Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into aca/migrate-functions

Author: craigshoemaker

articles/app-service/configure-authentication-ai-foundry-openapi-tool.md

@@ -7,6 +7,7 @@ author: cephalin
 ms.author: cephalin
 ms.service: azure-app-service
 ms.collection: ce-skilling-ai-copilot
+ms.update-cycle: 180-days
 ---
 
 # Secure OpenAPI endpoints for Azure AI Foundry Agent Service

articles/app-service/configure-authentication-mcp-server-vscode.md

@@ -0,0 +1,169 @@
+---
+title: Secure MCP servers with Microsoft Entra authentication
+description: Configure Microsoft Entra authentication to secure your MCP server on Azure App Service and access it from Visual Studio Code.
+ms.topic: how-to
+ms.date: 11/18/2025
+author: cephalin
+ms.author: cephalin
+ms.service: azure-app-service
+ms.collection: ce-skilling-ai-copilot
+ms.update-cycle: 180-days
+---
+
+# Secure Model Context Protocol calls to Azure App Service from Visual Studio Code with Microsoft Entra authentication
+
+This article shows you how to secure your Model Context Protocol (MCP) server hosted on Azure App Service using Microsoft Entra authentication. By enabling authentication, you ensure that only users authenticated with Microsoft Entra can access your MCP server through Copilot agent mode in Visual Studio Code.
+
+For other authentication methods and general MCP server security concepts, see [Secure a Model Context Protocol server in Azure App Service](configure-authentication-mcp.md).
+
+## Prerequisites
+
+An App Service app that hosts an MCP server. If you need to create one, see one of the following tutorials:
+
+- [Integrate an App Service app as an MCP Server for GitHub Copilot Chat (.NET)](tutorial-ai-model-context-protocol-server-dotnet.md)
+- [Integrate an App Service app as an MCP Server for GitHub Copilot Chat (Java)](tutorial-ai-model-context-protocol-server-java.md)
+- [Integrate an App Service app as an MCP Server for GitHub Copilot Chat (Python)](tutorial-ai-model-context-protocol-server-python.md)
+- [Integrate an App Service app as an MCP Server for GitHub Copilot Chat (Node.js)](tutorial-ai-model-context-protocol-server-node.md)
+
+## Enable Microsoft Entra authentication
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your App Service app.
+
+1. In the left menu, select **Settings** > **Authentication**, and then select **Add identity provider**.
+
+1. On the **Add an identity provider** page, select **Microsoft** as the **Identity provider**.
+
+1. Under **App Service authentication settings**, for **Client secret expiration**, select an expiration period (for example, **6 months**).
+
+1. Accept all other default values and select **Add** to create the identity provider.
+
+   This creates a new app registration in Microsoft Entra ID with a client secret and configures your App Service app to use it for authentication.
+
+## Authorize Visual Studio Code in App Service authentication
+
+After enabling authentication, you need to authorize Visual Studio Code to access your MCP server.
+
+1. On the **Authentication** page of your App Service app, under **Identity provider**, select **Edit** (the pencil icon) next to the Microsoft provider you created.
+
+1. On the **Edit identity provider** page, under **Additional checks** > **Client application requirement**, select **Allow requests from specific client applications**.
+
+1. Select the pencil widget to edit the allowed applications.
+
+1. In the **Allowed client applications** field, add the Visual Studio Code client ID: `aebc6443-996d-45c2-90f0-388ff96faa56`.
+
+1. Select **OK**, then select **Save**.
+
+## Authorize Visual Studio Code in the app registration
+
+Next, you need to configure the app registration to expose your API to Visual Studio Code.
+
+1. Go back to the **Authentication** page of your App Service app.
+
+1. Select the Microsoft provider in the **Identity provider** column to open the app registration page.
+
+1. In the app registration page, select **Manage** > **Expose an API** from the left menu.
+
+1. Under **Authorized client applications**, select **Add a client application**.
+
+1. In the **Client ID** field, enter the Visual Studio Code client ID: `aebc6443-996d-45c2-90f0-388ff96faa56`.
+
+1. Select the checkbox next to the **user_impersonation** scope to authorize this scope.
+
+1. Select **Add application**.
+
+1. Under **Scopes defined by this API**, find and copy the full scope value. It should look like `api://<app-registration-app-id>/user_impersonation`.
+
+   You need this scope value in the next section.
+
+## Enable protected resource metadata by setting the authorization scope
+
+To enable MCP server authorization, you need to configure the protected resource metadata (PRM) by setting the authorization scope in an app setting. This allows MCP clients to discover the authentication requirements through the `/.well-known/oauth-protected-resource` endpoint.
+
+1. In the Azure portal, go back to your App Service app page.
+
+1. In the left menu, select **Settings** > **Environment variables**.
