Audit Entra ID with Natural Language Using MCP and GitHub Copilot

I implemented Microsoft's MCP server for Microsoft 365 and created an automated setup script that lets you audit your Entra ID tenant using plain English through GitHub Copilot.
Ask questions like "How many Global Administrators do I have?" or "Export all PIM role assignments" and get instant answers. No PowerShell scripting, no Graph API syntax, no context switching.
Why This Matters
The Model Context Protocol lets AI assistants connect to enterprise data sources. Microsoft's MCP server for Microsoft 365 bridges GitHub Copilot to Microsoft Graph API.
Traditional auditing means jumping between Azure Portal, Graph Explorer, PowerShell, and Excel. With MCP, you work entirely in VS Code and ask questions in plain English.
What used to take 30 minutes of scripting now takes 30 seconds.
Get It Running
I created an automated setup script that configures everything in about 10 minutes.
Get it here: github.com/earlbellen/MSEnterpriseMCPServer
Includes setup script, VS Code configs, sample queries, and troubleshooting guide.
What You Can Audit
Users: Password age, account status, licenses, MFA enablement
Groups: Types, memberships, sync status, expiration
Roles: Directory assignments, PIM schedules, service principal privileges
Governance: Access reviews, Conditional Access, administrative units
Ask questions, get answers, export to CSV. Done.
Security Risks
Natural language makes auditing easy but also makes reconnaissance easy. If an attacker compromises an admin account, they can map your entire security posture in seconds.
Mitigate with:
Dedicated admin workstations only
Conditional Access for privileged accounts
PIM for just-in-time access
Monitor Graph API audit logs
Secure cached authentication tokens
This tool is powerful. Use it responsibly.
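As an added example (not part of this post or of the setup script repository), here is a small Python detector for the "Monitor Graph API audit logs" control above: it scans Microsoft Graph activity log rows and flags a principal that enumerates several privilege-bearing resources in a short window, which is the shape the reconnaissance described above would take in the logs. The column names and the sample rows are constructed assumptions modelled on the MicrosoftGraphActivityLogs table, not real tenant data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Graph resources whose enumeration, taken together, maps a tenant's privilege and
# policy posture. First matching pattern wins per request.
SENSITIVE_RESOURCES = {
    "role_management": re.compile(r"/roleManagement/directory/"),  # PIM schedules and assignments
    "directory_roles": re.compile(r"/directoryRoles"),              # active role members
    "conditional_access": re.compile(r"/identity/conditionalAccess/policies"),
    "service_principals": re.compile(r"/servicePrincipals"),
}

def find_recon_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """Flag principals that read >= min_categories distinct sensitive resource types
    within `window`. Returns {UserId: sorted category names}."""
    hits = defaultdict(list)
    for e in events:
        if e["RequestMethod"] != "GET":
            continue  # enumeration is read-only; writes are a different signal
        for name, pat in SENSITIVE_RESOURCES.items():
            if pat.search(e["RequestUri"]):
                ts = datetime.strptime(e["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
                hits[e["UserId"]].append((ts, name))
                break
    findings = {}
    for user, reads in hits.items():
        reads.sort()  # sliding window over this principal's sensitive reads
        for i, (start, _) in enumerate(reads):
            cats = {name for t, name in reads[i:] if t - start <= window}
            if len(cats) >= min_categories:
                findings[user] = sorted(cats)
                break
    return findings

# Constructed sample rows shaped like MicrosoftGraphActivityLogs (column names are an assumption).
GRAPH = "https://graph.microsoft.com/v1.0/"
def row(ts, user, method, path):
    return {"TimeGenerated": ts, "UserId": user, "RequestMethod": method, "RequestUri": GRAPH + path}

SAMPLE_LOG = [
    row("2024-05-01T10:00:05Z", "admin-a", "GET", "directoryRoles?$expand=members"),
    row("2024-05-01T10:00:40Z", "admin-a", "GET", "roleManagement/directory/roleEligibilitySchedules"),
    row("2024-05-01T10:01:20Z", "admin-a", "GET", "identity/conditionalAccess/policies"),
    row("2024-05-01T10:02:00Z", "admin-a", "GET", "servicePrincipals?$select=id,passwordCredentials"),
    row("2024-05-01T10:03:00Z", "admin-b", "GET", "users?$select=displayName,accountEnabled"),
    row("2024-05-01T10:03:30Z", "admin-b", "GET", "servicePrincipals"),
    row("2024-05-01T11:30:00Z", "admin-b", "GET", "directoryRoles"),
    row("2024-05-01T11:31:00Z", "admin-b", "POST", "roleManagement/directory/roleAssignments"),
]
```

Running `find_recon_bursts(SAMPLE_LOG)` flags only admin-a, who touched four sensitive resource types in two minutes; admin-b's two reads are more than an hour apart and the POST is ignored by design.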
Use Cases
Incident Response: "Which accounts have Global Admin right now?"
Compliance: "List privileged users and their last sign-in"
Hygiene: "Show service principals with expired credentials"
PIM Tracking: "What percentage of roles are eligible vs permanent?"
Next step: Extend this to Azure RBAC for subscription-level role auditing across your entire Azure estate.
Bottom Line
Auditing Entra ID no longer requires PowerShell expertise or Graph API memorization. MCP and GitHub Copilot make it conversational.
But power requires responsibility. The same queries that help you audit can help an attacker perform reconnaissance. Use proper controls: PAWs, Conditional Access, PIM, and audit monitoring.
Try it: github.com/earlbellen/MSEnterpriseMCPServer
Dave Bellen
Connect: GitHub | LinkedIn
Tech for Good.
Resources
Microsoft Learn: Get started with the MCP server for Microsoft Graph