AgentReady · Agent Listing

Microsoft Entra ID MCP Server — agentic threat model

AIVSS 8.9 · High

The Microsoft Entra ID MCP Server is a high-value target: it exposes directory, MFA and privileged-account data to LLMs. Its risk profile depends almost entirely on the Microsoft Graph API permissions granted to its app registration and on the absence of authorization controls at the MCP layer itself, which means every caller of the server inherits the application's full Graph scope.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
Factor sum: 3.0 / 10
Threat multiplier (ThM): ×1.0
AARS uplift: (10 − 8.5) × (3.0 / 10) × 1.0 = 0.45
Mitigation factor: ×1.0
AIVSS: (8.5 + 0.45) × 1.0 = 8.95, displayed as 8.9
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.20
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
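The scoring above, carried through in code so the numbers on this page can be checked and the sensitivity of the result explored. This is an added example, not the listing's own calculator and not code from the OWASP AIVSS project; it implements exactly the formula stated on this page, with the ten factor values and the 8.5 CVSS base taken from the listing. The `per_factor_point` helper is an addition of mine: it shows how little the final score moves per full point of agentic factor once the CVSS base is already high.

```python
from decimal import Decimal

# Inputs copied from the listing. Decimal keeps the arithmetic exact (8.95, not 8.949999...).
ENTRA_MCP_CVSS_BASE = Decimal("8.5")
ENTRA_MCP_FACTORS = {
    "Autonomy of Action": Decimal("0.30"),
    "Goal-Driven Planning": Decimal("0.20"),
    "Self-Modification": Decimal("0.00"),
    "Dynamic Tool Use": Decimal("0.70"),
    "Persistent Memory": Decimal("0.10"),
    "Contextual Awareness": Decimal("0.40"),
    "Dynamic Identity": Decimal("0.60"),
    "Multi-Agent Interactions": Decimal("0.20"),
    "Non-Determinism": Decimal("0.30"),
    "Opacity & Reflexivity": Decimal("0.20"),
}


def _d(x):
    """Accept int/float/str/Decimal without introducing binary-float noise."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def factor_sum(factors):
    """Sum of the ten agentic risk factors; each must lie in [0, 1]."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    values = [_d(v) for v in factors.values()]
    if any(v < 0 or v > 1 for v in values):
        raise ValueError("each factor must be scored between 0.0 and 1.0")
    return sum(values, Decimal("0"))


def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic AI Risk Score uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    base = _d(cvss_base)
    if base < 0 or base > 10:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    return (Decimal("10") - base) * (factor_sum(factors) / Decimal("10")) * _d(threat_multiplier)


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Final score as defined on the page: (CVSS_Base + AARS) * Mitigation_Factor."""
    return (_d(cvss_base) + aars(cvss_base, factors, threat_multiplier)) * _d(mitigation_factor)


def per_factor_point(cvss_base, threat_multiplier=1.0, mitigation_factor=1.0):
    """Added helper: change in the final score per 1.0 of factor sum.

    Follows from the formula: d(AIVSS)/d(Factor_Sum) = (10 - CVSS_Base) / 10 * ThM * MF.
    With a base of 8.5 that is only 0.15, so raising e.g. Dynamic Tool Use from 0.7 to
    1.0 would add just 0.045 to the score; the CVSS base dominates.
    """
    return (Decimal("10") - _d(cvss_base)) / Decimal("10") * _d(threat_multiplier) * _d(mitigation_factor)


if __name__ == "__main__":
    print("factor sum:", factor_sum(ENTRA_MCP_FACTORS))
    print("AARS:", aars(ENTRA_MCP_CVSS_BASE, ENTRA_MCP_FACTORS))
    print("AIVSS:", aivss(ENTRA_MCP_CVSS_BASE, ENTRA_MCP_FACTORS))
    print("score per factor point:", per_factor_point(ENTRA_MCP_CVSS_BASE))
```

Running it reproduces the page's 0.45 uplift and an unrounded 8.95, which the listing displays as 8.9. The formula is reproduced as written on this page; whether the official calculator caps or rounds differently is not something the listing states.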

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The MCP server itself is model-agnostic, but whichever model drives it is exposed to prompt injection: instructions embedded in content the model reads (a ticket, an e-mail, a document it was asked to summarise) can make it issue directory queries the user never requested and pass the results out through any other tool or output channel it has.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — The server has no vector store or training pipeline of its own, but it is a direct channel for sensitive identity and sign-in log data into the LLM's context window; anything that lands there can be exfiltrated through the model's other outputs.

L3 · Agent Frameworks · ✓ mapped

Exposes powerful query tools (users, groups, MFA status) to the agent framework. If the orchestrator does not constrain tool calls (tool allow-listing, per-call authorization, confirmation before sensitive queries), prompt injection turns into tool abuse, letting an attacker enumerate the tenant's users, groups and MFA posture through the model.

L4 · Deployment & Infrastructure · ✓ mapped

The server is Python-based and must be hosted accordingly. The primary infrastructure risk is exposure of the Microsoft Graph API credential (client secret or certificate private key) it reads from its environment configuration: whoever obtains it holds the app registration's full Graph scope from anywhere, without going through the MCP server at all.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in audit logging, query guardrails, or anomaly detection, so abuse of the directory-query tools would have to be reconstructed from the tenant's own logs, where app-only Graph calls are attributed to the application rather than to the person prompting the model.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The primary risk surface is the Microsoft Graph API permissions granted to the application registration. Over-permissioning (e.g., Directory.Read.All as an application permission) without fine-grained, per-user authorization at the MCP layer means every caller of the server, whatever their own role, can read everything the app can read: a significant security and compliance gap. Grant only the scopes the tools actually need, and where the deployment allows it prefer delegated permissions so that Graph enforces the signed-in user's own access.

L7 · Agent Ecosystem · ✓ mapped

In a multi-agent ecosystem, other untrusted or compromised agents could query this MCP server to harvest directory data, identify high-value targets (privileged users), or check MFA status to plan lateral movement; the server itself has no way to tell a legitimate agent from a hostile one.
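The controls the L3, L5, L6 and L7 commentary say are missing (tool allow-listing, caller-level authorization, audit logging, and detection of bulk directory harvesting) can all sit in one policy layer that the host application consults before any Graph call is made. The following is an added example of such a gate, not code from the Entra ID MCP Server project. The tool names, sensitivity tiers, caller roles and thresholds are all hypothetical: the listing only says the server exposes user, group and MFA-status queries, and the caller identity must be supplied by the host application, since the MCP layer has no notion of it.

```python
import logging
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

log = logging.getLogger("entra_mcp.gate")

# Hypothetical tool catalogue (illustrative names, not the real server's tool list).
# Tier 0 = single-object lookup, tier 1 = membership enumeration,
# tier 2 = authentication posture of accounts (MFA state, privileged-role holders).
TOOL_TIERS = {
    "get_user": 0,
    "list_groups": 1,
    "list_group_members": 1,
    "get_user_mfa_status": 2,
    "list_privileged_role_members": 2,
}

# Hypothetical caller roles and the highest tier each may invoke.
ROLE_MAX_TIER = {"helpdesk": 0, "iam-analyst": 1, "security-admin": 2}


class ToolDenied(Exception):
    """Raised when a call fails policy; the Graph request is never issued."""


@dataclass
class ToolGate:
    """Per-call authorization, audit logging and enumeration throttling in front of the tools."""

    max_distinct_targets: int = 25     # distinct users one caller may touch per window
    window_seconds: float = 300.0
    audit: list = field(default_factory=list)
    _targets: dict = field(default_factory=lambda: defaultdict(deque))

    def authorize(self, caller_id, caller_role, tool, args, now=None):
        now = time.monotonic() if now is None else now

        # 1. Closed world: a tool not in the catalogue is refused outright, including
        #    names a prompt-injected model "remembers" from some other server.
        if tool not in TOOL_TIERS:
            self._deny(caller_id, tool, args, "unknown_tool")

        # 2. Sensitivity: the caller's role, not the app registration's Graph scope,
        #    decides whether MFA state or privileged-role membership is visible.
        if ROLE_MAX_TIER.get(caller_role, -1) < TOOL_TIERS[tool]:
            self._deny(caller_id, tool, args, "role_below_tier")

        # 3. Velocity: many distinct users touched by one caller in a short window is
        #    directory harvesting, however innocent each individual query looks.
        target = args.get("user")
        if target is not None:
            history = self._targets[caller_id]
            history.append((now, target))
            while history and now - history[0][0] > self.window_seconds:
                history.popleft()
            if len({t for _, t in history}) > self.max_distinct_targets:
                self._deny(caller_id, tool, args, "enumeration_velocity")

        self._record(caller_id, tool, args, "allow", None)
        return True

    def _deny(self, caller_id, tool, args, reason):
        self._record(caller_id, tool, args, "deny", reason)
        raise ToolDenied(f"{tool} denied for {caller_id}: {reason}")

    def _record(self, caller_id, tool, args, decision, reason):
        # Record who asked for what; never the Graph credential or the returned data.
        entry = {"caller": caller_id, "tool": tool, "target": args.get("user"),
                 "decision": decision, "reason": reason}
        self.audit.append(entry)
        log.info("tool_call %s", entry)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    gate = ToolGate()
    gate.authorize("alice", "helpdesk", "get_user", {"user": "bob@contoso.example"})
    try:
        gate.authorize("alice", "helpdesk", "get_user_mfa_status", {"user": "bob@contoso.example"})
    except ToolDenied as exc:
        print(exc)
```

The gate is deliberately stateless about Graph: it only decides whether a call may proceed, so it works the same whether the server uses app-only or delegated tokens. The audit entries are what the L5 layer lacks, and the velocity rule is a coarse detector for the harvesting scenario in L7; tune the window and threshold to the real call patterns of the helpdesk or automation that legitimately uses the server.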

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).