+
+1. Select **Add** to create a new application setting.
+
+1. For **Name**, enter `WEBSITE_AUTH_PRM_DEFAULT_WITH_SCOPES`.
+
+1. For **Value**, paste the scope you copied from the app registration: `api://<app-registration-app-id>/user_impersonation`.
+
+1. Select **Apply**, then select **Apply** again to confirm and restart your app.
+
+   This setting configures the PRM to include the required scope for MCP server authorization.
+
+## Connect from Visual Studio Code
+
+Now you can connect to your secured MCP server from Visual Studio Code.
+
+1. Open Visual Studio Code on your local machine.
+
+1. Open or create an MCP configuration file (`mcp.json`). For a workspace scoped MCP configuration, create it in the *.vscode* directory of your workspace.
+
+1. Add your MCP server configuration:
+
+   ```json
+   {
+     "servers": {
+       "my-app-service-mcp": {
+         "type": "http",
+         "url": "https://<your-app-url>.azurewebsites.net/api/mcp"
+       }
+     }
+   }
+   ```
+
+   Replace `<your-app-url>` with your actual App Service app URL. You can find your app's default domain on the **Overview** page in the Azure portal. In this example, the path is `/api/mcp`, but the actual path depends on your MCP code.
+
+1. In Visual Studio Code, open the Command Palette (`Ctrl+Shift+P` or `Cmd+Shift+P` on macOS).
+
+1. Type **MCP: List Servers** and press Enter.
+
+1. Select your MCP server from the list and choose **Start Server**.
+
+1. Visual Studio Code automatically prompts you to sign in with Microsoft Entra ID. Follow the authentication prompts.
+
+   The MCP extension handles the OAuth flow using the scope you configured, and Visual Studio Code obtains the necessary access token to call your MCP server.
+   
+   > [!TIP]
+   > If you see an unexpected authentication prompt or encounter errors, see [Troubleshooting](#troubleshooting).
+
+1. Once authenticated, your MCP server is connected and ready to use in GitHub Copilot Chat agent mode or other MCP clients.
+
+## Test the connection
+
+To verify that your MCP server is properly secured and accessible:
+
+1. Open GitHub Copilot Chat in Visual Studio Code (`Ctrl+Alt+I` or `Cmd+Option+I` on macOS).
+
+1. Try using a feature from your MCP server. For example, if you're using the Todos sample:
+
+   ```
+   Show me all my tasks
+   ```
+
+1. GitHub Copilot should successfully call your MCP server, and you should see the results in the chat. If you encounter any issues, see [Troubleshooting](#troubleshooting).
+
+## Troubleshooting
+
+When you start the MCP server in Visual Studio Code, the authentication prompt you see indicates whether your configuration is correct:
+
+- **Correct configuration**: Visual Studio Code prompts you to **authenticate with Microsoft**. This means the protected resource metadata (PRM) is configured properly, and Visual Studio Code successfully discovered the authorization server and scope from the `/.well-known/oauth-protected-resource` endpoint.
+
+- **Incorrect configuration**: Visual Studio Code prompts you to authenticate with an `/authorize` endpoint on your App Service app (for example, `https://<your-app-url>.azurewebsites.net/authorize`). This means the PRM is not configured properly. Visual Studio Code cannot find the authorization server and authorization scope, so it falls back to using your app's URL as the authorization endpoint, which doesn't exist.
+
+If you see the incorrect authentication prompt, verify that:
+- Your app setting `WEBSITE_AUTH_PRM_DEFAULT_WITH_SCOPES` is correctly configured with the full scope value `api://<app-registration-app-id>/user_impersonation`.
+- The App Service app has fully restarted after adding the app setting. It might take a few minutes to complete the restart.
+
+If you see authentication errors after signing in, verify that:
+- The Visual Studio Code client ID (`aebc6443-996d-45c2-90f0-388ff96faa56`) is added to both the App Service authentication configuration (allowed client applications) and in the app registration (authorized client applications in **Expose an API**).
+- The scope value in the app setting matches exactly what's defined in your app registration.
+
+## Related content
+
+- [Secure a Model Context Protocol server in Azure App Service](configure-authentication-mcp.md)
+- [Configure your App Service or Azure Functions app to use Microsoft Entra sign-in](configure-authentication-provider-aad.md)
+- [Configure the Microsoft Entra provider with a managed identity instead of a secret (preview)](configure-authentication-provider-aad.md#use-a-managed-identity-instead-of-a-secret-preview)
+- [What is Model Context Protocol?](https://modelcontextprotocol.io/)

articles/app-service/configure-language-python.md

@@ -26,10 +26,7 @@ ms.custom:
 
 This article describes how [Azure App Service](overview.md) runs Python apps, how you can migrate existing apps to Azure, and how you can customize the behavior of App Service when you need to. Python apps must be deployed with all the required [pip](https://pypi.org/project/pip/) modules.
 
