Microsoft Cloud — Security Tools
The 25 security tools cover Microsoft 365 Defender alerts, Conditional Access, named locations, Identity Protection (risky users and risk detections), sign-in and audit logs, Defender for Endpoint, Defender Advanced Hunting (KQL queries against the XDR data lake), BitLocker recovery keys, LAPS credentials, and Secure Score.
All tools accept an optional connection_id. Omit it to use the default Entra connection. See entra_connection_list for multi-tenant scenarios.
WARNING
BitLocker recovery keys, LAPS passwords, and Secure Score profile content are sensitive. Confirm caller intent before retrieving them, and avoid logging the actual key/password values into insights or artifacts.
Defender Alerts
mscloud_security_list_alerts
Lists unified security alerts (alerts_v2) from Microsoft 365 Defender. Covers endpoint, identity, email, and cloud app alerts. Filter by severity (high, medium, low, informational) or status (new, inProgress, resolved).
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. severity eq 'high'. |
orderby | string | — | OData $orderby. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"List all high-severity Defender alerts that are still new."
mscloud_security_get_alert
Returns a single alert by ID — full details including evidence, affected entities, and recommended actions.
| Parameter | Type | Required | Description |
|---|---|---|---|
alert_id | string | ✓ | Security alert ID. |
connection_id | string | — | Target Entra tenant. |
select | string | — | Comma-separated property list. |
Example prompt.
"Show me everything about alert
<id>, including affected entities and evidence."
Conditional Access & Named Locations
mscloud_security_list_ca_policies
Lists all Conditional Access policies. Critical for security posture assessment — review policy state (enabled, disabled, enabledForReportingButNotEnforced), conditions, and grant controls. Compose with mscloud_security_list_named_locations and mscloud_security_get_ca_policy.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter. |
Example prompt.
"List all Conditional Access policies — flag any that are still in report-only mode."
mscloud_security_get_ca_policy
Returns a single Conditional Access policy by ID — full configuration including user/group inclusions and exclusions, app conditions, location conditions, and grant/session controls.
| Parameter | Type | Required | Description |
|---|---|---|---|
policy_id | string | ✓ | Policy ID (GUID). |
connection_id | string | — | Target Entra tenant. |
Example prompt.
"Show me the full configuration of the 'Require MFA for admins' Conditional Access policy."
mscloud_security_list_named_locations
Lists named locations used in Conditional Access. Includes IP-based and country-based locations. Review to ensure trusted locations match corporate network boundaries. Takes only an optional connection_id.
Example prompt.
"List all named locations and flag any marked as trusted."
mscloud_security_get_named_location
Returns a single named location by location_id — location type (IP ranges or countries) and trust configuration.
Example prompt.
"What IP ranges are in the 'Corporate HQ' named location?"
Identity Protection
mscloud_security_list_risky_users
Lists users flagged as risky by Identity Protection. Filter by riskLevel (high, medium, low) and riskState (atRisk, confirmedCompromised, dismissed). Cross-reference with mscloud_identity_list_directory_role_members to flag any privileged users at risk.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. riskLevel eq 'high'. |
orderby | string | — | OData $orderby. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"List all users currently flagged as high risk."
mscloud_security_get_risky_user
Returns a single risky user by ID — risk details, risk history, and current risk state.
| Parameter | Type | Required | Description |
|---|---|---|---|
user_id | string | ✓ | User ID. |
connection_id | string | — | Target Entra tenant. |
select | string | — | Comma-separated property list. |
Example prompt.
"Show me the risk history for this user."
mscloud_security_list_risk_detections
Lists risk detection events from Identity Protection. Each event describes a specific risk signal — anonymized IP, impossible travel, leaked credentials, and so on. Filter by riskType or riskLevel to focus on critical detections.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. riskType eq 'anonymizedIPAddress'. |
orderby | string | — | OData $orderby. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"List all impossible-travel risk detections from the last 30 days."
Sign-In & Audit Logs
mscloud_security_list_sign_ins
Lists sign-in logs (interactive and non-interactive). Essential for authentication analysis — detect suspicious patterns, MFA gaps, and legacy auth usage.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter. |
orderby | string | — | OData $orderby. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"Show me the last 50 sign-ins for
stefan.hayduk@example.com."
mscloud_security_get_sign_in
Returns a single sign-in log entry by ID — full details including authentication methods, Conditional Access results, device info, and location.
| Parameter | Type | Required | Description |
|---|---|---|---|
sign_in_id | string | ✓ | Sign-in log entry ID. |
connection_id | string | — | Target Entra tenant. |
select | string | — | Comma-separated property list. |
Example prompt.
