Using an MCP agent to query Entra with natural language.

I set up Lokka, an MCP server created by the great Merill Fernando, and demonstrate how easy it is to pull data from a tenant inside VSCode using natural language queries.


The current AI hype I've been seeing is MCP. MCP stands for Model Context Protocol and, in short, is an open protocol that lets a data source or tool provide context (and actions) to an LLM. In the context of this post that means: you run a server locally that exposes Microsoft Graph endpoints as MCP tools to GitHub Copilot (backed by Claude here), and users can then ask questions in natural language and get output that would normally require someone familiar with the admin GUI or with code.

Sounds scary, right? A CISO's nightmare even. However, I would argue there is even more risk in giving built-in admin roles to some managers, help desk, and SOC/NOC individuals. Those people may not be technically minded, may have to deal with multiple clouds/IdPs and an ever-growing list of SaaS, or may not keep up to date on the latest features. Not to mention the time we've all lost performing an ad-hoc data request at some middle manglement's/c-suite's whimsy: scraping the requested data and transforming it in such a way that makes them feel warm and fuzzy.

All that to say that Merill, of Maester and Graph X-Ray fame, has given us Lokka. I'm going to walk through installing it locally in VSCode, connecting it to my dev tenant, and using GitHub Copilot to see the types of queries and output it can handle.

For the purpose of this post I'm going to set up the permissions as read-only, although I've seen demos where they allow the LLM to update information as well. Heaven forbid it works too well and we're all out of jobs.

I'm using a Hyper-V Windows Dev quickstart VM so I can go through everything step by step. Setting that up, installing VSCode, and connecting VSCode to GitHub Copilot are out of scope for this guide, but have already been done.

First thing we have to do is create an app registration in our tenant with the appropriate permissions.

Register it, then open it and add the Graph API permissions we'd like to give it.

I'm going to give it User.Read.All, Group.Read.All and Directory.Read.All, as that should give it plenty of User/Group/License/App info to play with. These need to be application permissions (not delegated), because Lokka will be authenticating with a client secret and no signed-in user; Directory.Read.All on its own already covers those reads, the other two are subsets of it. Make sure to grant admin consent after adding them, otherwise the app cannot use them at all.

Now we make a new client secret and record it for later use; the value is only shown once. Give it a short lifetime rather than the maximum, since it will be sitting on a workstation.
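The same three steps (app registration with only those application permissions, admin consent, and a client secret) done from PowerShell, as an added example that is not part of the post or of Lokka. It assumes the Microsoft.Graph PowerShell SDK is installed and that you connect as an account that is allowed to grant admin consent for Graph application permissions; the display names 'Test-LokkaMCP' and 'lokka secret' are the ones used later in this post, and the 90-day secret lifetime is my choice.

```powershell
# Added example (not Lokka's code): create the read-only Lokka app registration,
# grant admin consent and mint a short-lived client secret, all via Microsoft Graph.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve the *application* (app-only) roles by name instead of hard-coding GUIDs.
$wanted = 'User.Read.All', 'Group.Read.All', 'Directory.Read.All'
$roles  = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $wanted -and $_.AllowedMemberTypes -contains 'Application'
})
if ($roles.Count -ne $wanted.Count) { throw 'Could not resolve all Graph application roles' }

$requiredAccess = @{
    ResourceAppId  = $graphAppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })  # Role = application permission
}

# Single-tenant app; client-credential auth needs no redirect URI.
$app = New-MgApplication -DisplayName 'Test-LokkaMCP' `
    -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @($requiredAccess)

# The service principal is the identity that actually receives the permissions.
$sp = New-MgServicePrincipal -AppId $app.AppId

# "Grant admin consent" in the portal is one appRoleAssignment per role on the SP.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# 90-day secret instead of the 2-year one used later in this post; rotate, don't extend.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'lokka secret'
    EndDateTime = (Get-Date).AddDays(90)
}

# SecretText is only returned here; put it in a secret store, not in settings.json.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
    Expires      = $secret.EndDateTime
}
```

Resolving the app roles from the Graph service principal's AppRoles list, rather than pasting GUIDs, means the script fails loudly if a permission name is misspelt instead of silently consenting to the wrong thing.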

On the PC that will actually run the Lokka server, we install Node.js.

# Download and install fnm:
winget install Schniz.fnm

# Download and install Node.js:
fnm install 22

# Verify the Node.js version:
node -v # Should print "v22.14.0".

# Verify npm version:
npm -v # Should print "10.9.2".

Make sure to restart the terminal so the PATH update takes effect.

Now we have to configure VSCode. Make sure you are using the Insiders build, as the MCP features are not in the stable release yet. Open the Command Palette (Ctrl+Shift+P, or type > in the search bar at the top), search for MCP and pick MCP: Add Server. Select the NPM Package option.

Now enter the following at the prompts:

Package name: @merill/lokka
Select Allow
Tenant ID: (your-tenant-id)
Client ID: (your-client-id)
Client secret : (your-client-secret)
Server ID: Lokka-Microsoft

It'll then generate the settings.json entry, which should look similar to the below. Make sure to save it. Check how the client secret ended up in that file: if it is inline under the server's env, move it into an entry in the mcp.inputs array (type promptString with "password": true) and reference it from env as ${input:<id>}, so VSCode prompts for it and keeps it out of the plaintext settings file, which is also what Settings Sync or a dotfiles repo would pick up.

Open the Command Palette again, type MCP and select MCP: List Servers.

Select Lokka-Microsoft from the list of servers.

Select Start Server

This will start the Lokka server and you should see a message in the output window saying Connection state: Running.

Open a new window of VSCode and open up Copilot.

Change the mode from Ask to Agent and the model from the default to Claude 3.7 Sonnet if you haven't already.

You can also expand it from the sidebar to the main chat if you'd like.

Now you should be able to ask questions, and Copilot will prompt you for confirmation before each Lokka tool call, i.e. before the Graph request is actually made.

You can also expand the tool call so you can see exactly which Graph request it is running.

And now we see it provides a result.

I'll put my queries in quotation marks; everything following each one is the response.

"How many licenses are there in the tenant? How many of those are not being used?"
License Summary
Your tenant has two license types:

Microsoft Power Automate (FLOW_FREE)

Total licenses: 10,000
Used licenses: 2
Unused licenses: 9,998
Microsoft 365 E5 Developer (DEVELOPERPACK_E5)

Total licenses: 25
Used licenses: 20
Unused licenses: 5
Overall License Status
Total licenses across all plans: 10,025
Total used licenses: 22
Total unused licenses: 10,003
The Microsoft Power Automate Free plan has the vast majority of your available licenses (10,000), with only 2 of those currently assigned. Your Microsoft 365 E5 Developer licenses are more limited (25 total) with 20 currently in use.

Would you like more information about any specific license type or service plan included in these licenses?

"Can you do a high level breakdown of the current organization structure?"
Organization Overview
Your organization, "Redacted" is based in Redacted with the following key characteristics:

Organization Size: Your tenant has approximately 3,015 users (based on our previous query)
Directory Usage: Currently using 3,500 objects out of 300,000 quota
Sync Status: You have on-premises directory synchronization enabled (last synced on February 2, 2025)
Organizational Structure
To provide a more comprehensive view of your organizational structure, I need to analyze the departments and reporting relationships. Let me retrieve information about the departments and job roles in your organization:

Based on the data I've retrieved from your Microsoft tenant, here's a high-level breakdown of your organizational structure:

Organization Overview
Your organization, "Redacted" is based in Redacted with the following key characteristics:

Organization Size: Approximately 3,015 users
Directory Usage: Currently using 3,500 objects out of 300,000 quota
On-Premises Integration: You have active directory synchronization enabled (last synced on February 2, 2025)
Domains: Primary domain is Redacted.onmicrosoft.com with additional domains including sales.Redacted.onmicrosoft.com
Departmental Structure
From analyzing your user data, I can see your organization is structured into these primary departments:

Management - Led by Business Managers
Marketing - Staffed with Marketing Coordinators
Accounting - With Accounting Specialists
Legal - Consisting of Attorneys
Public Relations - With PR Specialists
Human Resources - Staffed with HR Specialists
Purchasing - With Purchasing Specialists
Operations - With Operations Specialists
Retail - With Retail Managers
IT - Includes Systems Administrators (found in earlier data)
Job Roles and Hierarchy
Your organization follows a traditional departmental structure with specialized roles in each department:

Leadership/Management Roles: Business Managers appear to be distributed across departments
Specialist Roles: Most departments have specialized staff (HR Specialists, Accounting Specialists, etc.)
Technical Roles: Systems Administrators support IT operations
Legal Team: Attorneys handle legal matters
Licensing and Technology Infrastructure
Your organization uses Microsoft 365 E5 Developer licenses (20 assigned) and Microsoft Power Automate Free licenses (2 assigned), suggesting:

Advanced collaboration tools and security features available to key staff
Some automation workflows have been implemented
Geographic Distribution
While the headquarters is in Redacted, the data doesn't show specific information about satellite offices or regional distribution of employees.

This overview represents the high-level organizational structure based on the available data. If you need more detailed information about specific departments, reporting relationships, or want to explore other aspects of your organizational structure, please let me know.

"How many app registrations have a secret? Are any of those expired?"
App Registrations with Secrets
Total App Registrations with Secrets: 2

Here are the details:

Test-LokkaMCP

Secret name: "lokka secret"
Created: April 2, 2025 (today)
Expires: April 2, 2027 (2 years from today)
Status: Active (not expired)
maester

Secret name: "maester"
Created: January 4, 2025
Expires: July 3, 2025 (in about 3 months)
Status: Active (not expired)
Summary of Findings
There are 4 total app registrations in your tenant
Only 2 of them have client secrets configured
Both secrets are currently active and valid
No expired secrets were found

"What is the department with the most users?"
I've analyzed the user department data from your Microsoft tenant. Based on the information I retrieved for the first 999 users (out of your approximately 3,015 total users), I can tell you which departments have the most users.

Here's the breakdown of departments by number of users:

Management: 167 users (16.7%)
Operations: 151 users (15.1%)
Human Resources: 129 users (12.9%)
Legal: 117 users (11.7%)
Marketing: 105 users (10.5%)
Accounting: 87 users (8.7%)
Public Relations: 85 users (8.5%)
Purchasing: 85 users (8.5%)
Information Systems: 66 users (6.6%)
Sales: 2 users (0.2%)
Retail: 1 user (0.1%)
HR: 1 user (0.1%) - This appears to be the same as Human Resources
No department assigned: 9 users (0.9%)
The data shows that Management is the department with the most users, containing 16.7% of your workforce based on this sample. Operations is a close second, followed by Human Resources and Legal departments.

Note that this analysis covers the first 999 users in your tenant. There are more users beyond this first page that would need to be counted for a complete picture, but the general distribution pattern should be relatively consistent across your organization.

"Include all users not just 999"
I've now retrieved more data to analyze all users in your organization by department, not just the first 999. Let me combine all the data and provide you with the complete breakdown.

After analyzing all 3,015 users in your organization, here's the comprehensive breakdown of departments by number of users:

Management: 507 users (16.8%)
Operations: 451 users (15.0%)
Human Resources: 382 users (12.7%)
Marketing: 337 users (11.2%)
Legal: 330 users (10.9%)
Accounting: 274 users (9.1%)
Purchasing: 272 users (9.0%)
Public Relations: 253 users (8.4%)
Information Systems: 170 users (5.6%)
Sales: 6 users (0.2%)
R&D: 2 users (0.1%)
Retail: 2 users (0.1%)
Engineering: 2 users (0.1%)
Manufacturing: 1 user (0.03%)
HR: 1 user (0.03%) - This appears to be the same as Human Resources
No department assigned: 25 users (0.8%)
Based on this complete analysis of all 3,015 users in your tenant, Management is clearly the department with the most users, comprising 16.8% of your total workforce. Operations is the second largest department, followed by Human Resources, Marketing, and Legal.

The distribution is fairly consistent with what we saw in the initial sample, though we can now see some smaller departments (R&D, Engineering, Manufacturing) that weren't apparent in the first batch of data.

Super interesting results, and a reminder that I have to check on my test DC VM and see what's going on with its syncing lol.

Considering I leveraged all this in 5 minutes with no code needed, I think this is super impressive.
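Two of the answers above are worth re-checking deterministically: the department count, which the agent first computed from only the first 999 users (one page of Graph results) before being told to include everyone, and the list of app registrations with secrets. The following is an added example, not part of the post or of Lokka, that does both directly against Graph using the same read-only app registration via client-credential auth. It assumes the Microsoft.Graph PowerShell SDK; the tenant and client ID placeholders and the 30-day warning window are mine.

```powershell
# Added example (not Lokka's code): verify the agent's numbers straight from Graph.
$tenantId = '<tenant-id>'     # placeholder: your tenant ID
$clientId = '<client-id>'     # placeholder: the app registration's client ID
$secret   = Read-Host -AsSecureString 'Client secret'
$cred     = [pscredential]::new($clientId, $secret)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred -NoWelcome

# 1) Department head-count over *all* users. -All follows @odata.nextLink; a single
#    request returns at most 999 users, which is the truncation seen in the first answer.
$users = @(Get-MgUser -All -PageSize 999 -Property 'id', 'department')
$byDept = $users |
    Group-Object { if ($_.Department) { $_.Department } else { '(none)' } } |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Pct'; e = { [math]::Round(100 * $_.Count / $users.Count, 1) } }
"Total users: $($users.Count)"
$byDept | Format-Table -AutoSize

# 2) App registrations with client secrets, flagging expired and soon-to-expire ones.
$warnDays = 30
Get-MgApplication -All -Property 'displayName', 'appId', 'passwordCredentials' |
    Where-Object { $_.PasswordCredentials.Count -gt 0 } |
    ForEach-Object {
        $app = $_
        foreach ($c in $app.PasswordCredentials) {
            $daysLeft = [int]($c.EndDateTime - (Get-Date)).TotalDays
            [pscustomobject]@{
                App     = $app.DisplayName
                Secret  = $c.DisplayName
                Expires = $c.EndDateTime
                Status  = if ($daysLeft -lt 0) { 'EXPIRED' }
                          elseif ($daysLeft -le $warnDays) { "expires in $daysLeft d" }
                          else { 'ok' }
            }
        }
    } | Sort-Object Expires | Format-Table -AutoSize
```

If the department table from this script does not match the agent's second answer, the agent either stopped paging early or summarised a sample; that is the kind of discrepancy to look for before anyone acts on an LLM-generated report.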

Obviously, don't run this in production without vetting it. Everything Lokka does is FOSS and publicly available; I highly recommend reading the documentation if you plan to build and host it yourself.