-The App Service deployment engine automatically activates a virtual environment and runs `pip install -r requirements.txt` when you deploy a [Git repository](deploy-local-git.md) or when you deploy a [zip package](deploy-zip.md) [with build automation enabled](deploy-zip.md#enable-build-automation-for-zip-deploy).
-
-> [!NOTE]
-> App Service currently requires `requirements.txt` in your project's root directory even if you have a `pyproject.toml`. See [Generate requirements.txt from pyproject.toml](#generate-requirementstxt-from-pyprojecttoml) for recommended approaches.
+The App Service deployment engine automatically activates a virtual environment and installs dependencies from a `requirements.txt`, `pyproject.toml`, or `setup.py` file when you deploy a [Git repository](deploy-local-git.md) or when you deploy a [zip package](deploy-zip.md) [with build automation enabled](deploy-zip.md#enable-build-automation-for-zip-deploy).
 
 This article provides key concepts and instructions for Python developers who use a built-in Linux container in App Service. If you've never used App Service, first complete the [Python quickstart](quickstart-python.md) and [Flask](tutorial-python-postgresql-app-flask.md), [Django](tutorial-python-postgresql-app-django.md), or [FastAPI](tutorial-python-postgresql-app-fastapi.md) with PostgreSQL tutorial.
 
@@ -84,7 +81,17 @@ The App Service build system, called Oryx, performs the following steps when you
 
 1. Run a custom pre-build script, if that step is specified by the `PRE_BUILD_COMMAND` setting. (The script can itself run other Python and Node.js scripts, pip and npm commands, and Node-based tools like Yarn, for example, `yarn install` and `yarn build`.)
 
-1. Run `pip install -r requirements.txt`. The *requirements.txt* file must be in the project's root folder. If it's not, the build process reports the error "Could not find setup.py or requirements.txt; Not running pip install."
+1. Install dependencies. The build system checks for the following files in the project root:
+    - *requirements.txt*: Runs `pip install -r requirements.txt`.
+    - *pyproject.toml* with *uv.lock*: Uses `uv`.
+    - *pyproject.toml* with *poetry.lock*: Uses `poetry`.
+    - *pyproject.toml*: Uses `poetry`.
+    - *setup.py*: Runs `pip install .`.
+
+    > [!NOTE]
+    > If *pyproject.toml* is present but *uv.lock* is missing, App Service defaults to using Poetry, even if *poetry.lock* is also missing. To use `uv`, you must include *uv.lock* in your deployment.
+
+    If none of these files are found, the build process reports the error "Could not find setup.py or requirements.txt; Not running pip install."
 
 1. If *manage.py* is found in the root of the repository (which indicates a Django app), run `manage.py collectstatic`. However, if the `DISABLE_COLLECTSTATIC` setting is `true`, this step is skipped.
 
@@ -112,36 +119,13 @@ For more information on how App Service runs and builds Python apps in Linux, se
 > [!NOTE]
 > Always use relative paths in all pre-build and post-build scripts because the build container in which Oryx runs is different from the runtime container in which the app runs. Never rely on the exact placement of your app project folder within the container (for example, that it's placed under *site/wwwroot*).
 
-## Generate requirements.txt from pyproject.toml
-
-Currently, App Service doesn't directly support `pyproject.toml`. If you use tools like Poetry or uv, the recommended approach is to generate a compatible *requirements.txt* file before deployment in your project's root:
-
-### Using Poetry
-
-Generate *requirements.txt* by using [Poetry](https://python-poetry.org/) with the [export plugin](https://github.com/python-poetry/poetry-plugin-export):
-
-```sh
-
-poetry export -f requirements.txt --output requirements.txt --without-hashes
-
-```
-
-### Using uv
-
-Generate *requirements.txt* by using [uv](https://docs.astral.sh/uv/concepts/projects/sync/#exporting-the-lockfile):
-
-```sh
-
-uv export --format requirements-txt --no-hashes --output-file requirements.txt
-
-```
 
 ## Migrate existing applications to Azure
 
 You can redeploy existing web applications to Azure as follows:
 
 1. **Source repository**. Maintain your source code in a suitable repository, like GitHub, which enables you to set up continuous deployment later in this process.
-    - Your *requirements.txt* file must be at the root of your repository if you want App Service to automatically install the necessary packages.
+    - Your dependency file (such as *requirements.txt*, *pyproject.toml*, or *setup.py*) must be at the root of your repository if you want App Service to automatically install the necessary packages.
 
