MCP Microsoft Entra OAuth Policy
Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Microsoft Entra ID.
This is an Entra-friendly wrapper around McpOAuthInboundPolicy. Provide a
tenant UUID, clientId, and clientSecret; the Microsoft identity platform v2
OIDC issuer, JWKS URL, and browser login endpoints are derived automatically.
Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
config/policies.json
Policy Configuration
name<string>- The name of your policy instance. This is used as a reference in your routes.policyType<string>- The identifier of the policy. This is used by the Zuplo UI. Value should bemcp-entra-oauth-inbound.handler.export<string>- The name of the exported type. Value should beMcpEntraOAuthInboundPolicy.handler.module<string>- The module containing the policy. Value should be$import(@zuplo/runtime).handler.options<object>- The options for this policy. See Policy Options below.
Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
tenantId(required)<string>- The Microsoft Entra tenant UUID. Multi-tenant aliases like common and organizations are not supported by this policy yet.clientId(required)<string>- The Microsoft Entra application (client) ID UUID registered for the gateway's browser login flow.clientSecret(required)<string>- The Microsoft Entra client secret. Use $env(...) to source from a secret environment variable.scope<string>- OIDC scopes requested during browser login. Defaults to"openid profile email".gateway<object>- Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.accessTokenTtlSeconds<integer>- Lifetime of access tokens issued by /oauth/token. Defaults to900.refreshTokenTtlSeconds<integer>- Lifetime of refresh tokens issued by /oauth/token. Defaults to2592000.cimdEnabled<boolean>- Whether to advertise client_id_metadata_document_supported in AS metadata. Defaults totrue.
browserLoginOverrides<object>- Optional overrides for the derived browser-login settings.remoteTimeoutMs<integer>- No description available. Defaults to10000.stateTtlSeconds<integer>- No description available. Defaults to900.sessionTtlSeconds<integer>- No description available. Defaults to28800.
Using the Policy
MCP Microsoft Entra OAuth Inbound
Authenticate MCP gateway requests using a gateway-issued OAuth access token, with browser login delegated to Microsoft Entra ID.
This is a thin Entra-friendly wrapper around the generic
McpOAuthInboundPolicy. Use it when you want to configure browser login with
tenant-specific Microsoft identity platform v2 fields instead of the full set of
OIDC URLs.
Derived configuration
Given a Microsoft Entra tenant UUID, the wrapper derives:
| Generic field | Derived value |
|---|---|
oidc.issuer | https://login.microsoftonline.com/{tenantId}/v2.0 |
oidc.jwksUrl | https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys |
browserLogin.url | https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize |
browserLogin.tokenUrl | https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token |
The policy intentionally requires a tenant UUID. Entra aliases like common,
organizations, and consumers have issuer semantics that do not match the
gateway's current exact issuer verification model.
Configuration
Code
tenantId must be the tenant UUID from Microsoft Entra ID. Do not pass a
verified domain, common, organizations, consumers, or a full URL.
Pairing
Pair this policy with McpTokenExchangeInboundPolicy and McpProxyHandler, the
same as McpOAuthInboundPolicy. Only one MCP OAuth policy is allowed per
project; attach the same policy by name to every MCP route.
Read more about how policies work