
How to do the OAuth authentication for the MCP exposed from REST API based on Azure API Management service

Chris Bao 20 Reputation points
2026-05-26T01:47:15.8933333+00:00

Following the doc and tutorial, now I can Expose an API as an MCP Server as follows:

PII Image

I can confirm the API works as expected without issue!

But after I got the above MCP, I tried to integrate it into my GitHub Copilot agent in both VS Code and the CLI. But I noticed that the agent failed to connect to the MCP server. It seems that the MCP server needs to do OAuth authentication!

PII Image

The tutorial totally ignores this part. And all the related articles on the internet also do not mention this. These articles are several months old, so I guess APIM did some update recently during that period of time.

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


Answer accepted by question author

AI answer

2026-05-26T01:47:38.02+00:00

OAuth for an MCP server exposed through Azure API Management is configured at the MCP client (Copilot) and enforced in API Management.

From the API Management side, there are two supported patterns:

  1. Key-based authentication with subscription key
    • Protect the MCP endpoint with an API Management subscription key.
    • In the MCP client configuration (for example, VS Code mcp.json or Copilot CLI config), add a headers section that sends the key:
       {
         "servers": {
           "diabetes-prediction-mcp": {
             "type": "http",
             "url": "https://<apim-service-name>.azure-api.net/diabetes-prediction-mcp/mcp",
             "headers": {
               "Ocp-Apim-Subscription-Key": "<subscription-key>"
             }
           }
         }
       }
    
    • API Management validates the key on inbound requests. No OAuth flow is required in Copilot; it just sends the header.
  2. Token-based authentication with Microsoft Entra ID (OAuth 2.1/JWT)
    • Configure API Management to validate Microsoft Entra tokens using the validate-azure-ad-token policy on the MCP API:
       <validate-azure-ad-token
           tenant-id="<your-entra-tenant-id>"
           header-name="Authorization"
           failed-validation-httpcode="401"
           failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
         <client-application-ids>
           <application-id><your-client-application-id></application-id>
         </client-application-ids>
       </validate-azure-ad-token>
    
    • The MCP client (for example, VS Code or another MCP-capable agent) must obtain an access token from Microsoft Entra ID and send it in the Authorization header. API Management then validates the token and forwards it (or another token) to the backend as needed.
    • If the backend also needs the Authorization header, explicitly forward it in the outbound policy:
       <set-header name="Authorization" exists-action="override">
         <value>@(context.Request.Headers.GetValueOrDefault("Authorization"))</value>
       </set-header>
    

If Copilot CLI shows OAuth: needs authentication, configure the MCP server entry it uses so that it either:

  • Sends the Ocp-Apim-Subscription-Key header (key-based), or
  • Implements an OAuth flow to acquire a Microsoft Entra access token and send it in the Authorization header (token-based).

Once the appropriate header is present, the MCP server exposed via API Management can be called from GitHub Copilot agents in VS Code or CLI, and tool invocations will succeed.



1 person found this answer helpful.
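A small preflight script that exercises the two patterns from the accepted answer end to end. This is an added example, not code from the thread or from Microsoft; it assumes only the behaviour the answer describes (APIM rejects an MCP request without credentials with 401 and accepts one carrying either the Ocp-Apim-Subscription-Key header or an Authorization: Bearer header). The endpoint URL, subscription key, tenant id and application id are constructed placeholders, and the in-process FakeApim server is a stand-in so the probe runs offline; against a real deployment you would pass the real APIM URL to probe() and drop the fake server. The claim check decodes the token locally without verifying its signature, which is only a diagnostic for "why does validate-azure-ad-token return 401"; APIM does the real verification.

```python
"""Preflight for an MCP endpoint fronted by Azure API Management (added example)."""
import base64
import json
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from threading import Thread

# The first JSON-RPC message an MCP client sends; a good probe because it needs no tool names.
INIT_REQUEST = {
    "jsonrpc": "2.0", "id": 1, "method": "initialize",
    "params": {"protocolVersion": "2025-06-18", "capabilities": {},
               "clientInfo": {"name": "apim-mcp-preflight", "version": "0.1"}},
}

def auth_headers(mode, secret):
    """Header for each pattern in the accepted answer: 'key' or 'bearer'."""
    if mode == "key":
        return {"Ocp-Apim-Subscription-Key": secret}
    if mode == "bearer":
        return {"Authorization": f"Bearer {secret}"}
    raise ValueError(f"unknown mode: {mode}")

def probe(url, headers=None):
    """POST an initialize request; return (status, WWW-Authenticate header or None)."""
    body = json.dumps(INIT_REQUEST).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream",
        **(headers or {}),
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def diagnose(status, www_authenticate):
    """Heuristic mapping of a probe result onto the two patterns (assumption, not an APIM contract)."""
    if status == 401 and www_authenticate and "bearer" in www_authenticate.lower():
        return "token-based: endpoint expects Authorization: Bearer <Entra token>"
    if status == 401:
        return "key-based: endpoint expects Ocp-Apim-Subscription-Key"
    if status in (200, 202):
        return "accepted: credentials satisfied the APIM policy"
    return f"unexpected status {status}"

def decode_claims(token):
    """Decode the JWT payload WITHOUT signature verification (diagnostic only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches_policy(token, tenant_id, client_app_ids, now=None):
    """Reasons the token would fail the validate-azure-ad-token settings on the page (empty = ok)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    reasons = []
    if claims.get("tid") != tenant_id:
        reasons.append("tid does not match policy tenant-id")
    if claims.get("appid", claims.get("azp")) not in client_app_ids:
        reasons.append("appid/azp not in client-application-ids")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    return reasons

def make_unsigned_test_token(claims):
    """Constructed JWT with an empty signature, for local tests only (APIM would reject it)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}."

class FakeApim(BaseHTTPRequestHandler):
    """Constructed stand-in for APIM: key-based by default (no Bearer challenge on 401)."""
    KEY = "constructed-subscription-key"
    CHALLENGE = None  # set to 'Bearer realm="mcp"' to mimic a token-based endpoint

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        bearer = self.headers.get("Authorization", "").startswith("Bearer ")
        if self.headers.get("Ocp-Apim-Subscription-Key") == self.KEY or bearer:
            self.send_response(200); self.end_headers(); self.wfile.write(b"{}")
        else:
            self.send_response(401)
            if self.CHALLENGE:
                self.send_header("WWW-Authenticate", self.CHALLENGE)
            self.end_headers()

    def log_message(self, *_):  # keep the demo quiet
        pass

def start_fake_apim():
    """Bind the fake on a free localhost port; returns (server, constructed MCP URL)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeApim)
    Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/diabetes-prediction-mcp/mcp"

if __name__ == "__main__":
    srv, url = start_fake_apim()
    print("no credentials :", diagnose(*probe(url)))
    print("with key       :", diagnose(*probe(url, auth_headers("key", FakeApim.KEY))))
    srv.shutdown()
```

Running it against a real APIM URL tells you which header the MCP client entry must send before you touch mcp.json; if the token pattern is in use and you still get 401, feed the token to token_matches_policy() with the tenant-id and application-id from your policy to see which claim disagrees.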

3 additional answers

Sort by: Most helpful
  1. Siddhesh Desai 7,160 Reputation points Microsoft External Staff Moderator
    2026-05-27T08:30:32.3166667+00:00

    Hi @Chris Bao

    Thank you for reaching out to Microsoft Q&A.

    The issue you’re experiencing with the Custom HTML Code widget in the Azure API Management Developer Portal is primarily due to how this widget is implemented and rendered. The Custom HTML widget is designed as a lightweight mechanism and renders the provided HTML inside an iframe. Because of this iframe behavior, after publishing the page, the widget may become difficult or impossible to select using the visual editor. As a result, you may not see the “Edit widget” option or may be unable to click on the widget at all. Although the developer portal supports editing widgets after publishing, this limitation specifically affects HTML widgets due to UI interaction constraints (iframe capturing clicks, layering issues, or portal rendering behavior). This is a known usability limitation rather than a permissions issue. [learn.microsoft.com]

Refer to the points below to resolve this issue, or use them as a workaround:

    • Select the widget from the page structure (outline/tree view instead of clicking the UI): In the Developer Portal editor, use the left-side hierarchy/structure panel to locate the widget. Select it from there and then click Edit widget. This bypasses the iframe click issue.
    • Check and adjust parent containers or overlapping elements: If the widget is placed inside a container or section, try selecting the parent container and repositioning or temporarily removing it. This can help expose the widget for selection.
    • Delete and recreate the widget (if editing is blocked completely): If the widget cannot be selected or edited at all, the practical workaround is to delete it and add a new Custom HTML widget with the updated content.
    • Use Custom Widgets (React/TypeScript) for advanced or editable scenarios: For scenarios where you need frequent updates or better control, use a custom widget instead of the HTML widget. This approach provides proper lifecycle management and avoids iframe-related editing issues. [learn.microsoft.com]
    • Try toggling the new Developer Portal UI (if available): In some cases, enabling the newer UI experience in the portal can resolve selection or rendering issues.


    1 person found this answer helpful.

  2. Chris Bao 20 Reputation points
    2026-06-01T08:43:52.0733333+00:00

    I fixed the issue by myself.


  3. kagiyama yutaka 3,430 Reputation points
    2026-05-28T09:42:39.6066667+00:00

    I think MCP on APIM just uses the normal APIM auth, and you call it with Ocp-Apim-Subscription-Key or Authorization: Bearer <token>. Nothing special added for MCP.

