entraid-mcp-server

patst/entraid-mcp-server

EntraID secured MCP-Server demo

This demo shows how to secure an MCP-Server using EntraID (Azure AD). It uses the ModelContextProtocol SDK to create a Streamable HTTP server that implements the MCP-Server API.

The server can also be accessed in an unauthenticated mode by adding the header x-use-anonymous: true to the request. In that mode the server presents only the tools that do not require authentication.

This can serve as a pattern for offering read-only access to some tools while other tools require an authenticated user.

For more details see the Medium article at https://medium.com/@pat-st/securing-a-model-context-protocol-server-with-entraid-47a0fea72a76

Prerequisites

  • Node.js v18 or later

EntraID Setup

Create an EntraID App Registration:

az ad app create --display-name "MCP-Server Demo" --requested-access-token-version "2" --sign-in-audience "AzureADMyOrg"

Create a .env file in the root of the project with the following content:

AZURE_TENANT_ID=
AZURE_CLIENT_ID=
BASE_URL=http://localhost:3001

Use your tenant ID and the client ID (appId) of the app registration you just created.

  • Under Expose an API, expose a scope named user_impersonation for the app registration
  • Under Expose an API, add the following client IDs as preauthorized client applications, so these clients can request the scope without a separate consent prompt:
    1. aebc6443-996d-45c2-90f0-388ff96faa56 - default client ID for VS Code
    2. 04b07795-8ddb-461a-bbee-02f9e1bf7b46 - default client ID for the Azure CLI, which allows fetching a token for test purposes

Run the server

Execute npm run dev to start the server. It will be available at http://localhost:3001/mcp.

The .vscode/mcp.json file already contains the configuration required to connect to the server from VS Code.

If everything is set up correctly, you should be able to connect to the server from VS Code and will be prompted to authenticate with EntraID.

Two tools will then appear.

If you connect in unauthenticated mode using the following mcp.json configuration (note the x-use-anonymous header), only one tool will be presented:

{
  "servers": {
    "local-mcp-server": {
      "url": "http://localhost:3001/mcp",
      "type": "http",
      "headers": {
        "x-use-anonymous": "true"
      }
    }
  },
  "inputs": []
}