Building a Custom MCP Server Secured by Microsoft Entra ID
Date: 2026-05-28
Learn how to build and secure your own MCP Server using Microsoft Entra ID OAuth authentication, enabling protected access for your Microsoft 365 Copilot and Agentic applications.
Tags: ["Microsoft 365", "MCP", "Entra ID", "Azure", "Security"]
Building custom MCP (Model Context Protocol) Servers is becoming essential for extending AI agent applications' capabilities within enterprise ecosystems. However, exposing these servers on public or semi-public networks introduces significant risks if not secured appropriately. In this post, we explore how to leverage Microsoft Entra ID for robust OAuth-based security on your MCP Server, ensuring only authorized clients and users can access your valuable organizational resources and tools.
This article builds on the author's prior work setting up MCP Servers for consumption by Copilot Studio, adding an important security layer by integrating Microsoft Entra ID app registrations to protect the server endpoints with scopes and enforced access tokens. We'll walk through the setup, configuration, authentication flows, and testing using the popular MCP Inspector client tool, illustrating how to deploy a secure, OAuth-protected MCP Server easily.
Whether you want to rapidly prototype or productionize MCP Servers for Microsoft 365 Copilot, Claude, or other agentic platforms, this guide will give you a clear path to locking down your servers with proven Microsoft identity platform techniques while maintaining a smooth developer experience.
Architecture Overview
[Architecture diagram: enterprise data sources, Foundry platform, AI applications]
Key Technical Observations
- Dual Entra ID Applications Enable Scoped Security: the pattern involves creating two separate Entra ID apps, one for the MCP Server to expose APIs and scopes, and another for the MCP Client to consume those scopes. This separation allows fine-grained permission management and token issuance tailored to client-server interactions.
- Custom OAuth Scopes for Access Control: the MCP Server app defines a custom scope, mcp.tools, which acts as the gatekeeper for access. Clients must request and receive tokens containing this scope to access MCP Server endpoints, ensuring authorization policies can be enforced effectively.
- Dynamic Discovery with OAuth Metadata Endpoints: the server exposes well-known endpoints such as /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server that provide clients with vital information on authentication flows, supported parameters, and token usage. This supports dynamic client configuration and reduces manual setup errors.
- Use of Access Token Version 2: by modifying the Entra ID app manifest to request access token version 2, the MCP Server can provide an Application ID URI that aligns with client expectations (e.g., using HTTPS local URLs), enhancing compatibility with tools like MCP Inspector.
- Localhost Redirect URIs for Developer Experience: configuring redirect URIs such as http://localhost:6274/oauth/callback enables local development and interactive testing with MCP Inspector without deploying to Azure initially, speeding iteration and debugging.
- Stateless MCP Servers with Authentication Policy Enforcement: setting the MCP Server to stateless mode simplifies server scaling but requires robust authentication enforcement in middleware, typically by validating bearer tokens, including the required mcp.tools scope, on every request.
How It Works
Setting up the Infrastructure
Start by cloning the secure MCP Server sample repository from GitHub (SimonDoy/microsoft365-dev-samples) to your machine. You then create two Microsoft Entra ID applications:
- MCP Server App Registration: this app exposes the API, defines the mcp.tools scope, and publishes OAuth metadata endpoints for clients' dynamic discovery.
- MCP Client App Registration: this app represents the client that will connect to the MCP Server, requesting tokens for the mcp.tools scope.
Configuring the MCP Server Entra ID App
- In your MCP Server Entra ID app, navigate to Expose an API.
- Take the default Application ID URI or customize it (e.g., https://localhost:7143/api/mcp).
- Add a scope named mcp.tools to represent the permission clients need.
- Edit the manifest to set "requestedAccessTokenVersion": 2.
- Add redirect URIs under Authentication (e.g., http://localhost:6274/oauth/callback) to support the MCP Inspector OAuth flow.
- Assign API permissions and grant admin consent appropriately.
Configuring the MCP Client Entra ID App
- Add the MCP Server app's mcp.tools scope as an API permission.
- Set the redirect URI as a Single Page Application type (e.g., http://localhost:6274/oauth/callback).
- Enable Access tokens under the authentication settings for the implicit flow.
- Grant admin consent.
Fire Up and Configure the MCP Server
Update the appsettings.Development.json in your MCP Server project:
{
  "AzureAd": {
    "TenantId": "",
    "Audience": "",
    "ClientId": "",
    "RequiredScope": "mcp.tools"
  }
}
Compile and run the MCP Server locally on HTTPS port 7143.
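The wiring that the Key Technical Observations and the appsettings section above describe, as an added example rather than the sample repository's own code: a Program.cs that binds the AzureAd section, validates each incoming bearer token against the tenant, requires the mcp.tools scope through an authorization policy, and hosts the MCP endpoint at /api/mcp in stateless mode. It assumes the Microsoft.Identity.Web and ModelContextProtocol.AspNetCore NuGet packages; the policy name McpTools, the EchoTool class and the Stateless transport option are assumptions, not values taken from the page.

```csharp
// Added example, not the sample repository's code. Assumes the NuGet packages
// Microsoft.Identity.Web and ModelContextProtocol.AspNetCore and the "AzureAd"
// section from appsettings.Development.json (TenantId, ClientId, Audience, RequiredScope).
using System.ComponentModel;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using ModelContextProtocol.Server;

var builder = WebApplication.CreateBuilder(args);

// Validates signature, issuer (the tenant's v2.0 authority), audience and lifetime
// of every bearer token using the signing keys published by Microsoft Entra ID.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Authorization policy (name "McpTools" is assumed): a token that is valid but
// lacks the mcp.tools scope gets 403 instead of being allowed to list or call tools.
string requiredScope = builder.Configuration["AzureAd:RequiredScope"] ?? "mcp.tools";
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("McpTools", policy => policy
        .RequireAuthenticatedUser()
        .RequireScope(requiredScope));   // Microsoft.Identity.Web: checks the "scp" claim
});

// Stateless HTTP transport (option name assumed): no session survives between
// requests, so every request must present its own valid bearer token.
builder.Services
    .AddMcpServer()
    .WithHttpTransport(options => options.Stateless = true)
    .WithToolsFromAssembly();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Mount the MCP endpoint where the Application ID URI points and gate it with the policy.
app.MapMcp("/api/mcp").RequireAuthorization("McpTools");

app.Run();

// A minimal tool so MCP Inspector has something to discover once authenticated.
[McpServerToolType]
public static class EchoTool
{
    [McpServerTool, Description("Echoes the message back to the caller.")]
    public static string Echo(string message) => $"Echo: {message}";
}
```

With this arrangement a request with no token is answered 401 by the authentication middleware, a token issued for a different audience fails validation, and a token for the right audience without the mcp.tools scope is refused by the policy; only the last case reaches the MCP transport.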
Testing Authentication with MCP Inspector
Install MCP Inspector globally with npx @modelcontextprotocol/inspector. Connect it to https://localhost:7143/api/mcp using your MCP Client app's Client ID and the scope https://localhost:7143/api/mcp/mcp.tools.
Open Auth Settings → Quick OAuth Flow, sign in, and observe the access token acquisition. Once authenticated, MCP Inspector can successfully discover server tools and APIs protected by Entra ID.
Why This Approach?
Using the .NET MCP SDK simplifies the server codebase but requires additional manual setup to reach the full dynamic-discovery compatibility seen in the Microsoft Dataverse MCP Server. The blog author had to implement custom endpoints to mimic /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server, since the SDK's default support was limited.
This manual approach allowed a closer conformance to OAuth standards needed by MCP clients like MCP Inspector that rely on dynamic OAuth metadata for a smooth authentication experience.
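What those two custom endpoints can serve, as an added example and not the author's implementation: both discovery documents built from the AzureAd configuration section, plus a 401 challenge that points unauthenticated callers at the resource metadata so an OAuth-aware client can find it without manual configuration. The field names follow RFC 9728 (protected resource metadata) and RFC 8414 (authorization server metadata); the authorize, token and JWKS URLs are the public Entra ID v2.0 endpoints under login.microsoftonline.com. The Microsoft.AspNetCore.Authentication.JwtBearer package and the fallback values used when configuration is empty are assumptions.

```csharp
// Added example, not the sample repository's code. Serves the two OAuth discovery
// documents the text describes, built from the AzureAd configuration section.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

string tenantId = builder.Configuration["AzureAd:TenantId"] ?? "<tenant-id>";      // placeholder fallback
string requiredScope = builder.Configuration["AzureAd:RequiredScope"] ?? "mcp.tools";
// Matches the Application ID URI chosen under "Expose an API".
string resource = builder.Configuration["AzureAd:Audience"] ?? "https://localhost:7143/api/mcp";
string authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
string resourceMetadataUrl = "https://localhost:7143/.well-known/oauth-protected-resource";

// RFC 9728 section 5.1: the 401 challenge names the metadata document, so a client
// that was given only the MCP URL can discover how to authenticate.
builder.Services.PostConfigure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
    options.Challenge = $"Bearer resource_metadata=\"{resourceMetadataUrl}\"");

var app = builder.Build();

// RFC 9728: which authorization server protects this resource, which scope to
// request, and that the token must travel in the Authorization header.
app.MapGet("/.well-known/oauth-protected-resource", () => Results.Json(new
{
    resource,
    authorization_servers = new[] { authority },
    scopes_supported = new[] { $"{resource}/{requiredScope}" },
    bearer_methods_supported = new[] { "header" },
}));

// RFC 8414 shape, filled with the tenant's Entra ID v2.0 endpoints. Only the
// authorization code flow with PKCE is advertised, which is what MCP Inspector uses.
app.MapGet("/.well-known/oauth-authorization-server", () => Results.Json(new
{
    issuer = authority,
    authorization_endpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize",
    token_endpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
    jwks_uri = $"https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys",
    response_types_supported = new[] { "code" },
    grant_types_supported = new[] { "authorization_code", "refresh_token" },
    code_challenge_methods_supported = new[] { "S256" },
    scopes_supported = new[] { $"{resource}/{requiredScope}" },
}));

app.Run();
```

Both documents are public by design (they contain no secrets), so they should be mapped without an authorization requirement; the scope string advertised here is the full URI form that MCP Inspector is given in the testing step, while the token's scp claim carries only the short name mcp.tools.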
Quick Tips & Tricks
- Define a Clear Naming Convention for Entra ID Apps: use consistent, descriptive names such as [OrgName] MCP Server (Dev) and [OrgName] MCP Client (Dev) to avoid confusion when managing multiple app registrations.
- Use Access Token Version 2 for Better URI Flexibility: updating the Entra ID app manifest's "requestedAccessTokenVersion" to 2 lets you customize Application ID URIs, which can be critical for local development and testing.
- Include Localhost Redirect URIs for Development: add http://localhost:6274/oauth/callback as a redirect URI in both the MCP Server and Client apps to enable smooth local OAuth testing with tools like MCP Inspector.
- Grant Admin Consent Early in Setup: always grant admin consent for API permissions after configuration to prevent frustrating access token errors during client authentication.
- Test with MCP Inspector Before Deploying: using MCP Inspector locally helps debug authentication issues, validate OAuth flows, and ensure your MCP Server configuration is correct before moving to cloud deployments.
- Consider Stateful vs Stateless MCP Servers Carefully: stateless mode simplifies the architecture but may cause issues with some clients; plan to test stateful configurations if you encounter authentication or usage anomalies.
Conclusion
Securing your MCP Server with Microsoft Entra ID is a critical step in enabling safe and scalable AI integrations with Microsoft 365 Copilot and related platforms. This approach leverages proven OAuth standards, custom scopes, and dynamic discovery to tightly control access to your agentic extensions and business capabilities.
By following the configuration and testing steps outlined here, you can rapidly get a secured MCP Server running locally, verify authentication flows with MCP Inspector, and prepare for deployment to production. The use of the .NET MCP SDK combined with Entra ID app registrations sets up a robust foundation for further innovation in AI agent tooling.
Looking ahead, the MCP Server security landscape will only become more essential as organizations embrace federated, multi-tenant AI scenarios. Microsoft Entra ID’s evolving features promise continued enhancements in seamless authentication and authorization flows tailored for next-gen AI infrastructure.
References
- Building a Custom MCP Server secured by Entra ID | Simon Doy's Blog — Original detailed walkthrough and source code.
- Microsoft 365 & Power Platform weekly call – 26th of May, 2026 (YouTube) — Microsoft community call referenced for MCP Server and Entra ID insights.
- Microsoft365-dev-samples / copilot-secure-mcp-azure-containers GitHub — Secure MCP Server sample repository.
- How to: Build a Custom MCP Server with the .NET MCP SDK, host as an Azure Container and connect to Copilot Studio — Guide on hosting MCP Server in Azure.
- Microsoft Identity Platform Documentation — Official Microsoft docs on app registrations, OAuth flows, and token management.