Copilot AI commented Nov 16, 2025

Purpose

Implements On-Behalf-Of (OBO) flow for calling Microsoft Graph API on behalf of authenticated users. Demonstrates token exchange pattern using Azure Managed Identity and App Service authentication.

Does this introduce a breaking change?

[ ] Yes
[x] No

Pull Request Type

[ ] Bugfix
[x] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code
git clone https://github.com/Azure-Samples/mcp-sdk-functions-hosting-python.git
cd mcp-sdk-functions-hosting-python
git checkout copilot/add-get-user-tool-obo-flow
  • Test locally (limited - requires Azure infrastructure)
python3 -m py_compile get_user.py
  • Deploy and test OBO flow
# Update host.json to use get_user.py instead of weather.py
# Deploy to Azure
azd up

# Connect via VS Code MCP client
# Call get_current_user tool - returns Microsoft Graph /me data

What to Check

Verify that the following are valid

  • get_user.py implements complete OBO token exchange flow
  • Dependencies include azure-identity>=1.19.0, starlette>=0.49.1, uvicorn>=0.34.0
  • No security vulnerabilities in new dependencies (CodeQL clean)
  • Sensitive user data (ID, phone numbers) properly masked
  • Documentation explains OBO flow steps and usage

Other Information

Implementation based on: anthonychu/mcp-sdk-functions-hosting-node-auth

OBO Flow:

  1. Extract bearer token from Authorization header (App Service auth)
  2. ManagedIdentityCredential obtains assertion token for exchange
  3. OnBehalfOfCredential exchanges user token for Graph token
  4. Call Graph API /me endpoint
  5. Return masked user data

Key Files:

  • get_user.py - New MCP server with get_current_user tool
  • pyproject.toml - Added azure-identity, starlette, uvicorn dependencies
  • README.md - OBO flow documentation and usage instructions

Infrastructure already configured for OBO (Entra app, federated identity, environment variables). Tool requires deployment to Azure - local execution returns informational message about missing auth context.

Original prompt

This section details the original issue you should resolve

<issue_title>Add get user tool to demo obo flow by referencing Node sample</issue_title>
<issue_description>Add a new tool that gets info of logged in user from Microsoft Graph to demonstrate OBO (on-behalf-of) flow in MCP server.

Use this Node sample as a reference: https://github.com/anthonychu/mcp-sdk-functions-hosting-node-auth

The goal is to add the new tool and related files to demo the OBO flow. Don't do anything else. Summarize what you've done. </issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits November 16, 2025 04:05
Co-authored-by: lilyjma <25314976+lilyjma@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add get user tool to demonstrate OBO flow" to "Add get_user tool demonstrating OBO flow with Microsoft Graph" on Nov 16, 2025
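
The five OBO steps listed in the pull request description, written out as an added example; this is not the pull request's get_user.py or any code from the repository. The environment variable names (MI_CLIENT_ID, TENANT_ID, APP_CLIENT_ID), the masking rule (keep the last four characters) and the set of returned fields are assumptions made for illustration.

```python
import json
import os
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default"  # audience for federated credential assertions

def extract_bearer(headers):
    """Step 1: return the token from 'Authorization: Bearer <token>', else None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token

def mask(value, keep=4):
    """Star out all but the last `keep` characters; short values are fully masked."""
    text = "" if value is None else str(value)
    shown = keep if len(text) > keep else 0
    return "*" * (len(text) - shown) + text[len(text) - shown:]

def mask_user(profile):
    """Step 5: allow-list the returned fields and mask the ID and phone numbers."""
    return {
        "displayName": profile.get("displayName"),
        "userPrincipalName": profile.get("userPrincipalName"),
        "id": mask(profile.get("id")),
        "mobilePhone": mask(profile.get("mobilePhone")),
        "businessPhones": [mask(p) for p in profile.get("businessPhones") or []],
    }

def get_current_user(headers):
    """Steps 1-5 end to end; without a bearer token it returns an informational message."""
    user_token = extract_bearer(headers)
    if user_token is None:  # e.g. a local run with no App Service auth in front
        return {"error": "no bearer token in request; auth context missing"}
    from azure.identity import ManagedIdentityCredential, OnBehalfOfCredential
    mi = ManagedIdentityCredential(client_id=os.environ["MI_CLIENT_ID"])  # hypothetical name
    obo = OnBehalfOfCredential(
        tenant_id=os.environ["TENANT_ID"],      # hypothetical name
        client_id=os.environ["APP_CLIENT_ID"],  # hypothetical name
        client_assertion_func=lambda: mi.get_token(EXCHANGE_SCOPE).token,  # step 2
        user_assertion=user_token,
    )
    graph_token = obo.get_token(GRAPH_SCOPE).token  # step 3: user token -> Graph token
    req = urllib.request.Request("https://graph.microsoft.com/v1.0/me",
                                 headers={"Authorization": "Bearer " + graph_token})
    with urllib.request.urlopen(req, timeout=10) as resp:  # step 4
        return mask_user(json.load(resp))
```

Allow-listing fields in `mask_user` means a Graph response that gains new attributes cannot leak them through the tool by default.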
Development

Successfully merging this pull request may close these issues.

Add get user tool to demo obo flow by referencing Node sample