
MCP server for Azure Entra PIM — list eligible assignments and activate group/role assignments

Project description

entra-pim-mcp-server

An MCP (Model Context Protocol) server for Azure Entra PIM (Privileged Identity Management). List eligible assignments and activate group or Entra role assignments — all through your MCP-compatible AI client.

Features

  • List eligible PIM assignments — view all Group and Entra Role assignments you're eligible for, with their activation status
  • Activate PIM assignments — activate group or role assignments by name or ID, with a justification and optional duration
  • Automatic browser authentication — opens your browser automatically when login is needed, with persistent token caching
  • No app registration required — uses the Microsoft Graph PowerShell well-known client ID, no setup needed
  • No secrets required — uses delegated authentication, no client secret necessary

Prerequisites

  • Python 3.10 or later (or uv to run without installing Python manually)
  • An Azure Entra ID tenant with PIM enabled

Environment Variables

Variable          Required   Description
AZURE_TENANT_ID   Yes        Your Entra ID (Azure AD) tenant ID

Usage

Run directly with uvx

AZURE_TENANT_ID="your-tenant-id" uvx entra-pim-mcp-server

Run from source

git clone https://github.com/vexxhost/entra-pim-mcp-server.git
cd entra-pim-mcp-server
uv sync
AZURE_TENANT_ID="..." uv run entra-pim-mcp-server

MCP Client Configuration

Claude Desktop

Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):

{
  "mcpServers": {
    "entra-pim": {
      "command": "uvx",
      "args": ["entra-pim-mcp-server"],
      "env": {
        "AZURE_TENANT_ID": "your-tenant-id"
      }
    }
  }
}

VS Code / GitHub Copilot

Add to your .vscode/mcp.json:

{
  "servers": {
    "entra-pim": {
      "command": "uvx",
      "args": ["entra-pim-mcp-server"],
      "env": {
        "AZURE_TENANT_ID": "your-tenant-id"
      }
    }
  }
}

Cursor

Add to your Cursor MCP settings (.cursor/mcp.json):

{
  "mcpServers": {
    "entra-pim": {
      "command": "uvx",
      "args": ["entra-pim-mcp-server"],
      "env": {
        "AZURE_TENANT_ID": "your-tenant-id"
      }
    }
  }
}

Authentication

This server uses interactive browser authentication. When you first call any PIM tool:

  1. Your default browser opens automatically to the Microsoft Entra ID login page
  2. You sign in and, unless your tenant has already consented the Microsoft Graph PowerShell client to the PIM permissions, grant consent (a tenant that blocks that well-known client with Conditional Access or requires admin consent will stop here; that is tenant policy, not a server error)
  3. The browser shows "Authentication complete" — you can close the tab
  4. The token and authentication record are cached locally

On subsequent calls (and server restarts) the cached token is used silently; the browser only reopens when the cached refresh token can no longer be renewed (expiry, revocation, or a Conditional Access change). Treat that cache as a privileged credential: whoever can read it can activate every role and group you are eligible for, and because the model can call activate on your behalf, keep your client's tool-call approval enabled and read the justification it supplies before approving.

Available Tools

list_eligible

Lists all eligible PIM assignments (both Group and Entra Role) for the authenticated user.

Returns structured JSON with an assignments array, where each assignment has:

  • type — Group or EntraRole
  • name — Group or role display name
  • id — Group ID or role definition ID
  • role — Access level for a group (member or owner) or the role name for an Entra role
  • memberType — Membership type (e.g., Direct)
  • status — Active (currently activated) or Eligible (available to activate)
  • endTime — When the eligibility expires (null for permanent eligibility)

activate

Activates a PIM assignment for a group or Entra role.

Parameters:

Parameter            Type     Required   Description
name                 string   Yes        Name of the group or Entra role to activate (case-insensitive)
justification        string   Yes        Reason for activation
duration             number   No         Duration in hours (defaults to policy maximum)
directory_scope_id   string   No         Directory scope for Entra roles (default: /)
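As an added example (not the project's own code), the Microsoft Graph v1.0 PIM requests that list_eligible and activate map to, written as pure functions over constructed sample responses so they run offline. The endpoint paths and field names are the documented Graph PIM APIs for directory roles and for PIM for Groups; the ids and names in the sample data are made up, the HTTP calls themselves are left out, and the "policy maximum" default for a missing duration (a second call to read the role's policy expiration rule) is not implemented here, so hours is required.

```python
"""Added example (not the project's own code): the Microsoft Graph v1.0 PIM calls
behind list_eligible and activate, as pure functions over constructed responses."""
from __future__ import annotations

from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
# Eligibility is read from .../roleManagement/directory/roleEligibilityScheduleInstances
# and .../identityGovernance/privilegedAccess/group/eligibilityScheduleInstances with
# $filter=principalId eq '<me>' (plus $expand=roleDefinition / group for display names);
# activation is a POST of a selfActivate request to these two collections.
ROLE_REQUESTS = f"{GRAPH}/roleManagement/directory/roleAssignmentScheduleRequests"
GROUP_REQUESTS = f"{GRAPH}/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"


def normalize(role_eligible, group_eligible, role_active, group_active):
    """Flatten eligibility instances into the list_eligible schema. An
    assignmentScheduleInstance with assignmentType 'Activated' for the same
    role/scope or group/access marks the eligibility as Active."""
    active_roles = {(a["roleDefinitionId"], a["directoryScopeId"])
                    for a in role_active if a.get("assignmentType") == "Activated"}
    active_groups = {(a["groupId"], a["accessId"])
                     for a in group_active if a.get("assignmentType") == "Activated"}
    out = []
    for e in role_eligible:
        key = (e["roleDefinitionId"], e["directoryScopeId"])
        out.append({"type": "EntraRole", "name": e["roleDefinition"]["displayName"],
                    "id": e["roleDefinitionId"], "role": e["roleDefinition"]["displayName"],
                    "memberType": e["memberType"],
                    "status": "Active" if key in active_roles else "Eligible",
                    "endTime": e.get("endDateTime"), "directoryScopeId": e["directoryScopeId"]})
    for e in group_eligible:
        key = (e["groupId"], e["accessId"])
        out.append({"type": "Group", "name": e["group"]["displayName"], "id": e["groupId"],
                    "role": e["accessId"], "memberType": e["memberType"],
                    "status": "Active" if key in active_groups else "Eligible",
                    "endTime": e.get("endDateTime")})
    return out


def find_by_name(assignments, name):
    """Case-insensitive match; refuse to guess when two assignments share a name."""
    hits = [a for a in assignments if a["name"].casefold() == name.casefold()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} assignments match {name!r}; activate by id instead")
    return hits[0]


def iso_duration(hours):
    """Graph wants an ISO 8601 duration: PT4H, or PT30M for fractional hours."""
    minutes = round(hours * 60)
    if minutes <= 0:
        raise ValueError("duration must be positive")
    return f"PT{minutes // 60}H" if minutes % 60 == 0 else f"PT{minutes}M"


def build_activation(assignment, principal_id, justification, hours,
                     directory_scope_id="/", start=None):
    """Return (url, body) for the selfActivate request of one assignment.
    `hours` is required here; reading the policy maximum is omitted."""
    if not justification.strip():
        raise ValueError("PIM requires a justification; it is written to the audit log")
    start = start or datetime.now(timezone.utc)
    schedule = {"startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "expiration": {"type": "afterDuration", "duration": iso_duration(hours)}}
    if assignment["type"] == "EntraRole":
        return ROLE_REQUESTS, {"action": "selfActivate", "principalId": principal_id,
                               "roleDefinitionId": assignment["id"],
                               "directoryScopeId": directory_scope_id,
                               "justification": justification, "scheduleInfo": schedule}
    return GROUP_REQUESTS, {"action": "selfActivate", "principalId": principal_id,
                            "groupId": assignment["id"], "accessId": assignment["role"],
                            "justification": justification, "scheduleInfo": schedule}


# Constructed sample data: the shape of Graph's `value` arrays, with made-up ids/names.
ME = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_ROLE_ELIGIBLE = [{"principalId": ME, "roleDefinitionId": "role-0001",
                         "directoryScopeId": "/", "memberType": "Direct",
                         "endDateTime": "2026-01-31T00:00:00Z",
                         "roleDefinition": {"displayName": "Global Reader"}}]
SAMPLE_ROLE_ACTIVE = [{"roleDefinitionId": "role-0001", "directoryScopeId": "/",
                       "assignmentType": "Activated"}]
SAMPLE_GROUP_ELIGIBLE = [{"principalId": ME, "groupId": "group-0001", "accessId": "member",
                          "memberType": "Direct", "endDateTime": None,
                          "group": {"displayName": "prod-sre-breakglass"}}]

if __name__ == "__main__":
    import json
    assignments = normalize(SAMPLE_ROLE_ELIGIBLE, SAMPLE_GROUP_ELIGIBLE, SAMPLE_ROLE_ACTIVE, [])
    print(json.dumps({"assignments": assignments}, indent=2))
    url, body = build_activation(find_by_name(assignments, "PROD-SRE-BREAKGLASS"), ME,
                                 "Incident INC-1234 triage", 4)
    print(url, json.dumps(body, indent=2))
```

The two checks worth keeping from this sketch are the refusal to activate on an ambiguous name (two groups with the same display name are legal in Entra) and the refusal to send an empty justification, since the justification is what a reviewer later sees in the PIM audit log.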

Architecture

┌─────────────┐     stdio      ┌──────────────────┐    Graph API    ┌──────────────┐
│  MCP Client │ ◄────────────► │  MCP Server      │ ──────────────► │ Microsoft    │
│  (Claude,   │                │  (this project)  │                 │ Graph API    │
│   Cursor,   │                │                  │                 │              │
│   VS Code)  │                └──────────────────┘                 └──────────────┘
└─────────────┘                        │
                                       │ Auto Browser Login
                                       ▼
                                ┌──────────────┐
                                │ Microsoft    │
                                │ Entra ID     │
                                └──────────────┘
  1. MCP client starts the server as a subprocess (stdio transport)
  2. When a PIM tool is called and no cached token exists, the browser opens for Entra ID login
  3. After authentication, the token and auth record are cached locally
  4. All MCP tool calls use this token for Microsoft Graph PIM operations
  5. On restart, the cached token is used silently
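The login and caching flow described under Authentication and in the architecture steps above, as an added example that is not the project's own code. It assumes azure-identity (the page does not name the library the server uses), the public Microsoft Graph PowerShell client id as the "well-known client ID", a hypothetical record path under the user's cache directory, and the delegated Graph scopes for the PIM role and group APIs. The file helpers are plain Python and run offline; azure.identity is imported only inside get_credential, which opens the browser.

```python
"""Added example (not the project's own code): interactive browser login with a
persistent, OS-encrypted token cache and a saved AuthenticationRecord so that
restarts are silent. Assumes azure-identity; record path is hypothetical."""
from __future__ import annotations

import os
import stat
from pathlib import Path

# Public client id of the first-party "Microsoft Graph PowerShell" app, so no
# app registration or client secret is needed. Assumed to be the page's choice.
GRAPH_POWERSHELL_CLIENT_ID = "14d82eec-204b-4c2f-b7e8-296a70dab67e"

# Delegated scopes for the PIM role and group APIs (assumed set; tenant admins
# may require admin consent or block this client with Conditional Access).
PIM_SCOPES = [
    "https://graph.microsoft.com/RoleEligibilitySchedule.Read.Directory",
    "https://graph.microsoft.com/RoleAssignmentSchedule.ReadWrite.Directory",
    "https://graph.microsoft.com/PrivilegedEligibilitySchedule.Read.AzureADGroup",
    "https://graph.microsoft.com/PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
]


def record_path(base: str | None = None) -> Path:
    """Hypothetical location of the serialized AuthenticationRecord."""
    root = Path(base or os.environ.get("XDG_CACHE_HOME", Path.home() / ".cache"))
    return root / "entra-pim-mcp" / "auth_record.json"


def save_record(serialized: str, path: Path) -> None:
    """Write the record owner-only. It holds no token (tenant, client, home
    account id, username), but it is the lookup key into the token cache."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(serialized)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too


def load_record(path: Path) -> str | None:
    """Return the saved record, or None on first run; refuse a world-readable file."""
    if not path.is_file():
        return None
    mode = path.stat().st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by others (mode {mode:o}); refusing it")
    return path.read_text()


def get_credential(tenant_id: str, path: Path):
    """Silent when a record and a cached refresh token exist; otherwise the
    browser opens once and the record is saved for the next start. The cache
    stays OS-encrypted (DPAPI/Keychain/libsecret) because azure-identity's
    allow_unencrypted_storage defaults to False; do not flip it, the cache holds
    a refresh token that can activate every eligible role."""
    from azure.identity import (AuthenticationRecord, InteractiveBrowserCredential,
                                TokenCachePersistenceOptions)

    saved = load_record(path)
    record = AuthenticationRecord.deserialize(saved) if saved else None
    cred = InteractiveBrowserCredential(
        tenant_id=tenant_id,
        client_id=GRAPH_POWERSHELL_CLIENT_ID,
        cache_persistence_options=TokenCachePersistenceOptions(name="entra-pim-mcp"),
        authentication_record=record,
    )
    if record is None:
        record = cred.authenticate(scopes=PIM_SCOPES)  # opens the default browser
        save_record(record.serialize(), path)
    return cred  # get_token() now serves from cache, re-prompting only when needed


if __name__ == "__main__":
    cred = get_credential(os.environ["AZURE_TENANT_ID"], record_path())
    print("token valid until", cred.get_token(*PIM_SCOPES).expires_on)
```

The permission check in load_record is the part a reviewer should insist on: a record or cache that another local user can read turns "no secrets required" into a shared privileged credential.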

License

Apache License 2.0 — see LICENSE for details.

Download files


Source Distribution

entra_pim_mcp_server-1.0.0.tar.gz (116.0 kB)


Built Distribution


entra_pim_mcp_server-1.0.0-py3-none-any.whl (11.4 kB)


File details

Details for the file entra_pim_mcp_server-1.0.0.tar.gz.

File metadata

  • Download URL: entra_pim_mcp_server-1.0.0.tar.gz
  • Size: 116.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for entra_pim_mcp_server-1.0.0.tar.gz
Algorithm Hash digest
SHA256 f0bde077dd3f05e234d315dd3332c5a69019acd3f59a93150234a6a8ca130add
MD5 625a1ae8609d5c4e368a9afa53a2deff
BLAKE2b-256 fcc39fb2bb5323eee58ee2c00f66c50698e622eae3d7c9207b7a757c6d9e8b7d


Provenance

The following attestation bundles were made for entra_pim_mcp_server-1.0.0.tar.gz:

Publisher: release.yml on vexxhost/entra-pim-mcp-server


File details

Details for the file entra_pim_mcp_server-1.0.0-py3-none-any.whl.

File hashes

Hashes for entra_pim_mcp_server-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ad8f95a278127476ee36ff31e6babd038b5b8ea472cbd54c7b9e4fdbc8644ae4
MD5 5542ba4cff83bf3b0accf5cec17a60b6
BLAKE2b-256 29a59bdcc5525deb87585b7e56913c802f0c0fa9db51ad0eeb013b1907466c8e


Provenance

The following attestation bundles were made for entra_pim_mcp_server-1.0.0-py3-none-any.whl:

Publisher: release.yml on vexxhost/entra-pim-mcp-server

