Microsoft-Graph
Microsoft Graph MCP Server - Using Microsoft Python Graph SDK
claude mcp add --transport stdio jackinsightsv2-microsoft-graph-mcp -- docker run --rm -i --init -e LOG_LEVEL=INFO -v graph-mcp-server:/tmp ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest
How to use
This MCP server provides secure access to the Microsoft Graph API for AI assistants. It supports two authentication modes. The read-only mode uses the Device Code Flow, requires no client secret, and is suitable for exploring data with user-delegated permissions. The write-enabled App Registration mode uses a client secret and supports application permissions for automated tasks.
Once the container is running, your AI assistant can request Graph data (such as user profiles, groups, devices, mail, calendars, and more) through the MCP interface, with permissions configured in your Azure AD app registration. You can run the container with environment variables for your Azure AD app and optionally mount a persistent store for logs and temporary data. See the configuration examples for Docker usage and how to pass Azure AD credentials. The server supports both read and write operations, depending on the permissions granted by your app registration.
How to install
Prerequisites:
- Docker installed on your host (Docker Desktop or equivalent)
- Access to an Azure AD tenant and the ability to register an app (or use an existing app)
- Optional: a persistent volume for graph-mcp-server data
Step-by-step:
- Create a Docker volume for MCP server data (optional but recommended):
    docker volume create graph-mcp-server
- Prepare Azure AD app registration (choose mode):
  - Read-Only (Device Code Flow): no client secret needed. Ensure the app has delegated permissions for the data you want to read.
  - App Registration (Client Secret Flow): create an app, note the client ID (AZURE_CLIENT_ID), tenant ID (AZURE_TENANT_ID), and client secret (AZURE_CLIENT_SECRET).
- Run the MCP server using Docker with environment variables:
  - Read-Only (Device Code Flow):
      docker run --rm -i --init \
        -e LOG_LEVEL=INFO \
        -v graph-mcp-server:/tmp \
        ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest
  - With Client Secret (Write Mode):
      docker run --rm -i --init \
        -e AZURE_CLIENT_ID=your-client-id \
        -e AZURE_TENANT_ID=your-tenant-id \
        -e AZURE_CLIENT_SECRET=your-client-secret \
        -v graph-mcp-server:/tmp \
        ghcr.io/jackinsightsv2/microsoft-graph-mcp:latest
- Integrate the MCP with your MCP client configuration (Claude Warp, Claude Desktop, etc.) by referencing the graph-mcp server configuration shown in the Quick Setup sections.
Additional notes
Tips and notes:
- Ensure the Azure AD app permissions align with the capabilities you intend to expose (e.g., User.ReadWrite.All for user management, Group.ReadWrite.All for groups).
- In App Registration mode, keep the client secret secure and rotate it regularly.
- If using Docker-based deployment, you can pass AZURE_* environment variables directly or via your MCP config as shown in the examples.
- The read-only mode is ideal for exploration and read operations; write access requires appropriate application permissions and consent in Azure AD.
- Use the graph-mcp-server:/tmp volume to persist logs and temporary data between restarts if needed.
- When using Kubernetes or other orchestrators, map the same environment variables and volume mounts accordingly.
- Review and adjust the list of requested permissions to minimize risk and align with the principle of least privilege.
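One way to act on the least-privilege tip above, as an added example that is not part of this project's code: decode the access token your app registration obtains and compare its `roles` (application permissions) and `scp` (delegated scopes) claims with what you meant to grant. The `INTENDED` set, the helper names and the sample token are constructed for illustration; the token is decoded for inspection only, with no signature verification.

```python
import base64
import json

# Assumption: the permissions you intend this MCP server to hold.
INTENDED = {"User.Read.All", "Group.Read.All"}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """App-only tokens list permissions in 'roles'; delegated tokens in 'scp'."""
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return set(roles) | set(scopes)


def audit(token: str, intended: set = INTENDED) -> dict:
    """Report permissions the token grants beyond, or short of, the intent."""
    granted = granted_permissions(decode_claims(token))
    return {
        "unexpected": sorted(granted - intended),
        "missing": sorted(intended - granted),
        "write_capable": sorted(p for p in granted if "ReadWrite" in p),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed sample: an app-only token that was granted more than intended.
SAMPLE = make_sample_token({"roles": ["User.ReadWrite.All", "Group.Read.All"]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Anything listed under `unexpected` or `write_capable` that you did not plan for is a permission to remove from the app registration before exposing the server to an assistant.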