Skip to content

Add user_config to Azure MCP Bundle #2618

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pl4nty wants to merge 3 commits into
base: main
Choose a base branch
from
+121 −3
Open

Add user_config to Azure MCP Bundle #2618

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ddc3f09
Add user_config to Azure MCP Bundle
pl4nty May 10, 2026
61f78a0
Revert Azure MCP Bundle version to 0.3
pl4nty May 10, 2026
51a1997
Flag sensitive values in Azure MCP Bundle config
pl4nty May 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 121 additions & 3 deletions servers/Azure.Mcp.Server/mcpb/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{
"$schema": "https://raw.githubusercontent.com/modelcontextprotocol/mcpb/refs/heads/main/schemas/mcpb-manifest-v0.3.schema.json",
"manifest_version": "0.3",
"name": "Azure.Mcp.Server",
"display_name": "Azure MCP Server",
Expand Down Expand Up @@ -28,8 +29,31 @@
}
},
"command": "${__dirname}/server/azmcp",
"args": [ "server", "start" ],
"env": {}
"args": [
"server",
"start",
"--mode",
"${user_config.mode}",
"--debug",
"${user_config.debug}",
"--read-only",
"${user_config.read_only}",
Copy link
Copy Markdown
Contributor

@jongio jongio May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When user_config.debug is false (the default), this expands to --debug false. System.CommandLine parses it fine, but it means every launch always includes --debug false --read-only false --dangerously-disable-elicitation false which is noisy. Not blocking, but if mcpb supports conditional arg inclusion (only add when true), that'd be cleaner.

Copy link
Copy Markdown
Author

@pl4nty pl4nty May 14, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Conditional inclusion would be ideal, but I couldn't find any docs nor get it working with common syntax. I may end up writing a feature request on the spec repo for it

"--dangerously-disable-elicitation",
"${user_config.dangerously_disable_elicitation}"
],
"env": {
"AZURE_TENANT_ID": "${user_config.azure_tenant_id}",
"AZURE_CLIENT_ID": "${user_config.azure_client_id}",
"AZURE_CLIENT_SECRET": "${user_config.azure_client_secret}",
"AZURE_SUBSCRIPTION_ID": "${user_config.azure_subscription_id}",
"AZURE_CLOUD": "${user_config.azure_cloud}",
"AZURE_TOKEN_CREDENTIALS": "${user_config.azure_token_credentials}",
"AZURE_MCP_COLLECT_TELEMETRY": "${user_config.azure_mcp_collect_telemetry}",
"AZURE_MCP_COLLECT_TELEMETRY_MICROSOFT": "${user_config.azure_mcp_collect_telemetry_microsoft}",
"AZURE_MCP_ONLY_USE_BROKER_CREDENTIAL": "${user_config.azure_mcp_only_use_broker_credential}",
"AZURE_MCP_ENABLE_OTLP_EXPORTER": "${user_config.azure_mcp_enable_otlp_exporter}",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "${user_config.applicationinsights_connection_string}"
Comment thread
pl4nty marked this conversation as resolved.
Copy link
Copy Markdown
Contributor

@jongio jongio May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The server reads AZURE_MCP_COLLECT_TELEMETRY at ServiceStartCommand.cs:967-969. Empty/whitespace is treated as true (telemetry enabled). So empty string defaults for string env vars are safe and won't override existing user env in a harmful way.

But boolean-typed user_config values always resolve to a concrete true/false string. If a user previously set AZURE_MCP_COLLECT_TELEMETRY=false in their shell profile and the bundle sets it to true (from the manifest default), their opt-out is silently overridden. Worth documenting this behavior in the description fields, something like 'Overrides any existing environment variable when configured.'

Copy link
Copy Markdown
Author

@pl4nty pl4nty May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the server isn't run from a shell, so envvar overrides shouldn't be an issue. But I can mention just in case if you'd like

}
}
},
"tools": [],
Expand Down Expand Up @@ -94,6 +118,100 @@
"quick reference",
"cli"
],
"user_config": {
"azure_tenant_id": {
"type": "string",
"title": "Entra Tenant ID",
"description": "Entra tenant ID. Use this to authenticate against a specific tenant. Example: 00000000-0000-0000-0000-000000000000",
"default": ""
Copy link
Copy Markdown
Author

@pl4nty pl4nty May 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While implementing microsoft/fabric-rti-mcp#172, I noticed Claude Desktop only substitutes string variables if a value is provided. This can cause server issues like trying to parse a guid from raw ${user_config.azure_tenant_id}, so I've set default values

