Active Directory MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
1

Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal
git clone git@github.com:fredriksknese/mcp-activedirectory.git
cd mcp-activedirectory
npm install
npm run build
2

Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal
claude mcp add -e "AD_HOST=${AD_HOST}" -e "AD_BIND_DN=${AD_BIND_DN}" -e "AD_BIND_PASSWORD=${AD_BIND_PASSWORD}" -e "AD_BASE_DN=${AD_BASE_DN}" -e "AZURE_TENANT_ID=${AZURE_TENANT_ID}" -e "AZURE_CLIENT_ID=${AZURE_CLIENT_ID}" -e "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" mcp-activedirectory -- node "<FULL_PATH_TO_MCP_ACTIVEDIRECTORY>/dist/index.js"

Replace <FULL_PATH_TO_MCP_ACTIVEDIRECTORY>/dist/index.js with the actual folder you prepared in step 1.

Required:AD_HOSTAD_BIND_DNAD_BIND_PASSWORDAD_BASE_DNAZURE_TENANT_IDAZURE_CLIENT_IDAZURE_CLIENT_SECRET+ 3 optional
README.md

Unified access to on-prem Active Directory and Azure AD / Entra ID

mcp-activedirectory

A Model Context Protocol (MCP) server for Microsoft Active Directory, providing AI assistants with access to on-prem AD (via LDAP) and Azure AD / Entra ID (via Microsoft Graph API).

Features

Supports two modes simultaneously:

  • On-prem Active Directory — connects to a domain controller via LDAP/LDAPS using the ldapts library
  • Azure AD / Entra ID — connects via the Microsoft Graph API using OAuth2 Client Credentials

18 tools across five categories:

User Management

Tool Description
list_users List users with optional name, email, or department filter
get_user Get full user details including decoded UAC flags (on-prem) or full profile (Azure AD)
get_user_groups List all groups a user is a member of
search_users Advanced search by name, email, department, title, phone, or UPN

Group Management

Tool Description
list_groups List groups with optional name filter
get_group Get group details including member count and decoded group type
get_group_members List all group members; supports recursive nested group expansion (on-prem)
search_groups Search groups by name or description

Computer Accounts (On-prem AD only)

Tool Description
list_computers List computer accounts with OS, last logon (human-readable), and OU
get_computer Get full computer account details
search_computers Search by name, OS, OU path, DNS hostname, or description

Organizational Units (On-prem AD only)

Tool Description
list_ous List OUs with full path, sorted by depth
get_ou Get OU details
search_ous Search OUs by name, description, or parent path

Azure AD / Entra ID (Azure AD only)

Tool Description
list_devices List Entra ID registered/joined devices with OS and compliance status
get_device Get full device details by object ID
list_service_principals List app registrations and service principals
get_user_sign_in_activity Get last sign-in information for a user

Installation

git clone git@github.com:fredriksknese/mcp-activedirectory.git
cd mcp-activedirectory
npm install
npm run build

Configuration

The server is configured via environment variables. At least one of AD_HOST or AZURE_TENANT_ID must be set.

On-prem Active Directory (LDAP)

Variable Required Default Description
AD_HOST Yes Domain controller hostname or IP address
AD_PORT No 389 LDAP port (636 for LDAPS)
AD_USE_SSL No false Use LDAPS (true/false)
AD_BIND_DN Yes Bind DN, e.g. CN=svc-mcp,OU=Service Accounts,DC=corp,DC=example,DC=com
AD_BIND_PASSWORD Yes Bind account password
AD_BASE_DN Yes Base DN for all searches, e.g. DC=corp,DC=example,DC=com
AD_ALLOW_SELF_SIGNED No true Accept self-signed TLS certificates

Azure AD / Entra ID (Microsoft Graph API)

Variable Required Default Description
AZURE_TENANT_ID Yes Azure AD tenant ID (GUID)
AZURE_CLIENT_ID Yes App registration (client) ID
AZURE_CLIENT_SECRET Yes App registration client secret

Required Permissions

On-prem Active Directory

The service account (AD_BIND_DN) needs read access to the directory. The minimum required permissions are:

  • Read on User objects (all attributes listed below)
  • Read on Group objects
  • Read on Computer objects
  • Read on OrganizationalUnit objects

Recommended: add the service account to the built-in Domain Users group and grant Read delegated permissions on the domain root, or use the built-in Read-only Domain Controllers access pattern.

