Microsoft Entra ID MCP Integration

Connect Microsoft Entra ID to your AI agents through Weldable.

Identity

Weldable's Azure AD MCP integration connects your AI agents to Microsoft Entra ID (formerly Azure Active Directory) through the Microsoft Graph API. Your agent can manage users, groups, applications, and security configurations through natural language. Microsoft has invested heavily in MCP support across Azure, and Weldable brings that capability into a multi-integration platform where identity management actions can chain with Slack notifications, Google Sheets reporting, and other connected services.

Use cases

User and group management

Your agent creates user accounts in Entra ID, assigns them to security groups and Microsoft 365 groups, and sets profile attributes like department, job title, and manager. When someone changes teams, your agent updates their group memberships and access assignments in a single command. Pair with Slack to notify the hiring manager when a new account is provisioned and ready.

Conditional access policy audits

Your agent reads all conditional access policies in your tenant and checks them against your security baseline. It flags policies that allow legacy authentication, skip MFA for certain user groups, or permit access from untrusted locations. The findings go into a Google Doc with specific remediation steps, giving your security team a clear action list instead of a raw policy dump.

Application registration management

When your development team needs a new app registration for a microservice or internal tool, your agent creates it with the correct redirect URIs, API permissions, and certificate credentials. It configures the token lifetime, sets up the required Graph API permissions, and posts the client ID and tenant details to the team's Slack channel. No one needs to click through the Azure portal.

License assignment and tracking

Your agent queries Entra ID for all assigned Microsoft 365 licenses, identifies users with licenses they are not using (no sign-in activity in 90 days), and generates a report in Google Sheets. This helps your IT team reclaim unused licenses and reduce costs. For new hires, your agent assigns the appropriate license tier based on their role and department.

Security incident investigation

When a sign-in risk event is detected, your agent pulls the user's recent sign-in logs from the Graph API, including IP addresses, device details, and risk levels. It compiles a timeline and posts it to your security team's Slack channel. For confirmed compromises, your agent can revoke all refresh tokens, force a password reset, and block the account until the investigation is complete.
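The timeline step described above, as an added example that is not part of the Weldable integration or Microsoft's code: it takes sign-in records shaped like the Microsoft Graph `signIn` resource (the fields `createdDateTime`, `ipAddress`, `riskLevelDuringSignIn`, `status.errorCode`, `deviceDetail`, `location` are real Graph property names), orders them, and marks the ones at or above a chosen risk level so a successful sign-in that followed a risky failure stands out. The records themselves are constructed, using documentation IP ranges and an `.example` domain, and the `medium` default threshold is an assumption.

```python
"""Build an investigation timeline from Microsoft Graph signIn records.

Added example, not Weldable's or Microsoft's code. SAMPLE_SIGN_INS is constructed
to match the shape of GET /auditLogs/signIns; the risk threshold is an assumption.
"""
from typing import Any, Dict, List

# Ordering of the Graph riskLevel values we score; "hidden"/"unknownFutureValue" score 0.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed records for one user, deliberately out of order and mixing a low-risk
# home sign-in with a high-risk failed password (errorCode 50126) and then a success
# from the same unfamiliar address.
SAMPLE_SIGN_INS: List[Dict[str, Any]] = [
    {"id": "s1", "createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none", "riskState": "none",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge"},
     "location": {"countryOrRegion": "GB"}},
    {"id": "s2", "createdDateTime": "2024-05-01T08:07:45Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.77", "riskLevelDuringSignIn": "high", "riskState": "atRisk",
     "status": {"errorCode": 50126}, "deviceDetail": {"operatingSystem": "Linux", "browser": "Chrome"},
     "location": {"countryOrRegion": "RU"}},
    {"id": "s3", "createdDateTime": "2024-05-01T08:09:02Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.77", "riskLevelDuringSignIn": "high", "riskState": "atRisk",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Linux", "browser": "Chrome"},
     "location": {"countryOrRegion": "RU"}},
    {"id": "s0", "createdDateTime": "2024-05-01T07:55:30Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "low", "riskState": "none",
     "status": {"errorCode": 0}, "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge"},
     "location": {"countryOrRegion": "GB"}},
]


def build_timeline(sign_ins: List[Dict[str, Any]], min_risk: str = "medium") -> Dict[str, Any]:
    """Return chronologically ordered events, the risky successes, and the set of source IPs."""
    threshold = RISK_ORDER[min_risk]
    events: List[Dict[str, Any]] = []
    # Graph timestamps are ISO 8601 in UTC with a trailing Z, so string order is time order.
    for rec in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        risk = rec.get("riskLevelDuringSignIn", "none")
        code = (rec.get("status") or {}).get("errorCode", 0)
        device = rec.get("deviceDetail") or {}
        events.append({
            "id": rec["id"],
            "time": rec["createdDateTime"],
            "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "country": (rec.get("location") or {}).get("countryOrRegion"),
            "device": f"{device.get('operatingSystem', '?')}/{device.get('browser', '?')}",
            "outcome": "success" if code == 0 else f"failure({code})",
            "risk": risk,
            "flagged": RISK_ORDER.get(risk, 0) >= threshold,
        })
    risky_successes = [e for e in events if e["flagged"] and e["outcome"] == "success"]
    return {
        "events": events,
        "risky_successes": risky_successes,
        "source_ips": sorted({e["ip"] for e in events if e["ip"]}),
    }


def format_timeline(events: List[Dict[str, Any]]) -> str:
    """Render the events as fixed-width lines, '!!' marking flagged sign-ins."""
    lines = []
    for e in events:
        marker = "!!" if e["flagged"] else "  "
        lines.append(f"{marker} {e['time']} {e['ip']:<15} {e['country'] or '?':<2} "
                     f"{e['device']:<18} {e['outcome']:<15} risk={e['risk']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = build_timeline(SAMPLE_SIGN_INS)
    print(format_timeline(result["events"]))
    print("source IPs:", ", ".join(result["source_ips"]))
    print("risky successes:", [e["id"] for e in result["risky_successes"]])
```

The `risky_successes` list is the part worth posting first: a successful sign-in at high risk from an address that had just failed a password is the event that justifies the token revocation and password reset the page mentions, and `source_ips` gives the reviewer the addresses to look for in other users' logs.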

How it works

Connect your Microsoft Entra ID tenant through OAuth. Weldable authenticates using Microsoft's identity platform and requests only the Graph API permissions your agent needs, such as User.ReadWrite.All, Group.ReadWrite.All, or Application.ReadWrite.All. Access is governed by Azure Role-Based Access Control, and every action is logged in Entra ID's audit logs.

Tell your agent what you need in plain language. Say "list all users in the Engineering security group" or "create an app registration for our new API service" and Weldable maps your intent to the correct Microsoft Graph API call. Your agent returns structured results and confirms destructive actions before executing them.

Tips

Microsoft renamed Azure AD to Microsoft Entra ID. The APIs and functionality are the same, but the branding changed in 2023. Your agent understands both names. Documentation and portal references now use "Entra ID" consistently.

Use security groups for access control, not Microsoft 365 groups. Security groups control access to applications and resources. Microsoft 365 groups are designed for collaboration (Teams, SharePoint). Your agent can manage both, but mixing them up leads to overly broad access grants.

Graph API permissions come in two types: delegated and application. Delegated permissions act on behalf of a signed-in user. Application permissions act without a user context and are more powerful. Your agent uses application permissions for automated workflows. Grant only the minimum required scope.

Sign-in logs are retained for 30 days on most plans (7 days on the free tier). If your agent needs longer history for compliance, export the logs to a Google Sheet or external storage on a regular schedule.

Conditional access policies can lock you out. Test new policies in report-only mode before enforcing them. Your agent can create policies in report-only mode so you can see which sign-ins would be affected without actually blocking anyone. Switch to enforcement only after confirming the impact is as expected.
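The policy audit from the "Conditional access policy audits" use case, together with the report-only check from this tip, as one added example that is not Weldable's or Microsoft's code. It evaluates policy objects shaped like the Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.clientAppTypes`, `grantControls.builtInControls` are real property names, and `enabledForReportingButNotEnforced` is the real report-only state value). The three rules stand in for an organisation's own baseline and are an assumption; the three sample policies are constructed so that each rule fires once.

```python
"""Check Microsoft Graph conditional access policy objects against a small baseline.

Added example, not Weldable's or Microsoft's code. SAMPLE_POLICIES is constructed to
match the shape of GET /identity/conditionalAccess/policies; the three baseline rules
are an assumption standing in for a real security baseline.
"""
from typing import Any, Dict, List

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph conditionalAccessPolicyState value
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # clientAppTypes used by legacy auth clients

# Constructed sample tenant: an MFA policy with a group exclusion, a legacy-auth block
# still in report-only mode, and an admin device policy that is fine as it stands.
SAMPLE_POLICIES: List[Dict[str, Any]] = [
    {
        "id": "ca-001",
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["grp-contractors"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "id": "ca-002",
        "displayName": "Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "id": "ca-003",
        "displayName": "Require compliant device for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeRoles": ["role-global-admin"],
                      "excludeUsers": [], "excludeGroups": []},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


def audit_policies(policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Return per-policy findings plus a tenant-level verdict on legacy authentication."""
    findings: List[Dict[str, str]] = []
    legacy_auth_blocked = False

    for policy in policies:
        pid, name, state = policy["id"], policy["displayName"], policy["state"]
        conditions = policy.get("conditions") or {}
        users = conditions.get("users") or {}
        controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
        client_apps = set(conditions.get("clientAppTypes") or [])

        # Rule 1: a report-only policy enforces nothing yet; it needs an impact review, then enablement.
        if state == REPORT_ONLY:
            findings.append({"policy": pid, "rule": "report-only",
                             "detail": f"'{name}' is report-only; review affected sign-ins, then enable"})

        # Rule 2: an enforced MFA policy with user or group exclusions skips MFA for those principals.
        excluded = list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])
        if state == "enabled" and "mfa" in controls and excluded:
            findings.append({"policy": pid, "rule": "mfa-exclusion",
                             "detail": f"'{name}' exempts {', '.join(excluded)} from MFA"})

        # Rule 3 (tenant-level): at least one enforced policy must block legacy auth client apps.
        covers_legacy = "all" in client_apps or bool(client_apps & LEGACY_CLIENT_APPS)
        if state == "enabled" and "block" in controls and covers_legacy:
            legacy_auth_blocked = True

    if not legacy_auth_blocked:
        findings.append({"policy": "tenant", "rule": "legacy-auth-allowed",
                         "detail": "no enforced policy blocks exchangeActiveSync/other client apps"})

    return {"legacy_auth_blocked": legacy_auth_blocked, "findings": findings}


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES)["findings"]:
        print(f"[{finding['rule']}] {finding['policy']}: {finding['detail']}")
```

Rule 3 is deliberately evaluated across the whole tenant rather than per policy: a legacy-auth block that exists only in report-only mode still leaves legacy authentication allowed, so the audit reports both the report-only policy and the resulting gap. Flipping `ca-002` to `enabled` clears both findings at once, which is the kind of remediation step the report should spell out.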

Connect your agent to Microsoft Entra ID

Connect your Microsoft Entra ID account and start automating with AI agents in minutes. Free to use, no credit card required.