Microsoft 365 Core Server

Updated April 4th 2025: Manage your Microsoft 365 services effortlessly. Create and manage distribution lists, security groups, and user settings with ease, ensuring streamlined operations and enhanced collaboration. Automate offboarding processes to maintain security and compliance effortlessly.

Installation

Installing for Claude Desktop

Manual Configuration Required

This MCP server requires manual configuration. Run the command below to open your configuration file:

npx mcpbar@latest edit -c claude

This will open your configuration file where you can add the Microsoft 365 Core Server MCP server manually.

Latest Enhancements (June 16, 2025)

Extended Resources and Prompts (40 Resources + 5 Comprehensive Prompts):

  • Added 40 additional Microsoft 365 resources covering security, compliance, device management, and collaboration
  • Implemented 5 intelligent prompts for automated analysis and recommendations:
    • Security Assessment: Comprehensive security posture analysis with recommendations
    • Compliance Review: Framework-specific compliance gap analysis (SOC2, ISO27001, NIST, GDPR, HIPAA)
    • User Access Review: Individual and organization-wide access rights analysis
    • Device Compliance Analysis: Intune device management and compliance assessment
    • Collaboration Governance: Teams and SharePoint governance analysis
  • Enhanced resource coverage includes:
    • Security alerts, incidents, and conditional access policies
    • Intune device management, apps, and compliance policies
    • Extended user, group, and team information
    • Information protection and DLP policies
    • Audit logs and privileged access data

For detailed information about all new resources and prompts, see EXTENDED_FEATURES.md.

Recent Enhancements (June 7, 2025)

TypeScript Error Resolution & Compliance Module Enhancements:

  • Resolved all TypeScript errors in src/server.ts and src/handlers/compliance-handler.ts related to incorrect tool registration syntax and type mismatches.
  • Enhanced the compliance module to include comprehensive support for CIS (Center for Internet Security) controls.
  • Updated ComplianceFrameworkArgs to recognize 'cis' as a valid framework.
  • Corrected parameter parsing in compliance handler functions to properly handle string-to-number conversions for implementation groups.

Conditional Access Policy Review & Reporting:

  • Implemented functionality to retrieve and review Microsoft Entra Conditional Access policies.

Recent Enhancements (May 3, 2025)

MCP and HTTP Streaming Updates:

  • Updated MCP SDK to version 1.12.0
  • Enhanced HTTP streaming support with both stateful and stateless modes
  • Added environment variables for configuring HTTP transport options

Previous Enhancements (April 4, 2025)

Added several new tools to expand Microsoft Entra ID management and Security & Compliance capabilities:

Entra ID Management:

  • manage_azuread_roles: Manage Entra ID directory roles and assignments.
  • manage_azuread_apps: Manage Entra ID application registrations (list, view, owners).
  • manage_azuread_devices: Manage Entra ID device objects (list, view, enable/disable/delete).
  • manage_service_principals: Manage Entra ID Service Principals (list, view, owners).

Generic API Access:

  • dynamicendpoints m365 assistant: Call arbitrary Microsoft Graph (including Entra APIs) or Azure Resource Management API endpoints.

Security & Compliance:

  • search_audit_log: Search the Entra ID Unified Audit Log.
  • manage_alerts: List and view security alerts from Microsoft security products.

Note: Ensure the associated Entra ID App Registration has the necessary Graph API permissions and Azure RBAC roles for these tools to function correctly.


Microsoft 365 Core MCP Server

An MCP server that provides tools for managing Microsoft 365 core services including:

  • Distribution Lists
  • Security Groups
  • Microsoft 365 Groups
  • Exchange Settings
  • User Management
  • Offboarding Processes
  • SharePoint Sites and Lists

Features

Core Microsoft 365 Management

  • Distribution Lists: Create, delete, manage membership and settings
  • Security Groups: Full lifecycle management with mail-enabled options
  • Microsoft 365 Groups: Create, configure, and manage owners/members
  • Exchange Settings: Mailbox, transport, organization, and retention policies
  • User Management: Get and update user settings and configurations
  • Offboarding Processes: Automated user offboarding with configurable options

SharePoint Management

  • Site Management: Create, update, delete sites with template support
  • List Management: Create, configure, and manage SharePoint lists
  • Item Management: Add, update, and retrieve list items
  • Permissions: Manage site users and permissions
  • Settings: Configure site-level and organization settings

Azure AD Management

  • Role Management: Assign and manage directory roles and role assignments
  • Application Management: Manage app registrations, owners, and settings
  • Device Management: Enable, disable, delete Azure AD devices
  • Service Principals: Manage service principal objects and ownership

Security & Compliance

  • Audit Logging: Search and analyze Microsoft 365 Unified Audit Log
  • Security Alerts: List, view, and manage security alerts across Microsoft products
  • Data Loss Prevention: Create, configure, and manage DLP policies and incidents
  • Sensitivity Labels: Manage Microsoft Purview sensitivity labels and policies
  • Compliance Frameworks: Support for HITRUST, ISO27001, SOC2, CIS Controls
  • Assessment & Monitoring: Automated compliance assessments and continuous monitoring
  • Evidence Collection: Automated evidence gathering for compliance audits
  • Gap Analysis: Cross-framework compliance gap analysis and remediation planning

Intune Device Management (macOS Focus)

  • Device Inventory: List, filter, and manage macOS devices in Intune
  • Policy Management: Create, deploy, and monitor macOS configuration policies
  • Application Management: Deploy and manage macOS applications via Intune
  • Compliance Monitoring: Track and enforce macOS device compliance policies

Advanced Features

  • Dynamic API Access: Call arbitrary Microsoft Graph and Azure Resource Management APIs
  • Real-time Capabilities: Server-sent events, progress reporting, streaming responses
  • Intelligent Prompts: 5 comprehensive analysis prompts for security, compliance, and governance
  • Extended Resources: 44 resources covering security, compliance, device management, and collaboration
  • Modern MCP Features: Enhanced error handling, response validation, lazy loading

Setup

Installing via Smithery

To install Microsoft 365 Core Server for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install @DynamicEndpoints/m365-core-mcp --client claude

Installing Manually

  1. Clone the repository

  2. Install dependencies:

    npm install
    
  3. Create a .env file based on .env.example:

    MS_TENANT_ID=your-tenant-id
    MS_CLIENT_ID=your-client-id
    MS_CLIENT_SECRET=your-client-secret
    
    # Optional Configuration
    # LOG_LEVEL=info    # debug, info, warn, error
    # PORT=3000         # Port for HTTP server if needed
    # USE_HTTP=true     # Set to 'true' to use HTTP transport instead of stdio
    # STATELESS=false   # Set to 'true' to use stateless HTTP mode (no session management)
    
  4. Register an application in Azure AD:

    • Required Microsoft Graph permissions:

      • Directory.ReadWrite.All
      • Group.ReadWrite.All
      • User.ReadWrite.All
      • Mail.ReadWrite
      • MailboxSettings.ReadWrite
      • Organization.ReadWrite.All
      • Sites.ReadWrite.All
      • Sites.Manage.All
      • SecurityEvents.ReadWrite.All
      • SecurityActions.ReadWrite.All
      • Device.ReadWrite.All
      • DeviceManagementConfiguration.ReadWrite.All
      • DeviceManagementManagedDevices.ReadWrite.All
      • DeviceManagementApps.ReadWrite.All
      • InformationProtectionPolicy.ReadWrite.All
      • Policy.ReadWrite.ConditionalAccess
      • RoleManagement.ReadWrite.Directory
      • AuditLog.Read.All
      • Reports.Read.All
      • ThreatIndicators.ReadWrite.OwnedBy
      • IdentityRiskyUser.ReadWrite.All
      • IdentityRiskEvent.Read.All
    • Required Azure RBAC roles (for Azure Resource Management):

      • Security Admin (for security-related operations)
      • Compliance Administrator (for compliance management)
      • Intune Administrator (for device management)
      • Reports Reader (for audit and reporting functions)
  5. Build the server:

    npm run build
    
  6. Start the server:

    npm start
    

Transport Options

The server supports multiple transport options for MCP communication:

stdio Transport

By default, the server uses stdio transport, which is ideal for:

  • Command-line tools and direct integrations
  • Local development and testing
  • Integration with Smithery and other MCP clients that support stdio

HTTP Transport

The server also supports HTTP transport with two modes:

Stateful Mode (With Session Management)

This is the default HTTP mode when USE_HTTP=true and STATELESS=false:

  • Maintains session state between requests
  • Supports server-to-client notifications via GET requests
  • Handles session termination via DELETE requests
  • Ideal for long-running sessions and interactive applications
  • Provides better performance for multiple requests in the same session

Stateless Mode

Enable this mode by setting USE_HTTP=true and STATELESS=true:

  • Creates a new server instance for each request
  • No session state is maintained between requests
  • Only supports POST requests (GET and DELETE are not supported)
  • Ideal for RESTful scenarios where each request is independent
  • Better for horizontally scaled deployments without shared session state
  • Simpler API wrappers where session management isn't needed

To configure the transport options, set the appropriate environment variables in your .env file:

USE_HTTP=true     # Use HTTP transport instead of stdio
STATELESS=false   # Use stateful mode with session management (default)
PORT=3000         # Port for the HTTP server
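
A pre-start check for the .env settings from the setup and transport sections, as an added example that is not part of the project's code. The key names come from this README; the validation rules, function names and sample values are assumptions made for illustration.

```javascript
// Added example, not part of the project: pre-start check of the .env keys documented above.
// Key names come from the README; the validation rules are this example's assumptions.
const GUID = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;
const LOG_LEVELS = ['debug', 'info', 'warn', 'error'];

// Minimal KEY=VALUE parser: skips blanks and comment lines, strips trailing "# ..." comments.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).replace(/\s+#.*$/, '').trim();
  }
  return env;
}

function checkConfig(env) {
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });

  for (const key of ['MS_TENANT_ID', 'MS_CLIENT_ID', 'MS_CLIENT_SECRET']) {
    const value = env[key] || '';
    if (!value || value.startsWith('your-')) {
      add('error', key, 'missing or still the .env.example placeholder');
    } else if (key === 'MS_CLIENT_ID' && !GUID.test(value)) {
      add('error', key, 'application (client) IDs are GUIDs');
    }
  }
  if (env.LOG_LEVEL && !LOG_LEVELS.includes(env.LOG_LEVEL)) {
    add('error', 'LOG_LEVEL', 'expected one of ' + LOG_LEVELS.join(', '));
  }
  for (const key of ['USE_HTTP', 'STATELESS']) {
    if (key in env && env[key] !== 'true' && env[key] !== 'false') {
      add('warn', key, 'only the literal values true/false are documented');
    }
  }

  // Effective transport and the HTTP methods the README lists for each mode.
  const useHttp = env.USE_HTTP === 'true';
  const stateless = env.STATELESS === 'true';
  let transport = 'stdio';
  let methods = [];
  if (useHttp) {
    transport = stateless ? 'http-stateless' : 'http-stateful';
    methods = stateless ? ['POST'] : ['POST', 'GET', 'DELETE'];
    if ('PORT' in env && !(/^\d+$/.test(env.PORT) && +env.PORT >= 1 && +env.PORT <= 65535)) {
      add('error', 'PORT', 'not a valid TCP port');
    }
    add('warn', 'USE_HTTP', 'tools are reachable over the network; restrict access to the port');
  } else if (stateless) {
    add('warn', 'STATELESS', 'has no effect unless USE_HTTP=true');
  }
  return { transport, methods, findings };
}

// Constructed sample input (not a real tenant).
const SAMPLE_ENV = `
MS_TENANT_ID=11111111-2222-3333-4444-555555555555
MS_CLIENT_ID=your-client-id
MS_CLIENT_SECRET=your-client-secret
USE_HTTP=true     # Use HTTP transport instead of stdio
STATELESS=true
PORT=80800
`;
const sampleReport = checkConfig(parseEnv(SAMPLE_ENV));
```

The HTTP warning is raised for every HTTP configuration because this page documents no authentication setting for that transport.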

Usage

The server provides MCP tools and resources that can be used to manage various aspects of Microsoft 365. Each tool accepts specific parameters and returns structured responses.

Tools

The server provides 29 comprehensive tools for Microsoft 365 management:

Core Management Tools

  • manage_distribution_lists - Create, delete, and manage distribution lists and membership
  • manage_security_groups - Create, delete, and manage security groups and membership
  • manage_m365_groups - Create, delete, and manage Microsoft 365 groups and membership
  • manage_exchange_settings - Configure mailbox, transport, organization, and retention settings
  • manage_user_settings - Get and update user settings and configurations
  • manage_offboarding - Automated user offboarding processes with configurable options

SharePoint Management Tools

  • manage_sharepoint_sites - Create, update, delete SharePoint sites and manage users
  • manage_sharepoint_lists - Create, update, delete SharePoint lists and manage items

Azure AD Management Tools

  • manage_azuread_roles - Manage Azure AD directory roles and role assignments
  • manage_azuread_apps - Manage Azure AD application registrations and owners
  • manage_azuread_devices - Manage Azure AD device objects (enable, disable, delete)
  • manage_service_principals - Manage Azure AD Service Principals and ownership

Security & Compliance Tools

  • search_audit_log - Search the Microsoft 365 Unified Audit Log
  • manage_alerts - List and view security alerts from Microsoft security products
  • manage_dlp_policies - Manage Data Loss Prevention policies and configurations
  • manage_dlp_incidents - Handle DLP policy violations and incident management
  • manage_sensitivity_labels - Manage Microsoft Purview sensitivity labels

Intune Device Management Tools

  • manage_intune_macos_devices - Manage Intune macOS devices and enrollment
  • manage_intune_macos_policies - Configure and deploy macOS device policies
  • manage_intune_macos_apps - Deploy and manage macOS applications via Intune
  • manage_intune_macos_compliance - Monitor and enforce macOS device compliance

Compliance Framework Tools

  • manage_compliance_frameworks - Configure compliance frameworks (HITRUST, ISO27001, SOC2)
  • manage_compliance_assessments - Run and manage compliance assessments
  • manage_compliance_monitoring - Monitor compliance status and configure alerts
  • manage_evidence_collection - Collect and manage compliance evidence
  • manage_gap_analysis - Perform compliance gap analysis and remediation planning
  • manage_cis_compliance - Manage CIS Controls compliance and benchmarks

Audit & Reporting Tools

  • generate_audit_reports - Generate comprehensive audit reports for various frameworks

Dynamic API Access

  • dynamicendpoints m365 assistant - Call arbitrary Microsoft Graph or Azure Resource Management API endpoints

Resources

The server provides 44 comprehensive resources covering security, compliance, device management, and collaboration:

Core Resources

  • sharepoint_sites - SharePoint site information and configuration
  • sharepoint_lists - SharePoint list structures and metadata
  • sharepoint_list_items - Items within SharePoint lists
  • security_incidents - Microsoft security incidents and details

Extended Security Resources (20 resources)

  • Security alerts and incidents from Microsoft Defender
  • Conditional access policies and assignments
  • Privileged access management data
  • Threat intelligence and vulnerability assessments
  • Identity protection risks and policies
  • Authentication methods and security defaults
  • Compliance policies and their status
  • Data governance and retention policies
  • Insider risk management insights
  • Security baselines and configurations

Device Management Resources (10 resources)

  • Intune device inventories and compliance status
  • Mobile application management policies
  • Device configuration profiles and assignments
  • Compliance policies for various platforms
  • App protection policies and status
  • Device enrollment configurations
  • Update policies and deployment rings
  • Certificate profiles and management
  • Wi-Fi and VPN configuration profiles
  • Endpoint protection policies

Collaboration Resources (10 resources)

  • Microsoft Teams structures and policies
  • Exchange Online configurations and settings
  • Calendar and scheduling information
  • OneDrive storage and sharing policies
  • Planner tasks and project management
  • Viva Engage (Yammer) communities
  • Power Platform environments and apps
  • Booking services and appointments
  • Whiteboard collaboration data
  • Stream video content and policies

Extended Dynamic Resources

All resources support URI templates for specific object access:

  • m365://security/alerts/{alertId} - Specific security alert details
  • m365://devices/{deviceId} - Individual device information
  • m365://users/{userId}/compliance - User-specific compliance status
  • m365://teams/{teamId}/governance - Team governance and policies

Intelligent Prompts

The server provides 5 comprehensive prompts for automated analysis and recommendations:

Security Assessment Prompt

  • Purpose: Comprehensive security posture analysis with actionable recommendations
  • Scope: Security policies, access controls, threat detection, identity protection
  • Output: Risk assessment, security gaps, remediation roadmap

Compliance Review Prompt

  • Purpose: Framework-specific compliance gap analysis
  • Frameworks: SOC2, ISO27001, NIST, GDPR, HIPAA, CIS Controls
  • Scope: Control implementation status, evidence collection, audit readiness
  • Output: Compliance dashboard, gap analysis, remediation plans

User Access Review Prompt

  • Purpose: Individual and organization-wide access rights analysis
  • Scope: Role assignments, group memberships, application access, privileged accounts
  • Output: Access recommendations, risk-based prioritization, cleanup tasks

Device Compliance Analysis Prompt

  • Purpose: Intune device management and compliance assessment
  • Scope: Device policies, compliance status, security configurations, app management
  • Output: Compliance reports, policy recommendations, deployment guidance

Collaboration Governance Prompt

  • Purpose: Teams and SharePoint governance analysis
  • Scope: Team structures, sharing policies, external access, data governance
  • Output: Governance recommendations, policy suggestions, compliance alignment

Each prompt provides contextual analysis, actionable insights, and integration with the corresponding management tools for immediate remediation.

Example Tool Usage

// Managing a distribution list
await callTool('manage_distribution_lists', {
  action: 'create',
  displayName: 'Marketing Team',
  emailAddress: '[email protected]',
  members: ['[email protected]', '[email protected]']
});

// Managing security groups
await callTool('manage_security_groups', {
  action: 'create',
  displayName: 'IT Admins',
  description: 'IT Administration Team',
  members: ['[email protected]']
});

// Managing Azure AD roles (note: using correct tool name)
await callTool('manage_azuread_roles', {
  action: 'assign_role',
  roleId: 'role-id-here',
  principalId: 'user-id-here'
});

// Managing DLP policies
await callTool('manage_dlp_policies', {
  action: 'create',
  policyName: 'Financial Data Protection',
  rules: [{
    name: 'Block Credit Cards',
    conditions: { contentContainsSensitiveInfo: ['CreditCardNumber'] },
    actions: { blockAccess: true }
  }]
});

// Managing Intune macOS devices
await callTool('manage_intune_macos_devices', {
  action: 'list',
  filters: { complianceState: 'compliant' }
});

// Running compliance assessments
await callTool('manage_compliance_assessments', {
  action: 'run_assessment',
  framework: 'iso27001',
  scope: ['access_control', 'data_protection'],
  settings: {
    automated: true,
    generateRemediation: true
  }
});

// Generating audit reports
await callTool('generate_audit_reports', {
  framework: 'soc2',
  reportType: 'comprehensive',
  dateRange: { start: '2025-01-01', end: '2025-06-16' },
  format: 'pdf',
  includeEvidence: true
});

// Managing Exchange settings
await callTool('manage_exchange_settings', {
  action: 'update',
  settingType: 'mailbox',
  target: '[email protected]',
  settings: {
    automateProcessing: {
      autoReplyEnabled: true
    }
  }
});

// Managing SharePoint sites
await callTool('manage_sharepoint_sites', {
  action: 'create',
  title: 'Marketing Site',
  description: 'Site for marketing team',
  template: 'STS#0',
  url: 'https://contoso.sharepoint.com/sites/marketing',
  owners: ['[email protected]'],
  members: ['[email protected]', '[email protected]']
});

// Managing SharePoint lists
await callTool('manage_sharepoint_lists', {
  action: 'create',
  siteId: 'contoso.sharepoint.com,5a14e1cf-e284-4722-8f50-a5e1b2b0a8d6,9528e4bb-7660-4b11-a758-9d8fb3ca295f',
  title: 'Project Tasks',
  description: 'List of project tasks',
  columns: [
    { name: 'Title', type: 'text', required: true },
    { name: 'DueDate', type: 'dateTime' },
    { name: 'Status', type: 'choice', choices: ['Not Started', 'In Progress', 'Completed'] }
  ]
});

// Dynamic API calls for custom scenarios
await callTool('dynamicendpoints m365 assistant', {
  apiType: 'graph',
  path: '/me/messages',
  method: 'get',
  queryParams: { '$top': '10', '$filter': 'isRead eq false' }
});
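
Because the dynamic API tool forwards arbitrary paths under the application's tenant-wide permissions, a deployment may want a default-deny gate in front of it. The following is an added example, not the project's code: the argument shape is taken from the call above, while the allowlist entries, the permitted query options and all function names are hypothetical.

```javascript
// Added example, not part of the project: default-deny gate for dynamic API tool arguments.
// The argument shape comes from the usage example above; ALLOW, QUERY_KEYS and the
// function names are hypothetical and would be tuned per deployment.
const ALLOW = [
  { apiType: 'graph', method: 'get', path: '/me/messages' },   // path from the README example
  { apiType: 'graph', method: 'get', path: '/users/{id}' },
  { apiType: 'graph', method: 'get', path: '/groups/{id}/members' },
];
const QUERY_KEYS = new Set(['$top', '$select', '$filter', '$orderby']);
const GUID_ID = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Split a path into segments, refusing anything that could be re-interpreted downstream:
// percent-encoding, embedded query/fragment, backslashes, control chars, empty or dot segments.
function pathSegments(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) return null;
  if (/[%?#\\\x00-\x1f]/.test(path)) return null;
  const segs = path.split('/').slice(1);
  return segs.some((s) => s === '' || s === '.' || s === '..') ? null : segs;
}

// A template matches when lengths agree and each part is equal, or is {id} and the segment is a GUID.
function matchesTemplate(template, segs) {
  const parts = template.split('/').slice(1);
  return parts.length === segs.length && parts.every((p, i) =>
    p === '{id}' ? GUID_ID.test(segs[i]) : p.toLowerCase() === segs[i].toLowerCase());
}

function authorizeCall(args) {
  const apiType = String(args.apiType ?? '').toLowerCase();
  const method = String(args.method ?? '').toLowerCase();
  const segs = pathSegments(args.path);
  if (!segs) return { allowed: false, reason: 'path rejected' };
  const rule = ALLOW.find((r) =>
    r.apiType === apiType && r.method === method && matchesTemplate(r.path, segs));
  if (!rule) return { allowed: false, reason: 'no allow rule' };
  for (const [key, value] of Object.entries(args.queryParams ?? {})) {
    if (!QUERY_KEYS.has(key)) return { allowed: false, reason: `query option ${key} not allowed` };
    if (key === '$top' && !(/^\d{1,3}$/.test(String(value)) && +value >= 1 && +value <= 100)) {
      return { allowed: false, reason: '$top must be 1-100' };
    }
  }
  return { allowed: true, rule: rule.path };
}

// Wrapper: only forward calls the gate allows. callTool is whatever client function is in use.
async function guardedDynamicCall(callTool, args) {
  const verdict = authorizeCall(args);
  if (!verdict.allowed) throw new Error(`dynamic API call blocked: ${verdict.reason}`);
  return callTool('dynamicendpoints m365 assistant', args);
}
```

A gate like this limits what a client can request; it does not replace trimming the app registration's Graph permissions to what the deployment actually uses.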

Implementation Details

Schema Validation

The server uses Zod for schema validation, providing:

  • Runtime type checking for all inputs
  • Detailed validation error messages
  • Type inference for TypeScript
  • Automatic documentation of input schemas

Error Handling

The server implements comprehensive error handling:

  • Input validation for all parameters
  • Graph API error handling
  • Token refresh management
  • Detailed error messages with proper error codes

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Commit your changes
  4. Push to the branch
  5. Create a Pull Request

License

MIT
