Add documentation about Entra limitations preventing service principal OBO as captured in issue #2192. #2196

Open
vukelich wants to merge 1 commit into main from users/vukelich/spobodocs

Conversation

@vukelich
Member

What does this PR do?

No functional changes. This PR adds clear documentation to reference #2192. The Entra limitations are a potential unintuitive pitfall for self-hosting remote MCP users, so we should provide transparent warnings and suggestions to users.

GitHub issue number?

References without fixing #2192

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Contributor

Copilot AI left a comment


Pull request overview

This PR documents a Microsoft Entra ID limitation affecting Azure MCP Server’s UseOnBehalfOf outgoing auth strategy when callers use application-only tokens (service principals / managed identities), referencing issue #2192 to help remote/self-hosting scenarios avoid a common pitfall.

Changes:

  • Adds consistent warnings across Azure MCP Server docs that OBO requires delegated (user) tokens and does not work with app-only callers.
  • Adds troubleshooting guidance for the AADSTS7000114 error.
  • Adds in-code XML documentation noting the OBO limitation for maintainers.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • servers/Azure.Mcp.Server/docs/new-command.md: Adds an OBO limitation note in remote server/auth strategy guidance.
  • servers/Azure.Mcp.Server/docs/azmcp-commands.md: Expands --outgoing-auth-strategy UseOnBehalfOf docs with an OBO limitation warning and issue link.
  • servers/Azure.Mcp.Server/azd-templates/README.md: Adds a note warning that OBO requires delegated tokens for the OBO azd template.
  • servers/Azure.Mcp.Server/TROUBLESHOOTING.md: Adds a dedicated troubleshooting section for AADSTS7000114 with explanation and link to #2192.
  • docs/Authentication.md: Updates supported auth matrix and adds a warning block explaining why Application + OBO is unsupported.
  • core/Microsoft.Mcp.Core/src/Services/Azure/Authentication/HttpOnBehalfOfTokenCredentialProvider.cs: Adds XML docs describing the OBO delegated-token requirement and expected failure mode for app-only callers.
  • core/Microsoft.Mcp.Core/src/Areas/Server/Options/OutgoingAuthStrategy.cs: Adds XML remarks documenting the OBO delegated-token requirement on the enum value.
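The delegated-versus-app-only distinction described in the review above is the check a remote MCP server would want to make before it attempts an OBO exchange, so that an app-only caller gets a clear, early rejection instead of an AADSTS7000114 failure from Entra. The following is an added example, not code from this PR or from the Azure MCP Server project: it reads the claims of an incoming Entra access token and classifies it using the standard Entra claims (`scp` on delegated tokens, `roles` on app-only tokens, and the optional `idtyp` claim where it is issued). The sample tokens are constructed and unsigned; the audience, object ids and role name in them are placeholders, and the example assumes signature, issuer, audience and expiry validation has already been done by the bearer-token middleware before this check runs.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the sample input below.
    Only used to fabricate test tokens; never accept alg=none in production."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    This does NOT verify the signature. The assumption is that the token was
    already validated (keys, issuer, audience, expiry) by the JWT bearer
    middleware; this function only looks at the claims of a trusted token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: dict) -> str:
    """Classify an Entra access token as 'delegated' or 'app-only'.

    - The optional 'idtyp' claim, when issued, is authoritative ('user'/'app').
    - Otherwise a delegated (user) token carries the 'scp' claim, while an
      app-only token (service principal / managed identity) carries
      application 'roles' and no 'scp'.
    """
    idtyp = claims.get("idtyp")
    if idtyp == "app":
        return "app-only"
    if idtyp == "user":
        return "delegated"
    if "scp" in claims:
        return "delegated"
    return "app-only"


def obo_applicable(claims: dict) -> tuple[bool, str]:
    """Decide whether an OBO exchange may be attempted for this caller.

    Returns (ok, reason). For app-only callers the server should fail fast with
    a descriptive message rather than let Entra reject the exchange
    (AADSTS7000114), which is the pitfall the PR documents.
    """
    kind = token_kind(claims)
    if kind == "delegated":
        return True, "delegated user token: OBO exchange can proceed"
    return False, (
        "app-only token (service principal or managed identity): the OBO flow "
        "requires a delegated user token and Entra will return AADSTS7000114; "
        "configure a non-OBO outgoing auth strategy for this caller"
    )


# Constructed sample tokens (placeholders, not real Entra-issued tokens).
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "api://placeholder-mcp-app",
    "scp": "user_impersonation",
    "oid": "00000000-0000-0000-0000-000000000001",
    "sub": "placeholder-user-sub",
    "idtyp": "user",
})
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "api://placeholder-mcp-app",
    "roles": ["Placeholder.Invoke"],
    "oid": "00000000-0000-0000-0000-000000000002",
    "sub": "00000000-0000-0000-0000-000000000002",  # app-only: sub == oid
    "idtyp": "app",
})


if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        ok, reason = obo_applicable(decode_claims(tok))
        print(f"{name}: ok={ok} -> {reason}")
```

In a server, the decision returned by `obo_applicable` would be made once per request after bearer validation, and the reason string logged with the caller's `oid` so operators can spot service principals that were mistakenly pointed at an OBO-configured deployment.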

@vcolin7 vcolin7 requested a review from anuchandy March 27, 2026 22:47
Contributor

@jongio jongio left a comment


Clean PR. Checked content accuracy against Entra docs, consistency across all 7 files, XML doc structure, and troubleshooting placement - nothing to flag.

@github-project-automation github-project-automation bot moved this from Untriaged to In Progress in Azure MCP Server Apr 1, 2026

Labels

None yet

Projects

Status: In Progress


3 participants