This demo shows how to secure an MCP-Server using EntraID (Azure AD). It uses the ModelContextProtocol SDK to create a Streamable HTTP server that implements the MCP-Server API.
The server can also be accessed in an unauthenticated mode by adding the header `x-use-anonymous: true` to the request. In that mode only the tools that do not require authentication are provided.
This could be used, for example, to give read-only access to some tools while other tools require authentication.
For more details see the Medium article at https://medium.com/@pat-st/securing-a-model-context-protocol-server-with-entraid-47a0fea72a76
Prerequisites:
- Node.js v18 or later
Create an EntraID App Registration:
```shell
az ad app create --display-name "MCP-Server Demo" --requested-access-token-version "2" --sign-in-audience "AzureADMyOrg"
```
Create a `.env` file in the root of the project with the following content:
```
AZURE_TENANT_ID=
AZURE_CLIENT_ID=
BASE_URL=http://localhost:3001
```
Use your tenantId and the clientId of the app registration you just created.
- Under "Expose an API", expose a scope named `user_impersonation` for the app registration.
- Under "Expose an API", add the following Client IDs as preauthorized client applications:
  - `aebc6443-996d-45c2-90f0-388ff96faa56` - default Client ID for VSCode
  - `04b07795-8ddb-461a-bbee-02f9e1bf7b46` - default Client ID for Azure CLI, allows fetching a token for test purposes
Just execute `npm run dev` to start the server. It will be available at http://localhost:3001/mcp.
The `.vscode/mcp.json` file already contains the required configuration to connect to the server using VSCode.
If everything is set up correctly, you should be able to connect to the server using VSCode and will be prompted to authenticate using EntraID.
Two tools will then appear.
If you connect to the server in unauthenticated mode using the following `mcp.json` file, only one tool will be presented:
```json
{
  "servers": {
    "local-mcp-server": {
      "url": "http://localhost:3001/mcp",
      "type": "http",
      "headers": {
        "x-use-anonymous": "true"
      }
    }
  },
  "inputs": []
}
```
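As an added example (not the demo project's own code), the access decision that the behaviour described above implies, written in JavaScript for Node.js: the `x-use-anonymous` header selects the mode, an anonymous caller sees only the tools that do not require authentication (one tool), and an authenticated caller's EntraID v2 access token claims are checked for the expected audience, issuer and the `user_impersonation` scope before all tools are offered (two tools). The tool names, the `CONFIG` placeholders and the claims object are assumptions; signature and expiry verification are assumed to happen in a JWT library before `checkClaims` runs.

```javascript
// Added example, not the demo's own code; tool names, CONFIG and claims are constructed.
const ANONYMOUS_HEADER = "x-use-anonymous";

// Two tools, mirroring the demo: one public, one that needs a signed-in user.
const TOOLS = [
  { name: "public_info", requiresAuth: false },
  { name: "user_profile", requiresAuth: true },
];

// Placeholder app registration values; real ones come from the .env file.
const CONFIG = { tenantId: "<tenant-id>", clientId: "<client-id>" };

// Anonymous only when the header is exactly "true"; otherwise a token is expected.
function requestMode(headers) {
  const v = String(headers[ANONYMOUS_HEADER] ?? "").trim().toLowerCase();
  return v === "true" ? "anonymous" : "authenticated";
}

// Enforce audience, issuer and the user_impersonation scope on the claims of an
// EntraID v2 access token. Signature and expiry are assumed to have already been
// verified by a JWT library (e.g. jose's jwtVerify against the tenant JWKS).
function checkClaims(claims, { tenantId, clientId }) {
  if (claims.aud !== clientId) return { ok: false, reason: "audience mismatch" };
  if (claims.iss !== `https://login.microsoftonline.com/${tenantId}/v2.0`) {
    return { ok: false, reason: "issuer mismatch" };
  }
  const scopes = String(claims.scp ?? "").split(" ").filter(Boolean);
  if (!scopes.includes("user_impersonation")) {
    return { ok: false, reason: "missing user_impersonation scope" };
  }
  return { ok: true, subject: claims.oid ?? claims.sub };
}

// Anonymous callers see only tools that do not require authentication.
function visibleTools(mode, tools = TOOLS) {
  const list = mode === "authenticated" ? tools : tools.filter((t) => !t.requiresAuth);
  return list.map((t) => t.name);
}

// One request: the header decides the mode; claims (already verified, or null)
// decide whether an authenticated request is allowed. Returns an HTTP-style decision.
function authorize(headers, claims, config = CONFIG) {
  const mode = requestMode(headers);
  if (mode === "anonymous") return { status: 200, mode, tools: visibleTools(mode) };
  if (!claims) return { status: 401, reason: "bearer token required" };
  const r = checkClaims(claims, config);
  if (!r.ok) return { status: 403, reason: r.reason };
  return { status: 200, mode, subject: r.subject, tools: visibleTools(mode) };
}
```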