Merge pull request #312019 from craigshoemaker/aca/mcp-content

[Container Apps] New: MCP Content

Author: JillGrant615

articles/container-apps/TOC.yml

@@ -52,6 +52,26 @@ items:
       href: ai-integration.md
     - name: Compose for agents
       href: compose-agent.md
+    - name: MCP servers
+      items:
+        - name: Overview
+          href: mcp-overview.md
+        - name: Choose a hosting option
+          href: mcp-choosing-azure-service.md
+        - name: Tutorials
+          items:
+            - name: Deploy with .NET
+              href: tutorial-mcp-server-dotnet.md
+            - name: Deploy with Python
+              href: tutorial-mcp-server-python.md
+            - name: Deploy with Node.js
+              href: tutorial-mcp-server-nodejs.md
+            - name: Deploy with Java
+              href: tutorial-mcp-server-java.md
+        - name: Authentication
+          href: mcp-authentication.md
+        - name: Troubleshooting
+          href: mcp-troubleshooting.md
     - name: GPUs
       items:
         - name: Serverless GPUs

articles/container-apps/mcp-authentication.md

@@ -0,0 +1,220 @@
+---
+title: Secure MCP servers on Azure Container Apps
+description: Learn how to authenticate and authorize MCP servers on Azure Container Apps using Microsoft Entra ID or API key authentication.
+#customer intent: As a developer, I want to secure my MCP server on Azure Container Apps so that only authorized clients can access my tools.
+ms.topic: how-to
+ms.service: azure-container-apps
+ms.collection: ce-skilling-ai-copilot
+ms.date: 02/19/2026
+author: craigshoemaker
+ms.author: cshoe
+ms.reviewer: cshoe
+---
+
+# Secure MCP servers on Azure Container Apps
+
+This article explains how to authenticate and secure MCP servers running on Azure Container Apps. The approach differs depending on whether you host a **standalone container app** or use the **platform-managed MCP server** in dynamic sessions.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).
+- [Azure CLI](/cli/azure/install-azure-cli) version 2.62.0 or later.
+- An existing container app or session pool. If you don't have one, see the [MCP server tutorials](mcp-overview.md).
+
+## Authentication models overview
+
+Azure Container Apps supports two authentication models for MCP servers. The following table summarizes the key differences.
+
+| Aspect | Standalone container app | Dynamic sessions MCP |
+|--------|--------------------------|----------------------|
+| Auth mechanism | Container Apps built-in authentication with Microsoft Entra ID | API key via `x-ms-apikey` header |
+| Token type | OAuth 2.0 Bearer token | Opaque API key string |
+| Identity provider | Microsoft Entra ID | Azure Resource Manager |
+| Key/token rotation | Managed by Microsoft Entra ID | Regenerate via Azure Resource Manager API |
+| Authorization scope | Configurable per application | Session pool level |
+| Transport encryption | TLS (Container Apps ingress) | TLS (Container Apps sessions endpoint) |
+
+## Standalone container app with Microsoft Entra ID authentication
+
+When you deploy your own MCP server as a container app, you own the authentication layer. Use the Container Apps [built-in authentication](/azure/container-apps/authentication) feature backed by Microsoft Entra ID.
+
+### Configure built-in authentication
+
+The following steps register a Microsoft Entra ID application and enable built-in authentication on your container app.
