mcp-dotnet-entra-id

A .NET starter for building secure MCP servers integrated with Microsoft Entra ID, tested with Claude AI.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio profility-be-mcp-server-dotnet-entra-id -- docker run -i \
  --env MCP_SERVER_URL="https://YOUR-DOMAIN" \
  --env JWT_SIGNING_KEY="GENERATED_SIGNING_KEY" \
  --env AZURE_AD_CLIENT_ID="your-entra-id-client-id" \
  --env AZURE_AD_TENANT_ID="your-entra-id-tenant-id" \
  --env JWT_ENCRYPTION_KEY="GENERATED_ENCRYPTION_KEY" \
  --env AZURE_AD_CLIENT_SECRET="your-client-secret" \
  profility-be-mcp-server-dotnet-entra-id

How to use

This MCP server acts as an OAuth 2.1 proxy that sits between MCP clients (such as Claude AI and ChatGPT) and Microsoft Entra ID (Azure Active Directory). It provides a secure authentication flow, maps Entra ID tokens to MCP-compatible tokens, and exposes MCP endpoints that require valid Bearer tokens. The included WhoAmI tool demonstrates how authenticated user claims (name, email, OID, UPN) can be accessed by MCP tools to personalize interactions. To use it, configure your Entra ID app registration to allow the proxy to issue tokens with the desired scopes and audience, then run the container to start the OAuth proxy. Clients will redirect through the custom login experience, obtain a token, and call MCP endpoints with the appropriate Authorization header.

How to install

Prerequisites:

  • Docker installed and running
  • Optional: if you prefer running from source, .NET 8 SDK and a compatible IIS/Kestrel hosting setup

Option A — Deploy with Docker (recommended):

  1. Build or pull the Docker image for the MCP proxy that bridges Entra ID authentication:
    • docker pull profility-be-mcp-server-dotnet-entra-id
  2. Run the container with required environment variables (adjust values to your environment):
    • docker run -d --name profility-mcp --env AZURE_AD_TENANT_ID=YOUR_TENANT_ID --env AZURE_AD_CLIENT_ID=YOUR_CLIENT_ID --env AZURE_AD_CLIENT_SECRET=YOUR_CLIENT_SECRET --env MCP_SERVER_URL=https://YOUR-DOMAIN -p 443:443 profility-be-mcp-server-dotnet-entra-id

Option B — Run from source (.NET 8):

  1. Ensure .NET 8 SDK is installed.
  2. Clone the repository:
    • git clone <your-repo-url>
    • cd MCP
  3. Build and run locally (adjust paths as needed):
    • dotnet build
    • dotnet run --project path/to/YourMcpProject
  4. Configure environment variables for Azure AD in appsettings.json or environment before starting.

Prerequisites recap:

  • Docker or .NET 8 SDK installed
  • Azure Entra ID tenant and an app registration with appropriate permissions
  • Networking accessible for OAuth redirects and token endpoints

Additional notes

Tips and common issues:

  • Ensure your Entra ID app registration exposes the API scope used by the MCP proxy (e.g., MCP.Access) and that Redirect URIs match your deployment domain.
  • The proxy uses RFC 7591 Dynamic Client Registration compatibility; if you encounter registration issues, verify app permissions and consent.
  • When deploying behind a reverse proxy or TLS terminator, ensure HTTPS termination and correct forwarding headers for auth callbacks.
  • If tokens fail validation, re-check signing and encryption keys and update Jwt.SigningKey and Jwt.EncryptionKey accordingly.
  • Environment variables can be stored in a .env file or set directly in your container/orchestrator. Ensure sensitive values are protected.
  • For development, you can test with a dev tunnel or localhost callback URLs, but remember to update Azure AD redirect URIs for production domains.
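
As an added example (not part of the project's own code), the check below validates an env file before it is handed to the container with Docker's --env-file option, which keeps the client secret and JWT keys off the command line. The file name mcp.env and the function name check_mcp_env are assumptions; the variable names and placeholder strings are the ones shown in the commands above.

```sh
# Added example: preflight for an env file passed to `docker run --env-file`.
# Docker reads each VAR=value line literally, so values must not be quoted.
# Returns 0 if usable, 1 on a finding, 2 if the file is missing.
check_mcp_env() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "missing env file: $file" >&2; return 2; }

    # The file holds the client secret and JWT keys: owner-only access.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00) ;;
        *) echo "mode $mode is too open; chmod 600 $file" >&2; rc=1 ;;
    esac

    # Variable names are the ones in the page's commands.
    for name in MCP_SERVER_URL JWT_SIGNING_KEY JWT_ENCRYPTION_KEY \
                AZURE_AD_CLIENT_ID AZURE_AD_TENANT_ID AZURE_AD_CLIENT_SECRET; do
        value=$(sed -n "s/^${name}=//p" "$file" | tail -n 1)
        case $value in
            '') echo "$name is not set" >&2; rc=1 ;;
            *YOUR-DOMAIN*|YOUR_*|your-*|GENERATED_*)
                echo "$name still holds a placeholder" >&2; rc=1 ;;
        esac
    done

    # OAuth redirects need HTTPS; plain HTTP only for localhost development.
    url=$(sed -n 's/^MCP_SERVER_URL=//p' "$file" | tail -n 1)
    case $url in
        https://*|http://localhost|http://localhost[:/]*) ;;
        *) echo "MCP_SERVER_URL should be an https:// URL" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage (mcp.env is a hypothetical file name):
#   check_mcp_env mcp.env && docker run -d --name profility-mcp \
#       --env-file mcp.env -p 443:443 profility-be-mcp-server-dotnet-entra-id
```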
