This document explains how to deploy the Azure MCP Server 2.0-beta as a remote MCP server accessible over HTTPS. This enables AI agents from Microsoft Foundry and Microsoft Copilot Studio to securely invoke MCP tool calls that perform Azure operations on your behalf.
This reference Azure Developer CLI (azd) template shows how to host the server on Azure Container Apps with storage tools enabled, using managed identity authentication for secure access to Azure Storage.
- Azure subscription with Owner or User Access Administrator permissions
- Azure Developer CLI (azd)
- The list of Azure MCP Server tool areas (namespaces) you wish to enable (see azmcp-commands.md). This reference template uses the
storagenamespace
This reference template deploys the Azure MCP Server with read-only Azure Storage tools enabled, accessible over HTTPS transport. For details on customizing server startup flags and configuration, see Azure MCP Server documentation.
azd upYou'll be prompted for:
- Storage Account Resource ID - The Azure resource ID of the storage account the MCP server will access
- Microsoft Foundry Project Resource ID - The Azure resource ID of the Microsoft Foundry project for agent integration
- Container App - Runs Azure MCP Server with storage namespace
- Role Assignments - Container App managed identity granted roles for outbound authentication to the storage account specified by the input storage resource ID:
- Reader (read-only access to storage account properties)
- Storage Blob Data Reader (read-only access to blob data)
- Entra App Registration - For incoming OAuth 2.0 authentication from clients (e.g., agents) with
Mcp.Tools.ReadWrite.Allrole. This role is assigned to the managed identity of the Microsoft Foundry project specified by the input Microsoft Foundry resource ID - Application Insights - Telemetry and monitoring
After deployment, retrieve azd outputs:
azd env get-valuesAmong the output there are useful values for the subsequent steps. Here is an example of these values.
CONTAINER_APP_URL="https://azure-mcp-storage-server.wonderfulazmcp-a9561afd.eastus2.azurecontainerapps.io"
ENTRA_APP_CLIENT_ID="c3248eaf-3bdd-4ca7-9483-4fcf213e4d4d"
ENTRA_APP_IDENTIFIER_URI="api://c3248eaf-3bdd-4ca7-9483-4fcf213e4d4d"
ENTRA_APP_OBJECT_ID="a89055df-ccfc-4aef-a7c6-9561bc4c5386"
ENTRA_APP_ROLE_ID="3e60879b-a1bd-5faf-bb8c-cb55e3bfeeb8"
ENTRA_APP_SERVICE_PRINCIPAL_ID="31b42369-583b-40b7-a535-ad343f75e463"
Once deployed, connect your Microsoft Foundry agent to the Azure MCP Server running on Azure Container Apps. The agent will authenticate using its managed identity and gain access to the configured Azure Storage tools.
- Get your Container App URL from
azdoutput:CONTAINER_APP_URL - Get Entra App Client ID from
azdoutput:ENTRA_APP_CLIENT_ID - Navigate to your Foundry project: https://ai.azure.com/nextgen
- Go to Build → Create agent
- Select the + Add in the tools section
- Select the Custom tab
- Choose Model Context Protocol as the tool and click Create
- Configure the MCP connection
- Enter the
CONTAINER_APP_URLvalue as the Remote MCP Server endpoint. - Select Microsoft Entra → Project Managed Identity as the authentication method
- Enter your
ENTRA_APP_CLIENT_IDas the audience. - Click Connect to associate this connection to the agent
- Enter the
Your agent is now ready to assist you! It can answer your questions and leverage tools from the Azure MCP Server to perform Azure operations on your behalf.
azd downThe azd template consists of the following Bicep modules:
main.bicep- Orchestrates the deployment of all resourcesaca-infrastructure.bicep- Deploys Container App hosting the Azure MCP Serveraca-role-assignment-resource-storage.bicep- Assigns Azure storage RBAC roles to the Container App managed identity on the storage account specified by the input storage resource IDentra-app.bicep- Creates Entra App registration with custom app role for OAuth 2.0 authenticationfoundry-role-assignment-entraapp.bicep- Assigns Entra App role to the managed identity of the Microsoft Foundry project specified by the input Microsoft Foundry resource ID for the Azure MCP Server accessapplication-insights.bicep- Deploys Application Insights for telemetry and monitoring (conditional deployment)