+
+1. Register an application in Microsoft Entra ID:
+
+    ```azurecli
+    APP_ID=$(az ad app create \
+        --display-name "mcp-server-auth" \
+        --sign-in-audience AzureADMyOrg \
+        --query appId -o tsv)
+    ```
+
+1. Create a service principal:
+
+    ```azurecli
+    az ad sp create --id $APP_ID
+    ```
+
+1. Add a client secret:
+
+    ```azurecli
+    CLIENT_SECRET=$(az ad app credential reset --id $APP_ID --query password -o tsv)
+    TENANT_ID=$(az account show --query tenantId -o tsv)
+    ```
+
+1. Enable built-in auth on the container app:
+
+    ```azurecli
+    az containerapp auth microsoft update \
+        --name <CONTAINER_APP_NAME> \
+        --resource-group <RESOURCE_GROUP> \
+        --client-id $APP_ID \
+        --client-secret $CLIENT_SECRET \
+        --tenant-id $TENANT_ID \
+        --issuer "https://login.microsoftonline.com/$TENANT_ID/v2.0" \
+        --yes
+    ```
+
+1. Set the unauthenticated action to require login:
+
+    ```azurecli
+    az containerapp auth update \
+        --name <CONTAINER_APP_NAME> \
+        --resource-group <RESOURCE_GROUP> \
+        --unauthenticated-client-action Return401
+    ```
+
+### Connect from an MCP client with a bearer token
+
+When your MCP server requires a bearer token, configure token retrieval in your MCP client. The following example shows a `.vscode/mcp.json` configuration for GitHub Copilot:
+
+```json
+{
+    "servers": {
+        "my-mcp-server": {
+            "type": "http",
+            "url": "https://<CONTAINER_APP_NAME>.<REGION>.azurecontainerapps.io/mcp",
+            "headers": {
+                "Authorization": "Bearer ${input:mcpBearerToken}"
+            }
+        }
+    },
+    "inputs": [
+        {
+            "id": "mcpBearerToken",
+            "type": "promptString",
+            "description": "Enter your bearer token for the MCP server",
+            "password": true
+        }
+    ]
+}
+```
+
+> [!TIP]
+> For development, get a token by using `az account get-access-token --resource $APP_ID --query accessToken -o tsv` and paste it when prompted. For automated workflows, integrate with your organization's token management system.
+
+### Configure CORS
+
+MCP clients that connect from web-based environments need CORS headers. Use the following command to configure CORS on your container app:
+
+```azurecli
+az containerapp ingress cors update \
+    --name <CONTAINER_APP_NAME> \
+    --resource-group <RESOURCE_GROUP> \
+    --allowed-origins "https://vscode.dev" "https://github.dev" \
+    --allowed-methods "GET" "POST" "OPTIONS" \
+    --allowed-headers "Content-Type" "Authorization" "Mcp-Session-Id" \
+    --max-age 3600
+```
+
+The following headers are key to allow:
+
+- `Content-Type`: required for JSON-RPC requests
+- `Authorization`: required for bearer token auth
+- `Mcp-Session-Id`: used by MCP clients for stateful sessions
+
+> [!NOTE]
+> GitHub Copilot connects to remote MCP servers from the VS Code desktop app, not from a browser. CORS is only needed if you intend to support browser-based MCP clients or VS Code for the Web. The standalone tutorials use wildcard CORS origins for simplicity; for production, restrict to specific trusted origins as shown here.
+
+### Security recommendations for standalone MCP servers
+
+Apply the following best practices to harden your standalone MCP server.
+
+- **Network restrictions**: Use [IP restrictions](/azure/container-apps/ip-restrictions) or [virtual network integration](/azure/container-apps/vnet-custom) to limit access to known client IPs.
+- **Rate limiting**: Implement rate limiting in your application code or front the app with Azure API Management.
+- **Input validation**: Validate all tool arguments in your MCP server code. MCP tool inputs are arbitrary JSON. Treat them as untrusted.
+- **Stateless design**: Prefer stateless MCP servers to avoid session-hijacking risks. In most MCP SDKs, this means disabling server-side session ID generation (for example, `sessionIdGenerator: undefined` in TypeScript or `stateless_http=True` in Python).
+- **Health probes**: Configure health probes on a separate endpoint (such as `/healthz`), not on the MCP endpoint. MCP endpoints expect JSON-RPC POST requests and return errors for plain GET probes.
+
+## Dynamic sessions with API key authentication
+
+> [!IMPORTANT]
+> The platform-managed MCP server for dynamic sessions is in **preview**. The API version `2025-02-02-preview` and `mcpServerSettings` properties are subject to change.
