New in version: 2.12.0 This guide shows you how to secure your FastMCP server using Azure OAuth (Microsoft Entra ID). Since Azure doesn’t support Dynamic Client Registration, this integration uses the OAuth Proxy pattern to bridge Azure’s traditional OAuth with MCP’s authentication requirements.

​
Configuration

​
Prerequisites

Before you begin, you will need:
  1. An Azure Account with access to create App registrations
  2. Your FastMCP server’s URL (can be localhost for development, e.g., http://localhost:8000)
  3. Your Azure tenant ID (found in Azure Portal under Microsoft Entra ID)

​
Step 1: Create an Azure App Registration

Create an App registration in Azure Portal to get the credentials needed for authentication:
1

Navigate to App registrations

Go to the Azure Portal and navigate to Microsoft Entra ID → App registrations.Click “New registration” to create a new application.
2

Configure Your Application

Fill in the application details:
  • Name: Choose a name users will recognize (e.g., “My FastMCP Server”)
  • Supported account types: Choose based on your needs:
    • Single tenant: Only users in your organization
    • Multitenant: Users in any Microsoft Entra directory
    • Multitenant + personal accounts: Any Microsoft account
  • Redirect URI: Select “Web” and enter your server URL + /auth/callback (e.g., http://localhost:8000/auth/callback)
The redirect URI must match exactly. The default path is /auth/callback, but you can customize it using the redirect_path parameter. For local development, Azure allows http://localhost URLs. For production, you must use HTTPS.
If you want to use a custom callback path (e.g., /auth/azure/callback), make sure to set the same path in both your Azure App registration and the redirect_path parameter when configuring the AzureProvider.
3

Create Client Secret

After registration, navigate to Certificates & secrets in your app’s settings.
  • Click “New client secret”
  • Add a description (e.g., “FastMCP Server”)
  • Choose an expiration period
  • Click “Add”
Copy the secret value immediately - it won’t be shown again! You’ll need to create a new secret if you lose it.
4

Note Your Credentials

From the Overview page of your app registration, note:
  • Application (client) ID: A UUID like 835f09b6-0f0f-40cc-85cb-f32c5829a149
  • Directory (tenant) ID: A UUID like 08541b6e-646d-43de-a0eb-834e6713d6d5
  • Client Secret: The value you copied in the previous step
Store these credentials securely. Never commit them to version control. Use environment variables or a secrets manager in production.

​
Step 2: FastMCP Configuration

Create your FastMCP server using the AzureProvider, which handles Azure’s OAuth flow automatically:
server.py
from fastmcp import FastMCP
from fastmcp.server.auth.providers.azure import AzureProvider

# The AzureProvider handles Azure's token format and validation
auth_provider = AzureProvider(
    client_id="835f09b6-0f0f-40cc-85cb-f32c5829a149",  # Your Azure App Client ID
    client_secret="your-client-secret",                 # Your Azure App Client Secret
    tenant_id="08541b6e-646d-43de-a0eb-834e6713d6d5", # Your Azure Tenant ID (REQUIRED)
    base_url="http://localhost:8000",                   # Must match your App registration
    required_scopes=["User.Read", "email", "openid", "profile"],  # Microsoft Graph permissions
    # redirect_path="/auth/callback"                  # Default value, customize if needed
)

mcp = FastMCP(name="Azure Secured App", auth=auth_provider)

# Add a protected tool to test authentication
@mcp.tool
async def get_user_info() -> dict:
    """Returns information about the authenticated Azure user."""
    from fastmcp.server.dependencies import get_access_token
    
    token = get_access_token()
    # The AzureProvider stores user data in token claims
    return {
        "azure_id": token.claims.get("sub"),
        "email": token.claims.get("email"),
        "name": token.claims.get("name"),
        "job_title": token.claims.get("job_title"),
        "office_location": token.claims.get("office_location")
    }
Important: The tenant_id parameter is REQUIRED. Azure no longer supports using “common” for new applications due to security requirements. You must use one of:
  • Your specific tenant ID: Found in Azure Portal (e.g., 08541b6e-646d-43de-a0eb-834e6713d6d5)
  • “organizations”: For work and school accounts only
  • “consumers”: For personal Microsoft accounts only
Using your specific tenant ID is recommended for better security and control.

