MCP Servers for M365

TL;DR: You will connect a Model Context Protocol (MCP) server to a Copilot Studio agent, wire up OAuth 2.0 authentication, and scope its tools to least privilege so the agent reaches enterprise data and actions through one auditable, governed boundary.

What you will learn

  • How MCP exposes tools and resources that a Copilot Studio agent can discover and call.
  • How to connect an existing MCP server to an agent using the MCP onboarding wizard.
  • How to configure OAuth 2.0 (or API key) authentication so each request is identity-bound.
  • How to scope an MCP server to least privilege and keep its tool surface auditable.
  • Which governance controls to apply before exposing an MCP server to production agents.

Prerequisites

  • A Microsoft 365 Copilot licence and access to Copilot Studio.
  • The Copilot Studio author role (or equivalent) on the target environment, plus permission to create connections.
  • Microsoft Entra ID access to register an app and configure OAuth 2.0, with Entra ID P2 recommended for Conditional Access and access reviews on the resulting identities.
  • An existing MCP server reachable over a Streamable HTTP endpoint (Copilot Studio no longer supports SSE transport after August 2025).
  • Generative orchestration enabled on the agent, which is required to use MCP.
  • Completion of an earlier agent-building tutorial so you already have a working Copilot Studio agent.

Understand what an MCP server gives your agent

An MCP server publishes three kinds of capabilities: resources (file-like data the agent reads for context), tools (functions the model can call to perform an action), and prompts (predefined templates). Copilot Studio currently supports MCP tools and resources.

The server itself supplies each tool’s name, description, inputs, and outputs. Copilot Studio reflects changes dynamically, so when you add, update, or remove a tool on the server, every agent that consumes it picks up the change without republishing. This is the key governance property: you manage the action surface in one place rather than per agent.

Connect the MCP server to your agent

Step 1: Start the MCP onboarding wizard

  1. Open your agent in Copilot Studio and go to the Tools page.
  2. Select Add a tool, then New tool.
  3. Select Model Context Protocol. The MCP onboarding wizard appears.

Step 2: Configure the server details

  1. Enter the Server name and Server URL for your MCP endpoint.
  2. Write a clear, specific Server description. The agent orchestrator uses this text to decide whether to call the server at runtime, so a precise description is both a quality and a governance control.
  3. Choose the authentication type: None, API key, or OAuth 2.0. For enterprise data, prefer OAuth 2.0 so calls are bound to a user identity rather than a shared secret.

Configure authentication and least-privilege scoping

Step 3: Wire up OAuth 2.0

  1. Select OAuth 2.0 as the authentication type.
  2. Pick the OAuth flavour your server supports: Dynamic discovery (OAuth 2.0 Dynamic Client Registration with a discovery endpoint, the simplest), Dynamic (DCR without discovery, so you supply endpoints manually), or Manual.
  3. For Manual or Dynamic, provide the authorisation URL, token URL, client ID, client secret, and scopes from your Entra ID app registration.
  4. Select Create. Copilot Studio returns a callback URL.
  5. Add that callback URL as a redirect URI on your Entra ID app registration so the identity provider can return the user after sign-in and consent.

Request only the minimum scopes the server’s tools actually need. Each scope you grant is a permission the agent can exercise on behalf of the signed-in user, so over-scoping here is the most common way agents leak access.

If your server uses an API key instead, choose whether the key travels in a request Header or Query parameter, name that field, and treat the key as a shared secret: rotate it on a schedule and never embed it in prompts or topics.

Step 4: Add and scope the tools

  1. Complete the connection, then select Add and configure. The MCP server’s settings page opens with its published tools and resources.
  2. Review every tool the server exposes. Enable only those this agent needs for its job; a server can publish many tools, and the agent gets access to each one by default.
  3. Save the configuration. The orchestrator now considers these tools at runtime based on the descriptions the server supplied.

Step 5: Test before you ship

  1. Use the Copilot Studio test pane to prompt the agent in a way that should trigger an MCP tool.
  2. Confirm the OAuth consent prompt appears, that the action runs against the correct enterprise data, and that an unauthorised user is denied.
  3. Check that removing a tool on the server removes it from the agent, confirming your single point of control works as expected.

Governance call-outs

  • Identity and least privilege: Prefer OAuth 2.0 so every call is bound to the signed-in user and governed by Conditional Access. Grant the narrowest scopes possible and enable only the tools the agent genuinely needs.
  • Data leakage: A connected server can return enterprise data into the conversation. Classify what each tool can read, apply sensitivity labels and DLP at the source, and never expose tools that return data the agent’s audience should not see.
  • Third-party responsibility: When you connect to a non-Microsoft or external MCP server, you own the tools and resources you reach through it. Vet the server’s owner, transport security, and data handling before connecting.
  • Audit trails: Treat the MCP server as a logged boundary. Capture which user invoked which tool with which inputs, and reconcile those logs against Copilot Studio and Entra ID sign-in activity.
  • Compliance gates and change control: Because tool changes propagate to every consuming agent automatically, put the server behind change review. Rotate API keys and client secrets on a schedule and run periodic access reviews on the OAuth app registration.
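As an added illustration of Step 4's per-tool least privilege and the audit-trail call-out above (example code written for this page, not the tutorial's or Microsoft's), the Python sketch below shows the server side of an MCP tools/list and tools/call handler that advertises and executes only the tools whose declared scopes are covered by the caller's delegated token, and writes one audit record per call. The tool names, scope names and claims dicts are constructed; the sketch assumes the bearer token was already validated upstream (signature, issuer, audience) and that the Entra ID token's scopes arrive in the space-separated `scp` claim.

```python
# Added example (not from the tutorial or Microsoft): a minimal, scope-gated MCP tool
# registry. Tool names, scope names and token claims are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Tool:
    name: str
    description: str
    required_scopes: frozenset  # minimum delegated scopes this tool needs


# Constructed registry: every tool declares the narrowest scopes that cover it.
REGISTRY = {
    "read_invoice": Tool("read_invoice", "Read one invoice by id", frozenset({"Invoices.Read"})),
    "approve_invoice": Tool("approve_invoice", "Approve a pending invoice",
                            frozenset({"Invoices.Read", "Invoices.Approve"})),
    "export_ledger": Tool("export_ledger", "Export the full ledger", frozenset({"Ledger.Export"})),
}

AUDIT_LOG = []  # one record per tools/call, for reconciliation against sign-in logs


def token_scopes(claims):
    # Entra ID delegated access tokens carry granted scopes space-separated in 'scp'.
    return frozenset(claims.get("scp", "").split())


def handle_tools_list(claims):
    """tools/list: advertise only the tools the caller's scopes fully cover."""
    scopes = token_scopes(claims)
    return [{"name": t.name, "description": t.description}
            for t in REGISTRY.values() if t.required_scopes <= scopes]


def handle_tools_call(claims, name, arguments):
    """tools/call: re-check scopes at call time (never trust the earlier list) and audit."""
    tool = REGISTRY.get(name)
    missing = sorted(tool.required_scopes - token_scopes(claims)) if tool else []
    allowed = tool is not None and not missing
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": claims.get("oid"),  # stable Entra ID object id of the signed-in user
        "upn": claims.get("preferred_username"),
        "tool": name, "arguments": arguments, "allowed": allowed, "missing_scopes": missing,
    })
    if tool is None:
        return {"error": {"code": -32602, "message": f"unknown tool {name}"}}
    if not allowed:
        return {"error": {"code": -32003, "message": "insufficient scope: " + " ".join(missing)}}
    # Constructed stand-in for the real tool implementation.
    return {"result": {"content": [{"type": "text", "text": f"{name} ok for {arguments.get('id')}"}]}}
```

The same scope check must run on every call, not only when listing tools, because a client can request a tool it was never shown; the audit record keeps the denied attempt as well as the allowed one.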

Next step

Continue with the next tutorial.

Licensed under CC BY 4.0  by Educ4te .