Skip to content

Update/Add TSG for Auth section for external mcp servers. #2575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
g2vinay wants to merge 2 commits into
base: main
Choose a base branch
from
+50 −1
Draft

Update/Add TSG for Auth section for external mcp servers. #2575

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f448c21
docs: add TSG entry for external MCP server auth failure with AzurePo…
g2vinay May 4, 2026
342c168
add tsg guidance to auth.md
g2vinay May 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 50 additions & 1 deletion docs/Authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,4 +145,53 @@ Each `azd` template provisions:

- Entra ID app registration(s) with the correct scopes and roles
- Managed identity with appropriate RBAC assignments
- Azure Container App configured to run the Azure MCP Server with all required environment variables and server flags
- Azure Container App configured to run the Azure MCP Server with all required environment variables and server flags

---

## Troubleshooting

### External MCP server auth fails with `AzurePowerShellCredential`

**Symptom**

When the Azure MCP Server tries to connect to an external registry server (e.g. a Foundry MCP server), you see an error like:

```
Failed to create MCP client for registry server 'foundry': The ChainedTokenCredential failed to retrieve a token from the included credentials.
- AzurePowerShellCredential is not available: Azure PowerShell authentication failed due to an unknown error...
SharedTokenCacheCredential authentication failed: AADSTS65002: Consent between first party application '1950a258-227b-4e31-a9cf-717495945fc2' and first party resource '...' must be configured via preauthorization
```

**Cause**

The credential chain tries `AzurePowerShellCredential` and it fails because the PowerShell shared token cache does not have consent configured for the target resource.

**Fix**

Use Azure CLI authentication instead.

1. Sign in with the Azure CLI:

```bash
az login
```

2. Pin the credential chain to Azure CLI only by setting the `AZURE_TOKEN_CREDENTIALS` environment variable before starting the server:

```bash
# bash / zsh
export AZURE_TOKEN_CREDENTIALS=AzureCliCredential
```

```powershell
# PowerShell
$env:AZURE_TOKEN_CREDENTIALS = "AzureCliCredential"
```

Or set it permanently in your shell profile / system environment variables.

3. Restart the Azure MCP Server (or your IDE) so it picks up the new environment variable.

> [!NOTE]
> `AZURE_TOKEN_CREDENTIALS=AzureCliCredential` skips the entire credential chain and uses `az login` credentials directly. It will fail if you are not logged in with the Azure CLI, so make sure `az account show` returns the expected account before starting the server.