This repository is a practical, step-by-step how-to to integrate Microsoft MCP Server for Enterprise into a Copilot Studio agent using a Model Context Protocol (MCP) tool with OAuth 2.0 (Manual) authentication.
At the end, your Copilot Studio agent can connect to the MCP server endpoint and retrieve Microsoft Entra tenant insights through Microsoft Graph (delegated permissions).
## Primary references

- Microsoft Learn: Get started with the Microsoft MCP Server for Enterprise (official)
  https://learn.microsoft.com/en-us/graph/mcp-server/get-started
- GitHub repo: Microsoft MCP Server for Enterprise (MCP Registry entry)
  https://github.com/mcp/microsoft/EnterpriseMCP
- What you’ll build
- Architecture
- Capabilities and limitations
- Prerequisites
- Configuration values
- 1. Provision the MCP Server for Enterprise (one-time per tenant)
- 2. Register an application in Microsoft Entra ID
- 3. Configure the registered application
- 4. Set up the MCP tool in Copilot Studio
- 5. Add the Redirect URI in Entra ID
- 6. Finalize the connection
- 7. Test the integration
- Troubleshooting
- Monitoring, limits, and auditability
- Disable the MCP Server for Enterprise (optional)
- Security notes
- Changelog
- Disclaimer
## What you’ll build

- A tenant-provisioned Microsoft MCP Server for Enterprise setup (done once per tenant)
- An Entra ID app registration (Client ID + Client Secret) used by Copilot Studio OAuth (Manual)
- An MCP Tool configured in Copilot Studio:
  - Server URL: `https://mcp.svc.cloud.microsoft/enterprise`
  - Scope style: MCP server appId `.default` (`e8c77dc2-69b3-43f4-bc51-3213c9d915b4/.default`)
- A working connection (with a validation prompt)
## Architecture

```text
Copilot Studio Agent
→ MCP Tool (Model Context Protocol)
→ Microsoft MCP Server for Enterprise (https://mcp.svc.cloud.microsoft/enterprise)
↔ OAuth 2.0 (Manual) via Microsoft Entra ID authorize/token endpoints
↔ Connection/consent (often visible via Power Automate connections during troubleshooting)
```
## Capabilities and limitations

From the official repo/docs, key points to keep in mind:

- Delegated permissions only (user-interactive). App-only permissions / app-only workflows aren’t supported.
- The server is designed for read-only enterprise IT scenarios during public preview, focused on Microsoft Entra identity/directory (users, groups, apps, devices, roles, policies, etc.).
- The MCP server is intentionally “atypical”: it exposes three tools and generates Microsoft Graph calls via prompting/RAG rather than exposing one tool per Graph operation:
  - `microsoft_graph_suggest_queries`
  - `microsoft_graph_get`
  - `microsoft_graph_list_properties`
- Notes for MCP clients:
  - Dynamic Client Registration (DCR) is not supported (see GitHub repo notes).
## Prerequisites

You typically need:

- For tenant provisioning (one-time): Application Administrator or Cloud Application Administrator
- For app registration: ability to register applications (Application Developer or admin roles)
- PowerShell, run as Administrator
- PowerShell module: `Microsoft.Entra.Beta` (v1.0.13+)
- Tenant ID (GUID)
- Ability to create app registrations in Entra ID
## Configuration values

You will use these values multiple times:

- `TENANT_ID` — your Entra tenant ID (GUID)
- `CLIENT_ID` — Application (client) ID of your app registration
- `CLIENT_SECRET` — client secret value (copy it at creation time)
- MCP Server URL: `https://mcp.svc.cloud.microsoft/enterprise`
- MCP Server (appId): `e8c77dc2-69b3-43f4-bc51-3213c9d915b4`
- Authorization URL template: `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize`
- Token URL template: `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token`
- Quick scope (broad): `e8c77dc2-69b3-43f4-bc51-3213c9d915b4/.default`

Tip: Create a `.env.example` file if you want to standardize these values for your team.
## 1. Provision the MCP Server for Enterprise (one-time per tenant)

Open PowerShell as Administrator.

The GitHub quick start notes potential conflicts with Microsoft Graph PowerShell SDK modules. If you run into issues with module conflicts, consider removing Graph modules before continuing:

```powershell
Install-Module Uninstall-Graph
Uninstall-Graph -All
```

If you don’t have issues, you can skip this step.

Install the required module:

```powershell
Install-Module Microsoft.Entra.Beta -Force -AllowClobber
```

Authenticate to the tenant where you want to register the MCP Server (admin role required):

```powershell
Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
```

Recommended sanity-check after auth:

```powershell
Get-EntraContext
```

Register Microsoft MCP Server for Enterprise in your tenant and grant permissions to Visual Studio Code:

```powershell
Grant-EntraBetaMCPServerPermission -ApplicationName VisualStudioCode
```

✅ At this point, tenant provisioning is complete.
### Confirm the service principals exist

Microsoft Learn provides two appIds you should see after provisioning:

- Microsoft MCP Server for Enterprise: `e8c77dc2-69b3-43f4-bc51-3213c9d915b4`
- Visual Studio Code: `aebc6443-996d-45c2-90f0-388ff96faa56`

Using Microsoft Graph (example):

```http
GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName&$filter=appId in('e8c77dc2-69b3-43f4-bc51-3213c9d915b4','aebc6443-996d-45c2-90f0-388ff96faa56')
```

Using Entra PowerShell:

```powershell
$mcpClientSp = Get-EntraBetaServicePrincipal -Select id,appId,displayName -Filter "appId eq 'aebc6443-996d-45c2-90f0-388ff96faa56'"
$mcpServerSp = Get-EntraBetaServicePrincipal -Select id,appId,displayName -Filter "appId eq 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'"
$mcpClientSp, $mcpServerSp | Format-Table id, appId, displayName -AutoSize
```

### Confirm permissions granted to your MCP clients

Graph example:

```http
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$select=id,clientId,resourceId,scope&$filter=clientId eq '{mcp-client-servicePrincipal}' and resourceId eq '{mcp-server-servicePrincipal}'
```

PowerShell example:

```powershell
$grant = Get-EntraBetaServicePrincipalOAuth2PermissionGrant -ServicePrincipalId $mcpClientSp.Id
$grant.Scope -split ' '
```

---
## 2. Register an application in Microsoft Entra ID
1. Sign in to the **Microsoft Entra admin center**
2. Navigate to: **Entra ID > App registrations > New registration**
3. Enter a name (example: `Copilot-MCP-Server`)
4. Suggested:
- **Single tenant**
- Add platform/redirect URI later (after Copilot Studio generates it)
5. Click **Register**
6. Save:
- **Application (client) ID**
- **Directory (tenant) ID**
---
## 3. Configure the registered application
### 3.1 Create a client secret
1. Go to: **Certificates & secrets > Client secrets > New client secret**
2. Add a description, set expiration, click **Add**
3. Copy the **client secret value** immediately (you won’t be able to see it again)
### 3.2 Configure permissions/scopes
Least privilege (recommended for enterprise)
Microsoft Learn describes MCP scopes that map to Graph scopes.
1. Go to **API permissions** > **Add a permission** > **APIs my organization uses.**
2. Search for **'Microsoft MCP Server for Enterprise'** and select it.

4. Expand all permissions and check all boxes.

## 4. Set up the MCP tool in Copilot Studio

- Sign in to Copilot Studio
- Create a new agent
- Add a tool and choose Model Context Protocol
- Fill in the configuration below:
  - Server Name: `MS MCP Server Enterprise` (example)
  - Server URL: `https://mcp.svc.cloud.microsoft/enterprise`
  - Authentication: `OAuth 2.0 (Manual)`
  - Client ID: your Entra Application (client) ID
  - Client Secret: your Entra client secret value
  - Authorization URL: `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize`
  - Token URL: `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token`
  - Scopes (quick start): `e8c77dc2-69b3-43f4-bc51-3213c9d915b4/.default`
- Click Create
- Copy the Redirect URL and wait before clicking Next
## 5. Add the Redirect URI in Entra ID

- In Entra admin center, go to App registrations > your app
- Add the Redirect URI copied from Copilot Studio
- Enable:
  - ✅ Access tokens
  - ✅ ID tokens
## 6. Finalize the connection

- Return to Copilot Studio
- Complete the connection flow

If everything is correct, the tool should be available in the agent.
## 7. Test the integration

In Copilot Studio chat, try:

```text
get my tenant detailed information.
```
## Troubleshooting

If you hit connection/consent errors:

- In Copilot Studio, go to Tools (left menu)
- Click your MCP tool to open its related connector details
- Go to the Power Automate custom connector page (by clicking your connector)
- Select the connection shortcut from the left menu
- Find your connection, then select:
  - Reconnect
  - Allow Access
- Return to Copilot Studio and select your tool again

Common causes of these errors:

- Tenant ID mismatch in URLs: `.../<TENANT_ID>/oauth2/v2.0/authorize` and `.../<TENANT_ID>/oauth2/v2.0/token` must use the same tenant
- Redirect URI not copied correctly or added to the wrong app registration
- Access tokens / ID tokens not enabled
- Missing MCP scopes / admin consent (depending on tenant policy)
- Wrong client secret value (or secret expired)
- Connection cache: needs refresh/reconnect in the connection manager
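The following pre-flight script is an added example (not part of the original guide or the Microsoft repo) that checks the app registration against the causes listed above before you open a connection. It assumes an existing `Connect-Entra` session with at least `Application.Read.All`, and that `Get-EntraBetaApplication` / `Get-EntraContext` expose the Graph application and context properties named in the comments (`Web.RedirectUris`, `Web.ImplicitGrantSettings`, `PasswordCredentials`, `RequiredResourceAccess`, `TenantId`); verify those names against your module version.

```powershell
# Added example: pre-flight check of the Entra app registration behind the Copilot Studio MCP tool.
# ASSUMPTION: property names follow the Graph application resource as returned by Get-EntraBetaApplication.
param(
    [Parameter(Mandatory)][string]$TenantId,     # TENANT_ID used in the authorize/token URLs
    [Parameter(Mandatory)][string]$ClientId,     # Application (client) ID from step 2
    [Parameter(Mandatory)][string]$RedirectUri,  # Redirect URL copied from Copilot Studio in step 4
    [string]$McpServerAppId = 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'
)

$findings = @()

# 1. The signed-in tenant must be the one referenced in the OAuth URLs (tenant ID mismatch).
$ctx = Get-EntraContext
if ($ctx.TenantId -ne $TenantId) {
    $findings += "Signed-in tenant $($ctx.TenantId) differs from TENANT_ID $TenantId used in the URLs."
}

$app = Get-EntraBetaApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration with appId $ClientId in tenant $($ctx.TenantId)." }

# 2. The redirect URI must match exactly (scheme, host, path, trailing slash) on this app registration.
if ($app.Web.RedirectUris -notcontains $RedirectUri) {
    $findings += "Redirect URI '$RedirectUri' is not registered on '$($app.DisplayName)'."
}

# 3. Access tokens and ID tokens must both be enabled (step 5).
$implicit = $app.Web.ImplicitGrantSettings
if (-not $implicit.EnableAccessTokenIssuance) { $findings += 'Access tokens are not enabled.' }
if (-not $implicit.EnableIdTokenIssuance)     { $findings += 'ID tokens are not enabled.' }

# 4. At least one client secret must still be valid; warn when rotation is due within 30 days.
$now = Get-Date
$valid = @($app.PasswordCredentials | Where-Object { [datetime]$_.EndDateTime -gt $now })
if ($valid.Count -eq 0) {
    $findings += 'No unexpired client secret; create a new one and update the tool in Copilot Studio.'
} elseif (-not ($valid | Where-Object { [datetime]$_.EndDateTime -gt $now.AddDays(30) })) {
    $findings += 'Every client secret expires within 30 days; plan rotation.'
}

# 5. The app must request at least one delegated scope on the MCP Server for Enterprise resource.
$mcp = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $McpServerAppId }
if (-not $mcp -or @($mcp.ResourceAccess).Count -eq 0) {
    $findings += "No permissions configured for MCP Server appId $McpServerAppId (see step 3.2)."
}

if ($findings.Count -eq 0) { Write-Output 'All pre-flight checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Save it as, for example, `Test-McpAppRegistration.ps1` and run it with the three values from the Configuration values section; admin consent on the tenant is not checked here and still has to be verified with the grant query from step 1.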
## Monitoring, limits, and auditability

Highlights from the official repo:

- Requests are limited to 100 requests per minute per user (and Graph throttling still applies).
- Operations are auditable because they execute under a known AppId. You can filter logs by MCP Server appId: `e8c77dc2-69b3-43f4-bc51-3213c9d915b4`

Example Kusto query shown in the repo (adjust time range as needed):

```kusto
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| project RequestId, TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode
```

## Disable the MCP Server for Enterprise (optional)

Microsoft Learn notes you can’t delete the Microsoft-owned service from your tenant, but you can disable it if needed by setting the service principal’s `accountEnabled` to `false`.
Graph example:

```http
PATCH https://graph.microsoft.com/v1.0/servicePrincipals(appId='e8c77dc2-69b3-43f4-bc51-3213c9d915b4')
{
  "accountEnabled": false
}
```

PowerShell example:

```powershell
$mcpServerSp = Get-EntraBetaServicePrincipal -Select id,appId,displayName -Filter "appId eq 'e8c77dc2-69b3-43f4-bc51-3213c9d915b4'"
Set-EntraBetaServicePrincipal -ServicePrincipalId $mcpServerSp.Id -AccountEnabled $false
```

## Security notes

- Store secrets in a secure vault (do not commit secrets to Git)
- Rotate secrets regularly and document ownership
- Prefer least-privilege permissions when moving from POC → production

## Changelog

- `v1.0` — Initial published guide

## Disclaimer

This is community documentation intended to help reproduce a working configuration. It is not official Microsoft documentation.