matt-taylor.tech
← Back to projects

Work · National food brokerage · 2026

IT Ops MCP server

Python FastMCP Azure Container Apps Entra OAuth (OBO) Microsoft Graph Freshservice ScreenConnect Cisco Meraki Dell TechDirect

A Model Context Protocol server, deployed and running on Azure Container Apps, that puts the IT team's live operational systems behind one connector Claude and Cowork attach to by URL. Freshservice, ScreenConnect, Cisco Meraki, Dell TechDirect warranty, and Microsoft Graph are exposed through a single namespaced server (35 tools) instead of a separate integration per system. It complements the internal AI-augmented IT operations platform: that platform owns the analyzable Supabase mirror and the autonomous agent, while this server answers the questions a periodically-synced mirror cannot, in real time (is this machine online right now, the current state of a ticket, a site's live uplink).

What it exposes

  • Freshservice read across tickets, assets, agents, and groups, plus governed ticket write actions.
  • ScreenConnect find sessions, read live session state (online, last activity, host, OS, serial) and chat history, plus governed session actions.
  • Cisco Meraki device and uplink status, network clients, and client lookup for network-side context.
  • Dell TechDirect warranty lookup by service tag plus a fleet warranty audit that cross-references Freshservice assets to surface machines whose warranty is expiring soon.
  • Microsoft Graph read plus governed directory and account write actions, run delegated on-behalf-of so each call is scoped to the signed-in user's own roles.

Security model

The surface is read-heavy with a set of governed write tools, so the guardrail for who can reach the tools lives at the identity and hosting layer, not in the model.

  • Two privilege models, one connector. Microsoft Graph runs delegated on-behalf-of, so every Graph call is scoped to the signed-in user's own Entra roles. The other systems authenticate with shared service credentials, so the assigned connector group is the trust boundary for those tools.
  • Identity-gated access. An Entra OAuth connector means only users assigned in Entra can connect; a static bearer-token gate is the in-app floor, layered with Container App network controls.
  • Secrets stay server-side. API keys and shared secrets come from environment variables, never from chat and never committed.

Stack

Python on FastMCP, served over streamable HTTP (stateless) by uvicorn with a /healthz probe, containerized and deployed to Azure Container Apps; stdio transport for local development. Delegated Graph uses an on-behalf-of token exchange; an optional Supabase trail audits ScreenConnect commands.