"Show me the full details of sign-in
<id>— auth method, location, and CA result."
mscloud_security_list_directory_audits
Lists directory audit logs (user, group, app changes, and so on). Tracks configuration changes for compliance — who added a user to Global Admins, when Conditional Access policies were modified, who consented to an app.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. activityDisplayName eq 'Add user'. |
orderby | string | — | OData $orderby, e.g. activityDateTime desc. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"Show every change to a Conditional Access policy in the last 30 days."
mscloud_security_get_directory_audit
Returns a single directory audit log entry by ID — full audit details including initiator, target resources, and modified properties.
| Parameter | Type | Required | Description |
|---|---|---|---|
audit_id | string | ✓ | Directory audit log entry ID. |
connection_id | string | — | Target Entra tenant. |
select | string | — | Comma-separated property list. |
Example prompt.
"Show me the full audit detail for log entry
<id>."
Defender for Endpoint
The Defender tools live in their own mscloud_defender_* namespace and require the AdvancedHunting.Read.All application permission on the Microsoft Threat Protection API in addition to the WindowsDefenderATP permissions used by the machine tools. See Connecting Entra ID for the full list.
mscloud_defender_list_machines
Lists machines onboarded to Microsoft Defender for Endpoint. Filter by OS platform, health status, or machine name. Compose with mscloud_defender_get_machine_recommendations and mscloud_defender_get_machine_logon_users.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
os_platform | string | — | Comma-separated platforms (e.g. Windows10,Windows11,WindowsServer2022). |
machine_name | string | — | Filter computerDnsName starting with this value. |
active_only | boolean | — | Only healthStatus = Active machines. |
filter | string | — | Custom OData $filter (overrides the simpler params). |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"List all active Windows 11 machines onboarded to Defender."
mscloud_defender_get_machine_recommendations
Returns security recommendations for a specific machine — software vulnerabilities and configuration weaknesses. Filter by remediation_type to separate software patches from configuration changes.
| Parameter | Type | Required | Description |
|---|---|---|---|
machine_id | string | ✓ | Machine ID (GUID) from Defender. |
connection_id | string | — | Target Entra tenant. |
remediation_type | string | — | Software (Update/Upgrade/Uninstall) or Configuration. |
Example prompt.
"Show me all software-update recommendations for machine
<id>."
mscloud_defender_get_machine_logon_users
Returns logon users for a specific machine — useful for identifying shared workstations and mapping attack surfaces.
| Parameter | Type | Required | Description |
|---|---|---|---|
machine_id | string | ✓ | Machine ID (GUID). |
connection_id | string | — | Target Entra tenant. |
Example prompt.
"Which users have logged onto machine
<id>recently?"
Defender Advanced Hunting
These tools query the Microsoft 365 Defender XDR data lake — the same tables you can hunt against in the Defender portal. Two typed tools cover the most common pivots; a third accepts arbitrary KQL for joins, summaries, and tables not exposed via the typed shapes.
Responses are wrapped in an envelope with rowCount, totalRowCount, truncated, columns, and rows. Up to 200 rows are returned per call — narrow your time window or add filters when truncated is true. Throttled responses (HTTP 429) surface as a clear "Retry after N seconds" hint so Claude can pace follow-up calls.
WARNING
Advanced Hunting accesses raw telemetry — process command lines, alert evidence, and entity links. Treat results like any other security data: avoid persisting command-line strings or evidence payloads beyond the assessment they were collected for.
mscloud_defender_query_device_process_events
Typed shape for the most common security pivot — process creation events on a specific device, with optional command-line filtering. Use this instead of the generic KQL tool when you know the device and want recent process executions.
| Parameter | Type | Required | Description |
|---|---|---|---|
device_id | string | ✓ | Defender device ID. |
connection_id | string | — | Target Entra tenant. |
lookback_hours | number | — | Window in hours (default 24, max 720). |
command_line_contains | string | — | Substring match against ProcessCommandLine. |
top | number | — | Row cap, max 200. |
Example prompt.
"Show me PowerShell processes started on device
<id>in the last 24 hours where the command line contains-EncodedCommand."
mscloud_defender_query_alert_evidence
Typed shape for "what entities are linked to this alert?" — returns the rows from the AlertEvidence table for a given alert. Use this to expand from an alert ID into the affected users, devices, files, and IPs.
| Parameter | Type | Required | Description |
|---|---|---|---|
alert_id | string | ✓ | Defender alert ID. |
connection_id | string | — | Target Entra tenant. |
top | number | — | Row cap, max 200. |
Example prompt.
