MCP is no longer experimental. Microsoft has published an official MCP server catalog and Copilot Studio now supports MCP tools natively. This significantly expands both the capability and the attack surface of enterprise agents.
Microsoft publishes a formal catalog of official MCP server implementations at github.com/microsoft/mcp. These include servers for Azure, GitHub, SharePoint, Teams, Outlook, SQL Server, and more. Copilot Studio agents can now use MCP tools directly β each tool added extends the agent's action surface to everything that MCP server can reach. The security implications scale with the permissions of the MCP server's connected services.
MCP defines how AI agents discover, connect to, and invoke tools, data sources, and services across a standard protocol. With Microsoft's official server catalog, MCP is now enterprise infrastructure β not a prototype technology.
When a Copilot Studio agent is configured with MCP tools, the agent authenticates to those MCP servers using maker credentials by default. This means:
| Attack | How It Works | Impact | Primary Control |
|---|---|---|---|
| Tool Poisoning | Malicious MCP server returns poisoned tool descriptions. Agent reads descriptions to decide which tool to invoke β poisoned descriptions redirect agent to attacker-controlled tools. | CRITICAL Full agent hijack | Foundry Guardrails (whitelist); Defender for Cloud Apps (MCP server governance) |
| MCP Server Impersonation | Attacker substitutes a malicious MCP server (DNS hijack, supply chain, local server swap). Agent connects to attacker's server and receives malicious tool outputs. | CRITICAL Data exfiltration, action hijack | Defender for Cloud Apps (MCP server registry); no cryptographic binding standard in MCP spec |
| Indirect Prompt Injection via MCP | Malicious instructions embedded in data returned by an MCP tool. Agent treats the embedded text as legitimate instruction and acts on it using maker credentials. | CRITICAL Data exfiltration, lateral movement | Prompt Shields (XPIA detection); Entra Internet Access Prompt Injection Protection (GA Mar 31 2026) |
| OAuth Scope Abuse | Agent inherits overly broad OAuth scopes from maker credentials when connecting to MCP-backed SaaS. Broad token enables lateral movement across multiple services. | HIGH Lateral movement across SaaS | Defender for Cloud Apps OAuth governance; enforce end-user auth per agent |
| Unauthenticated MCP Server | Many community MCP servers have no authentication. Any agent or attacker on the network can call them without credentials. | HIGH Unauthorised tool execution | Network segmentation; Entra Internet Access; security review of MCP server implementations |
| MCP Supply Chain Attack | Malicious package in MCP server registry. Enterprise deploys a compromised MCP server β attacker gains persistent access to the agent's tool layer. | HIGH Persistent backdoor in agent tooling | Defender for Cloud (supply chain scanning); Security Dashboard AI Inventory; GitHub Advanced Security |
| Unreviewed MCP Tool in Copilot Studio | Developer adds a community MCP server to a Copilot Studio agent without security review. Agent runs with maker credentials against unvetted tool surface. | HIGH Uncontrolled action surface | "MCP Tool Configured" Advanced Hunting query; enforce MCP tool lifecycle reviews |
The MCP specification (as of early 2026) does not mandate strong cryptographic authentication for MCP server-to-client binding. Microsoft's official MCP catalog servers use standard OAuth where supported, but third-party and community servers vary widely. There is no platform-enforced way to guarantee the MCP server an agent connects to is the legitimate, unmodified server it expects. This requires defence-in-depth at the network, CASB, and orchestration layers β no single product closes it.
| Layer | What It Covers | Microsoft Control | Status |
|---|---|---|---|
| Catalog governance | Vetting which MCP servers are approved for use; lifecycle reviews | Internal policy + "MCP Tool Configured" Advanced Hunting query | Process control β no product enforcement |
| Network | Control which MCP servers agents can reach; block malicious prompts | Entra Internet Access | GA Mar 31 2026 |
| Identity | Authenticate which agents can invoke which MCP tools; prevent maker credential blast radius | Enforce end-user auth (Power Platform admin) | Available now |
| Orchestration | Whitelist allowed tools per agent (Foundry only) | Foundry Guardrails | Preview Β· Foundry only |
| Content Inspection | Detect adversarial instructions in MCP tool outputs | Prompt Shields | GA |
| Runtime Protection | Block tool invocations during suspicious Copilot Studio agent activity | Defender for Cloud Apps real-time protection | Preview Β· Copilot Studio only |
| SaaS Governance | OAuth scope governance; anomalous API usage detection | Defender for Cloud Apps | GA |
| Inventory & Posture | Discover all MCP servers; assess risk | Security Dashboard for AI | Now GA |
| Investigation | NL querying of MCP entity relationships in Sentinel | Sentinel MCP Entity Analyzer | GA April |
While MCP governs how agents connect to external tools and data sources, A2A (Agent-to-Agent) is an emerging protocol for authenticated communication between agents themselves. Microsoft's Entra Agent ID platform now supports A2A for agent-to-agent discovery and authorisation β enabling orchestration agents to delegate tasks to sub-agents with verified identities. This is separate from MCP and addresses a different attack surface: the communication channels between agents in multi-agent architectures.
