foundry_agents_with_obo_mcp_server

This MCP server provides a custom Atlassian MCP implementation that validates On-Behalf-Of (OBO) tokens and proxies requests to Jira and Confluence REST APIs. It enables Foundry Agents to access third-party Atlassian data on behalf of the logged-in user, enforcing least privilege and row-level security via OBO flow. After starting the server, the agent toolbox can discover and use the Atlassian MCP tool alongside the Fabric Data Agent tool, with access controlled by tool authorization middleware.

To use the tools, you’ll deploy the Foundry Agent that requests an OBO token and selects the Atlassian MCP tool when Jira/Confluence data is needed. The MCP server validates the user’s token, ensures the user has permissions for the requested Jira/Confluence operations, and then forwards the requests to the Atlassian Cloud APIs. If the request requires Fabric data access, the Fabric Data Agent MCP tool handles it with appropriate RLS enforcement. The system is designed so a Premium user sees Jira, Confluence, and Fabric Data Agent tools, while Freemium users may see a limited set. The result is an auditable, secure data access flow across multiple services via MCP tooling.

Prerequisites:

• Docker installed and running
• Access tokens/credentials for Azure AD, Atlassian, and Fabric as applicable
• Git clone of the repository containing the MCP server and prerequisites

1. Install prerequisites

• Ensure Docker is installed: follow the official guide for your OS.
• Install any required CLI tools you’ll use to manage foundry agents and MCP servers.

2. Build or pull the MCP server image

• If you have a Dockerfile in custom_jira_confluence_mcp_server, build the image: docker build -t custom_jira_confluence_mcp_server:latest -f custom_jira_confluence_mcp_server/Dockerfile .
• Alternatively, pull a prebuilt image if provided by your organization: docker pull custom_jira_confluence_mcp_server:latest

3. Configure environment and secrets

• Prepare environment variables for token validation and API access. Example placeholders: AZURE_TENANT_ID=<your-tenant-id> AZURE_CLIENT_ID=<your-client-id> AZURE_CLIENT_SECRET=<your-client-secret> ATLASIAN_API_TOKEN=<your-atlassian-api-token> FABRIC_RLS_ENABLED=true

4. Run the MCP server using Docker

• Start the server container (example): docker run -i
  -e AZURE_TENANT_ID=${AZURE_TENANT_ID}
  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
  -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
  -e ATLASIAN_API_TOKEN=${ATLASIAN_API_TOKEN}
  -e FABRIC_RLS_ENABLED=${FABRIC_RLS_ENABLED}
  custom_jira_confluence_mcp_server:latest

5. Verify and test

• Check container logs for startup messages and health indicators.
• Use your Foundry tooling to invoke the MCP tools and validate OBO token flow against Jira/Confluence.
• Ensure the agent can access Jira and Confluence and that Fabric RLS policies are enforced if used.

Tips and common issues:

• If tokens fail validation, verify the OBO flow configuration in your identity provider and ensure the agent is requesting an OBO token for the correct resource scope.
• Ensure the Atlassian API token has the necessary scopes for Jira and Confluence operations used by your MCP server.
• For Fabric integration, confirm the Lakehouse workspace has appropriate RLS configuration and that the Fabric Data Agent MCP tool is enabled.
• Use environment-variable placeholders in production and do not commit secrets; consider Secret Manager integration for deployment.
• If the container fails to start, inspect Docker logs and verify that the entrypoint expects the provided environment variables.