Lokka
by
Query and manage Azure and Microsoft 365 tenants using natural language through Microsoft Graph and Azure Resource Management APIs.
Lokka Overview
What is Lokka about?
Lokka provides an MCP server that bridges AI models (e.g., Claude Desktop) with Microsoft Graph and Azure RM APIs, enabling natural‑language commands to perform tenant administration, data retrieval, and cost analysis.
How to use Lokka?
- Install – run the server with
npx -y @merill/lokka(or add the configuration to your Claude DesktopmcpServerssection). - Configure authentication – choose one of the supported methods (interactive login, app‑only with certificate or client secret, or client‑provided token) via environment variables.
- Interact – issue natural‑language requests to the AI client; Lokka translates them into Graph or Azure API calls and returns the results.
Key Features of Lokka
- Supports multiple authentication flows (interactive, certificate, client secret, token‑forwarding).
- Unified toolset:
Lokka-Microsoftfor generic API calls,set-access-token,get-auth-status, andadd-graph-permission. - Graph API version control (beta by default, optional switch to v1.0).
- Works with any MCP‑compatible client, allowing seamless integration with Claude Desktop or custom agents.
- Handles both Microsoft Graph (Entra) and Azure Resource Management endpoints.
Use Cases of Lokka
- Security administration – create dynamic security groups, list conditional access policies, manage Intune configurations.
- Cost monitoring – retrieve the most expensive Azure services for a given period.
- Tenant inventory – fetch users, groups, subscriptions, and device configurations.
- Automation – embed Lokka in scripted workflows to provision resources or enforce policies via natural language.
FAQ
Q: Which authentication method should I use? A: Interactive auth is simplest for personal use. For production, prefer app‑only with a certificate or client secret. Use client‑provided token if your platform already handles token acquisition.
Q: How do I switch from beta to stable Graph API?
A: Set the environment variable USE_GRAPH_BETA=false before starting the server.
Q: Can I call Azure RM APIs as well as Graph?
A: Yes, specify apiType as azure and provide apiVersion and subscriptionId in the request payload.
Q: What tools are available for token management?
A: set-access-token to update a token, get-auth-status to inspect the current auth mode, and add-graph-permission to request extra scopes.
Q: Is Lokka compatible with VS Code extensions? A: One‑click install badges are provided for both VS Code and VS Code Insiders on Windows, macOS, and Linux.
Lokka's README
Lokka
Lokka is a model-context-protocol server for the Microsoft Graph and Azure RM APIs that allows you to query and manage your Azure and Microsoft 365 tenants with AI.
Please see Lokka.dev for how to use Lokka with your favorite AI model and chat client.
Lokka lets you use Claude Desktop, or any MCP Client, to use natural language to accomplish things in your Azure and Microsoft 365 tenant through the Microsoft APIs.
e.g.:
Create a new security group called 'Sales and HR' with a dynamic rule based on the department attribute.Find all the conditional access policies that haven't excluded the emergency access accountShow me all the Intune device configuration policies assigned to the 'Call center' groupWhat was the most expensive service in Azure last month?
Authentication Methods
Lokka now supports multiple authentication methods to accommodate different deployment scenarios:
Interactive Auth
For user-based authentication with interactive login, you can use the following configuration:
This is the simplest config and uses the default Lokka app.
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"]
}
}
}
Interactive auth with custom app
If you wish to use a custom Microsoft Entra app, you can create a new app registration in Microsoft Entra and configure it with the following environment variables:
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"],
"env": {
"TENANT_ID": "<tenant-id>",
"CLIENT_ID": "<client-id>",
"USE_INTERACTIVE": "true"
}
}
}
}
App-Only Auth
Traditional app-only authentication. You can use either certificate (recommended) or client secret authentication with the following configuration.
See Install Guide for more details on how to create an Entra app.
App-Only Auth with Certificate
App only authentication using a PEM-encoded client certificate:
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"],
"env": {
"TENANT_ID": "<tenant-id>",
"CLIENT_ID": "<client-id>",
"CERTIFICATE_PATH": "/path/to/certificate.pem",
"CERTIFICATE_PASSWORD": "<optional-certificate-password>",
"USE_CERTIFICATE": "true"
}
}
}
}
For comfort, in order to convert a PFX client certificate to a PEM-encoded certificate:
openssl pkcs12 -in /path/to/cert.pfx -out /path/to/cert.pem -nodes -clcerts
App-Only Auth with Client Secret
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"],
"env": {
"TENANT_ID": "<tenant-id>",
"CLIENT_ID": "<client-id>",
"CLIENT_SECRET": "<client-secret>"
}
}
}
}
Client-Provided Token
Token-based authentication where the MCP Client provides access tokens:
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"],
"env": {
"USE_CLIENT_TOKEN": "true"
}
}
}
}
When using client-provided token mode:
- Start the MCP server with
USE_CLIENT_TOKEN=true - Use the
set-access-tokentool to provide a valid Microsoft Graph access token - Use the
get-auth-statustool to verify authentication status - Refresh tokens as needed using
set-access-token
New Tools
Token Management Tools
set-access-token: Set or update access tokens for Microsoft Graph authenticationget-auth-status: Check current authentication status and capabilitiesadd-graph-permission: Request additional Microsoft Graph permission scopes interactively
Graph API Version Control
Lokka now supports controlling the default Microsoft Graph API version used for all requests:
- Default behavior: Uses
betaversion for access to latest features - Production mode: Set
USE_GRAPH_BETA=falseto force all requests to usev1.0version - Per-request override: You can still specify
graphApiVersionparameter in individual requests (unlessUSE_GRAPH_BETA=false)
When USE_GRAPH_BETA=false, all Graph API calls will use the stable v1.0 version, even if beta is explicitly requested in the graphApiVersion parameter.