+
+The platform-managed MCP server in dynamic sessions uses API key authentication. The key is scoped to the session pool and grants access to all tools and sessions in the pool.
+
+### API key authentication flow
+
+The following steps describe how API key authentication works for dynamic sessions.
+
+1. The client sends a JSON-RPC request with the `x-ms-apikey` header.
+1. The session pool proxy validates the key against the Azure control plane.
+1. If the key is valid, the request is forwarded to the session. If not, an authentication error is returned.
+
+### Retrieve the API key
+
+Use the following command to fetch the API key for your session pool.
+
+```azurecli
+API_KEY=$(az rest --method POST \
+    --uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.App/sessionPools/<SESSION_POOL_NAME>/fetchMCPServerCredentials" \
+    --uri-parameters api-version=2025-02-02-preview \
+    --query "apiKey" -o tsv)
+```
+
+### Rotate and cache the API key
+
+You can regenerate the API key at any time. The platform caches validation results for up to five minutes, so previously valid keys might continue to work after regeneration until the cache expires.
+
+To rotate the API key, call the `regenerateCredentials` action on the session pool:
+
+```azurecli
+az rest --method POST \
+    --uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.App/sessionPools/<SESSION_POOL_NAME>/regenerateCredentials" \
+    --uri-parameters api-version=2025-02-02-preview
+```
+
+After regeneration, retrieve the new key by using `fetchMCPServerCredentials` as shown earlier.
+
+### Security recommendations for dynamic sessions
+
+Apply the following best practices to secure your dynamic sessions MCP deployment.
+
+- **API key scope**: The API key grants access to the entire session pool. Any client with the key can create environments and execute code. Don't share the key with untrusted parties.
+- **Environment isolation**: Each session runs in a Hyper-V-isolated container. Code execution in one session can't access another session's data.
+- **Network egress**: Control whether sessions can access the internet by using `sessionNetworkConfiguration.status`. Set to `EgressDisabled` if the sessions don't need external network access.
+- **Session lifetime**: Configure `coolDownPeriodInSeconds` to automatically destroy idle sessions. This setting limits the window of exposure if a session is compromised.
+- **Secret storage**: Store the API key in [Azure Key Vault](/azure/key-vault/general/overview) or [Container Apps secrets](/azure/container-apps/manage-secrets) rather than in code or configuration files.
+
+## Common authentication mismatches
+
+A common mistake is using the API key header (`x-ms-apikey`) with a standalone container app, or using a bearer token with the sessions MCP endpoint. The following table shows what happens when you mix them up.
+
+| Mismatch | Result |
+|----------|--------|
+| `x-ms-apikey` header sent to standalone app | Header is ignored; request hits built-in authentication and returns `401` if auth is enabled |
+| `Authorization: Bearer` sent to sessions MCP | Key validation fails and returns `401` |
+
+Make sure your MCP client configuration matches the hosting model you deployed.
+
+## Related content
+
+- [MCP servers on Azure Container Apps overview](mcp-overview.md)
+- [Authentication and authorization in Azure Container Apps](/azure/container-apps/authentication)
+- [Microsoft Entra ID authentication](/azure/container-apps/authentication-azure-active-directory)
+- [Dynamic sessions overview](/azure/container-apps/sessions)
+- [Manage secrets in Container Apps](/azure/container-apps/manage-secrets)
+- [Configure CORS for Container Apps](/azure/container-apps/cors)
+- [Troubleshoot MCP servers on Container Apps](mcp-troubleshooting.md)

articles/container-apps/mcp-choosing-azure-service.md

@@ -0,0 +1,142 @@
+---
+title: Choose an Azure service for your MCP server
+description: Compare Azure Container Apps, App Service, and Azure Functions for hosting MCP servers and pick the best fit for your workload.
+#customer intent: As a developer, I want to understand how Azure hosting options compare for MCP servers so that I can pick the right service for my workload.
