Azure API Management as AI Gateway to Remote MCP servers.
Azure API Management acts as the AI Gateway for MCP servers.
This sample implements the latest MCP Authorization specification.
This is a sequence diagram to understand the flow.
Register the Microsoft.App resource provider:
az provider register --namespace Microsoft.App --wait
Or, with Azure PowerShell:
Register-AzResourceProvider -ProviderNamespace Microsoft.App
Then run (Get-AzResourceProvider -ProviderNamespace Microsoft.App).RegistrationState after some time to check whether the registration is complete.
Run this azd command to provision the API Management service, the function app (with code) and all other required Azure resources:
azd up
In a new terminal window, install and run MCP Inspector
npx @modelcontextprotocol/inspector
CTRL click to load the MCP Inspector web app from the URL displayed by the app (e.g. http://127.0.0.1:6274/#resources)
Set the transport type to SSE
Set the URL to your running API Management SSE endpoint displayed after azd up and Connect:
https://<apim-servicename-from-azd-output>.azure-api.net/mcp/sse
List Tools. Click on a tool and Run Tool.
This solution deploys a secure MCP (Model Context Protocol) server infrastructure on Azure. The architecture implements a multi-layered security model with Azure API Management serving as an intelligent gateway that handles authentication, authorization, and request routing.
The infrastructure provisions the following Azure resources:
User-Assigned Managed Identity - Enables secure service-to-service authentication
Entra ID Application Registration - OAuth2/OpenID Connect client for authentication
(if vnetEnabled is true)
Azure API Management serves as the security perimeter, implementing:
Azure Functions provides:
Managed Identities eliminate the need for:
The APIM instance is configured with two primary APIs that work together to implement the MCP authorization specification:
OAuth API (/oauth/*)
This API implements the complete OAuth 2.0 authorization server functionality required by the MCP specification:
Authorization Endpoint (GET /authorize)
Consent Management (GET/POST /consent)
OAuth Metadata Endpoint (GET /.well-known/oauth-authorization-server)
Client Registration (POST /register)
Token Endpoint (POST /token)
The OAuth API uses several APIM Named Values for configuration:
McpClientId - The registered Entra ID application client ID
EntraIDFicClientId - Service identity client ID for token exchange
APIMGatewayURL - Base URL for callback and metadata endpoints
OAuthScopes - Requested OAuth scopes (openid + Microsoft Graph)
EncryptionKey / EncryptionIV - For session key encryption
MCP API (/mcp/*)
This API provides the actual MCP protocol endpoints with security enforcement:
Server-Sent Events Endpoint (GET /sse)
Message Endpoint (POST /message)
The MCP API applies a comprehensive security policy to all operations:
Authorization Header Validation
<check-header name="Authorization" failed-check-httpcode="401"
failed-check-error-message="Not authorized" ignore-case="false" />
Session Key Decryption
Token Cache Lookup
<cache-lookup-value key="@($"EntraToken-{context.Variables.GetValueOrDefault("decryptedSessionKey")}")"
variable-name="accessToken" />
Access Token Validation
Backend Authentication
<set-header name="x-functions-key" exists-action="override">
<value>{{function-host-key}}</value>
</set-header>
The solution implements a sophisticated multi-layer security model:
Layer 1: OAuth 2.0/PKCE Authentication
Layer 2: Session Key Encryption
Layer 3: Function-Level Security
Layer 4: Azure Platform Security
This layered approach ensures that even if one security boundary is compromised, multiple additional protections remain in place.
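To make the MCP API inbound policy and the session key encryption layer concrete, here is an added Go model written for this page (example code, not part of the sample): it mirrors the Authorization header check, session key decryption, the EntraToken-{key} cache lookup and the x-functions-key injection, and it rejects malformed input with a 401 instead of failing open or panicking. The AES-CBC scheme, the hypothetical key/IV values and the assumption that the header carries the encrypted session key directly are mine; the sample's own policy may differ.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

// Constructed stand-ins for the EncryptionKey / EncryptionIV named values
// (hypothetical AES-256 key and IV) and for the cache cache-lookup-value reads.
var encryptionKey = []byte("0123456789abcdef0123456789abcdef")
var encryptionIV = []byte("fedcba9876543210")
var tokenCache = map[string]string{}

// encryptSessionKey: AES-CBC, PKCS#7 padding, base64 (assumed scheme).
func encryptSessionKey(sessionKey string) string {
	block, _ := aes.NewCipher(encryptionKey)
	pad := aes.BlockSize - len(sessionKey)%aes.BlockSize
	pt := append([]byte(sessionKey), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, encryptionIV).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct)
}

// decryptSessionKey reverses encryptSessionKey; malformed input is an error, not a panic.
func decryptSessionKey(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed session key")
	}
	block, _ := aes.NewCipher(encryptionKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, encryptionIV).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return "", errors.New("bad padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// gatewayInbound models the MCP API pipeline: missing header, undecryptable session
// key, or no cached EntraToken-{key} entry all yield 401; otherwise forward with the host key.
func gatewayInbound(authHeader, functionHostKey string) (int, map[string]string) {
	sessionKey, err := decryptSessionKey(authHeader)
	_, cached := tokenCache["EntraToken-"+sessionKey]
	if authHeader == "" || err != nil || !cached {
		return 401, nil
	}
	return 200, map[string]string{"x-functions-key": functionHostKey}
}
```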