​
Testing

​
Running the Server

Start your FastMCP server with HTTP transport to enable OAuth flows: 
fastmcp run server.py --transport http --port 8000
Your server is now running and protected by Azure OAuth authentication.

​
Testing with a Client

Create a test client that authenticates with your Azure-protected server:
test_client.py
from fastmcp import Client
import asyncio

async def main():
    # The client will automatically handle Azure OAuth
    async with Client("http://localhost:8000/mcp/", auth="oauth") as client:
        # First-time connection will open Azure login in your browser
        print("✓ Authenticated with Azure!")
        
        # Test the protected tool
        result = await client.call_tool("get_user_info")
        print(f"Azure user: {result['email']}")
        print(f"Name: {result['name']}")

if __name__ == "__main__":
    asyncio.run(main())
When you run the client for the first time:
  1. Your browser will open to Microsoft’s authorization page
  2. Sign in with your Microsoft account (work, school, or personal based on your tenant configuration)
  3. Grant the requested permissions
  4. After authorization, you’ll be redirected back
  5. The client receives the token and can make authenticated requests
The client caches tokens locally, so you won’t need to re-authenticate for subsequent runs unless the token expires or you explicitly clear the cache.

​
Environment Variables

For production deployments, use environment variables instead of hardcoding credentials.
To use the registered Azure provider, you must set FASTMCP_SERVER_AUTH=AZURE. Learn more about registered providers.

​
Provider Selection

​
FASTMCP_SERVER_AUTH
default:"Not set"
required
Set to AZURE to use the registered AzureProvider with default configuration.

​
Azure-Specific Configuration

​
FASTMCP_SERVER_AUTH_AZURE_CLIENT_ID
required
Your Azure App registration Client ID (e.g., 835f09b6-0f0f-40cc-85cb-f32c5829a149)
​
FASTMCP_SERVER_AUTH_AZURE_CLIENT_SECRET
required
Your Azure App registration Client Secret
​
FASTMCP_SERVER_AUTH_AZURE_TENANT_ID
required
Your Azure tenant ID (specific ID, “organizations”, or “consumers”)
This is REQUIRED. Find your tenant ID in Azure Portal under Microsoft Entra ID → Overview.
​
FASTMCP_SERVER_AUTH_AZURE_BASE_URL
default:"http://localhost:8000"
Public URL of your FastMCP server for OAuth callbacks
​
FASTMCP_SERVER_AUTH_AZURE_REDIRECT_PATH
default:"/auth/callback"
Redirect path configured in your Azure App registration
​
FASTMCP_SERVER_AUTH_AZURE_REQUIRED_SCOPES
Comma-separated list of required Microsoft Graph scopes
​
FASTMCP_SERVER_AUTH_AZURE_TIMEOUT_SECONDS
default:"10"
HTTP request timeout for Microsoft Graph API calls
Example .env file: 
# Use the registered Azure provider
FASTMCP_SERVER_AUTH=AZURE

# Azure OAuth credentials
FASTMCP_SERVER_AUTH_AZURE_CLIENT_ID=835f09b6-0f0f-40cc-85cb-f32c5829a149
FASTMCP_SERVER_AUTH_AZURE_CLIENT_SECRET=your-client-secret-here
FASTMCP_SERVER_AUTH_AZURE_TENANT_ID=08541b6e-646d-43de-a0eb-834e6713d6d5
FASTMCP_SERVER_AUTH_AZURE_BASE_URL=https://your-server.com
FASTMCP_SERVER_AUTH_AZURE_REQUIRED_SCOPES=User.Read,email,profile
With environment variables set, your server code simplifies to:
server.py
from fastmcp import FastMCP

# Authentication is automatically configured from environment
mcp = FastMCP(name="Azure Secured App")

@mcp.tool
async def protected_tool(query: str) -> str:
    """A tool that requires Azure authentication to access."""
    # Your tool implementation here
    return f"Processing authenticated request: {query}"