MCPAuthFuncapp

Overview

This Azure Function App implements a secure Model Context Protocol (MCP) backend service with Azure Active Directory authentication. It provides authenticated access to Microsoft Graph API through Azure API Management (APIM) and supports OAuth On-Behalf-Of (OBO) token exchange.

Architecture

[Client App] → [APIM Gateway] → [Azure Functions] → [Microsoft Graph API]
     ↓              ↓                 ↓               ↓
  Bearer Token  →  OBO Exchange  →  Graph Token  →  User Data

Features

Authentication Flow

• OAuth 2.0 On-Behalf-Of Flow: APIM policies automatically exchange user bearer tokens for Microsoft Graph API access tokens

• Azure AD Integration: Seamless authentication with Azure Active Directory

• Token Validation: Automatic token validation and refresh handled by APIM policies

Available Endpoints

1. /hello - Simple greeting endpoint

   • Returns personalized greeting message

   • Supports both query parameters and JSON body input

2. /echo - Request echo service

   • Returns the exact request body sent

   • Useful for testing and debugging

3. /tools - MCP tools discovery

   • Returns available tools and their schemas

   • Supports Model Context Protocol standards

4. /me - User profile retrieval

   • Requires Authentication: Bearer token in Authorization header

   • Retrieves authenticated user's profile from Microsoft Graph API

   • Automatic token exchange via APIM OBO flow

5. /status - Health check endpoint

   • Service status and authentication state

   • Returns user context information

Security Features

• Token-based Authentication: All sensitive endpoints require valid Bearer tokens

• APIM Policy Protection: OAuth policies protect against unauthorized access

• Pre-authorized Applications: Configured OAuth consent for trusted applications

• Secure Token Exchange: On-Behalf-Of flow maintains security boundaries

APIM Policies

The included APIM policies provide:

• OAuth Authentication: Validates incoming bearer tokens

• Token Exchange: Automatic OBO flow for Microsoft Graph access

• Error Handling: Comprehensive error responses for authentication failures

• Security Headers: Proper CORS and security headers

Configuration

Environment Variables (replace placeholders)

• {{CLIENT_ID_PLACEHOLDER}} - Azure AD Application ID

• {{CLIENT_SECRET_PLACEHOLDER}} - Azure AD Client Secret

• {{TENANT_ID_PLACEHOLDER}} - Azure AD Tenant ID

• {{APIM_GATEWAY_URL}} - APIM Gateway URL

Pre-authorized Applications

Configured in preauth.json for OAuth consent bypass (excluded from repository for security).

Development

Prerequisites

• Python 3.9+

• Azure Functions Core Tools

• Azure CLI

• Valid Azure AD App Registration

Local Development

# Install dependencies
pip install -r requirements.txt

# Start local development server
func start

Deployment

1. Deploy Azure Function App

2. Configure APIM with included policy files

3. Update policy placeholders with actual values

4. Configure OAuth app registration and permissions

MCP Integration

This service is designed to work as a backend for Model Context Protocol implementations, providing:

• Authenticated Microsoft Graph API access

• Tool discovery and execution

• Secure user context management

Security Notes

⚠️ Important:

• Never commit actual secrets, IDs, or tokens to version control

• Use Azure Key Vault for production secret management

• Regularly rotate client secrets and review OAuth permissions

• Monitor APIM analytics for unusual access patterns