Microsoft 365

What is Lokka?

Lokka is an MCP (Model Context Protocol) server designed to bridge AI models with Microsoft Graph and Azure Resource Management (ARM) APIs. It allows users to manage and query their Microsoft 365 and Azure tenants using natural language, effectively turning natural language commands into API calls.

How to use Lokka?

Lokka can be used with any MCP Client, such as Claude Desktop. To set it up, you need to configure the mcpServers section in your client's configuration file (e.g., claude_desktop_config.json). This involves specifying the command, args, and env variables, including TENANT_ID, CLIENT_ID, and CLIENT_SECRET for client credentials authentication. Lokka also supports interactive authentication and client-provided token authentication, offering flexibility in deployment scenarios. Once configured, you can send natural language commands to your AI model, which Lokka translates into actions within your Microsoft environment.

Key Features of Lokka

• Natural Language Interaction: Query and manage Microsoft 365 and Azure using plain English commands.
• Microsoft Graph & Azure API Integration: Seamlessly interacts with both Microsoft Graph and Azure Resource Management APIs.
• Multiple Authentication Methods: Supports Client Credentials (service-to-service), Interactive Authentication (user-based login), and Client-Provided Token authentication.
• Token Management Tools: Includes set-access-token to update access tokens and get-auth-status to check authentication status.
• Flexible Deployment: Can be integrated with various MCP-compatible AI models and chat clients.

Use Cases of Lokka

Lokka is ideal for IT administrators, developers, and power users who want to streamline their management tasks within Microsoft 365 and Azure using AI. Example use cases include:

• Creating new security groups with dynamic rules.
• Finding specific conditional access policies.
• Listing Intune device configuration policies assigned to a group.
• Querying Azure for cost analysis of services.

FAQ about Lokka

Q: What is MCP? A: MCP stands for Model Context Protocol, a protocol that allows AI models to interact with external services and data.

Q: What authentication methods does Lokka support? A: Lokka supports Client Credentials, Interactive Authentication, and Client-Provided Token authentication.

Q: Can Lokka modify resources in Microsoft 365 and Azure? A: Yes, Lokka supports updates to resources if the provided credentials have the necessary permissions.

Q: Where can I find more detailed documentation? A: You can find comprehensive documentation, including installation and developer guides, on Lokka.dev.

Lokka

Lokka is a model-context-protocol server for the Microsoft Graph and Azure RM APIs that allows you to query and managing your Azure and Microsoft 365 tenants with AI.

Please see Lokka.dev for how to use Lokka with your favorite AI model and chat client.

Lokka lets you use Claude Desktop, or any MCP Client, to use natural language to accomplish things in your Azure and Microsoft 365 tenant through the Microsoft APIs.

e.g.:

• Create a new security group called 'Sales and HR' with a dynamic rule based on the department attribute.
• Find all the conditional access policies that haven't excluded the emergency access account
• Show me all the Intune device configuration policies assigned to the 'Call center' group
• What was the most expensive service in Azure last month?

Authentication Methods (Enhanced in v0.2.0)

Lokka now supports multiple authentication methods to accommodate different deployment scenarios:

1. Client Credentials (Service-to-Service)

Traditional app-only authentication using client credentials:

{
  "mcpServers": {
    "Lokka-Microsoft": {
      "command": "npx",
      "args": ["-y", "@merill/lokka"],
      "env": {
        "TENANT_ID": "<tenant-id>",
        "CLIENT_ID": "<client-id>",
        "CLIENT_SECRET": "<client-secret>"
      }
    }
  }
}

2. Interactive Authentication (New)

User-based authentication with interactive login:

{
  "mcpServers": {
    "Lokka-Microsoft": {
      "command": "npx",
      "args": ["-y", "@merill/lokka"],
      "env": {
        "TENANT_ID": "<tenant-id>",
        "CLIENT_ID": "<client-id>",
        "USE_INTERACTIVE": "true",
        "REDIRECT_URI": "http://localhost:3000"
      }
    }
  }
}

