To start using the Microsoft MCP Server for Enterprise, you must enable it in your tenant. The provisioning step currently registers service principals for both the MCP Server and Visual Studio Code in your tenant. After provisioning, you can configure your MCP client to connect to the MCP Server.
This article describes how to provision the MCP server and configure both VS Code and custom MCP clients to connect to the Microsoft MCP Server for Enterprise.
Provision the MCP Server and VS Code (only required once per tenant)
- Start PowerShell as an administrator and install the Microsoft.Entra.Beta PowerShell module (version 1.0.13 or later):

  ```powershell
  Install-Module Microsoft.Entra.Beta -MinimumVersion 1.0.13 -Force -AllowClobber
  ```

- Authenticate to the tenant where you want to register the MCP Server. You must hold the Application Administrator or Cloud Application Administrator role to consent to the required permissions:

  ```powershell
  Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
  ```

  Tip: run `Get-EntraContext` after authentication to confirm the account, tenant, and scopes currently in use. Check the tenant ID before continuing, because the next step consents on behalf of whichever tenant you are signed in to.

- Register the Microsoft MCP Server for Enterprise in your tenant and grant all of its permissions to Visual Studio Code:

  ```powershell
  Grant-EntraBetaMCPServerPermission -ApplicationName VisualStudioCode
  ```
Confirm the MCP server registration
Verify that both applications exist by using Microsoft Graph, Microsoft Entra PowerShell, or the Microsoft Entra portal.
| Name | Globally unique appId (client ID) |
|---|---|
| Microsoft MCP Server for Enterprise | e8c77dc2-69b3-43f4-bc51-3213c9d915b4 |
| Visual Studio Code | aebc6443-996d-45c2-90f0-388ff96faa56 |
Using Microsoft Graph (the Microsoft Entra PowerShell and admin portal options return the same two service principals):

```http
GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName&$filter=appId in('e8c77dc2-69b3-43f4-bc51-3213c9d915b4','aebc6443-996d-45c2-90f0-388ff96faa56')
```
Confirm permissions granted to your MCP clients
Validate the Microsoft MCP Server permissions that were granted to each MCP client.
Using Microsoft Graph (the Microsoft Entra PowerShell and admin portal options show the same grants). The `clientId` and `resourceId` filters take the service principal object IDs (the `id` values returned by the registration query above), not the `appId` values:

```http
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$select=id,clientId,resourceId,scope&$filter=clientId eq '{mcp-client-servicePrincipal}' and resourceId eq '{mcp-server-servicePrincipal}'
```
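The two checks above can be scripted so they run as one audit after provisioning. The script below is an added example, not part of the Microsoft documentation or the Entra PowerShell module: it resolves both service principals from their appIds, pulls the delegated grants that Visual Studio Code holds on the MCP Server, reports whether each grant was admin-consented for all users or for a single principal, and flags any granted scope that is not on an allow-list you maintain. It assumes `Connect-Entra` has already been run and that `Invoke-MgGraphRequest` (from Microsoft.Graph.Authentication, installed as a dependency of Microsoft Entra PowerShell) can reuse that session; if it cannot in your environment, run `Connect-MgGraph` with the same scopes first. The `$expectedScopes` allow-list is an illustrative assumption; replace it with the scopes you actually intend to grant.

```powershell
# Added audit script (not from the Microsoft docs). Confirms the MCP Server and VS Code
# service principals exist and reviews the delegated grants VS Code holds on the MCP Server.
# Assumes an existing Connect-Entra session with Application.Read.All and
# DelegatedPermissionGrant.Read.All (the broader scopes used for provisioning also work).

# appIds from the registration table on this page
$mcpServerAppId = 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'
$vsCodeAppId    = 'aebc6443-996d-45c2-90f0-388ff96faa56'

# Assumed allow-list for illustration: scopes you intend VS Code to hold. Anything else is flagged.
$expectedScopes = @('MCP.User.Read.All', 'MCP.GroupMember.Read.All', 'MCP.Organization.Read.All')

function Get-ServicePrincipalByAppId([string] $AppId) {
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$select=id,appId,displayName,accountEnabled&`$filter=appId eq '$AppId'"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one service principal for appId $AppId, found $($result.value.Count). Has Grant-EntraBetaMCPServerPermission been run in this tenant?"
    }
    return $result.value[0]
}

$server = Get-ServicePrincipalByAppId $mcpServerAppId
$client = Get-ServicePrincipalByAppId $vsCodeAppId

"MCP Server : $($server.displayName) (id=$($server.id), accountEnabled=$($server.accountEnabled))"
"MCP client : $($client.displayName) (id=$($client.id))"

# The page's oauth2PermissionGrants query with the service principal object IDs filled in
$grantUri = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?`$select=id,clientId,resourceId,consentType,principalId,scope&`$filter=clientId eq '$($client.id)' and resourceId eq '$($server.id)'"
$grants = (Invoke-MgGraphRequest -Method GET -Uri $grantUri).value

if (-not $grants) {
    Write-Warning "No delegated permission grant from $($client.displayName) to $($server.displayName)."
    return
}

foreach ($grant in $grants) {
    # consentType 'AllPrincipals' = admin consent covering every user in the tenant;
    # 'Principal' = consent for the single user identified by principalId
    $who = if ($grant.consentType -eq 'AllPrincipals') { 'all users (admin consent)' } else { "user $($grant.principalId)" }
    # scope is a single space-separated string, sometimes with a leading space
    $granted = $grant.scope.Trim() -split '\s+'
    "Grant $($grant.id): $($granted.Count) scope(s) for $who"

    foreach ($scope in $granted) {
        if ($scope -notlike 'MCP.*') {
            Write-Warning "  $scope does not follow the MCP.{graph-scope} naming pattern; review it"
        }
        elseif ($expectedScopes -notcontains $scope) {
            Write-Warning "  $scope is granted but not on the expected allow-list"
        }
        else {
            "  $scope (ok)"
        }
    }
}
```

Because `Grant-EntraBetaMCPServerPermission` grants every MCP permission to Visual Studio Code, the allow-list comparison is where you decide whether that is acceptable; run the script again after any change to the grants so the output is part of your change record.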
Connect your MCP client to the MCP Server
- Click Install Microsoft MCP Server for Enterprise to open VS Code's MCP install page.
- Select Install in VS Code and authenticate with an administrator account.
- Open Copilot Chat in Agent mode and ask a tenant-specific question such as "How many users are in my tenant?"
- Review the MCP Server response, which includes:
- The tools that were invoked to understand the intent.
- The Microsoft Graph REST API call that was executed.
- A natural language answer that summarizes the tenant data.
View supported MCP Server scopes
The MCP Server supports only delegated permissions for user-interactive scenarios. App-only permissions or app-only workflows aren't supported. Use one of the following options (requires at least the DelegatedPermissionGrant.Read.All delegated permission) to inspect the available MCP scopes, and focus on scopes where isEnabled is true.
Using Microsoft Graph (the Microsoft Entra PowerShell and admin center options list the same scopes):

```http
GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='e8c77dc2-69b3-43f4-bc51-3213c9d915b4')/oauth2PermissionScopes
```
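The following script is an added example, not part of the Microsoft documentation: it runs the query above, keeps only scopes with `isEnabled` set to true, maps each `MCP.{name}` value back to the underlying Microsoft Graph permission name so you can look it up in the Graph permissions reference, and shows whether each scope is marked for admin or user consent. It assumes an existing `Connect-Entra` (or `Connect-MgGraph`) session that can read service principals and that `Invoke-MgGraphRequest` is available.

```powershell
# Added example (not from the Microsoft docs). Lists the delegated scopes the MCP Server exposes,
# filters to isEnabled = true, and maps each back to its Microsoft Graph permission name.
# Assumes an existing Connect-Entra / Connect-MgGraph session that can read service principals.

$mcpServerAppId = 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'
$uri = "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$mcpServerAppId')/oauth2PermissionScopes"
$scopes = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

$rows = foreach ($s in $scopes) {
    [pscustomobject]@{
        McpScope    = $s.value
        GraphScope  = $s.value -replace '^MCP\.', ''   # naming pattern on this page: MCP.{microsoft-graph-scope-name}
        IsEnabled   = $s.isEnabled
        ConsentType = $s.type   # 'Admin' needs admin consent; 'User' may be self-consentable depending on tenant consent policy
        Description = $s.adminConsentDisplayName
    }
}

# Disabled scopes cannot be granted or used; surface them so nobody plans around them
$disabled = $rows | Where-Object { -not $_.IsEnabled }
if ($disabled) { Write-Warning "Scopes exposed but disabled: $($disabled.McpScope -join ', ')" }

# The usable set, with the Graph name to look up in the permissions reference
$rows | Where-Object IsEnabled | Sort-Object McpScope |
    Format-Table McpScope, GraphScope, ConsentType, Description -AutoSize

# Every scope on this page is read-only. Warn if a scope appears that breaks the naming pattern
# or is not a Read/ReadBasic permission, so it gets reviewed before anyone consents to it.
$rows | Where-Object { $_.McpScope -notlike 'MCP.*' -or $_.GraphScope -notmatch '\.Read(Basic)?\.' } |
    ForEach-Object { Write-Warning "Unexpected scope name: $($_.McpScope)" }
```

The `ConsentType` column matters for least privilege: scopes marked `User` can be consented by end users if your tenant's user consent settings allow it, so check that configuration if you want all MCP access to go through admin consent.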
List of MCP Server scopes
The naming of MCP scopes follows the pattern MCP.{microsoft-graph-scope-name}. For example, the User.Read.All Microsoft Graph scope is exposed as MCP.User.Read.All on the MCP Server. To understand what each scope allows, refer back to the Microsoft Graph permissions reference.
- MCP.AccessReview.Read.All
- MCP.AdministrativeUnit.Read.All
- MCP.Application.Read.All
- MCP.AuditLog.Read.All
- MCP.AuthenticationContext.Read.All
- MCP.Device.Read.All
- MCP.DirectoryRecommendations.Read.All
- MCP.Domain.Read.All
- MCP.EntitlementManagement.Read.All
- MCP.GroupMember.Read.All
- MCP.HealthMonitoringAlert.Read.All
- MCP.IdentityRiskEvent.Read.All
- MCP.IdentityRiskyServicePrincipal.Read.All
- MCP.IdentityRiskyUser.Read.All
- MCP.LicenseAssignment.Read.All
- MCP.LifecycleWorkflows.Read.All
- MCP.LifecycleWorkflows-CustomExt.Read.All
- MCP.LifecycleWorkflows-Reports.Read.All
- MCP.LifecycleWorkflows-Workflow.Read.All
- MCP.LifecycleWorkflows-Workflow.ReadBasic.All
- MCP.NetworkAccess.Read.All
- MCP.NetworkAccess-Reports.Read.All
- MCP.Organization.Read.All
- MCP.Policy.Read.All
- MCP.Policy.Read.ConditionalAccess
- MCP.ProvisioningLog.Read.All
- MCP.Reports.Read.All
- MCP.RoleAssignmentSchedule.Read.Directory
- MCP.RoleEligibilitySchedule.Read.Directory
- MCP.RoleManagement.Read.Directory
- MCP.Synchronization.Read.All
- MCP.User.Read.All
- MCP.UserAuthenticationMethod.Read.All
- MCP.GroupSettings.Read.All
Disable the MCP Server for Enterprise
Because the MCP Server for Enterprise is a Microsoft-owned service, you can't delete it from your tenant. However, you can disable it if needed by setting `accountEnabled` to `false` on its service principal. Disabling stops Microsoft Entra from issuing new tokens for the MCP Server; tokens already issued remain valid until they expire, and the delegated permission grants stay in place, so re-enabling the service principal restores access without re-consenting.
Using Microsoft Graph (the Microsoft Entra PowerShell and admin center options make the same change):

```http
PATCH https://graph.microsoft.com/v1.0/servicePrincipals(appId='e8c77dc2-69b3-43f4-bc51-3213c9d915b4')
Content-Type: application/json

{
  "accountEnabled": false
}
```