The on-behalf-of (OBO) flow enables MCP servers to use a user's identity to call other APIs like Microsoft Graph. This guide demonstrates implementing Entra authentication with OBO in Python FastMCP servers, covering app registration setup, admin consent configuration, and token exchange. The implementation uses FastMCP's AzureProvider with an OAuth proxy pattern for dynamic client registration, MSAL SDK for token management, and includes practical examples like checking group membership and storing user-specific data in Cosmos DB.
Table of contents
How MCP servers can use Entra authenticationRegistering the server with EntraUsing FastMCP servers with EntraAll together nowSort: