📢 v1.0.0: This guide shows examples for both `mark3labs/mcp-go` and the official `modelcontextprotocol/go-sdk`. See examples/README.md for the complete setup guide.

The Azure AD (Microsoft Entra ID) provider uses OIDC/JWKS for JWT validation. It is ideal for Microsoft 365 integration and enterprise authentication.
✅ Good for:
- Microsoft 365 / Azure integration
- Enterprise SSO with Azure AD
- Applications for corporate Microsoft users
- Multi-tenant SaaS applications
To register the application in Azure:

- Go to Azure Portal
- Navigate to Microsoft Entra ID (formerly Azure Active Directory)
- Select App registrations → New registration
- Configure:
  - Name: Your MCP Server
  - Supported account types:
    - Single tenant (your org only)
    - Multi-tenant (any Azure AD)
    - Multi-tenant + personal Microsoft accounts
  - Redirect URI (for proxy mode):
    - Type: Web
    - URI: `https://your-server.com/oauth/callback`
- Click Register
After registration, copy:
- Application (client) ID - This is your Client ID
- Directory (tenant) ID - Used in issuer URL
- In your app, go to Certificates & secrets
- Click New client secret
- Add description: "MCP Server OAuth"
- Choose expiration (recommend: 6-12 months)
- Click Add
- Copy the secret value immediately (shown only once!)
- Go to API permissions
- Click Add a permission
- Select Microsoft Graph
- Choose Delegated permissions
- Add permissions:
  - `openid` (sign users in)
  - `profile` (user profile)
  - `email` (user email)
- Click Grant admin consent (if you're admin)
For custom audience claim:
- Go to Token configuration
- Click Add optional claim
- Select ID token type
- Add claims as needed
When: Client handles OAuth with Azure AD directly

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider: "azure",
    Issuer:   "https://login.microsoftonline.com/{tenant-id}/v2.0",
    Audience: "api://your-app-id", // Or Application ID
})
```

Replace `{tenant-id}` with:
- Your Directory (tenant) ID, OR
- `common` for multi-tenant apps
- `organizations` for any Azure AD user
- `consumers` for personal Microsoft accounts only
When: Server proxies OAuth flow

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider:     "azure",
    Issuer:       "https://login.microsoftonline.com/{tenant-id}/v2.0",
    Audience:     "api://your-app-id",
    ClientID:     "12345678-1234-1234-1234-123456789012", // Application ID
    ClientSecret: "secret~from~azure",                    // Client secret
    ServerURL:    "https://your-server.com",
    RedirectURIs: "https://your-server.com/oauth/callback",
})
```

Azure AD is flexible with audience:

```go
Audience: "12345678-1234-1234-1234-123456789012" // Your Application ID
```

Azure tokens automatically include the Application ID in the `aud` claim.
Or use a custom Application ID URI:

- In Azure portal, go to App registrations → Your app
- Navigate to Expose an API
- Set Application ID URI: `api://your-server`
- Click Save

Then configure:

```go
Audience: "api://your-server" // Matches Application ID URI
```

To keep credentials out of the config, load them from environment variables:

```bash
export AZURE_TENANT_ID="your-tenant-id"
export AZURE_CLIENT_ID="your-app-id"
export AZURE_CLIENT_SECRET="your-secret"

# Build issuer URL
export AZURE_ISSUER="https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0"
```

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider:     "azure",
    Issuer:       os.Getenv("AZURE_ISSUER"),
    Audience:     os.Getenv("AZURE_CLIENT_ID"),
    ClientID:     os.Getenv("AZURE_CLIENT_ID"),
    ClientSecret: os.Getenv("AZURE_CLIENT_SECRET"),
    ServerURL:    "https://your-server.com",
    RedirectURIs: "https://your-server.com/oauth/callback",
})
```

Test the setup:

```bash
# Test OAuth flow
curl https://your-server.com/.well-known/oauth-authorization-server

# Test with token
curl -X POST https://your-server.com/mcp \
  -H "Authorization: Bearer <azure-token>" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"hello","arguments":{}}}'
```

Azure AD ID tokens include:
```json
{
  "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ",
  "name": "John Doe",
  "email": "john.doe@company.com",
  "preferred_username": "john.doe@company.com",
  "aud": "api://your-server",
  "iss": "https://login.microsoftonline.com/{tenant}/v2.0",
  "exp": 1234567890,
  "iat": 1234567890,
  "tid": "tenant-id"
}
```

oauth-mcp-proxy extracts:
- `sub` → User.Subject
- `email` → User.Email
- `preferred_username` or `email` → User.Username
For SaaS applications serving multiple Azure AD tenants:

```go
oauth.WithOAuth(mux, &oauth.Config{
    Provider: "azure",
    Issuer:   "https://login.microsoftonline.com/common/v2.0", // Note: "common"
    Audience: "api://your-server",
})
```

This validates tokens from any Azure AD tenant. Extract the tenant from the `tid` claim if needed.
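As an added example that is not part of oauth-mcp-proxy, the Go function below shows the post-validation check a multi-tenant server can run on the decoded claims after the library has verified the signature and expiry: it confirms that `aud` contains the configured audience (the claim may be a string or an array), that `iss` is the v2.0 issuer of the token's own `tid`, and that `tid` is on the server's tenant allowlist, since a `common` issuer accepts every tenant. The `CheckAzureClaims` name, the `azureClaims` struct and the allowlist are assumptions; only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// azureClaims: the claims inspected after the provider has verified signature and expiry.
type azureClaims struct {
	Aud json.RawMessage `json:"aud"` // string or array of strings (RFC 7519)
	Iss string          `json:"iss"`
	Tid string          `json:"tid"`
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// CheckAzureClaims returns the tenant ID when aud contains wantAud, iss is the v2.0 issuer
// of the token's own tid, and tid is allowlisted (empty allowlist = any tenant, as with "common").
func CheckAzureClaims(payload []byte, wantAud string, allowedTenants []string) (string, error) {
	var c azureClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", fmt.Errorf("decode claims: %w", err)
	}
	// aud may be a single string or a JSON array; normalize it to a slice.
	var auds []string
	var one string
	if err := json.Unmarshal(c.Aud, &one); err == nil {
		auds = []string{one}
	} else if err := json.Unmarshal(c.Aud, &auds); err != nil {
		return "", fmt.Errorf("aud claim is neither string nor array")
	}
	if !contains(auds, wantAud) {
		return "", fmt.Errorf("aud %v does not contain %q", auds, wantAud)
	}
	// v2.0 tokens name the issuing tenant in both iss and tid; the two must agree.
	if c.Tid == "" || c.Iss != "https://login.microsoftonline.com/"+c.Tid+"/v2.0" {
		return "", fmt.Errorf("iss %q does not match tid %q", c.Iss, c.Tid)
	}
	if len(allowedTenants) > 0 && !contains(allowedTenants, c.Tid) {
		return "", fmt.Errorf("tenant %q is not onboarded", c.Tid)
	}
	return c.Tid, nil
}
```

Passing `nil` as the allowlist reproduces the "any tenant" behaviour of the `common` issuer; a non-empty list is how tenant onboarding is enforced.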
- Check: Issuer URL format correct (ends with `/v2.0`)
- Check: Tenant ID is correct
- Check: Network can reach `login.microsoftonline.com`
- Check: `Config.Audience` matches token's `aud` claim
- Check: Application ID URI configured in Azure if using custom audience

Common Azure AD error codes:
- `AADSTS50011`: Redirect URI mismatch - check Azure portal configuration
- `AADSTS700016`: Application not found - check Client ID
- `AADSTS7000215`: Invalid client secret - regenerate secret
- Use HTTPS for all endpoints
- Store ClientSecret in Azure Key Vault or environment variables
- Configure appropriate token lifetimes in Azure AD
- Enable Conditional Access policies
- Set up Azure AD monitoring and alerts
- Configure API permissions with least privilege
- Test token expiration and refresh flows
- Document tenant onboarding for multi-tenant apps