
PowerShell admins already know the hard part: the automation logic, the module landscape, the quirks of Graph permissions and Intune policy scopes. The bottleneck is time spent digging through documentation, piecing together the right sequence of cmdlets, and debugging the third parameter on a function you use twice a year. MCP changes that dynamic. By exposing your live PowerShell session as a set of tools an AI agent can call, you get an assistant that can draft, execute, and iterate on scripts in your actual environment while you stay in control of every step.
What the PowerShell MCP server does
The MCP server acts as a bridge between an AI client (Claude Code, Claude Desktop, Cursor) and a persistent PowerShell console running on your machine. The AI does not get a sandbox or a simulated shell; it talks to your real session with your credentials and your modules loaded.
Five core tools are exposed to the client:
- start_powershell_console – launches and attaches to a console
- get_current_location – returns the working directory and provider
- invoke_expression – runs any PowerShell expression and returns output
- wait_for_completion – waits for a long-running command to finish
- generate_agent_id – creates a unique ID for parallel agent operations
Because the session is persistent, you authenticate once (to Azure, Exchange, Graph, whatever) and that authentication survives across every subsequent command in the conversation. No re-prompting for credentials mid-workflow.
Installing PowerShell.MCP
Microsoft announced an official PowerShell MCP server as part of their 2026 roadmap, but it has not shipped yet. The community server, yotsuda/PowerShell.MCP, is the production-ready option available today. It is distributed through PowerShell Gallery:
Install-PSResource PowerShell.MCP
Get-MCPProxyPath
The second command returns the path to the proxy executable. You will need this for the client configuration. Requirements are PowerShell 7.4 or later and any MCP-compatible client.
Configuring it with Claude Code
Claude Code reads MCP server configurations from ~/.claude/claude_desktop_config.json. Add an entry under mcpServers using the path returned by Get-MCPProxyPath:
{
  "mcpServers": {
    "powershell": {
      "command": "C:\\Users\\yourname\\AppData\\Local\\Microsoft\\PowerShell\\7\\Modules\\PowerShell.MCP\\..\\proxy.exe",
      "args": []
    }
  }
}
Backslashes in a Windows path must be doubled inside a JSON string, as shown. On macOS or Linux the path will be under the user’s .local or home directory instead. After saving the file, restart Claude Code. The PowerShell tools appear in the tool picker and the agent can start a console on first use.
Claude Desktop uses the same config format and the same file path, so you can share the configuration between the two clients.
Practical examples
Entra ID bulk operations. The Microsoft Graph PowerShell module exposes the full Graph API surface through cmdlets. Instead of looking up Get-MgGroupMember parameters and the right filter syntax, you can describe what you need: “list all users in the Azure AD group ‘Finance UK’ who have not logged in for 90 days, and export them to CSV.” The agent writes the cmdlets, runs them against your session, shows you the output, and only proceeds to the next step after you confirm. If permissions are missing, it tells you exactly which Graph scope to add and how to consent to it.
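The request quoted above, written out as the kind of script you would be reviewing before confirming each step. This is an added example, not output from PowerShell.MCP or code from the original article; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules are installed, and the CSV file name is a placeholder.

```powershell
# Added example: read-only report of 'Finance UK' members with no sign-in for 90 days.
# signInActivity requires the AuditLog.Read.All scope in addition to user read access.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All', 'AuditLog.Read.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Display names are not unique, so refuse to continue on zero or multiple matches.
$group = @(Get-MgGroup -Filter "displayName eq 'Finance UK'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named 'Finance UK', found $($group.Count)"
}

$stale = Get-MgGroupMember -GroupId $group[0].Id -All |
    # Group members can also be devices, nested groups or service principals.
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object {
        # signInActivity is only returned when requested explicitly.
        Get-MgUser -UserId $_.Id -Property 'id,displayName,userPrincipalName,accountEnabled,signInActivity'
    } |
    Where-Object {
        # A null value means no recorded interactive sign-in; treat it as stale.
        $last = $_.SignInActivity.LastSignInDateTime
        -not $last -or $last -lt $cutoff
    } |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } }

# Placeholder output path.
$stale | Export-Csv -Path .\FinanceUK-stale-90d.csv -NoTypeInformation
$stale | Format-Table -AutoSize
```

LastSignInDateTime covers interactive sign-ins only, so check that this matches what "not logged in" should mean before acting on the list.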
Intune compliance reports. Pulling a cross-device compliance report through the Intune portal is slow and hard to customise. With Graph PowerShell through MCP, the agent can query Get-MgDeviceManagementManagedDevice with whatever filters you need, join it against device categories or assignment groups, and format the result as a table or CSV in one pass. A workflow that would normally take 20 minutes of portal navigation and export clicks runs in under a minute.
Module discovery. When you need to automate something you do not do often, the first step is usually “which module handles this, and how do I connect?” Ask the agent: “I need to manage Exchange Online transport rules.” It installs ExchangeOnlineManagement if it is not already present, runs Connect-ExchangeOnline, and drafts the first cmdlet in the workflow. You stay in the same terminal session throughout.
Security considerations
The MCP server runs under your own identity. There is no privilege escalation and no hidden execution: every command the agent runs appears in your PowerShell history and is subject to whatever logging policy is in place on the machine. If you have Script Block Logging or Constrained Language Mode configured, those controls apply to MCP-invoked commands the same as any other script.
The practical implication is that the server inherits whatever the console has access to. If you open it as a global admin on a production tenant, the agent can do global-admin-level things. Use a least-privilege account or a separate console profile for sensitive environments.
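A pre-flight check to run in the console before attaching an agent, reporting what the session would hand over. This is an added example, not part of PowerShell.MCP; the function name and the default list of risky scopes are hypothetical, and it assumes a Windows console in FullLanguage mode.

```powershell
# Added example. Test-AgentConsoleReadiness and the $RiskyScopes default are
# hypothetical names and values; tune the list to your own tenant.
function Test-AgentConsoleReadiness {
    param(
        [string[]]$RiskyScopes = @(
            'Directory.ReadWrite.All',
            'RoleManagement.ReadWrite.Directory',
            'DeviceManagementConfiguration.ReadWrite.All')
    )
    $findings = @()

    # Script Block Logging: machine-level Group Policy keys only. PowerShell 7
    # reads the PowerShellCore key and can defer to the Windows PowerShell one.
    $pol   = 'HKLM:\SOFTWARE\Policies\Microsoft'
    $core  = Get-ItemProperty "$pol\PowerShellCore\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $winps = Get-ItemProperty "$pol\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $sbl = ($core.EnableScriptBlockLogging -eq 1) -or
           ($core.UseWindowsPowerShellPolicySetting -eq 1 -and $winps.EnableScriptBlockLogging -eq 1)
    if (-not $sbl) { $findings += 'No Script Block Logging policy found; agent commands may not be logged' }

    # Elevation: an elevated console gives the agent local administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = [Security.Principal.WindowsPrincipal]::new($id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($elevated) { $findings += 'Console is elevated; start a non-elevated one for the agent' }

    # Graph: list the delegated scopes the agent would inherit from this session.
    $ctx  = if (Get-Command Get-MgContext -ErrorAction SilentlyContinue) { Get-MgContext }
    $held = @($ctx.Scopes | Where-Object { $_ -in $RiskyScopes })
    if ($held.Count) { $findings += "Graph session holds write scopes: $($held -join ', ')" }

    [pscustomobject]@{
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging = $sbl
        Elevated           = $elevated
        GraphAccount       = $ctx.Account
        RiskyScopesHeld    = $held
        Findings           = $findings
    }
}

Test-AgentConsoleReadiness | Format-List
```

An empty Findings list means none of the three checks fired; it does not cover logging configured through powershell.config.json or per-user policy.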
For teams that want to expose PowerShell to AI without giving free-form shell access, PowerShell Universal offers an enterprise MCP server where you define a curated set of tools (specific functions with parameter constraints) and enforce role-based access control. The AI only sees the tools you choose to publish, nothing else.
Microsoft’s own work on the official PowerShell MCP server is focused on this same problem: safety and controlled execution as a first-class design goal, not an afterthought. When it ships, it will likely include native Entra ID authentication and DSC v3 tooling. The community server is a solid bridge in the meantime, and the two will probably share a compatible configuration format once the official version lands.