},
"azure_client_id": {
"type": "string",
"title": "Entra Client ID",
"description": "Client ID of a service principal or user-assigned managed identity. Example: 00000000-0000-0000-0000-000000000000",
"default": ""
},
"azure_client_secret": {
"type": "string",
"title": "Entra Client Secret",
"description": "Client secret for service principal authentication. Used together with AZURE_TENANT_ID and AZURE_CLIENT_ID for non-interactive environments.",
Comment thread
pl4nty marked this conversation as resolved.
"default": "",
"sensitive": true
},
"azure_subscription_id": {
"type": "string",
"title": "Azure Subscription ID",
"description": "Default Azure subscription ID or name to use when no subscription is specified in a command. Example: 00000000-0000-0000-0000-000000000000",
"default": ""
},
"azure_cloud": {
"type": "string",
"title": "Azure Cloud Environment",
"description": "Azure cloud environment to connect to. Examples: AzureCloud (default public cloud), AzureChinaCloud, AzureUSGovernment.",
"default": ""
},
"azure_token_credentials": {
"type": "string",
"title": "Azure Token Credentials",
"description": "Credential chain to use for authentication. Values: 'dev' (VS/VSCode/CLI/PowerShell/AzureDeveloperCLI + browser fallback), 'prod' (Workload Identity + Managed Identity, no interactive fallback), or a specific provider name such as 'AzureCliCredential' or 'ManagedIdentityCredential'.",
"default": ""
},
"azure_mcp_collect_telemetry": {
"type": "boolean",
"title": "Collect Telemetry",
"description": "Whether to allow Azure MCP Server to collect anonymous usage telemetry. Set to false to opt out.",
"default": true
Copy link
Copy Markdown
Author

@pl4nty pl4nty May 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Booleans in Claude Desktop are non-nullable and currently default to false

},
"azure_mcp_collect_telemetry_microsoft": {
"type": "boolean",
"title": "Collect Microsoft Telemetry",
"description": "Whether to allow Azure MCP Server to send anonymous usage telemetry to Microsoft. Enabled by default in release builds. Set to false to opt out of Microsoft-owned telemetry while keeping other telemetry settings unchanged.",
"default": true
},
"azure_mcp_only_use_broker_credential": {
"type": "boolean",
"title": "Only Use Broker Credential",
"description": "When set to true, restricts authentication to the broker credential only (e.g. Windows Web Account Manager). Useful in environments where only broker-based authentication is permitted.",
"default": false
},
"azure_mcp_enable_otlp_exporter": {
"type": "boolean",
"title": "Enable OTLP Exporter",
"description": "When set to true, enables the OpenTelemetry Protocol (OTLP) exporter for traces, metrics, and logs. Configure the exporter endpoint via standard OTEL_EXPORTER_OTLP_ENDPOINT environment variables.",
"default": false
},
"applicationinsights_connection_string": {
"type": "string",
"title": "Application Insights Connection String",
"description": "Azure Application Insights connection string for custom telemetry reporting.",
Comment thread
pl4nty marked this conversation as resolved.
"default": "",
"sensitive": true
},
"debug": {
"type": "boolean",
"title": "Debug",
"description": "Enable debug mode with verbose logging to stderr. Default: false.",
"default": false
},
"dangerously_disable_elicitation": {
"type": "boolean",
"title": "Disable User Confirmation (Not Recommended)",
"description": "Disable user confirmation (elicitation) before allowing high risk commands to run, such as returning secrets (passwords) from KeyVault. When enabled, tools that handle secrets, credentials, or sensitive data will execute without user confirmation. This removes an important security layer designed to prevent unauthorized access to sensitive information. Only use this option in trusted, automated environments where user interaction isn't possible. Never use this option in production environments or when handling untrusted input. Default: false.",
"default": false
},
"mode": {
"type": "string",
"title": "Mode",
"description": "Server mode: namespace, consolidated, all, or single. Default: namespace.",
"default": "namespace"
},
"read_only": {
"type": "boolean",
"title": "Read Only",
"description": "Whether the MCP server should be read-only. If true, no write operations are allowed. Default: false.",
"default": false
}
},
"license": "MIT",
"privacy_policies": [
"https://www.microsoft.com/privacy/privacystatement"
Expand All @@ -106,4 +224,4 @@
"linux"
]
}
}
}