Copilot Studio agent chains, Power Automate flows that call agents, and custom orchestration built on Microsoft Foundry typically have no formal A2A authentication. This means a compromised orchestrator can issue malicious delegations to sub-agents without any identity check. Until A2A becomes standard, treat every inter-agent boundary as an untrusted boundary and apply least-privilege scoping per agent.
As of late 2025, Microsoft has shipped or previewed several first-party MCP servers, each with different security boundaries and trust models. Understanding what each one is β and where the authoritative auth/audit lives β is critical for designing safe MCP integrations.
| MCP server | What it provides | Auth / boundary | Status |
|---|---|---|---|
| Microsoft Sentinel MCP server | Scenario-focused collections of security tools β query Sentinel data lake and Defender in natural language, build security agents, automate triage and threat hunting. Includes Security Copilot agent creation tools. | Fully hosted by Microsoft. Microsoft Entra for identity. No infrastructure deployment needed. | Available |
| Microsoft Learn MCP server | Three tools: microsoft_docs_search, microsoft_docs_fetch, microsoft_code_sample_search. Searches official Microsoft docs. | Hosted by Microsoft. Authless. | Available at learn.microsoft.com/api/mcp |
| Foundry MCP integration (client side) | Foundry agents consume remote MCP servers. Each tool added with unique server_label + server_url. Some pre-validated MCP servers (e.g. Azure DevOps) are in the Foundry Add Tools catalog. | Custom headers (including auth tokens) pass per-run only β not persisted. Foundry approval and audit mechanisms apply. | Available |
| Windows On-device Agent Registry (ODR) | Local registry of MCP servers on Windows endpoints. Apps and agents discover MCP servers via the ODR. Includes built-in connectors (e.g. File Explorer MCP). | MCP servers run in contained environment by default. User and IT admin control via Windows Settings and Intune. Logging and auditing for clientβserver interactions. | Preview |
| Copilot Studio MCP onboarding wizard | Add existing MCP servers to Copilot Studio agents via guided OAuth wizard. Generates callback URLs for identity provider registration. Handles authorization code β access token β refresh token flow. | Per-agent OAuth 2.0 configuration. Identity provider remains the trust anchor. | Available |
| Microsoft Agent Framework MCP tools | .NET/Java/Python SDKs for connecting custom agents to MCP servers, including local MCP servers. Used to build framework-based agents. | Developer chooses transport and auth; Microsoft provides SDK primitives. | Available |
Microsoft repeatedly cites two sources across all MCP-related docs: (1) MCP Security Best Practices on the Model Context Protocol website, and (2) the Microsoft Security Community Blog post Understanding and mitigating security risks in MCP implementations. Both are required reading for anyone integrating MCP into an enterprise estate.
From Microsoft's own Agent Framework documentation: "The remote MCP servers that you decide to use with the MCP tool described in this article were created by third parties, not Microsoft. Microsoft hasn't tested or verified these servers. Microsoft has no responsibility to you or others in relation to your use of any remote MCP servers." This is the framing to use when third-party MCP servers come up in governance discussions β Microsoft treats them as supply-chain risk you own. Recommended: track every MCP server added to any agent in your estate, rely on servers hosted by trusted providers (not proxies), and log all data shared with remote MCP servers for auditing.
The Windows On-device Agent Registry is the local equivalent of what Entra Agent Registry does for cloud agents β it tracks MCP servers on Windows endpoints. Key security properties: MCP servers run contained by default (separate environment, can only access approved resources), users and IT admins control access per agent via Windows Settings or Intune, and interactions between MCP clients and servers are logged and auditable. The odr.exe command-line tool lets users and admins view and manage MCP servers. For endpoints where users may install MCP-enabled apps, this is the control point to manage centrally.