3. Client-Provided Token (New)

Token-based authentication where the MCP Client provides access tokens:

{
  "mcpServers": {
    "Lokka-Microsoft": {
      "command": "npx",
      "args": ["-y", "@merill/lokka"],
      "env": {
        "USE_CLIENT_TOKEN": "true"
      }
    }
  }
}

When using client-provided token mode:

1. Start the MCP server with USE_CLIENT_TOKEN=true
2. Use the set-access-token tool to provide a valid Microsoft Graph access token
3. Use the get-auth-status tool to verify authentication status
4. Refresh tokens as needed using set-access-token

New Tools (v0.2.0)

Token Management Tools

• set-access-token: Set or update access tokens for Microsoft Graph authentication
• get-auth-status: Check current authentication status and capabilities

Enhanced Microsoft Graph Tool

• Lokka-Microsoft: Now supports all three authentication modes with improved error handling and token management

Getting started

See the docs for more information on how to install and configure Lokka.

• Introduction
• Install guide
• Developer guide

Components

Tools

1. Lokka-Microsoft

   • Call Microsoft Graph & Azure APIs. Supports querying Azure and Microsoft 365 tenants. Updates are also supported if permissions are provided.
   • Input:
     • apiType (string): Type of Microsoft API to query. Options: 'graph' for Microsoft Graph (Entra) or 'azure' for Azure Resource Management.
     • path (string): The Azure or Graph API URL path to call (e.g. '/users', '/groups', '/subscriptions').
     • method (string): HTTP method to use (e.g., get, post, put, patch, delete)
     • apiVersion (string): Azure Resource Management API version (required for apiType Azure)
     • subscriptionId (string): Azure Subscription ID (for Azure Resource Management).
     • queryParams (string): Array of query parameters like $filter,$select, etc. All parameters are strings.
     • body (JSON): The request body (for POST, PUT, PATCH)
   • Returns: Results from the Azure or Graph API call.

2. set-access-token (New in v0.2.0)

   • Set or update an access token for Microsoft Graph authentication when using client-provided token mode.
   • Input:
     • accessToken (string): The access token obtained from Microsoft Graph authentication
     • expiresOn (string, optional): Token expiration time in ISO format
   • Returns: Confirmation of token update

3. get-auth-status (New in v0.2.0)

   • Check the current authentication status and mode of the MCP Server
   • Returns: Authentication mode, readiness status, and capabilities

Environment Variables

The configuration of the server is done using environment variables. The following environment variables are supported:

Name	Description	Required
TENANT_ID	The ID of the Microsoft Entra tenant.	Yes (except for client-provided token mode)
CLIENT_ID	The ID of the application registered in Microsoft Entra.	Yes (except for client-provided token mode)
CLIENT_SECRET	The client secret of the application registered in Microsoft Entra.	Yes (for client credentials mode only)
USE_INTERACTIVE	Set to "true" to enable interactive authentication mode.	No
USE_CLIENT_TOKEN	Set to "true" to enable client-provided token authentication mode.	No
REDIRECT_URI	Redirect URI for interactive authentication (default: http://localhost:3000).	No
ACCESS_TOKEN	Initial access token for client-provided token mode.	No

Contributors

• Interactive and Token-based Authentication (v0.2.0) - @darrenjrobinson

Installation

To use this server with the Claude Desktop app, add the following configuration to the "mcpServers" section of your claude_desktop_config.json:

{
  "mcpServers": {
    "Lokka-Microsoft": {
      "command": "npx",
      "args": ["-y", "@merill/lokka"],
      "env": {
        "TENANT_ID": "<tenant-id>",
        "CLIENT_ID": "<client-id>",
        "CLIENT_SECRET": "<client-secret>"
      }
    }
  }
}

Make sure to replace <tenant-id>, <client-id>, and <client-secret> with the actual values from your Microsoft Entra application. (See Install Guide for more details on how to create an Entra app and configure the agent.)