a specific user.
  • get_user_audit_logs(user_id, days=30): Retrieves recent directory administrative activities for an identity.
  • reset_user_password_direct(...): Forces a password change, optionally generating a strong random value.

Application Management

  • list_applications(ctx, limit=100): Retrieves tenant-wide App Registrations.
  • get_application_by_id(app_id, ctx): Fetches application manifest details, including granted API permissions.

Permissions Engineering

  • suggest_permissions_for_task(task_category, task_name): Maps human-readable tasks to necessary Graph API scopes to enforce minimal access rights.
  • get_all_graph_permissions(): Dumps the complete set of accessible Graph permission scopes.

Required Graph API Permissions

This service necessitates broad read/write permissions across Identity and Security domains. Key scopes include:

Permission Scope Required For Notes
User.Read.All Basic user lookups
Group.ReadWrite.All Full group lifecycle management
Directory.Read.All Reading roles and general directory structure
AuditLog.Read.All Accessing security event logs
UserAuthenticationMethod.Read.All MFA status checks
Application.ReadWrite.All Managing App Registrations/SPNs

Integration for AI Environments (e.g., Claude/Cursor)

For seamless integration into AI coding environments that utilize FastMCP plugins, specific installation commands are provided. Ensure that dependency resolution (--with) includes the necessary SDKs:

Claude Installation Example:

bash fastmcp install '/path/to/src/msgraph_mcp_server/server.py' \ --with msgraph-sdk --with azure-identity --with msgraph-core \ -f /path/to/.env

Cursor Environment Configuration (Snippet from .cursor/mcp.json):

{ "EntraID Gateway": { "command": "uv", "args": [ ... ], "env": { "TENANT_ID": "<...", "CLIENT_ID": "<...", "CLIENT_SECRET": "<..." } } }

Security Warning: Never commit the configuration file containing actual secrets (CLIENT_SECRET, etc.) to version control.

License

MIT Licensed.


Related Concept: XMLHttpRequest (XHR): An older web API, integral to early Asynchronous JavaScript and XML (Ajax) patterns, enabling HTTP requests from a client without blocking the main thread. While superseded in modern contexts by fetch, it established the foundational principle of background server interaction that modern RESTful MCP interfaces rely upon for non-blocking administrative operations.

See Also

`