What are the requirements for Azure Security MCP Agent?

Azure Security MCP Agent requires the following environment variables: GROQ_API_KEY (required), AZURE_SUBSCRIPTION_ID (required). You'll also need a compatible MCP client like Claude Desktop or Claude Code.

Is Azure Security MCP Agent free to use?

Yes, Azure Security MCP Agent is open source and free to use. You can find the source code on GitHub.

What MCP clients support Azure Security MCP Agent?

Azure Security MCP Agent works with any MCP-compatible client including Claude Desktop (Anthropic's official desktop app), Claude Code (CLI tool), Cursor, and other editors with MCP support.

How do I configure Azure Security MCP Agent?

Configure Azure Security MCP Agent by adding it to your MCP client's config file. For Claude Desktop, edit claude_desktop_config.json and add the server configuration. See the Configuration section above for a ready-to-use example.

Azure Security MCP Agent MCP Server

Q: What tools does Azure Security MCP Agent provide?

azure_list_resource_groups: Lists all resource groups in the Azure subscription.. azure_list_nsgs: Lists all Network Security Groups.. azure_list_storage_accounts: Lists all storage accounts.. azure_list_resources: Lists all resources in the subscription.. azure_check_nsg_rules: Analyzes NSGs for dangerous rules.. azure_check_storage_security: Audits storage accounts for insecure configuration.. azure_list_public_ips: Lists public IPs and identifies exposed assets.. azure_check_vm_security: Checks basic VM security posture..

Q: How do I install Azure Security MCP Agent?

Install Azure Security MCP Agent by running: pip install -r requirements.txt

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.

Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal

pip install -r requirements.txt

Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal

claude mcp add -e "GROQ_API_KEY=${GROQ_API_KEY}" -e "AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}" azure-security-agent -- python "<FULL_PATH_TO_SECURITY_MCP_AGENT>/dist/index.js"

Replace <FULL_PATH_TO_SECURITY_MCP_AGENT>/dist/index.js with the actual folder you prepared in step 1.

Required:GROQ_API_KEYAZURE_SUBSCRIPTION_ID

README.md

An AI-powered agent that analyzes the security of your Azure infrastructure.

Azure Security MCP Agent

An AI-powered agent that uses Model Context Protocol (MCP) tools and a Groq LLM to analyze the security of your Azure infrastructure.

The design is inspired by the YouTube example yt-mcp-agent `github.com/ShawhinT/yt-mcp-agent` but adapted for cloud security and Azure.

Overview

This project shows how to build a security-focused AI agent that can:

Discover resources across an Azure subscription
Analyze Network Security Groups (NSGs) for dangerous rules
Audit storage accounts for insecure configuration
List public IPs and identify exposed assets
Check basic VM security posture
Explain risks and relate them to CIS Azure best practices (you can reference the included CIS PDF)

There are three main entry points:

main.py – OpenAI Agents SDK + MCP tools (Groq model) – recommended path
agent.py – LangChain/LangGraph ReAct-style agent using the same MCP tools
demo.py – Offline Groq-only demo using mock Azure data (no Azure access required)

Architecture

┌──────────────────────────────┐
│        Groq LLM API          │   (llama-3.3-70b-versatile via OpenAI-compatible API)
└───────────────┬──────────────┘
                │
                ▼
┌─────────────────────────────────────────────┐
│  Agent Clients                              │
│  - main.py  (OpenAI Agents SDK + MCP tools) │
│  - agent.py (LangChain / LangGraph)         │
└───────────────┬─────────────────────────────┘
                │  (MCP JSON-RPC over stdio)
                ▼
┌─────────────────────────────────────────────┐
│  MCP Server (FastMCP)                       │
│  - server.py                                │
│  - exposes azure_* tools                    │
└───────────────┬─────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────────────┐
│  Azure SDK for Python                       │
│  - azure-identity / mgmt-resource/network   │
│  - mgmt-storage / mgmt-compute              │
└─────────────────────────────────────────────┘