Getting started
See the docs for more information on how to install and configure Lokka.
One-click install for VS Code
| Platform | VS Code | VS Code Insiders |
|---|---|---|
| Windows |  |
 |
| macOS/Linux |  |
 |
Components
Tools
-
Lokka-Microsoft- Call Microsoft Graph & Azure APIs. Supports querying Azure and Microsoft 365 tenants. Updates are also supported if permissions are provided.
- Input:
apiType(string): Type of Microsoft API to query. Options: 'graph' for Microsoft Graph (Entra) or 'azure' for Azure Resource Management.path(string): The Azure or Graph API URL path to call (e.g. '/users', '/groups', '/subscriptions').method(string): HTTP method to use (e.g., get, post, put, patch, delete)apiVersion(string): Azure Resource Management API version (required for apiType Azure)subscriptionId(string): Azure Subscription ID (for Azure Resource Management).queryParams(string): Array of query parameters like select, etc. All parameters are strings.body(JSON): The request body (for POST, PUT, PATCH)
- Returns: Results from the Azure or Graph API call.
-
set-access-token(New in v0.2.0)- Set or update an access token for Microsoft Graph authentication when using client-provided token mode.
- Input:
accessToken(string): The access token obtained from Microsoft Graph authenticationexpiresOn(string, optional): Token expiration time in ISO format
- Returns: Confirmation of token update
-
get-auth-status(New in v0.2.0)- Check the current authentication status and mode of the MCP Server
- Returns: Authentication mode, readiness status, and capabilities
Environment Variables
The configuration of the server is done using environment variables. The following environment variables are supported:
| Name | Description | Required |
|---|---|---|
TENANT_ID |
The ID of the Microsoft Entra tenant. | Yes (except for client-provided token mode) |
CLIENT_ID |
The ID of the application registered in Microsoft Entra. | Yes (except for client-provided token mode) |
CLIENT_SECRET |
The client secret of the application registered in Microsoft Entra. | Yes (for client credentials mode only) |
USE_INTERACTIVE |
Set to "true" to enable interactive authentication mode. | No |
USE_CLIENT_TOKEN |
Set to "true" to enable client-provided token authentication mode. | No |
USE_CERTIFICATE |
Set to "true" to enable certificate authentication mode. | No |
CERTIFICATE_PATH |
Path to the PEM-encoded certificate file for certificate authentication. | Yes (for certificate mode only) |
CERTIFICATE_PASSWORD |
Password for the certificate file (if encrypted). | No |
REDIRECT_URI |
Redirect URI for interactive authentication (default: http://localhost:3000). |
No |
ACCESS_TOKEN |
Initial access token for client-provided token mode. | No |
USE_GRAPH_BETA |
Set to "false" to force all Graph API calls to use v1.0 instead of beta (default: true, allows beta). | No |
Contributors
- Interactive and Token-based Authentication (v0.2.0) - @darrenjrobinson
- Certificate Authentication (v0.2.1) - @nitzpo
Installation
To use this server with the Claude Desktop app, add the following configuration to the "mcpServers" section of your
claude_desktop_config.json:
Interactive Authentication
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"]
}
}
}
Client Credentials Authentication
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": ["-y", "@merill/lokka"],
"env": {
"TENANT_ID": "<tenant-id>",
"CLIENT_ID": "<client-id>",
"CLIENT_SECRET": "<client-secret>"
}
}
}
}
Make sure to replace <tenant-id>, <client-id>, and <client-secret> with the actual values from your Microsoft Entra application. (See Install Guide for more details on how to create an Entra app and configure the agent.)
Lokka Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
Lokka's Information
Configuration
{
"mcpServers": {
"Lokka-Microsoft": {
"command": "npx",
"args": [
"-y",
"@merill/lokka"
]
}
}
}Configure Clients
Similar MCP Servers like Lokka
Explore related MCPs that share similar capabilities and solve comparable challenges
Sequential Thinking
Officialby modelcontextprotocol
An MCP server implementation that provides a tool for dynamic and reflective problem-solving through a structured thinking process.
LibreChat
OfficialClientby danny-avila
Provides a self‑hosted ChatGPT‑style interface supporting numerous AI models, agents, code interpreter, image generation, multimodal interactions, and secure multi‑user authentication.
Goose
by block
Automates engineering tasks on local machines, executing code, building projects, debugging, orchestrating workflows, and interacting with external APIs using any LLM.
Roo Code
OfficialClientby RooCodeInc
Provides an autonomous AI coding partner inside the editor that can understand natural language, manipulate files, run commands, browse the web, and be customized via modes and instructions.
Pydantic AI
by pydantic
A Python framework that enables seamless integration of Pydantic validation with large language models, providing type‑safe agent construction, dependency injection, and structured output handling.
Mcp Agent
Clientby lastmile-ai
Build effective agents using Model Context Protocol and simple, composable workflow patterns.
Mcp Use
Clientby mcp-use
A Python SDK that simplifies interaction with MCP servers and enables developers to create custom agents with tool‑calling capabilities.
5ire
Clientby nanbingxyz
A cross‑platform desktop AI assistant that connects to major LLM providers, supports a local knowledge base, and enables tool integration via MCP servers.
Gptme
Clientby gptme
Provides a personal AI assistant that runs directly in the terminal, capable of executing code, manipulating files, browsing the web, using vision, and interfacing with various LLM providers.