synitio/ad-mcp

By synitio

Updated about 23 hours ago

Secure, read-only MCP access to Active Directory for AI agents and automation.

Image
Integration & delivery
API management
Machine learning & AI
0

173

synitio/ad-mcp repository overview

synit.io - AD MCP

Controlled Active Directory Context for AI Agents

Product Overview

Synit AD MCP gives AI agents, service desk assistants and automation tools controlled, read-only access to Active Directory through the Model Context Protocol.

Agents can search for users and groups, inspect object attributes, resolve identities, analyse memberships and understand the effective Active Directory schema without receiving LDAP write permissions.

The service is deliberately separated from any write execution path. It can help an agent understand what exists in Active Directory and prepare a structured change request, but it cannot modify the directory, create an execution plan or apply a change.

This creates a clear operating model:

Agents can investigate and prepare. They cannot write.

Synit AD MCP is designed for organisations that want to make Active Directory context available to AI-assisted workflows without exposing privileged service accounts or building a separate collection of LDAP query scripts.

The standalone service supports structured MCP tools, response redaction, audit records, rate limiting, schema inspection and optional side-effect-free mutation drafts.

Built for interactive investigation

Active Directory questions often evolve during a conversation.

An initial request might ask whether a user exists. The next question may concern group membership, manager information, account attributes or whether a specific field is valid for the object class.

Synit AD MCP supports this interactive workflow by allowing agents to perform multiple structured read operations while retaining the read-only boundary.

An agent can:

  1. Search for an object using an account name, email address or attribute.
  2. Resolve the result to a distinguished name and object GUID.
  3. Retrieve additional object information.
  4. Inspect group membership.
  5. Review the applicable class and attribute schema.
  6. Prepare a structured draft for a separately governed workflow.

No LDAP-specific code needs to be generated by the agent.

One service for controlled directory context

Synit AD MCP is intended for:

  • AI assistants used by service desk teams
  • IAM investigation and support workflows
  • Platform engineering agents
  • Internal developer assistants
  • Security operations research
  • Directory inventory and analysis
  • Onboarding preparation
  • Group and entitlement investigation
  • Schema-aware request generation
  • Controlled agentic automation

The service can be exposed through Streamable HTTP for network-based agents or through standard input and output for local integrations.

Frequently Asked Questions

What customer problem does it solve?

Organisations increasingly use AI agents to support IT operations, but Active Directory context is usually available only through:

  • Direct LDAP access
  • PowerShell scripts
  • Manual administrative tools
  • Custom query APIs
  • Privileged service accounts
  • Human handoffs

These approaches make it difficult to provide agents with useful context without giving them unnecessary access or creating another custom integration.

Synit AD MCP provides a standardised read-only interface for this purpose.

Who is the product for?

Primary users include:

  • Service desk teams using AI assistants
  • IAM engineering teams
  • Platform and automation teams
  • Security operations teams
  • Enterprise architects
  • Internal AI platform teams
  • Developers building directory-aware assistants
What can an agent do with Synit AD MCP?

Depending on the available schema and configuration, an agent can:

  • Search for users by sAMAccountName
  • Search for users by email address
  • Search objects by attribute
  • Retrieve an object by distinguished name
  • List members of a group
  • Expand nested group membership recursively
  • Retrieve the groups associated with a user
  • Resolve a selector to a distinguished name, object GUID and object class
  • Inspect supported API operations
  • Inspect Active Directory object classes
  • Inspect Active Directory attribute metadata
  • Prepare a structured mutation request draft
What types of objects can be queried?

The service can work with users, groups and other Active Directory objects exposed through the configured directory and schema policies.

Object access remains subject to:

  • The permissions of the Active Directory bind account
  • Configured query scope
  • Attribute redaction
  • Attribute allow and deny lists
  • Base-DN policies
  • Recursive depth limits
  • Rate limits
Does Synit AD MCP modify Active Directory?

No.

The MCP tools do not perform Active Directory mutations.

Mutation operation names such as password changes, attribute updates, object deletion or account disablement are rejected by the read-only query path.

Can the service secretly write while resolving an object?

No.

Object lookup and schema discovery are read-only operations. They do not create plans, apply changes or resolve selectors through hidden directory writes.


Synit AD MCP is built and maintained by synit.io.

License: Synit Repository License Product and service information: Synit AD MCP

Tag summary

Content type

Image

Digest

sha256:3b7713025

Size

4.5 MB

Last updated

about 23 hours ago

docker pull synitio/ad-mcp