Key Components

server.py
FastMCP-based MCP server (FastMCP("azure-security-analyzer")) exposing tools like:
- azure_list_resource_groups
- azure_list_nsgs
- azure_list_storage_accounts
- azure_list_resources
- azure_check_nsg_rules
- azure_check_storage_security
- azure_list_public_ips
- azure_check_vm_security
  It also exposes a system_prompt via @mcp.prompt() that reads from prompts/system_instructions.md.
main.py
Uses the OpenAI Agents SDK (agents.Agent, MCPServerStdio) to:
- Start the MCP server (server.py) as a subprocess over stdio
- Attach all MCP tools to the agent automatically
- Use Groq as the model via the OpenAI-compatible API
- Provide a simple terminal loop where you type natural-language security questions
agent.py
An alternative LangChain/LangGraph implementation that:
- Connects to the same MCP server
- Wraps MCP tools into LangChain tools
- Uses a ReAct-style graph to decide which Azure tools to call
demo.py
Offline demo that feeds mock Azure findings (e.g. open NSG rules, insecure storage settings) into Groq and asks it to produce a security report. Useful when you don’t have real Azure access.
prompts/system_instructions.md
System instructions for the agent (how to interpret tool results, severity levels, report format, etc.). You can customize this to align more strictly with the CIS Microsoft Azure Compute Services Benchmark (the PDF included in this repo).

Prerequisites

Python 3.10+
Azure subscription with at least some test resources
Azure CLI (az) for local authentication
Groq account + API key (https://console.groq.com)
(Optional) Basic familiarity with CIS Azure benchmarks

Setup

1. Create and activate a virtual environment

Windows (PowerShell):

cd C:\Users\MSI\mcp_project
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt

Linux / macOS:

cd /path/to/mcp_project
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Re-activate the venv in each new terminal before running the project.

2. Authenticate to Azure

az login

# (optional) select a specific subscription
az account set --subscription "YOUR-SUBSCRIPTION-ID"

# show your current subscription id
az account show --query id -o tsv

3. Configure environment variables

Create a .env file in the project root:

GROQ_API_KEY=gsk_xxxxxxxxxxxxxxxxxxxxx
AZURE_SUBSCRIPTION_ID=your-subscription-id

These are read by both main.py and agent.py.

Running the Agent (OpenAI Agents SDK + MCP tools)

This path is closest to the yt-mcp-agent example and is the recommended way to use the

Tools (8)

azure_list_resource_groupsLists all resource groups in the Azure subscription.

azure_list_nsgsLists all Network Security Groups.

azure_list_storage_accountsLists all storage accounts.

azure_list_resourcesLists all resources in the subscription.

azure_check_nsg_rulesAnalyzes NSGs for dangerous rules.

azure_check_storage_securityAudits storage accounts for insecure configuration.

azure_list_public_ipsLists public IPs and identifies exposed assets.

azure_check_vm_securityChecks basic VM security posture.

Environment Variables

GROQ_API_KEYrequiredAPI key for Groq LLM access

AZURE_SUBSCRIPTION_IDrequiredThe Azure subscription ID to analyze

Configuration

claude_desktop_config.json

{"mcpServers": {"azure-security": {"command": "python", "args": ["/path/to/server.py"]}}}

Try it

→List all public IP addresses in my Azure subscription and identify any that are exposed.

→Audit my storage accounts for insecure configurations and suggest fixes.

→Check my Network Security Groups for any dangerous rules that allow unauthorized access.

→Perform a security posture check on my virtual machines.

→Explain the security risks of my current Azure infrastructure based on CIS benchmarks.

Frequently Asked Questions

What are the key features of Azure Security MCP Agent?

Discover and list resources across an Azure subscription. Analyze Network Security Groups for dangerous or overly permissive rules. Audit storage accounts for insecure configurations. Identify exposed assets via public IP listing. Evaluate VM security posture against CIS Azure best practices.

What can I use Azure Security MCP Agent for?

Automated security auditing of Azure cloud environments. Identifying misconfigured storage accounts before they lead to data leaks. Quickly assessing the security posture of virtual machines. Generating natural language security reports for compliance reviews.

How do I install Azure Security MCP Agent?

Install Azure Security MCP Agent by running: pip install -r requirements.txt

What MCP clients work with Azure Security MCP Agent?

Azure Security MCP Agent works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep Azure Security MCP Agent docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.

Open Conare

View all cloud servers →