+ms.topic: conceptual
+ms.service: azure-container-apps
+ms.collection: ce-skilling-ai-copilot
+ms.custom: cross-service
+ms.date: 02/19/2026
+author: craigshoemaker
+ms.author: cshoe
+ms.reviewer: cshoe
+---
+
+# Choose an Azure service for your MCP server
+
+You can use several Azure services to host Model Context Protocol (MCP) servers. This guide helps you choose the right service based on your workload requirements, team expertise, and operational needs.
+
+> [!NOTE]
+> This article compares multiple Azure services to help you make a hosting decision. For Container Apps-specific details, see [MCP servers on Azure Container Apps](mcp-overview.md).
+
+## Hosting options overview
+
+Azure provides four ways to host an MCP server. Each option targets a different mix of flexibility, simplicity, and isolation.
+
+### Azure Container Apps (standalone)
+
+Deploy any MCP server you build as a container with HTTP ingress. Container Apps gives you full control over the runtime, supports any language with an MCP SDK, and includes features like autoscaling with scale-to-zero, Dapr integration, and service-to-service networking.
+
+### Azure Container Apps dynamic sessions
+
+Use platform-managed session pools with built-in MCP tooling for sandboxed code execution. You don't write or deploy MCP server code. The platform provides predefined tools for Python and shell environments, with Hyper-V isolation between sessions.
+
+### Azure App Service
+
+Add an MCP endpoint to an existing or new web app. App Service supports code-based deployment without a Dockerfile and integrates with Microsoft Entra ID for authentication.
+
+### Azure Functions
+
+Map function triggers to MCP tools by using the [Azure Functions MCP extension](/azure/azure-functions/scenario-custom-remote-mcp-server). Azure Functions is optimized for stateless, event-driven tool execution with per-invocation pricing.
+
+## Compare hosting options
+
+The following table summarizes the key differences between hosting options.
+
+| Consideration | Container Apps (standalone) | Container Apps (sessions) | App Service | Azure Functions |
+|---|---|---|---|---|
+| **Custom tools** | Yes | No (platform-defined only) | Yes | Yes |
+| **Language support** | Any (containerized) | Python and shell only | .NET, Python, Node.js, Java | .NET, Python, Node.js, Java |
+| **MCP transport** | Streamable HTTP | JSON-RPC over HTTP | Streamable HTTP | MCP extension or self-hosted |
+| **Authentication** | Built-in auth (Microsoft Entra ID) or custom | API key (`x-ms-apikey`) | App Service auth (Microsoft Entra ID) | Function keys or Microsoft Entra ID |
+| **Isolation** | Container-level | Hyper-V per session | App-level | Function-level |
+| **Scaling** | Revision autoscale, scale-to-zero | Per-session, pool-managed | App Service Plan | Consumption or Premium plan |
+| **Cold start** | Yes (mitigate with min replicas) | Subsecond (prewarmed pool) | Depends on plan | Yes (Consumption plan) |
+| **Microservices** | Native (environments, Dapr) | No | Limited | Limited |
+| **Operational overhead** | Medium (Dockerfile, registry) | Low (platform-managed) | Low (code deployment) | Low (function deployment) |
+| **Pricing model** | Per vCPU-second, per GiB-second | Per session (consumption) | App Service Plan | Per execution |
+
+## Choose by scenario
+
+Use the following guidance to narrow your decision based on common workload patterns.
+
+### Build a custom MCP server with Azure
+
+**Recommended: Azure Container Apps (standalone) or Azure App Service**
+
+Both services let you build an MCP server with any official MCP SDK and expose it over streamable HTTP. Choose between them based on your deployment model and feature needs.
+
+- **Container Apps**: Prefer containers, need autoscaling with scale-to-zero, want Dapr integration, or are building a microservices architecture with multiple MCP servers. For interactive MCP clients (like GitHub Copilot), set a minimum replica count of 1 to avoid cold-start latency.
+- **App Service**: Prefer code-based deployment without a Dockerfile, have an existing App Service Plan, or want the simplicity of `az webapp up`.
