Skip to main content

Documentation Index

Fetch the complete documentation index at: https://gofastmcp.com/llms.txt

Use this file to discover all available pages before exploring further.

fastmcp.server.auth.providers.azure

Azure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID OAuth authentication using the OAuth Proxy pattern for non-DCR OAuth flows.

Functions

EntraOBOToken 

EntraOBOToken(scopes: list[str]) -> str
Exchange the user’s Entra token for a downstream API token via OBO. This dependency performs a Microsoft Entra On-Behalf-Of (OBO) token exchange, allowing your MCP server to call downstream APIs (like Microsoft Graph) on behalf of the authenticated user. Args: Returns:
  • A dependency that resolves to the downstream API access token string
Raises:
  • ImportError: If fastmcp[azure] is not installed
  • RuntimeError: If no access token is available, provider is not Azure, or OBO exchange fails

Classes

AzureProvider

Azure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID authentication using the OAuth Proxy pattern. It supports both organizational accounts and personal Microsoft accounts depending on the tenant configuration. Scope Handling:
  • required_scopes: Provide unprefixed scope names (e.g., [“read”, “write”]) → Automatically prefixed with identifier_uri during initialization → Validated on all tokens and advertised to MCP clients
  • additional_authorize_scopes: Provide full format (e.g., [“User.Read”]) → NOT prefixed, NOT validated, NOT advertised to clients → Used to request Microsoft Graph or other upstream API permissions
Features:
  • OAuth proxy to Azure/Microsoft identity platform
  • JWT validation using tenant issuer and JWKS
  • Supports tenant configurations: specific tenant ID, “organizations”, or “consumers”
  • Custom API scopes and Microsoft Graph scopes in a single provider
Setup:
  1. Create an App registration in Azure Portal
  2. Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path)
  3. Add an Application ID URI under “Expose an API” (defaults to api://)
  4. Add custom scopes (e.g., “read”, “write”) under “Expose an API”
  5. Set access token version to 2 in the App manifest: “requestedAccessTokenVersion”: 2
  6. Create a client secret
  7. Get Application (client) ID, Directory (tenant) ID, and client secret
Methods:

from_b2c 

from_b2c(cls, **kwargs: Any) -> AzureProvider
Create an AzureProvider pre-configured for Azure AD B2C. Derives authority host, tenant path, and identifier URI from tenant_name and policy_name, then delegates to the standard constructor. Returns a plain AzureProvider instance. B2C issuer validation is disabled by default (token_issuer=None) because B2C issuers embed the tenant GUID. Pass an explicit token_issuer string once you know the real iss value. Azure AD B2C does not support OBO. Args:
  • tenant_name: Short B2C tenant name without .onmicrosoft.com (e.g. "mytenant").
  • policy_name: User-flow or custom-policy name (e.g. "B2C_1_susi").
  • client_id: Application (client) ID from the B2C app registration.
  • client_secret: Client secret from the B2C app registration.
  • required_scopes: Custom API scope names without prefix (e.g. ["mcp-access"]).
  • base_url: Public base URL of this server.
  • custom_domain: Custom domain for the B2C authority (e.g. "auth.mycompany.com"). Defaults to {tenant_name}.b2clogin.com.
  • identifier_uri: Application ID URI. Defaults to https\://{tenant_name}.onmicrosoft.com/{client_id}.
  • token_issuer: Expected iss claim. None (default) disables issuer validation.
  • **kwargs: Forwarded to AzureProvider.__init__.

authorize 

authorize(self, client: OAuthClientInformationFull, params: AuthorizationParams) -> str
Start OAuth transaction and redirect to Azure AD. Override parent’s authorize method to filter out the ‘resource’ parameter which is not supported by Azure AD v2.0 endpoints. The v2.0 endpoints use scopes to determine the resource/audience instead of a separate parameter. Args:
  • client: OAuth client information
  • params: Authorization parameters from the client
Returns:
  • Authorization URL to redirect the user to Azure AD

get_obo_credential 

get_obo_credential(self, user_assertion: str) -> OnBehalfOfCredential
Get a cached or new OnBehalfOfCredential for OBO token exchange. Credentials are cached by user assertion so the Azure SDK’s internal token cache can avoid redundant OBO exchanges when the same user calls multiple tools with the same scopes. Args:
  • user_assertion: The user’s access token to exchange via OBO.
Returns:
  • A configured OnBehalfOfCredential ready for get_token() calls.
Raises:
  • NotImplementedError: If OBO is not supported (e.g. Azure AD B2C).
  • ImportError: If azure-identity is not installed (requires fastmcp[azure]).

close_obo_credentials 

close_obo_credentials(self) -> None
Close all cached OBO credentials.

AzureJWTVerifier

JWT verifier pre-configured for Azure AD / Microsoft Entra ID. Auto-configures JWKS URI, issuer, audience, and scope handling from your Azure app registration details. Designed for Managed Identity and other token-verification-only scenarios where AzureProvider’s full OAuth proxy isn’t needed. Handles Azure’s scope format automatically:
  • Validates tokens using short-form scopes (what Azure puts in scp claims)
  • Advertises full-URI scopes in OAuth metadata (what clients need to request)
Example:: from fastmcp.server.auth import RemoteAuthProvider from fastmcp.server.auth.providers.azure import AzureJWTVerifier from pydantic import AnyHttpUrl verifier = AzureJWTVerifier( client_id=“your-client-id”, tenant_id=“your-tenant-id”, required_scopes=[“access_as_user”], ) auth = RemoteAuthProvider( token_verifier=verifier, authorization_servers=[ AnyHttpUrl(“https://login.microsoftonline.com/your-tenant-id/v2.0”) ], base_url=“https://my-server.com”, ) Methods:

scopes_supported 

scopes_supported(self) -> list[str]
Return scopes with Azure URI prefix for OAuth metadata. Azure tokens contain short-form scopes (e.g., read) in the scp claim, but clients must request full URI scopes (e.g., api://client-id/read) from the Azure authorization endpoint. This property returns the full-URI form for OAuth metadata while required_scopes retains the short form for token validation.