 1. **Database**. If your app depends on a database, create the necessary resources on Azure as well.
 
@@ -248,9 +232,9 @@ This container has the following characteristics:
 
 - By default, the base container image includes only the Flask web framework, but the container supports other frameworks that are WSGI-compliant and compatible with Python 3.6 and later, such as Django.
 
-- To install other packages, such as Django, create a [*requirements.txt*](https://pip.pypa.io/en/stable/user_guide/#requirements-files) file in the root of your project that specifies your direct dependencies. App Service then installs those dependencies automatically when you deploy your project.
+- To install other packages, such as Django, create a [*requirements.txt*](https://pip.pypa.io/en/stable/user_guide/#requirements-files), *pyproject.toml*, or *setup.py* file in the root of your project that specifies your direct dependencies. App Service then installs those dependencies automatically when you deploy your project.
 
-    The *requirements.txt* file must be in the project root or dependencies won't be installed. If this file isn't in the root, the build process reports the error "Could not find setup.py or requirements.txt; Not running pip install." If you encounter this error, check the location of your requirements file.
+    The dependency file must be in the project root or dependencies won't be installed. If this file isn't in the root, the build process reports the error "Could not find setup.py or requirements.txt; Not running pip install." If you encounter this error, check the location of your requirements file.
 
 - App Service automatically defines an environment variable named `WEBSITE_HOSTNAME` that contains the web app's URL, such as `msdocs-hello-world.azurewebsites.net`. It also defines `WEBSITE_SITE_NAME`, which contains the name of your app, such as `msdocs-hello-world`.
 
@@ -403,7 +387,7 @@ Use the following steps to access the deployment logs:
 1. On the **Logs** tab, select the **Commit ID** for the most recent commit.
 1. On the **Log details** page that appears, select the **Show Logs** link that appears next to **Running oryx build**.
 
-Build issues, like incorrect dependencies in *requirements.txt* and errors in pre-build or post-build scripts, appear in these logs. Errors also appear if your requirements file isn't named *requirements.txt* or doesn't appear in the root folder of your project.
+Build issues, like incorrect dependencies in your dependency file and errors in pre-build or post-build scripts, appear in these logs. Errors also appear if your dependency file isn't found in the root folder of your project.
 
 ## Open SSH session in a browser
 
@@ -423,7 +407,7 @@ In general, the first step in troubleshooting is to use App Service diagnostics:
 1. Select **Availability and Performance**.
 1. Examine the information in **Application Logs**, **Container Crash**, and **Container Issues**, where the most common issues appear.
 
-Next, examine both the [deployment logs](#access-deployment-logs) and the [app logs](#access-diagnostic-logs) for any error messages. These logs often identify specific issues that can prevent app deployment or app startup. For example, the build can fail if your *requirements.txt* file has the wrong file name or isn't present in your project root folder.
+Next, examine both the [deployment logs](#access-deployment-logs) and the [app logs](#access-diagnostic-logs) for any error messages. These logs often identify specific issues that can prevent app deployment or app startup. For example, the build can fail if your dependency file isn't present in your project root folder.
 
 The following sections provide guidance for specific issues.
 
@@ -459,9 +443,9 @@ The following sections provide guidance for specific issues.
 
 #### Could not find setup.py or requirements.txt
 
-- **The log stream shows "Could not find setup.py or requirements.txt; Not running pip install."** The Oryx build process failed to find your *requirements.txt* file.
+- **The log stream shows "Could not find setup.py or requirements.txt; Not running pip install."** The Oryx build process failed to find your *requirements.txt*, *pyproject.toml*, or *setup.py* file.
 
-  - Connect to the web app's container via [SSH](#open-ssh-session-in-a-browser) and verify that *requirements.txt* is named correctly and exists directly under *site/wwwroot*. If it doesn't exist, make sure the file exists in your repository and is included in your deployment. If it exists in a separate folder, move it to the root.
+  - Connect to the web app's container via [SSH](#open-ssh-session-in-a-browser) and verify that your dependency file is named correctly and exists directly under *site/wwwroot*. If it doesn't exist, make sure the file exists in your repository and is included in your deployment. If it exists in a separate folder, move it to the root.
 
 #### ModuleNotFoundError when app starts