+
+Tutorials:
+
+- [Deploy an MCP server to Container Apps (.NET)](tutorial-mcp-server-dotnet.md)
+- [Deploy an MCP server to Container Apps (Python)](tutorial-mcp-server-python.md)
+- [Deploy an MCP server to Container Apps (Node.js)](tutorial-mcp-server-nodejs.md)
+- [Deploy an MCP server to Container Apps (Java)](tutorial-mcp-server-java.md)
+
+### Run sandboxed code for an AI agent
+
+**Recommended: Azure Container Apps dynamic sessions**
+
+Session pools with MCP enabled provide Hyper-V-isolated environments for running untrusted or LLM-generated code. The platform manages the MCP server, so you don't write or deploy server code. The built-in tools cover code execution scenarios without custom development:
+
+- `launchShell`: Creates a new environment
+- `runShellCommandInRemoteEnvironment`: Executes shell commands
+- `runPythonCodeInRemoteEnvironment`: Executes Python code
+
+Dynamic sessions maintain prewarmed instances, so you don't experience cold-start latency.
+
+Tutorials:
+
+- [Use MCP with dynamic sessions (shell)](sessions-tutorial-shell-mcp.md)
+- [Use MCP with dynamic sessions (Python)](sessions-tutorial-python-mcp.md)
+
+### Add MCP to an existing web app
+
+**Recommended: Azure App Service**
+
+If your app already runs on App Service, add the MCP SDK to your existing codebase, mount the MCP endpoint alongside your existing routes, and redeploy.
+
+- [Integrate an App Service app as an MCP server (.NET)](/azure/app-service/tutorial-ai-model-context-protocol-server-dotnet)
+- [Integrate an App Service app as an MCP server (Python)](/azure/app-service/tutorial-ai-model-context-protocol-server-python)
+
+If your existing app runs on Container Apps, follow the [standalone tutorials](#build-a-custom-mcp-server-with-azure).
+
+### Create lightweight, event-driven tool endpoints
+
+**Recommended: Azure Functions**
+
+The Azure Functions [MCP extension](/azure/azure-functions/scenario-custom-remote-mcp-server) maps function triggers to MCP tools. Azure Functions is a good fit when:
+
+- Each tool is independent and stateless.
+- You want per-invocation pricing.
+- You're integrating with [Foundry Agent Service](/azure/azure-functions/functions-mcp-foundry-tools).
+
+For interactive MCP clients, use a Functions Premium plan to avoid cold-start latency on the Consumption plan.
+
+### Run multiple MCP servers with service-to-service communication
+
+**Recommended: Azure Container Apps (standalone)**
+
+Container Apps environments support internal service discovery, Dapr sidecars, and managed identities for service-to-service calls. Deploy multiple MCP servers as separate container apps within the same environment and let them communicate securely without exposing internal endpoints to the internet. Container Apps gives you full control over the runtime and dependencies for each server, but you manage a Dockerfile and container images for each one.
+
+## Quick decision guide
+
+Use these questions to narrow your choice:
+
+1. **Do you need sandboxed code execution for untrusted or LLM-generated code?** Use Azure Container Apps dynamic sessions.
+1. **Do you already have a web app running on App Service?** Add MCP to your existing Azure App Service app.
+1. **Do you need event-driven, per-invocation tool execution?** Use Azure Functions.
+1. **Do you need full container control, custom languages, or a microservices architecture?** Use Azure Container Apps (standalone).
+1. **Not sure where to start?** Begin with Azure Container Apps (standalone), which is the most flexible default.
+
+## Related content
+
+- [MCP servers on Azure Container Apps](mcp-overview.md)
+- [Azure Container Apps overview](overview.md)
+- [Dynamic sessions in Azure Container Apps](sessions.md)
+- [Azure App Service overview](/azure/app-service/overview)
+- [Azure Functions overview](/azure/azure-functions/functions-overview)
+- [Connect an MCP server on Azure Functions to a Foundry Agent Service agent](/azure/azure-functions/functions-mcp-foundry-tools)