fastmcp.server.auth.providers.azure
Azure (Microsoft Entra) OAuth provider for FastMCP.
This provider implements Azure/Microsoft Entra ID OAuth authentication
using the OAuth Proxy pattern for non-DCR OAuth flows.
Classes
AzureProviderSettings
Settings for Azure OAuth provider.
AzureProvider
Azure (Microsoft Entra) OAuth provider for FastMCP.
This provider implements Azure/Microsoft Entra ID authentication using the
OAuth Proxy pattern. It supports both organizational accounts and personal
Microsoft accounts depending on the tenant configuration.
Scope Handling:
- required_scopes: Provide unprefixed scope names (e.g., ["read", "write"])
  → Automatically prefixed with identifier_uri during initialization
  → Validated on all tokens and advertised to MCP clients
- additional_authorize_scopes: Provide full format (e.g., ["User.Read"])
  → NOT prefixed, NOT validated, NOT advertised to clients
  → Used to request Microsoft Graph or other upstream API permissions
Features:
- OAuth proxy to Azure/Microsoft identity platform
- JWT validation using tenant issuer and JWKS
- Supports tenant configurations: specific tenant ID, “organizations”, or “consumers”
- Custom API scopes and Microsoft Graph scopes in a single provider
Setup:
- Create an App registration in Azure Portal
- Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path)
- Add an Application ID URI under “Expose an API” (defaults to api://)
- Add custom scopes (e.g., “read”, “write”) under “Expose an API”
- Set access token version to 2 in the App manifest: "requestedAccessTokenVersion": 2
- Create a client secret
- Get Application (client) ID, Directory (tenant) ID, and client secret
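As an added illustration (not FastMCP's own code), the sketch below shows how the two scope lists combine for the upstream authorize request and which claims a v2 access token carries once the manifest setting above is applied, for a specific-tenant configuration. The helper names, the "/" join between identifier_uri and the scope name, and the sample IDs are assumptions constructed for the example.

```python
# Added illustration, not FastMCP source. Helper names and sample values are hypothetical.

def upstream_scopes(identifier_uri, required_scopes, additional_authorize_scopes=()):
    """Scopes for the Azure authorize request: custom API scopes are prefixed with
    the Application ID URI (joined with "/" here, an assumption); additional
    scopes such as Microsoft Graph permissions pass through unchanged."""
    prefixed = [f"{identifier_uri.rstrip('/')}/{s}" for s in required_scopes]
    return prefixed + list(additional_authorize_scopes)


def claim_problems(claims, tenant_id, client_id, required_scopes):
    """Return reasons to reject a decoded access token whose signature has
    already been verified against the tenant JWKS (not done here)."""
    problems = []
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("ver") != "2.0":
        problems.append("not a v2 token; check requestedAccessTokenVersion")
    if claims.get("aud") != client_id:
        problems.append(f"audience {claims.get('aud')!r} != client ID")
    # Entra lists granted scopes unprefixed and space-separated in "scp".
    granted = set(str(claims.get("scp", "")).split())
    missing = [s for s in required_scopes if s not in granted]
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    return problems


# Constructed sample values (placeholders, not real identifiers).
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
V2_CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
             "aud": CLIENT, "ver": "2.0", "scp": "read write"}
# What a token looks like when the manifest still issues v1 tokens.
V1_CLAIMS = {"iss": f"https://sts.windows.net/{TENANT}/",
             "aud": f"api://{CLIENT}", "ver": "1.0", "scp": "read"}

if __name__ == "__main__":
    print(upstream_scopes(f"api://{CLIENT}", ["read", "write"], ["User.Read"]))
    print(claim_problems(V2_CLAIMS, TENANT, CLIENT, ["read", "write"]))
    for reason in claim_problems(V1_CLAIMS, TENANT, CLIENT, ["read", "write"]):
        print("reject:", reason)
```

A v1 token fails on issuer, version and audience at once, which is the usual symptom of a skipped manifest step.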
authorize
Args:
- client: OAuth client information
- params: Authorization parameters from the client
Returns:
- Authorization URL to redirect the user to Azure AD