"List every entity Defender linked to alert
<id>— users, devices, files, IPs."
mscloud_defender_advanced_hunting_query
Generic KQL passthrough for joins, summarize, and any table the typed tools do not expose (Email, Identity, CloudApp, plus cross-product correlations). The query string is sent to api.security.microsoft.com/api/advancedhunting/run as-is — write it the same way you would in the Defender portal hunting console.
| Parameter | Type | Required | Description |
|---|---|---|---|
query | string | ✓ | KQL statement. |
connection_id | string | — | Target Entra tenant. |
top | number | — | Row cap, max 200. |
Example prompt.
"Run this hunting query:
DeviceLogonEvents | where Timestamp > ago(1h) | summarize count() by AccountName."
BitLocker Keys
mscloud_security_list_bitlocker_keys
Lists BitLocker recovery keys stored in Entra ID. Returns key metadata (device ID, creation date, volume type) but not the actual recovery key. Use mscloud_security_get_bitlocker_key to retrieve the key value.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. deviceId eq 'device-guid'. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"List BitLocker recovery keys stored for device
<device-id>."
mscloud_security_get_bitlocker_key
Returns a single BitLocker recovery key by ID. By default returns metadata only — include key in select to retrieve the actual recovery key value. Requires BitlockerKey.Read.All permission.
| Parameter | Type | Required | Description |
|---|---|---|---|
key_id | string | ✓ | BitLocker recovery key ID (GUID). |
connection_id | string | — | Target Entra tenant. |
select | string | — | Use key to include the actual recovery key. |
WARNING
Including key in select returns the actual BitLocker recovery key. Confirm caller intent and avoid persisting the value beyond the immediate response.
Example prompt.
"Retrieve the BitLocker recovery key for ID
<id>— I need to unlock the drive."
LAPS Credentials
mscloud_security_list_laps_credentials
Lists device local credentials (LAPS) for Entra ID-joined devices. Returns metadata about which devices have LAPS passwords managed by Entra. Use mscloud_security_get_laps_credential to retrieve the actual password.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter, e.g. deviceName eq 'DESKTOP-ABC123'. |
orderby | string | — | OData $orderby. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"Find the LAPS entry for DESKTOP-ABC123."
mscloud_security_get_laps_credential
Returns LAPS credential details for a specific device. Use the id field from mscloud_security_list_laps_credentials as device_id — it is the Entra device object ID. Requires DeviceLocalCredential.Read.All permission.
| Parameter | Type | Required | Description |
|---|---|---|---|
device_id | string | ✓ | Entra device object ID (the id from the list call). |
connection_id | string | — | Target Entra tenant. |
select | string | — | Use credentials to include the actual password. |
WARNING
Including credentials in select returns the actual LAPS password. Confirm caller intent and avoid logging the value.
Example prompt.
"Get the LAPS password for device
<device-id>— I need to log on locally."
Secure Score
mscloud_security_get_secure_scores
Returns the tenant's Microsoft Secure Score history — point-in-time snapshots of current vs. max score. Use this when the user asks "what is our current score" or "show score trend". For improvement actions or roadmap, call mscloud_security_list_secure_score_profiles instead.
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
orderby | string | — | OData $orderby, e.g. createdDateTime desc. |
top | number | — | Number of snapshots to return. |
Example prompt.
"What's our current Secure Score and how has it changed over the last 30 days?"
mscloud_security_list_secure_score_profiles
Lists secure score control profiles — the per-control improvement actions that raise the tenant's score. Use whenever the user asks for a roadmap, improvement plan, recommendations, or "what should we do to improve our Secure Score".
| Parameter | Type | Required | Description |
|---|---|---|---|
connection_id | string | — | Target Entra tenant. |
filter | string | — | OData $filter. |
select | string | — | Comma-separated property list. |
top | number | — | Page size, max 100. |
skiptoken | string | — | From the previous response. |
Example prompt.
"What improvements would raise our Secure Score the most?"
See Also
For users, groups, directory roles, and PIM, see Microsoft Cloud — Identity. For app registrations, GDAP, and Azure platform inventory, see Microsoft Cloud — Platform. For Intune managed devices and licensing, see Microsoft Cloud — Services.