MCP server
Connect Claude, Cursor, GitHub Copilot, or any MCP-compatible agent to Permafrost so it can pull findings, identity risk, and entitlement context into your editor mid-review.
What MCP gives your agent
MCP — the Model Context Protocol — is the wire format AI coding agents speak to call external tools. Permafrost runs an MCP server at https://app.permafrostepm.com/api/mcp. Once connected, your agent can ask Permafrost about findings, identity risk, and over-permissioned role assignments as part of a normal review conversation, scoped to the customer the API key belongs to.
The server is read-only. It exposes the same capability surface as the REST API at /api/v1/* reshaped for tool-calling. Write actions (remediation, role changes) remain on the dashboard where they belong — the agent sees and reasons, the human acts.
Supported clients
Any MCP-compatible client over HTTP+JSON-RPC works. We test against:
- Claude Desktop (Anthropic)
- Cursor
- GitHub Copilot Chat (MCP preview)
- Any MCP-aware editor or agent framework
Connecting your agent
The connection target is https://app.permafrostepm.com/api/mcp. Authentication reuses the public-API bearer-key path: issue a key from Settings → API keys with the read:findings, read:identities, and read:rolesscopes, then add it to your client's MCP config.
For Claude Desktop, add the server to your config file:
{
"mcpServers": {
"permafrost": {
"url": "https://app.permafrostepm.com/api/mcp",
"headers": {
"Authorization": "Bearer pfrost_..."
}
}
}
}For Cursor and other clients, point at the same URL and supply the same bearer header. Every request is rate-limited per key (1,000 requests per 15-minute window) and isolated to the customer the key was issued under.
Available tools
The MCP server exposes five tools. Names and descriptions are surfaced to the agent verbatim, so the agent can pick the right tool for the question it's answering.
list_findingsList open security findings for the connected Azure/M365 tenant. Filters by severity and finding type. Returns up to 100 rows per call.
get_identity_riskGet the risk profile and open findings for a specific identity (user or service principal) by UPN, display name, or object ID.
list_tier0_identitiesList identities holding Tier-0 roles — Global Administrator, Privileged Role Administrator, User Access Administrator, Owner. Returns up to 50 rows per call.
get_recommended_rolesGet least-privilege role recommendations for identities with over-permissioned assignments. Optionally filter to a specific identity.
summarize_postureSummarize the overall identity security posture: open finding counts by severity, privileged identity count, top finding types.
Example conversation
A typical reviewer flow once the server is connected:
You: Claude, what are the critical findings in my tenant?
Claude: [calls summarize_posture]
You have 3 critical, 12 high, 47 medium open findings.
[calls list_findings with severity=critical]
The 3 critical findings are:
1. tier0_admin_no_ca_mfa — admin@contoso.com lacks
a Conditional Access MFA grant.
2. sp_unused_high_priv_credential — automation-deploy-sp
holds Contributor at the subscription scope but
has not signed in for 94 days.
3. guest_with_priv_role — partner@vendor.com is a guest
assigned Privileged Authentication Administrator.The agent reasons over the structured JSON each tool returns, then paraphrases for the analyst. The analyst decides what to act on; the agent never executes a write.
Tenant isolation
Every tool call is scoped to the customer that issued the API key. A key issued by customer A can never read customer B's data — the isolation check happens at the database query layer, not as a post-filter. The agent itself runs on the analyst's machine; Permafrost never sees the conversation, only the tool calls.