Attributes read for users: cn, sAMAccountName, displayName, mail, userPrincipalName, department, title, telephoneNumber, mobile, manager, memberOf, userAccountControl, lastLogon, whenCreated, whenChanged, description, distinguishedName, objectGUID

Azure AD / Entra ID (Microsoft Graph)

Create an App Registration in Azure AD and grant the following Application permissions (not Delegated):

Permission Scope Required for
User.Read.All Microsoft Graph Reading user profiles and group memberships
Group.Read.All Microsoft Graph Reading groups and group members
Device.Read.All Microsoft Graph Reading Entra ID registered/joined devices
AuditLog.Read.All Microsoft Graph Reading sign-in activity (signInActivity field)

Grant Admin Consent for all permissions in the Azure portal.

Usage with Claude Desktop

Add to your

Tools (18)

list_usersList users with optional name, email, or department filter
get_userGet full user details including decoded UAC flags or full profile
get_user_groupsList all groups a user is a member of
search_usersAdvanced search by name, email, department, title, phone, or UPN
list_groupsList groups with optional name filter
get_groupGet group details including member count and decoded group type
get_group_membersList all group members; supports recursive nested group expansion
search_groupsSearch groups by name or description
list_computersList computer accounts with OS, last logon, and OU
get_computerGet full computer account details
search_computersSearch by name, OS, OU path, DNS hostname, or description
list_ousList OUs with full path, sorted by depth
get_ouGet OU details
search_ousSearch OUs by name, description, or parent path
list_devicesList Entra ID registered/joined devices with OS and compliance status
get_deviceGet full device details by object ID
list_service_principalsList app registrations and service principals
get_user_sign_in_activityGet last sign-in information for a user

Environment Variables

AD_HOSTrequiredDomain controller hostname or IP address
AD_PORTLDAP port
AD_USE_SSLUse LDAPS
AD_BIND_DNrequiredBind DN for LDAP authentication
AD_BIND_PASSWORDrequiredBind account password
AD_BASE_DNrequiredBase DN for all searches
AD_ALLOW_SELF_SIGNEDAccept self-signed TLS certificates
AZURE_TENANT_IDrequiredAzure AD tenant ID
AZURE_CLIENT_IDrequiredApp registration client ID
AZURE_CLIENT_SECRETrequiredApp registration client secret

Configuration

claude_desktop_config.json
{"mcpServers": {"activedirectory": {"command": "node", "args": ["/path/to/mcp-activedirectory/build/index.js"], "env": {"AD_HOST": "dc.corp.example.com", "AD_BIND_DN": "CN=svc-mcp,OU=Service Accounts,DC=corp,DC=example,DC=com", "AD_BIND_PASSWORD": "your-password", "AD_BASE_DN": "DC=corp,DC=example,DC=com"}}}}

Try it

Find all users in the 'Engineering' department and list their group memberships.
Search for the computer account 'WS-001' and provide its full details.
List all Entra ID registered devices that are currently non-compliant.
Get the last sign-in activity for user 'jdoe@example.com'.
List all members of the 'Domain Admins' group, including nested members.

Frequently Asked Questions

What are the key features of Active Directory MCP?

Simultaneous support for on-prem LDAP and Azure AD/Entra ID Graph API. Recursive nested group expansion for on-prem Active Directory. Advanced search capabilities across users, groups, computers, and OUs. Detailed device management for Entra ID including compliance status. Support for reading sign-in activity logs from Azure AD.

What can I use Active Directory MCP for?

IT administrators querying user group memberships to troubleshoot access issues. Security audits of Entra ID device compliance and service principal registrations. Automated documentation of on-prem Organizational Unit structures. Quick lookup of user account details and last sign-in activity for helpdesk support.

How do I install Active Directory MCP?

Install Active Directory MCP by running: git clone git@github.com:fredriksknese/mcp-activedirectory.git && cd mcp-activedirectory && npm install && npm run build

What MCP clients work with Active Directory MCP?

Active Directory MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep Active Directory MCP docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.
Open Conare
View all cloud servers →

Related MCP Servers

SSH MCP Server
Execute shell commands on remote Linux and Windows systems via SSH.
cloud346 stars
Hono MCP Server
Expose your Hono API endpoints as MCP tools.
cloud77 stars
n8n Manager for AI Agents
Manage n8n workflow automation instances through AI agent tools.
cloud54 stars
Kilntainers
Give Every Agent an Ephemeral Linux Sandbox — via MCP
cloud36 stars
AWS MCP Server
Manage and provision AWS resources using natural language prompts
cloud27 stars
Dynamics 365 Finance & Operations
Production-ready MCP server for Microsoft Dynamics 365 Finance & Operations
cloud25 stars