Important: This document reflects the latest MCP Specification 2025-11-25 security requirements and official MCP Security Best Practices. Always refer to the current specification for the most up-to-date guidance.
For practical implementation experience, we recommend the MCP Security Summit Workshop (Sherpa) - a comprehensive guided expedition to securing MCP servers in Azure. The workshop covers all OWASP MCP Top 10 risks through a "vulnerable → exploit → fix → validate" methodology.
All practices in this document align with the OWASP MCP Azure Security Guide for Azure-specific implementation guidance.
The Model Context Protocol introduces unique security challenges that extend beyond traditional software security. These practices address both foundational security requirements and MCP-specific threats including prompt injection, tool poisoning, session hijacking, confused deputy problems, and token passthrough vulnerabilities.
Critical Requirements from MCP Specification:
- MUST NOT: MCP servers MUST NOT accept any tokens that were not explicitly issued for the MCP server
- MUST: MCP servers implementing authorization MUST verify ALL inbound requests
- MUST NOT: MCP servers MUST NOT use sessions for authentication
- MUST: MCP proxy servers using static client IDs MUST obtain user consent for each dynamically registered client
Authentication & Authorization Controls:
- Rigorous Authorization Review: Conduct comprehensive audits of MCP server authorization logic to ensure only intended users and clients can access resources
- External Identity Provider Integration: Use established identity providers like Microsoft Entra ID rather than implementing custom authentication
- Token Audience Validation: Always validate that tokens were explicitly issued for your MCP server - never accept upstream tokens
- Proper Token Lifecycle: Implement secure token rotation, expiration policies, and prevent token replay attacks
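The audience check behind the first MUST NOT above and the Token Audience Validation item, as an added example that is not part of the original document: a stdlib-only validator for an HS256 JWT that pins the algorithm, checks signature, issuer and expiry, and rejects any token whose aud does not name this MCP server (so an upstream API token cannot be passed through). The resource identifier, issuer URL and signing key are constructed demo values; mint_token stands in for the identity provider.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not from the page): this MCP server's
# resource identifier, the trusted issuer, and the issuer's HS256 signing key.
MCP_RESOURCE = "https://mcp.example.com"
TRUSTED_ISSUER = "https://login.example.com"
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider: issue an HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_inbound_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, expiry and audience; raise ValueError otherwise.
    The audience check is what stops token passthrough: a valid token minted for
    an upstream API is still not a token issued for this MCP server."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
    if MCP_RESOURCE not in audiences:
        raise ValueError("token not issued for this MCP server")
    return claims
```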
Protected Token Storage:
- Use Azure Key Vault or similar secure credential stores for all secrets
- Implement encryption for tokens both at rest and in transit
- Regular credential rotation and monitoring for unauthorized access
Secure Session Practices:
- Cryptographically Secure Session IDs: Use secure, non-deterministic session IDs generated with secure random number generators
- User-Specific Binding: Bind session IDs to user identities using formats like <user_id>:<session_id> to prevent cross-user session abuse
- Session Lifecycle Management: Implement proper expiration, rotation, and invalidation to limit vulnerability windows
- HTTPS/TLS Enforcement: Mandatory HTTPS for all communication to prevent session ID interception
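The session practices above, as an added example not taken from the original document: an in-memory store keyed by <user_id>:<session_id>, where the user half always comes from the request's already-verified token, so a session id presented by a different authenticated user resolves to nothing (sessions carry state, not identity). The 15-minute idle timeout is a constructed value.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 900  # constructed value: 15-minute idle timeout

class SessionStore:
    """In-memory store keyed by '<user_id>:<session_id>'.
    The user_id half always comes from the request's verified token, never from
    the session itself, so a session id can never stand in for authentication."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG; never derive ids from time, counters or user data.
        session_id = secrets.token_urlsafe(32)
        self._sessions[f"{user_id}:{session_id}"] = {"last_seen": now, "state": {}}
        return session_id

    def lookup(self, authenticated_user: str, session_id: str,
               now: Optional[float] = None) -> Optional[dict]:
        """Resolve a session for the caller proven by the token. A session id
        presented by a different authenticated user simply does not exist for them."""
        now = time.time() if now is None else now
        key = f"{authenticated_user}:{session_id}"
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[key]  # expired: invalidate instead of silently extending
            return None
        entry["last_seen"] = now
        return entry

    def rotate(self, user_id: str, session_id: str,
               now: Optional[float] = None) -> Optional[str]:
        """Swap in a fresh id (e.g. after a privilege change) and retire the old one."""
        entry = self.lookup(user_id, session_id, now)
        if entry is None:
            return None
        del self._sessions[f"{user_id}:{session_id}"]
        new_id = secrets.token_urlsafe(32)
        self._sessions[f"{user_id}:{new_id}"] = entry
        return new_id

    def invalidate(self, user_id: str, session_id: str) -> bool:
        return self._sessions.pop(f"{user_id}:{session_id}", None) is not None
```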
Transport Layer Security:
- Configure TLS 1.3 where possible with proper certificate management
- Implement certificate pinning for critical connections
- Regular certificate rotation and validity verification
Prompt Injection Defense:
- Microsoft Prompt Shields: Deploy AI Prompt Shields for advanced detection and filtering of malicious instructions
- Input Sanitization: Validate and sanitize all inputs to prevent injection attacks and confused deputy problems
- Content Boundaries: Use delimiter and datamarking systems to distinguish between trusted instructions and external content
Tool Poisoning Prevention:
- Tool Metadata Validation: Implement integrity checks for tool definitions and monitor for unexpected changes
- Dynamic Tool Monitoring: Monitor runtime behavior and set up alerting for unexpected execution patterns
- Approval Workflows: Require explicit user approval for tool modifications and capability changes
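One way to implement the metadata integrity check and approval gate above, as an added example that is not the document's or the MCP project's own code: fingerprint each tool's name, description and inputSchema with canonical JSON at approval time, then hold back any tool whose definition is new or changed on a later tools/list. The tool definitions below are constructed samples.

```python
import hashlib
import json
from typing import Dict, List, Tuple

def tool_fingerprint(tool: dict) -> str:
    """Hash the model-visible, security-relevant fields of an MCP tool definition.
    Canonical JSON (sorted keys, fixed separators) makes the hash independent of
    key order and whitespace, so only a real change alters the fingerprint."""
    relevant = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(relevant, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(tools: List[dict]) -> Dict[str, str]:
    """Record fingerprints at the moment a user reviews and approves the tool list."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def check_tools(pinned: Dict[str, str], current: List[dict]) -> Tuple[List[dict], List[str]]:
    """Compare a fresh tools/list result with the approved pins.
    Returns (tools safe to expose to the model, tool names that need re-approval).
    Anything new or changed since approval is held back until a human re-approves it."""
    approved, needs_review = [], []
    for tool in current:
        if pinned.get(tool["name"]) == tool_fingerprint(tool):
            approved.append(tool)
        else:
            needs_review.append(tool["name"])
    return approved, needs_review

# Constructed sample definitions (not from any real MCP server).
APPROVED_TOOLS = [
    {"name": "read_file",
     "description": "Read a UTF-8 text file from the workspace.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]}},
]
# The same tool after its description was silently changed post-approval.
CHANGED_TOOLS = [
    {"name": "read_file",
     "description": "Read a UTF-8 text file from the workspace. [text appended after approval]",
     "inputSchema": APPROVED_TOOLS[0]["inputSchema"]},
]
```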
Principle of Least Privilege:
- Grant MCP servers only minimum permissions required for intended functionality
- Implement role-based access control (RBAC) with fine-grained permissions
- Regular permission reviews and continuous monitoring for privilege escalation
Runtime Permission Controls:
- Apply resource limits to prevent resource exhaustion attacks
- Use container isolation for tool execution environments
- Implement just-in-time access for administrative functions
Content Safety Implementation:
- Azure Content Safety Integration: Use Azure Content Safety to detect harmful content, jailbreak attempts, and policy violations
- Behavioral Analysis: Implement runtime behavioral monitoring to detect anomalies in MCP server and tool execution
- Comprehensive Logging: Log all authentication attempts, tool invocations, and security events with secure, tamper-proof storage
Continuous Monitoring:
- Real-time alerting for suspicious patterns and unauthorized access attempts
- Integration with SIEM systems for centralized security event management
- Regular security audits and penetration testing of MCP implementations
Component Verification:
- Dependency Scanning: Use automated vulnerability scanning for all software dependencies and AI components
- Provenance Validation: Verify the origin, licensing, and integrity of models, data sources, and external services
- Signed Packages: Use cryptographically signed packages and verify signatures before deployment
Secure Development Pipeline:
- GitHub Advanced Security: Implement secret scanning, dependency analysis, and CodeQL static analysis
- CI/CD Security: Integrate security validation throughout automated deployment pipelines
- Artifact Integrity: Implement cryptographic verification for deployed artifacts and configurations
OAuth 2.1 Implementation:
- PKCE Implementation: Use Proof Key for Code Exchange (PKCE) for all authorization requests
- Explicit Consent: Obtain user consent for each dynamically registered client to prevent confused deputy attacks
- Redirect URI Validation: Implement strict validation of redirect URIs and client identifiers
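The PKCE and redirect URI requirements above, as an added example that is not part of the original document: S256 challenge generation and verification plus exact-match redirect URI validation, on a minimal stand-in for the authorization and token endpoints. The client registration is a constructed value; the S256 vector checked in the test is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

def new_code_verifier() -> str:
    # RFC 7636: 43-128 unreserved characters; 32 random bytes encode to 43 chars.
    return secrets.token_urlsafe(32)

def code_challenge_s256(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Constructed client registration (assumption, not a real client).
REGISTERED_CLIENTS: Dict[str, Dict[str, list]] = {
    "mcp-client-demo": {"redirect_uris": ["https://client.example.com/callback"]},
}

def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against pre-registered URIs. No prefix, wildcard or
    host-only matching: lax comparison is how authorization codes end up
    delivered to URIs the legitimate client never registered."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]

class AuthorizationServer:
    """Minimal stand-in for the authorization and token endpoints."""
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str) -> Optional[str]:
        if method != "S256" or not validate_redirect_uri(client_id, redirect_uri):
            return None  # refuse the 'plain' method and any unregistered redirect
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge, redirect_uri)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str,
                 code_verifier: str) -> bool:
        record = self._pending.pop(code, None)  # a code is single-use
        if record is None:
            return False
        bound_client, challenge, bound_redirect = record
        if (client_id, redirect_uri) != (bound_client, bound_redirect):
            return False
        # Only the party holding the verifier can satisfy the challenge, so an intercepted code alone is useless.
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)
```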
Proxy Security:
- Prevent authorization bypass through static client ID exploitation
- Implement proper consent workflows for third-party API access
- Monitor for authorization code theft and unauthorized API access
Rapid Response Capabilities:
- Automated Response: Implement automated systems for credential rotation and threat containment
- Rollback Procedures: Ability to quickly revert to known-good configurations and components
- Forensic Capabilities: Detailed audit trails and logging for incident investigation
Communication & Coordination:
- Clear escalation procedures for security incidents
- Integration with organizational incident response teams
- Regular security incident simulations and tabletop exercises
Regulatory Compliance:
- Ensure MCP implementations meet industry-specific requirements (GDPR, HIPAA, SOC 2)
- Implement data classification and privacy controls for AI data processing
- Maintain comprehensive documentation for compliance auditing
Change Management:
- Formal security review processes for all MCP system modifications
- Version control and approval workflows for configuration changes
- Regular compliance assessments and gap analysis
Zero Trust Architecture:
- Never Trust, Always Verify: Continuous verification of users, devices, and connections
- Micro-segmentation: Granular network controls isolating individual MCP components
- Conditional Access: Risk-based access controls adapting to current context and behavior
Runtime Application Protection:
- Runtime Application Self-Protection (RASP): Deploy RASP techniques for real-time threat detection
- Application Performance Monitoring: Monitor for performance anomalies that may indicate attacks
- Dynamic Security Policies: Implement security policies that adapt based on current threat landscape
Comprehensive Microsoft Security:
- Microsoft Defender for Cloud: Cloud security posture management for MCP workloads
- Azure Sentinel: Cloud-native SIEM and SOAR capabilities for advanced threat detection
- Microsoft Purview: Data governance and compliance for AI workflows and data sources
Identity & Access Management:
- Microsoft Entra ID: Enterprise identity management with conditional access policies
- Privileged Identity Management (PIM): Just-in-time access and approval workflows for administrative functions
- Identity Protection: Risk-based conditional access and automated threat response
Staying Current:
- Specification Monitoring: Regular review of MCP specification updates and security guidance changes
- Threat Intelligence: Integration of AI-specific threat feeds and indicators of compromise
- Security Community Engagement: Active participation in MCP security community and vulnerability disclosure programs
Adaptive Security:
- Machine Learning Security: Use ML-based anomaly detection for identifying novel attack patterns
- Predictive Security Analytics: Implement predictive models for proactive threat identification
- Security Automation: Automated security policy updates based on threat intelligence and specification changes
- OWASP MCP Azure Security Guide - Comprehensive OWASP MCP Top 10 with Azure implementation
- OWASP MCP Top 10 - Official OWASP MCP security risks
- MCP Security Summit Workshop (Sherpa) - Hands-on security training for MCP on Azure
- OAuth 2.0 Security Best Practices (RFC 9700)
- OWASP Top 10 for Large Language Models
- NIST AI Risk Management Framework
Security Notice: MCP security practices evolve rapidly. Always verify against the current MCP specification and official security documentation before implementation.