Why does Copilot CLI show MCP policy error despite --disable-builtin-mcps in GitHub Actions?

[You-saku]

I am using the GitHub Copilot CLI in GitHub Actions.
Even though I have added the disable-builtin-mcps option, I still get the following error:

! Third-party MCP servers are disabled by your organization's Copilot policy.
  Only built-in servers are available.

What could be causing this?

The workflow YAML is defined as follows:

- name: Run Copilot Issue Review
  env:
    COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
  run: |
    copilot \
      --disable-builtin-mcps \
      -p "prompt"

[Nickalus12]

I've seen this happen because --disable-builtin-mcps only tells the CLI not to load the local default tools (like git or shell), but it doesn't skip the server-side policy handshake.

The CLI performs a capability check against your organization's settings the moment you use a prompt (-p). If your GitHub Org has "Third-party MCP servers" disabled under Organization Settings > Copilot > Policies, the backend returns that restriction and the CLI surface-level error triggers immediately—even if you aren't actually trying to call a third-party server.

To fix this, you'll likely need an admin to toggle that policy to "Enabled" or "Unverified" in the GitHub web UI. IIRC, the CLI currently treats the agentic harness initialization as a "third-party" request context in some environments, so it hits that wall before it even processes your local flags.

If you can't change the Org policy, check if you can run the command without the prompt flag to see if it's purely the agentic path causing the trigger, though for your use case that might not be an option.

[You-saku]

@Nickalus12
Thanks！ that makes a lot of sense.

"Third-party MCP servers"

Could you clarify what exactly “third-party MCP servers” refers to in this context? I need to explain this to our organization admin before requesting a policy change.

I need to explain this clearly to our organization admin before requesting a policy change.If there’s any official documentation describing this, it would be very helpful if you could share a URL as well.