# Getting started with MCP BalkanID's MCP Server exposes the full BalkanID Identity Governance & Administration (IGA) platform to any AI assistant or agentic workflow that speaks the Model Context Protocol. Instead of building point-to-point integrations, security and IT teams can query identities, action access reviews, manage entitlements, and enforce governance policies using plain natural language — all with a complete audit trail. ## What is MCP? MCP stands for Model Context Protocol — an open standard that lets AI assistants like Claude securely connect to external platforms and take real actions on your behalf. BalkanID's MCP integration means the AI can query your identity data, action reviews, request access, and enforce policy — all with a full audit trail and without ever leaving your conversation. To learn more, see the [MCP Getting Started guide](https://modelcontextprotocol.io/docs/getting-started/intro). ## Features The BalkanID MCP Server exposes several capability areas. Each maps to a group of tools you can call from any MCP-compatible AI. ### Integration and Discovery #### Identity Discovery Get a real-time picture of every identity — human, service account, and bot — across all connected applications. Filter by type, status, application, or email. Example prompts: • "Find risky human identities — show me terminated employees with active access and any orphaned accounts across our apps." • "Show me all active service accounts in Azure that have no primary owner assigned." • "List all identities in Okta with orphaned status." • "Find all identities linked to across every integration." What you can do: • List all identities across connected apps with flexible filters (app, type, status, email, handle) • Discover terminated employees who still have active accounts • Find orphaned or unmapped identities with no HR record linkage • List all service principals and their credential expiry status • View entity relationships — which roles an identity holds, which resources a role grants access to #### Non-Human Identity & Credential Management Discover and track API keys, client secrets, OAuth tokens, X.509 certificates, and federated identity Credentials across every connected application. Example prompts: • "Show me risky non-human identities — especially service accounts with expired or unrotated credentials." • "Show me all expired credentials in Azure and flag which ones are on production service accounts." • "List all federated identity credentials and identify any with overly broad trust boundaries." • "Which service accounts have credentials expiring in the next 30 days?" What you can do: • List credentials filtered by status (active, expired, revoked), type, app, or owner • Identify expired secrets and certificates with no rotation in place • Surface federated identity credentials and review trust boundaries (issuers and subjects) • Cross-reference credentials to their owning identity and downstream resources #### Integration Mangement Manage your connected applications — all through conversation. You can also trigger a data sync on any [integration](/getting-started/setting-up-your-tenant/application-integrations.md) to pull in the latest identity changes.\ \ Example prompts: • "Show me all integrations in this tenant and their current sync status." • "Trigger a resync for the Azure integration." What you can do: • List all active integrations • Trigger an integration sync on demand ### HRIS Manage employees - List, create, onboard or edit employees, filter by department, title, manager, employment type, etc. \ \ Example prompts: • "Onboard a new contractor: , Software Engineer, reports to ." • Who reports to Jane Smith? Show direct reports and confirm reporting line. What you can do: • List, create, and edit employee records — email is the unique key (upsert on create) • Filter employees by department, title, manager, employment type, or termination status ### User Access Review (UAR) Manage the full lifecycle of [user access review (UAR)](/user-access-reviews/access-review-management.md) campaigns — from listing overdue campaigns to actioning individual reviews. See your full review queue, approve or deny individual items, bulk-approve low-risk roles, and delegate to colleagues — all with a single instruction. Example prompts: • "Show me all overdue access review campaigns and their completion rates." • "Approve the Reviewer-role items in the Q4 SOC campaign and delegate everything else to ." • "How many pending reviews do I have across all active campaigns?" What you can do: • List all campaigns with status, due dates, and completion percentages • Pull pending review items for any campaign, filtered by status • Approve or deny reviews individually or in bulk, with an optional reason recorded in the audit trail • Delegate reviews to another reviewer by email • Check your personal review queue across all campaigns and access requests ### Access Lifecycle Management Request access to business applications on behalf of yourself or colleagues through [access request](/lifecycle-management/access-requests.md) or [JITPBAC](/lifecycle-management/jitpbac.md) to eliminate standing access, track where requests are in the approval chain, and action any pending approvals assigned to you.\ Example prompts: • "Request temporary access to the BLR Manager purpose for , expiring in 7 days." • "Show me all pending access requests assigned to me for approval." What you can do: • List access requests with filters by requester, employee, status, or assignee • View full request detail including review history and current approver chain • Approve, reject, or delegate requests at the request level or individual review level • Create new purpose requests for any employee with time-window and auto-provision options • Assign or un-assign yourself from a Purpose directly (if eligible) #### JITPBAC: JITPBAC stands for Just-In-Time Privilege and Business Access Control — a security model where access is granted only when needed, for only as long as needed, and automatically expires. BalkanID MCP supports this natively through the Purposes engine. Example prompts for JITPBAC: • "Request access to the "Site Reliability Ohio Group" purpose for , expiring in 24 hours, with auto-provisioning enabled." • "Show me all purposes that are currently active." • "Approve the pending JITPBAC request for the Finance Approver purpose." {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.balkan.id/balkanid-mcp/getting-started-with-mcp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.