okta · teads-sylvain · Feb 24, 2026
diff --git a/README.md b/README.md
@@ -474,6 +474,7 @@ The Okta MCP Server provides the following tools for LLMs to interact with your
 | ----------------------------- | ------------------------------------------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `list_applications`           | List all applications in your Okta organization  | - `Show me the applications in my Okta org` <br> - `Find applications with 'API' in their name` <br> - `What SSO applications do we have configured?`         |
 | `get_application`             | Get detailed information about a specific app    | - `Show me details for the Salesforce application` <br> - `What are the callback URLs for our mobile app?` <br> - `Get the client ID for our web application` |
+| `get_app_user`                | Get a user's assignment and profile for an app   | - `Show me the app user profile for john.doe in the Salesforce app` <br> - `What attributes are mapped for this user in our SSO app?` <br> - `Get the external ID for this user in the provisioning app` |
 | `create_application`          | Create a new application                          | - `Create a new SAML application for our HR system` <br> - `Set up a new API service application` <br> - `Add a mobile app integration`                       |
 | `update_application`          | Update an existing application                    | - `Update the callback URLs for our web app` <br> - `Change the logo for the Salesforce application` <br> - `Modify the SAML settings for our HR system`      |
 | `delete_application`          | Delete an application (requires confirmation)     | - `Delete the old legacy application` <br> - `Remove the unused test application` <br> - `Clean up deprecated integrations`                                   |

diff --git a/src/okta_mcp_server/tools/applications/applications.py b/src/okta_mcp_server/tools/applications/applications.py
@@ -123,6 +123,38 @@ async def get_application(ctx: Context, app_id: str, expand: Optional[str] = Non
         return {"error": str(e)}
 
 
+@mcp.tool()
+async def get_app_user(ctx: Context, app_id: str, user_id: str) -> Any:
+    """Get a user assignment for an application by app ID and user ID.
+
+    Parameters:
+        app_id (str, required): The ID of the application
+        user_id (str, required): The ID of the user
+
+    Returns:
+        Dictionary containing the app user profile and assignment details.
+    """
+    logger.info(f"Getting app user: app_id={app_id}, user_id={user_id}")
+
+    manager = ctx.request_context.lifespan_context.okta_auth_manager
+
+    try:
+        client = await get_okta_client(manager)
+        logger.debug(f"Calling Okta API to get app user {user_id} in app {app_id}")
+
+        app_user, _, err = await client.get_application_user(app_id, user_id)
+
+        if err:
+            logger.error(f"Okta API error while getting app user {user_id} in app {app_id}: {err}")
+            return {"error": str(err)}
+
+        logger.info(f"Successfully retrieved app user: {user_id} in app {app_id}")
+        return app_user
+    except Exception as e:
+        logger.error(f"Exception while getting app user {user_id} in app {app_id}: {type(e).__name__}: {e}")
+        return {"error": str(e)}
+
+
 @mcp.tool()
 async def create_application(ctx: Context, app_config: Dict[str, Any], activate: bool = True) -> Any:
     """Create a new application in the Okta organization.