A detailed walkthrough of building an authenticated MCP server using Python's FastMCP library and Microsoft Entra ID, targeting pre-authorized clients like VS Code. Covers the MCP auth spec (pre-registration, CIMD, DCR), Entra app registration via the MS Graph SDK, credential options (client secret, certificate, managed identity as federated identity credential), FastMCP's RemoteAuthProvider and AzureJWTVerifier setup, middleware for extracting user identity from JWT claims, and using the On-Behalf-Of (OBO) flow to call Microsoft Graph for admin group membership checks. Includes code for both local development and production Azure Container Apps deployments, with a link to the full open-source repository.

12m read time. From blog.pamelafox.org
Table of contents: MCP auth; Registering the MCP server with Entra; Using FastMCP servers with Entra; Using OBO flow in FastMCP server; All together now
