
MCP server for Inforcer — read-only M365 governance: tenants, baselines, drift, secure score, audit

Install in Claude Code / Claude Desktop

Method: NPX · github

Claude Code CLI:

```bash
claude mcp add inforcer-mcp \
  -e INFORCER_REGION=us \
  -e INFORCER_API_KEY=your-api-key \
  -- npx -y github:wyre-technology/inforcer-mcp
```

`claude_desktop_config.json` (Claude Desktop):

```json
{
  "mcpServers": {
    "inforcer-mcp": {
      "command": "npx",
      "args": ["-y", "github:wyre-technology/inforcer-mcp"],
      "env": {
        "INFORCER_REGION": "<inforcer_region>",
        "INFORCER_API_KEY": "<inforcer_api_key>"
      }
    }
  }
}
```

1. Run the command above in your terminal (Claude Code), or paste the JSON config into `claude_desktop_config.json` (Claude Desktop).
2. Replace any `<placeholder>` values with your API keys or paths.
3. Restart Claude. The MCP server and its tools appear automatically.

Detected environment variables: `INFORCER_API_KEY`
# Inforcer MCP Server

[![Build Status](https://github.com/wyre-technology/inforcer-mcp/actions/workflows/release.yml/badge.svg)](https://github.com/wyre-technology/inforcer-mcp/actions/workflows/release.yml)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Node.js](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/)

A [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server that gives AI assistants structured, **read-only** access to [Inforcer](https://www.inforcer.com) Microsoft 365 baseline-governance data — tenants, baselines, alignment/drift, policies, secure scores, identity, and audit logs — plus a single write action to trigger an assessment run.

> **Note:** This project is maintained by [Wyre Technology](https://github.com/wyre-technology).

## ⚠ Community-sourced API

Inforcer does not (at time of writing) publish an official REST API specification. This server wraps the [`@wyre-technology/node-inforcer`](https://github.com/wyre-technology/node-inforcer) SDK, whose API surface is **community-sourced** from [royklo/InforcerCommunity](https://github.com/royklo/InforcerCommunity). Endpoints, field shapes, and behavior may change without notice. Treat results accordingly and verify anything load-bearing against the Inforcer portal.

## Read-only scope

Every tool in this server is **read-only** EXCEPT one:

- `inforcer_assessments_run` — triggers an assessment run for a tenant. It is **HIGH-IMPACT** (not destructive): it kicks off real work in Inforcer and is visible to operators. It is annotated accordingly and asks for confirmation before running. **Confirm with the user before invoking.**

There are **no** create/update/delete tools for policies, tenants, or baselines — those operations are not exposed by the community API and are intentionally absent here.

## Quick Start

**Claude Code (CLI):**

```bash
claude mcp add inforcer-mcp \
  -e INFORCER_REGION=us \
  -e INFORCER_API_KEY=your-api-key \
  -- npx -y github:wyre-technology/inforcer-mcp
```

See [Installation](#installation) for Docker and from-source methods.

## Features

- **🔌 MCP Protocol Compliance**: Full support for MCP tools and prompts
- **🛡️ Governance Coverage (read-only)**: Tenants, baselines, alignment/drift, policies, Microsoft Secure Score, Entra ID identity, and the audit log
- **🔍 Decision-Tree Navigation**: Start with `inforcer_navigate` to explore domains, then call domain-specific tools
- **🧭 Flexible Tenant Resolution**: Most tools accept a `tenant` as a numeric Client Tenant ID, a tenant DNS name, an Azure AD GUID, or a friendly name — resolved automatically
- **🔒 Secure Authentication**: `Inf-Api-Key` header auth, region-scoped
- **🌐 Dual Transport**: stdio (local) and HTTP Streamable (gateway/Docker)
- **🐳 Docker Ready**: Containerized deployment with HTTP transport and health checks
- **📊 Structured Logging**: Configurable levels, credentials never logged

## Table of Contents

- [Installation](#installation)
- [Configuration](#configuration)
- [Tenant identifiers](#tenant-identifiers)
- [Domains and tools](#domains-and-tools)
- [Gateway connection](#gateway-connection)
- [Docker Deployment](#docker-deployment)
- [Development](#development)
- [Testing](#testing)
- [Contributing](#contributing)
- [License](#license)

## Installation

### Option 1: Claude Code (CLI)

```bash
claude mcp add inforcer-mcp \
  -e INFORCER_REGION=us \
  -e INFORCER_API_KEY=your-api-key \
  -- npx -y github:wyre-technology/inforcer-mcp
```

### Option 2: Docker

```bash
docker compose up
```

Or pull the pre-built image:

```bash
docker run -d \
  -e INFORCER_REGION=us \
  -e INFORCER_API_KEY=your-key \
  -p 8080:8080 \
  ghcr.io/wyre-technology/inforcer-mcp:latest
```

### Option 3: From Source

```bash
git clone https://github.com/wyre-technology/inforcer-mcp.git
cd inforcer-mcp
export NODE_AUTH_TOKEN=$(gh auth token)   # to install @wyre-technology/* from GitHub Packages
npm ci
npm run build
```

## Configuration

| Variable | Description | Default |
|----------|-------------|---------|
| `INFORCER_REGION` | **Required.** Inforcer API region — one of `anz`, `eu`, `uk`, `us`. There is no default; the server errors clearly if it is missing. | — |
| `INFORCER_API_KEY` | **Required.** Inforcer API key, sent as the `Inf-Api-Key` header. | — |
| `MCP_TRANSPORT` | Transport mode (`stdio` or `http`) | `stdio` |
| `MCP_HTTP_PORT` | HTTP server port | `8080` |
| `AUTH_MODE` | Auth mode (`env` or `gateway`) | `env` |
| `LOG_LEVEL` | Log level (`debug`, `info`, `warn`, `error`) | `info` |

Both `INFORCER_REGION` and `INFORCER_API_KEY` are required for any API call. Tool discovery (`tools/list`) works without them; the first real call will error if either is missing.

## Tenant identifiers

Inforcer's tenant-scoped routes use an integer **Client Tenant ID** — which is **NOT** the same as the Azure AD tenant GUID (`msTenantId`). To make tools easy to use, the `tenant` argument accepts any of:

- a numeric **Client Tenant ID** (e.g. `42`),
- a **tenant DNS name** (e.g. `contoso.onmicrosoft.com`),
- an **Azure AD tenant GUID** (`msTenantId`), or
- a **friendly name** (e.g. `Contoso`).

Names/DNS/GUIDs are resolved to the numeric Client Tenant ID via the SDK's `resolveTenantId` before each tenant-scoped call. If a name matches more than one tenant, the call fails with a clear "ambiguous" error — pass the numeric Client Tenant ID instead. Use `inforcer_tenants_resolve` to see exactly which Client Tenant ID an input maps to.
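
The resolution rule described above, as an added sketch (not the SDK's `resolveTenantId`): matching is exact, and an ambiguous name fails closed instead of selecting a tenant. The `Tenant` field names other than `msTenantId`, the `resolveTenant` helper and the sample tenants are assumptions made for illustration.

```typescript
// Added sketch, not the SDK's resolveTenantId. Field names besides msTenantId are assumed.
interface Tenant {
  clientTenantId: number; // integer ID used by tenant-scoped routes
  msTenantId: string;     // Azure AD tenant GUID
  dnsName: string;        // assumed field name
  friendlyName: string;   // assumed field name
}

interface Resolution {
  clientTenantId: number | null;            // set only on a unique match
  error: "not_found" | "ambiguous" | null;
  candidates: number[];                     // IDs to offer the operator when ambiguous
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

function resolveTenant(input: string, tenants: Tenant[]): Resolution {
  const q = input.trim().toLowerCase();
  let hits: Tenant[];
  if (/^[0-9]+$/.test(q)) {
    // All digits: treat as a Client Tenant ID, never as a name.
    hits = tenants.filter((t) => t.clientTenantId === Number(q));
  } else if (GUID_RE.test(q)) {
    hits = tenants.filter((t) => t.msTenantId.toLowerCase() === q);
  } else {
    // Exact, case-insensitive match only: no prefix or substring matching,
    // so "contoso" can never silently select "contoso-uk".
    hits = tenants.filter(
      (t) => t.dnsName.toLowerCase() === q || t.friendlyName.toLowerCase() === q
    );
  }
  const ids = hits.map((t) => t.clientTenantId);
  if (ids.length === 1) return { clientTenantId: ids[0], error: null, candidates: ids };
  // Zero or several matches: fail closed instead of guessing a customer tenant.
  return { clientTenantId: null, error: ids.length === 0 ? "not_found" : "ambiguous", candidates: ids };
}

// Constructed sample data: two customers share the friendly name "Contoso".
const SAMPLE_TENANTS: Tenant[] = [
  { clientTenantId: 42, msTenantId: "11111111-1111-4111-8111-111111111111",
    dnsName: "contoso.onmicrosoft.com", friendlyName: "Contoso" },
  { clientTenantId: 57, msTenantId: "22222222-2222-4222-8222-222222222222",
    dnsName: "contoso-uk.onmicrosoft.com", friendlyName: "Contoso" },
  { clientTenantId: 63, msTenantId: "33333333-3333-4333-8333-333333333333",
    dnsName: "fabrikam.onmicrosoft.com", friendlyName: "Fabrikam" },
];
```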

## Domains and tools

The server uses decision-tree navigation. Start with `inforcer_navigate` to pick a domain, or call any tool directly. All tools are read-only except `inforcer_assessments_run`.

| Domain | Tools | Read-only |
|--------|-------|-----------|
| **navigation** | `inforcer_navigate`, `inforcer_status` (live `baselines.list()` connectivity check) | ✅ |
| **tenants** | `inforcer_tenants_list`, `inforcer_tenants_get`, `inforcer_tenants_resolve` | ✅ |
| **baselines** | `inforcer_baselines_list` | ✅ |
| **alignment** | `inforcer_alignment_scores`, `inforcer_alignment_details` (per-tenant drift) | ✅ |
| **policies** | `inforcer_policies_list` (by tenant) | ✅ |
| **secure-scores** | `inforcer_secure_scores_get` (by tenant) | ✅ |
| **identity** | `inforcer_users_list`, `inforcer_users_get`, `inforcer_groups_list`, `inforcer_groups_get`, `inforcer_roles_list` | ✅ |
| **audit** | `inforcer_audit_event_types`, `inforcer_audit_search` | ✅ |
| **assessments** | `inforcer_assessments_list` (✅), `inforcer_assessments_run` (⚠ HIGH-IMPACT, **not** read-only) | mixed |
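
An added example, not part of this project: a client-side check that pins the tool list from the table above and compares it with a `tools/list` result, because MCP tool annotations are hints supplied by the server. `readOnlyHint` is the MCP annotation field; `auditTools`, `needsConfirmation` and the sample response are constructed for illustration.

```typescript
// Added sketch, not project code. Tool names are taken from the table above.
interface ToolInfo {
  name: string;
  annotations?: { readOnlyHint?: boolean };
}

const READ_ONLY_TOOLS: string[] = [
  "inforcer_navigate", "inforcer_status",
  "inforcer_tenants_list", "inforcer_tenants_get", "inforcer_tenants_resolve",
  "inforcer_baselines_list", "inforcer_alignment_scores", "inforcer_alignment_details",
  "inforcer_policies_list", "inforcer_secure_scores_get",
  "inforcer_users_list", "inforcer_users_get", "inforcer_groups_list",
  "inforcer_groups_get", "inforcer_roles_list",
  "inforcer_audit_event_types", "inforcer_audit_search", "inforcer_assessments_list",
];
const WRITE_TOOLS: string[] = ["inforcer_assessments_run"];

// Compare what the server advertises with the documented read-only scope.
function auditTools(tools: ToolInfo[]): string[] {
  const findings: string[] = [];
  for (const t of tools) {
    const readOnly = t.annotations !== undefined && t.annotations.readOnlyHint === true;
    if (WRITE_TOOLS.indexOf(t.name) !== -1) {
      if (readOnly) findings.push(t.name + ": write tool advertised as read-only");
    } else if (READ_ONLY_TOOLS.indexOf(t.name) !== -1) {
      if (!readOnly) findings.push(t.name + ": readOnlyHint is not true");
    } else {
      findings.push(t.name + ": not in the documented tool list");
    }
  }
  return findings;
}

// Gate for the agent host: only pinned read-only tools run without a prompt.
// The decision comes from the pinned list, not from the server's own hints.
function needsConfirmation(toolName: string): boolean {
  return READ_ONLY_TOOLS.indexOf(toolName) === -1;
}

// Constructed tools/list excerpt with two deliberate deviations.
const SAMPLE_TOOLS: ToolInfo[] = [
  { name: "inforcer_tenants_list", annotations: { readOnlyHint: true } },
  { name: "inforcer_audit_search" },                                      // hint missing
  { name: "inforcer_assessments_run", annotations: { readOnlyHint: false } },
  { name: "example_unlisted_tool", annotations: { readOnlyHint: true } }, // hypothetical name
];
```

Running `auditTools` after every server upgrade surfaces a tool that was added or re-annotated since the list was pinned.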

## Gateway connection

When hosted behind the WYRE MCP Gateway, set `AUTH_MODE=gateway` and `MCP_TRANSPORT=http`. In this mode the server is stateless (a fresh MCP server + transport per request) and reads credentials from per-request HTTP headers injected by the gateway:

| Header | Maps to |
|--------|---------|
| `x-inforcer-region` | `INFORCER_REGION` |
| `x-inforcer-api-key` | `INFORCER_API_KEY` |

When both headers are present the server updates the environment and invalidates its cached client so the next call uses the freshly-injected credentials. `tools/list` still works without credentials, so discovery is never blocked. The container image defaults to `MCP_TRANSPORT=http`; `/health` reports `ok` when credentials are configured and `degraded` otherwise.
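
The credential rules from the Configuration table and from this section, as an added sketch (not the server's own code): the source is chosen by `AUTH_MODE`, the region is allow-listed, and the key never reaches a log line. `loadCreds`, `healthStatus` and `describeCreds` are hypothetical helpers, and the choice not to fall back to environment variables in gateway mode is an assumption of this sketch.

```typescript
// Added sketch, not the server's own code.
const REGIONS: string[] = ["anz", "eu", "uk", "us"]; // the four documented regions

interface Dict { [key: string]: string | undefined }
interface Creds { region: string; apiKey: string }
interface CredResult { creds: Creds | null; error: string | null }

// Pick the credential source by AUTH_MODE, then validate before any API call.
// `headers` is assumed to have lower-cased names, as Node's HTTP server provides.
function loadCreds(env: Dict, headers: Dict): CredResult {
  const mode = env["AUTH_MODE"] || "env"; // documented default
  let region: string | undefined;
  let apiKey: string | undefined;
  if (mode === "gateway") {
    // Sketch's choice: no fallback to environment variables here, so a
    // request without injected headers gets no credentials at all.
    region = headers["x-inforcer-region"];
    apiKey = headers["x-inforcer-api-key"];
  } else if (mode === "env") {
    region = env["INFORCER_REGION"];
    apiKey = env["INFORCER_API_KEY"];
  } else {
    return { creds: null, error: "unknown AUTH_MODE" };
  }
  if (!region || !apiKey || apiKey.trim() === "") {
    return { creds: null, error: "missing region or API key" };
  }
  const r = region.trim().toLowerCase();
  // Allow-list the region against the documented values before it is used.
  if (REGIONS.indexOf(r) === -1) return { creds: null, error: "invalid region" };
  return { creds: { region: r, apiKey: apiKey.trim() }, error: null };
}

// Mirrors the documented /health semantics.
function healthStatus(result: CredResult): string {
  return result.creds ? "ok" : "degraded";
}

// Log-safe summary: the key itself is never included.
function describeCreds(result: CredResult): string {
  return result.creds
    ? "region=" + result.creds.region + " apiKey=[redacted]"
    : "error=" + result.error;
}
```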

## Docker Deployment

See [docker-compose.yml](docker-compose.yml) for full configuration. Copy `.env.example` to `.env` and fill in your credentials:

```bash
cp .env.example .env
# Edit .env with INFORCER_REGION and INFORCER_API_KEY
docker compose up -d
```

## Development

```bash
export NODE_AUTH_TOKEN=$(gh auth token)
npm ci
npm run build       # Build the project
npm run dev         # Watch mode
npm run test        # Run tests
npm run lint        # Type-check
npm run clean       # Remove dist/
```

## Testing

```bash
npm test            # Run test suite
npm run test:watch  # Watch mode
```

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

## License

Apache 2.0 — Copyright WYRE Technology

What people ask about inforcer-mcp

What is wyre-technology/inforcer-mcp?

wyre-technology/inforcer-mcp is an MCP server for the Claude AI ecosystem. MCP server for Inforcer — read-only M365 governance: tenants, baselines, drift, secure score, audit. It has 0 GitHub stars and was last updated today.

How do I install inforcer-mcp?

You can install inforcer-mcp by cloning the repository (https://github.com/wyre-technology/inforcer-mcp) or following the README instructions on GitHub. ClaudeWave also provides quick install blocks on this page.

Is wyre-technology/inforcer-mcp safe to use?

wyre-technology/inforcer-mcp has not been audited yet by our security agent. Review the original repository on GitHub before using it in production.

Who maintains wyre-technology/inforcer-mcp?

wyre-technology/inforcer-mcp is maintained by wyre-technology. The last recorded GitHub activity is from today, with 0 open issues.

Are there alternatives to inforcer-mcp?

Yes. On ClaudeWave you can browse similar MCP servers at /categories/mcp, sorted by popularity or recent activity.
