Back to Browse
Free
Server data from the Official MCP Registry
MCP server for CIPP — M365 multi-tenant management for MSPs (users, tenants, policies).
About
MCP server for CIPP — M365 multi-tenant management for MSPs (users, tenants, policies).
Security Report
5.7
Moderate5.7Moderate RiskThis is a well-structured MCP server for CIPP with proper authentication and reasonable security practices. It implements OAuth 2.0 client-credentials flow for token management and stores credentials in environment variables. However, several moderate-severity issues exist: incomplete input validation on destructive operations, potential data exfiltration vectors (email forwarding, password transmission), overly broad error messages that could leak tenant information, and missing HTTPS enforcement for the CIPP base URL. The permissions are appropriate for the multi-tenant management purpose. Supply chain analysis found 2 known vulnerabilities in dependencies (0 critical, 1 high severity).
4 files analyzed · 10 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
Base URL of your CIPP API instance (e.g. https://cipp-api.example.com)
Environment variable: CIPP_API_URL
Entra ID application (client) ID used to authenticate to CIPP
Environment variable: CIPP_CLIENT_ID
Entra ID client secret for the CIPP applicationRequired
Environment variable: CIPP_CLIENT_SECRET
Entra ID tenant ID hosting the CIPP application registration
Environment variable: CIPP_TENANT_ID
Transport mode for the server. Set to 'stdio' for local CLI use; the image defaults to 'http' for gateway hosting.
Environment variable: MCP_TRANSPORT
Credential source: 'env' reads vars locally, 'gateway' expects header injection from the WYRE MCP Gateway.
Environment variable: AUTH_MODE
Log verbosity: debug, info, warn, error
Environment variable: LOG_LEVEL
How to Install
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-wyre-technology-cipp-mcp": {
"env": {
"AUTH_MODE": "your-auth-mode-here",
"LOG_LEVEL": "your-log-level-here",
"CIPP_API_URL": "your-cipp-api-url-here",
"MCP_TRANSPORT": "your-mcp-transport-here",
"CIPP_CLIENT_ID": "your-cipp-client-id-here",
"CIPP_TENANT_ID": "your-cipp-tenant-id-here",
"CIPP_CLIENT_SECRET": "your-cipp-client-secret-here"
},
"args": [
"-y",
"cipp-mcp"
],
"command": "npx"
}
}
}Documentation
View on GitHubFrom the project's GitHub README.
CIPP MCP Server
MCP (Model Context Protocol) server for CIPP — the CyberDrain Improved Partner Portal. Provides AI assistants with structured access to CIPP's M365 multi-tenant management capabilities.
Features
- 37 tools across 11 categories
- Tenant, user, group, and mailbox management
- Security: Conditional Access policies, named locations
- Standards & compliance: BPA, domain health, drift detection
- License reporting (per-tenant and CSP-wide)
- Alerts, audit logs, and scheduled tasks
- GDAP role and invite management
- Stdio and HTTP transport modes
- MCP Gateway compatible
Prerequisites
- Node.js 18+
- A running CIPP deployment
- CIPP API Key (generated from CIPP Settings → API Client Management)
Installation
Via npm (once published)
npx cipp-mcp
From source
git clone https://github.com/wyre-technology/cipp-mcp
cd cipp-mcp
npm install
npm run build
Configuration
Set these environment variables (or copy .env.example to .env):
| Variable | Required | Description |
|---|---|---|
CIPP_BASE_URL | Yes | Your CIPP deployment URL (e.g. https://cipp.yourdomain.com) |
CIPP_API_KEY | One of | Static Bearer token. Use this or the OAuth trio below. |
CIPP_TENANT_ID | One of | Entra tenant ID that owns the CIPP API-client app registration. |
CIPP_CLIENT_ID | One of | OAuth client ID issued by CIPP's API Client Management page. |
CIPP_CLIENT_SECRET | One of | OAuth client secret paired with CIPP_CLIENT_ID. |
CIPP_TOKEN_SCOPE | No | Override OAuth scope (default: <clientId>/.default). |
CIPP_TOKEN_URL | No | Override OAuth token endpoint (sovereign clouds only). |
MCP_TRANSPORT | No | stdio (default) or http |
MCP_HTTP_PORT | No | Port for HTTP mode (default: 8080) |
LOG_LEVEL | No | error, warn, info (default), or debug |
Usage with Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"cipp": {
"command": "node",
"args": ["/path/to/cipp-mcp/dist/entry.js"],
"env": {
"CIPP_BASE_URL": "https://cipp.yourdomain.com",
"CIPP_API_KEY": "your-api-key"
}
}
}
}
Tools
| Category | Tools |
|---|---|
| Tenants | list_tenants, get_tenant_details |
| Users | list_users, create_user, edit_user, disable_user, reset_password, reset_mfa, revoke_sessions, offboard_user, bec_check, list_mfa_users, list_user_devices, list_user_groups |
| Groups | list_groups, create_group |
| Mailboxes | list_mailboxes, list_mailbox_permissions, set_out_of_office, set_email_forwarding |
| Security | list_conditional_access_policies, list_named_locations |
| Standards | list_standards, run_standards_check, list_bpa, list_domain_health |
| Licenses | list_licenses, list_csp_licenses |
| Alerts | list_audit_logs, list_alert_queue |
| GDAP | list_gdap_roles, list_gdap_invites |
| Scheduler | list_scheduled_items, add_scheduled_item |
| Core | ping, get_version, list_logs |
Authentication Setup
CIPP's API Client Management page provisions an Entra ID app registration and returns an OAuth client ID + client secret (not a long-lived Bearer token). The server exchanges these for a short-lived access token on each request using the OAuth 2.0 client-credentials flow, and caches the token until just before its expiry.
- In CIPP, go to Settings → CIPP Settings → Integrations → CIPP-API
- Create a new API client
- Copy the Client ID and Client Secret — you will not be able to retrieve the secret later
- Configure the server:
CIPP_BASE_URL=https://cipp.yourdomain.com CIPP_TENANT_ID=<your-entra-tenant-id> CIPP_CLIENT_ID=<client-id-from-cipp> CIPP_CLIENT_SECRET=<client-secret-from-cipp>
If you already have a static Bearer token (older CIPP deployments), set
CIPP_API_KEY instead and leave the OAuth variables unset. When both are
provided, CIPP_API_KEY wins.
License
Apache-2.0 — see LICENSE
Contributing
Issues and PRs welcome. This server is tracked against wyre-technology/msp-claude-plugins#24.
Reviews
No reviews yet
Be the first to review this server!
More Developer Tools MCP Servers
Git
Freeby Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
80.0K
Stars
4
Installs
6.5
Security
No ratings yet
Local
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
137
Stars
455
Installs
8.0
Security
4.8
Local
mcp-creator-python
Freeby mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
-
Stars
60
Installs
10.0
Security
5.0
Local
MarkItDown
Freeby Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
120.0K
Stars
18
Installs
6.0
Security
5.0
Local
mcp-creator-typescript
Freeby mcp-marketplace · Developer Tools
Scaffold, build, and publish TypeScript MCP servers to npm — conversationally
-
Stars
15
Installs
10.0
Security
5.0
Local
FinAgent
Freeby mcp-marketplace · Finance
Free stock data and market news for any MCP-compatible AI assistant.
-
Stars
14
Installs
10.0
Security
No ratings yet
Local