Server data from the Official MCP Registry
Interactive Entra ID identity relationship visualization — the 2003 polyarchy, live as an MCP App
Interactive Entra ID identity relationship visualization — the 2003 polyarchy, live as an MCP App
Valid MCP server (2 strong, 0 medium validity signals). 5 known CVEs in dependencies (0 critical, 2 high severity) Package registry verified. Imported from the Official MCP Registry. Trust signals: trusted author (3/4 approved).
6 files analyzed · 6 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-darrenjrobinson-entrapulse-polyarchy": {
"args": [
"-y",
"entrapulse-polyarchy"
],
"command": "npx"
}
}
}From the project's GitHub README.
An interactive Microsoft Entra ID identity relationship visualization, served as an MCP App.
In 2003 Microsoft demoed PolyArchy Server — a web visual over identity data showing intersecting relationship hierarchies, where clicking a datapoint flipped the whole view to that context. It never shipped. This is it, finally real: a live D3 force-graph over your Entra ID tenant that renders inside your MCP client (Claude Desktop, VS Code Copilot, M365 Copilot, ChatGPT, Cursor, Goose, Postman — anything that supports the MCP Apps extension).
Ask your assistant "show me the identity polyarchy around Rebecca" and explore:
onPremisesExtensionAttributes/extensionAttribute9The graph accumulates across dimensions: one intersecting polyarchy, not four separate charts. People are shaded by degrees of separation from the focus (blue ramp); groups, roles, apps and attribute hubs wear the colour of the relationship that connects them — matching their edges — faded with distance so the hop cue survives. Light and dark theme follow your MCP client.
{
"mcpServers": {
"entrapulse-polyarchy": {
"command": "npx",
"args": ["-y", "entrapulse-polyarchy"]
}
}
}
That's it for most tenants — no app registration needed. Be aware of what that
means: with no configuration the server signs you in through Microsoft's first-party
"Microsoft Graph Command Line Tools" public client
(client ID 14d82eec-204b-4c2f-b7e8-296a70dab67e) — the same well-known app the Graph
PowerShell/CLI tooling uses. It exists in every tenant and already has broad delegated
consent in many. Hardened environments commonly block or restrict this app (Conditional
Access, consent policies, or app management restrictions) — if that's your tenant, use
your own app registration instead;
everything else works identically.
Sign-in happens on the first tool call — and then never again:
~/.entrapulse-polyarchy/auth-record.json,
so freshly spawned server processes sign in silently — MCP clients respawn stdio
servers freely, and none of those spawns re-prompt.~/.entrapulse-polyarchy/auth.log with timings
(silent acquisitions are milliseconds; anything interactive is obvious) — the first
place to look if you ever see a prompt you didn't expect.| Mode | Configure | Notes |
|---|---|---|
| Interactive (default) | nothing — or TENANT_ID + CLIENT_ID to use your own app | System browser sign-in (random loopback port — register http://localhost portless); delegated permissions; /me is the default focus |
| Device code | USE_DEVICE_CODE=true | Headless/SSH — code printed to the server log |
| App-only | TENANT_ID + CLIENT_ID + CLIENT_SECRET | Application permissions; no /me, so always pass a person to visualize-identity |
| Client-provided token | USE_CLIENT_TOKEN=true (+ optional ACCESS_TOKEN) | The MCP client supplies/refreshes a Graph bearer token via the set-access-token tool — seamless SSO for hosts like EntraPulse that already hold one |
Other env vars: POLYARCHY_DISABLE_TOKEN_CACHE=true disables OS-keychain token
persistence; POLYARCHY_AUTH_RECORD=<path> relocates the persisted sign-in record
(delete the file to force a fresh sign-in).
| Scope | Used for |
|---|---|
User.Read.All | org hierarchy, search, attribute pivots |
Group.Read.All | group memberships and members |
RoleManagement.Read.Directory | directory roles |
Application.Read.All | app assignments |
The default first-party client typically has broad delegated consent already. Missing
consent shows up as a clear 403 message naming the scope — ask your assistant to run
get-auth-status to see exactly which app registration, scopes and account your token
contains.
Scopes and directory roles are separate gates: the token must always carry the scopes above (an admin role can't substitute for them), while on the user side plain member default permissions cover everything this app reads — no admin role required. Only tenants that restrict default user read access (or guest users) need a role that includes directory read, for which Directory Readers is the least-privileged fit.
If the Graph Command Line Tools app is blocked, unconsented, or you simply want an app you control (own Conditional Access targeting, own consent trail), point the server at your own registration — supported in both interactive and device-code modes:
http://localhost (no port!), and enable Allow public client flows if you
want device-code sign-in. The port matters: interactive sign-in listens on a random
loopback port each time (e.g. http://localhost:51106), and Entra only ignores the
port when the registered redirect is the portless http://localhost. Registering a
fixed port like :3000, or reusing an app that only has web redirects (Graph
Explorer, for instance), fails with a reply-URL mismatch.{
"mcpServers": {
"entrapulse-polyarchy": {
"command": "npx",
"args": ["-y", "entrapulse-polyarchy"],
"env": {
"TENANT_ID": "<your-tenant-guid>",
"CLIENT_ID": "<your-app-registration-client-id>"
}
}
}
}
Setting TENANT_ID alone (without CLIENT_ID) is also useful on its own: it pins
sign-in to your tenant instead of the common endpoint, which multi-tenant users and
guest accounts often want regardless of which client app is used.
The Attributes view groups people around shared values. The toolbar picker offers the
everyday pivots (Department, Job title, Company, Office, City, State, Employee type),
plus Other attributes… which opens a type-ahead over the full Graph user-attribute
catalog — all fifteen onPremisesExtensionAttributes, employeeOrgData/costCenter,
onPremisesSamAccountName, employeeId and ~50 more. Matching is forgiving (ext9
finds extensionAttribute9), free text is accepted for anything uncatalogued, and
attributes you pick join the dropdown for the rest of the session. Nested paths are
resolved server-side: the needed property is $selected on demand and cohort filters
use Graph advanced queries, with attribute paths validated before they reach an OData
filter.
| Tool | Purpose |
|---|---|
visualize-identity | Open the polyarchy focused on you, or {search: "name"} / {userId}. Ambiguous names don't guess: the tool returns the candidates (with object ids) so the assistant can ask which one you meant, then re-call with userId. A GUID passed as search is treated as an object id directly |
polyarchy-expand | Relationships for one node as a nodes/edges delta (org/groups/access/attributes; group/role members; attribute cohorts — attr accepts nested paths) |
polyarchy-search | Find people by name/UPN — returns each match with UPN, title/department and object id |
set-access-token / get-auth-status | Token passthrough + auth diagnostics |
(get-photo and get-manager also exist but are visible only to the app UI, not the model.)
npm install
npm run build # tsc (server → build/server) + vite single-file (UI → build/ui/mcp-app.html)
npm start # run the server on stdio
Test interactively with the MCPJam inspector or any
MCP Apps-capable host pointed at node build/server/index.js. The UI is one
self-contained HTML file (D3 inlined) satisfying the MCP Apps default CSP — the iframe
makes zero network calls; all Graph traffic flows through the server via tools/call.
Microsoft demoed PolyArchy Server at TechEd 2003 and never shipped it. In 2017 Darren approximated it with MIM + Power BI + Journey Chart (blog post). In 2026, MCP Apps made the real thing possible — an identity polyarchy living inside whatever AI client you already use, part of the EntraPulse family.
MIT licensed.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.