MCP (Model Context Protocol) server for CIPP — the CyberDrain Improved Partner Portal. Provides AI assistants with structured access to CIPP's M365 multi-tenant management capabilities.
- 37 tools across 11 categories
- Tenant, user, group, and mailbox management
- Security: Conditional Access policies, named locations
- Standards & compliance: BPA, domain health, drift detection
- License reporting (per-tenant and CSP-wide)
- Alerts, audit logs, and scheduled tasks
- GDAP role and invite management
- Stdio and HTTP transport modes
- MCP Gateway compatible
- Node.js 18+
- A running CIPP deployment
- CIPP API Key (generated from CIPP Settings → API Client Management)
npx cipp-mcpgit clone https://github.com/wyre-technology/cipp-mcp
cd cipp-mcp
npm install
npm run buildSet these environment variables (or copy .env.example to .env):
| Variable | Required | Description |
|---|---|---|
CIPP_BASE_URL |
Yes | Your CIPP deployment URL (e.g. https://cipp.yourdomain.com) |
CIPP_API_KEY |
One of | Static Bearer token. Use this or the OAuth trio below. |
CIPP_TENANT_ID |
One of | Entra tenant ID that owns the CIPP API-client app registration. |
CIPP_CLIENT_ID |
One of | OAuth client ID issued by CIPP's API Client Management page. |
CIPP_CLIENT_SECRET |
One of | OAuth client secret paired with CIPP_CLIENT_ID. |
CIPP_TOKEN_SCOPE |
No | Override OAuth scope (default: <clientId>/.default). |
CIPP_TOKEN_URL |
No | Override OAuth token endpoint (sovereign clouds only). |
MCP_TRANSPORT |
No | stdio (default) or http |
MCP_HTTP_PORT |
No | Port for HTTP mode (default: 8080) |
LOG_LEVEL |
No | error, warn, info (default), or debug |
Add to your claude_desktop_config.json:
{
"mcpServers": {
"cipp": {
"command": "node",
"args": ["/path/to/cipp-mcp/dist/entry.js"],
"env": {
"CIPP_BASE_URL": "https://cipp.yourdomain.com",
"CIPP_API_KEY": "your-api-key"
}
}
}
}| Category | Tools |
|---|---|
| Tenants | list_tenants, get_tenant_details |
| Users | list_users, create_user, edit_user, disable_user, reset_password, reset_mfa, revoke_sessions, offboard_user, bec_check, list_mfa_users, list_user_devices, list_user_groups |
| Groups | list_groups, create_group |
| Mailboxes | list_mailboxes, list_mailbox_permissions, set_out_of_office, set_email_forwarding |
| Security | list_conditional_access_policies, list_named_locations |
| Standards | list_standards, run_standards_check, list_bpa, list_domain_health |
| Licenses | list_licenses, list_csp_licenses |
| Alerts | list_audit_logs, list_alert_queue |
| GDAP | list_gdap_roles, list_gdap_invites |
| Scheduler | list_scheduled_items, add_scheduled_item |
| Core | ping, get_version, list_logs |
CIPP's API Client Management page provisions an Entra ID app registration and returns an OAuth client ID + client secret (not a long-lived Bearer token). The server exchanges these for a short-lived access token on each request using the OAuth 2.0 client-credentials flow, and caches the token until just before its expiry.
- In CIPP, go to Settings → CIPP Settings → Integrations → CIPP-API
- Create a new API client
- Copy the Client ID and Client Secret — you will not be able to retrieve the secret later
- Configure the server:
CIPP_BASE_URL=https://cipp.yourdomain.com CIPP_TENANT_ID=<your-entra-tenant-id> CIPP_CLIENT_ID=<client-id-from-cipp> CIPP_CLIENT_SECRET=<client-secret-from-cipp>
If you already have a static Bearer token (older CIPP deployments), set
CIPP_API_KEY instead and leave the OAuth variables unset. When both are
provided, CIPP_API_KEY wins.
Apache-2.0 — see LICENSE
Issues and PRs welcome. This server is tracked against wyre-technology/msp-claude-plugins#24.