May 14, 2026 · Mid-Level (3-5 years) · Deep Dive

Microsoft MCP Server for Enterprise: What IT Pros Actually Need to Know

Microsoft's MCP Server for Enterprise lets AI agents query Entra and Graph with natural language. Here's how it works, how to set it up, and what to watch out for.

Updated: May 14, 2026

If you’ve been paying attention to AI tooling in 2026, you’ve seen “MCP” everywhere. Most of the coverage is aimed at developers: how to write servers, how to wire up Claude Desktop, how to publish your Stripe connector to a registry. For IT pros managing Microsoft environments, the story is more specific and considerably more actionable: Microsoft shipped its own MCP Server that lets AI agents talk directly to Microsoft Graph, Entra ID, and eventually Intune. In plain English.

This is worth understanding properly. Not because it will replace your scripts tomorrow, but because it changes what you can ask AI to do on your behalf, and it does so inside your existing tenant permissions. Here is what it is, how to enable it, and where the sharp edges are.

What MCP Is and Why the Architecture Matters

The Model Context Protocol is an open specification, introduced by Anthropic in November 2024, that standardizes how AI applications connect to external tools and data sources. Before MCP, every AI product had to build bespoke integrations. A Copilot plugin here, a custom API wrapper there. MCP replaces that fragmentation with a common pattern: you build a server that exposes tools, and any MCP-compatible host (Claude Desktop, VS Code, Cursor, or similar hosts) can discover and invoke those tools.

The three core pieces are the host (the AI app, for example GitHub Copilot in VS Code), the client (the protocol layer inside the host that handles communication), and the server (the component that actually holds the tools and exposes them). When you ask “which users haven’t signed in for 90 days?” the host routes that to the MCP server, which works out the right Graph query, runs it under your delegated permissions, and returns data the model turns into a natural language answer.

Microsoft’s enterprise offering is exactly this pattern, applied to Microsoft Graph. The server lives at https://mcp.svc.cloud.microsoft/enterprise and it speaks standard MCP over HTTPS.

What the Microsoft MCP Server for Enterprise Does

Right now the server is in public preview, and its scope is deliberately narrow: read-only access to Entra identity and directory data. That covers users, groups, applications, devices, licenses, conditional access policies, role assignments, sign-in risk events, and administrative reporting. It does not currently write data, and it does not cover Intune configuration resources directly, though that surface area is likely to expand.

The server exposes three tools:

microsoft_graph_suggest_queries takes your natural language input and does RAG against a curated catalog of Graph API examples. It converts your question into embeddings, searches for matching queries, and returns candidate API calls with context. Think of it as the “what should I run?” layer.

microsoft_graph_get executes the actual read-only Graph API call selected by the model. It enforces your existing delegated permissions. If you don’t have User.Read.All granted, the call will fail, full stop. It also respects Graph throttling limits, which matter when you’re running bulk queries across a large tenant.

microsoft_graph_list_properties retrieves schema information for Graph entities so the model understands what properties and relationships are available before constructing requests. This is what prevents the model from hallucinating a property that doesn’t exist on a user object.

The six-step workflow the server runs under the hood: NLP parsing → RAG-based query suggestion → LLM selects the best candidate → microsoft_graph_get executes it → Graph returns JSON → model converts it to prose. You see the answer; the intermediate API calls are surfaced too, which is useful for learning or for pulling the exact query into a script.

Setting It Up: Provisioning and Authentication

This is a one-time operation per tenant. You need the Application Administrator or Cloud Application Administrator role in Entra.

Step 1: Install the PowerShell module

Install-Module Microsoft.Entra.Beta -Force -AllowClobber

Step 2: Authenticate and consent

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

Run Get-EntraContext after this to confirm you’re in the right tenant. It sounds obvious, but in a multi-tenant management scenario, confirming context before running consent grants is non-negotiable.

Step 3: Provision the server and grant VS Code permissions

Grant-EntraBetaMCPServerPermission -ApplicationName VisualStudioCode

This registers two service principals in your tenant: the MCP Server itself (e8c77dc2-69b3-43f4-bc51-3213c9d915b4) and VS Code (aebc6443-996d-45c2-90f0-388ff96faa56). You can verify both exist with a quick Graph query:

GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName&$filter=appId in('e8c77dc2-69b3-43f4-bc51-3213c9d915b4','aebc6443-996d-45c2-90f0-388ff96faa56')

Step 4: Connect VS Code

Click the install link from Microsoft Learn’s get-started page. Authenticate, then open Copilot Chat in Agent mode. Ask “How many users are in my tenant?” and you should get a real answer with the Graph query surfaced below it.

For non-VS Code clients (Claude Code, Claude Desktop, or custom tooling), you register your own app in Entra, note the client ID and tenant ID, then grant it the MCP scopes you need:

Grant-EntraBetaMCPServerPermission -ApplicationId "<your-app-client-id>" -Scopes "MCP.User.Read.All", "MCP.Device.Read.All"

MCP scopes follow a predictable pattern: MCP.{Graph-scope-name}. If you know the Graph permission, you already know the MCP scope.
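The four provisioning steps above, folded into one script with the tenant check the text calls non-negotiable and a verification of both service principals. This is an added example, not Microsoft's own setup code; `$expectedTenantId` is a placeholder you fill in, and it assumes `Get-EntraContext` exposes a `TenantId` property as the underlying Graph context does.

```powershell
# Added example: provision the Microsoft MCP Server for VS Code in one pass,
# refusing to consent unless the session is in the intended tenant.
$expectedTenantId = '<your-tenant-id>'   # placeholder: set to the tenant you mean to provision
$mcpServerAppId   = 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'   # MCP Server (from the docs)
$vsCodeAppId      = 'aebc6443-996d-45c2-90f0-388ff96faa56'   # VS Code (from the docs)

# Step 1 is Install-Module Microsoft.Entra.Beta -Force -AllowClobber, run once beforehand.

# Step 2: authenticate with the scopes the consent grant needs.
Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Guard: in a multi-tenant management session, stop before granting anything if the
# connected tenant is not the expected one. (Assumes Get-EntraContext returns TenantId.)
$ctx = Get-EntraContext
if ($ctx.TenantId -ne $expectedTenantId) {
    throw "Connected to tenant $($ctx.TenantId) but expected $expectedTenantId. Aborting before consent."
}

# Step 3: provision the server and grant VS Code its delegated MCP permissions.
Grant-EntraBetaMCPServerPermission -ApplicationName VisualStudioCode

# Verify both service principals now exist and are enabled; warn on anything missing.
foreach ($appId in @($mcpServerAppId, $vsCodeAppId)) {
    $sp = Get-EntraBetaServicePrincipal -Filter "AppId eq '$appId'"
    if (-not $sp) {
        Write-Warning "Service principal for appId $appId was not found; provisioning may have failed."
    }
    else {
        '{0} ({1}) AccountEnabled={2}' -f $sp.DisplayName, $appId, $sp.AccountEnabled
    }
}
```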

A Practical Helpdesk and Reporting Workflow

Here’s the kind of work this opens up for a mid-sized IT team. Instead of opening Graph Explorer, searching for the right endpoint, constructing a filter, and formatting the output, you ask:

  • “Which users have the Global Administrator role and haven’t signed in for more than 30 days?”
  • “Show me all guest accounts that have a Copilot license assigned.”
  • “Are there any conditional access policies currently in report-only mode?”
  • “How many devices in the tenant are running a Windows build older than 22H2?”
  • “List all applications with IdentityRiskyUser read permissions granted.”

The server handles the translation. It shows you what it ran, so if the answer surprises you, you can verify the exact API call. That auditability matters: you’re not trusting a black box, you have the query to cross-check or reuse.

For reporting workflows, the pattern works well as a prototyping layer. Ask the question conversationally, get the API call, then drop it into a scheduled PowerShell script or Logic App for recurring execution. It’s not a replacement for Graph automation. It’s a shortcut to finding the right query in the first place.

Governance, Permissions, and Audit

A few things to get right before you hand this to your team.

Permissions are delegated, not application-level. The MCP server only supports delegated permissions. It acts as the signed-in user. There’s no app-only flow. This means what the AI can see is bounded by what the user running the client can see. An L1 helpdesk analyst with limited Entra read permissions will get limited results. An admin who consented to MCP.AuditLog.Read.All can pull audit logs. Principle of least privilege applies here as much as anywhere.

Audit trail exists if you enable it. All MCP server requests go through Microsoft Graph, so they appear in Microsoft Graph activity logs. The MCP server’s appId (e8c77dc2-69b3-43f4-bc51-3213c9d915b4) is your filter. The Kusto query from the official docs:

MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| project RequestId, TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode

If you’re in a regulated environment, set this up before you enable broad access.

Rate limits apply. 100 calls per minute per user, plus standard Graph throttling. For ad-hoc querying this is fine. If you’re building a dashboard that polls continuously via MCP, you’ll hit limits. Use Graph directly for high-frequency polling.
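To turn the audit trail above into something actionable, the following added example (not from Microsoft's docs) triages exported MicrosoftGraphActivityLogs rows for the MCP Server appId: it flags any non-GET request (the preview server is read-only, so none should appear), counts 403s per user (requests beyond their delegated scopes), and checks per-user volume against the 100 calls per minute limit. The sample rows are constructed inline; in practice you would pipe in the CSV export of the Kusto query.

```powershell
# Added example: offline triage of Graph activity log rows attributed to the MCP Server.
$mcpServerAppId = 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'

# Constructed sample rows with the same columns as the Kusto projection above.
$rows = @(
    [pscustomobject]@{ TimeGenerated = '2026-05-14T09:00:01Z'; AppId = $mcpServerAppId; UserId = 'user-a'
                       RequestMethod = 'GET';   RequestUri = 'https://graph.microsoft.com/v1.0/users?$top=999';     ResponseStatusCode = 200 }
    [pscustomobject]@{ TimeGenerated = '2026-05-14T09:00:05Z'; AppId = $mcpServerAppId; UserId = 'user-a'
                       RequestMethod = 'GET';   RequestUri = 'https://graph.microsoft.com/v1.0/auditLogs/signIns';  ResponseStatusCode = 403 }
    [pscustomobject]@{ TimeGenerated = '2026-05-14T09:00:09Z'; AppId = $mcpServerAppId; UserId = 'user-a'
                       RequestMethod = 'GET';   RequestUri = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits'; ResponseStatusCode = 403 }
    [pscustomobject]@{ TimeGenerated = '2026-05-14T09:00:12Z'; AppId = $mcpServerAppId; UserId = 'user-b'
                       RequestMethod = 'PATCH'; RequestUri = 'https://graph.microsoft.com/v1.0/users/example-id';   ResponseStatusCode = 204 }
    [pscustomobject]@{ TimeGenerated = '2026-05-14T09:01:00Z'; AppId = '00000000-0000-0000-0000-000000000000'; UserId = 'user-c'
                       RequestMethod = 'GET';   RequestUri = 'https://graph.microsoft.com/v1.0/me';                 ResponseStatusCode = 200 }
)

# Keep only traffic attributed to the MCP Server service principal.
$mcp = $rows | Where-Object AppId -eq $mcpServerAppId

# 1. Read-only invariant: any non-GET under the MCP appId deserves investigation.
$mcp | Where-Object RequestMethod -ne 'GET' | ForEach-Object {
    Write-Warning "Non-GET request via MCP appId: $($_.UserId) $($_.RequestMethod) $($_.RequestUri)"
}

# 2. Scope boundary: 403s show users asking for data their delegated permissions do not cover.
'403 responses per user:'
$mcp | Where-Object ResponseStatusCode -eq 403 | Group-Object UserId | Select-Object Name, Count

# 3. Throttling: bucket by user and UTC minute, warn when a bucket exceeds the 100/min limit.
$mcp | Group-Object { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.UserId, ([datetime]$_.TimeGenerated).ToUniversalTime() } |
    Where-Object Count -gt 100 | ForEach-Object {
        Write-Warning "Rate limit risk: $($_.Name) made $($_.Count) MCP calls in one minute"
    }
```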

Disabling the server. You can’t delete the service principal because it’s Microsoft-owned, but you can disable it:

$mcpServerSp = Get-EntraBetaServicePrincipal -Filter "AppId eq 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'"
Set-EntraBetaServicePrincipal -ServicePrincipalId $mcpServerSp.Id -AccountEnabled $false

Or toggle it off in the Entra portal under Enterprise apps.

Current Limitations Worth Knowing

Read-only, Entra-scoped for now. You cannot use the Microsoft MCP Server to create users, update devices, push Intune policies, or modify conditional access. Those write surfaces don’t exist in the preview. Community-built MCP servers (such as the open-source mcp-m365-mgmt project) do expose some Intune management via Graph, but they require your own app registration with write permissions and come with the usual warnings around community code in production tenants.

Preview quality. This is public preview. Tools can change, scopes can shift, and behavior may not match what the docs say on any given week. Don’t build critical production automation on top of it today.

No Intune-native tooling yet. The scopes list covers identity data thoroughly but Intune-specific resources (devices, compliance policies, app assignments) are not exposed through the enterprise MCP server as of May 2026. For Intune scenarios you’re either back to raw Graph or a community server.

MCP client compatibility varies. VS Code with GitHub Copilot has first-class support. Claude Desktop requires manual mcpServers config in claude_desktop_config.json. Claude Code works with HTTP transport MCP servers but requires auth configuration. Test your specific client before building a workflow around it.

Where This Is Going

Microsoft’s June 2026 roadmap has Microsoft Defender providing asset context mapping for AI agents, covering the devices they run on, the MCP servers they’re configured to use, and the identities and cloud resources associated with them. Policy-based controls and runtime blocking will flow through Agent 365 via Intune and Defender. That’s the governance layer catching up to the capability layer, which is the right order.

The MCP ecosystem more broadly has over 500 public servers as of early 2026, with all three major AI labs committed to the standard. Once write support arrives for the Microsoft MCP Server (and community pressure suggests it will), the shape of AI-assisted endpoint management changes significantly.

For now, the read-only Entra surface is genuinely useful for ad-hoc querying and administrative reporting. It’s worth setting up in your tenant, understanding what it can see, and establishing the audit log baseline before your team starts using it at scale.

Getting Started Today

The provisioning takes ten minutes if you have Application Administrator rights. The main things to do: run the setup PowerShell, verify the service principals registered correctly, enable Microsoft Graph activity logs for auditing, and scope your team’s access to the minimum permissions they need for their actual use cases.

The MCP scopes list maps one-to-one with Graph permissions you already understand. Start narrow, validate the audit trail is working, then expand.

Documentation: Microsoft MCP Server for Enterprise overview · Get started guide
