How to protect APIM MCP with OAuth 2.0

Question

How to protect APIM MCP with OAuth 2.0

Naman Jain 40

According to the documents their is no other setup required but when we check from vs code it migrate to <apim-url>/authorize.

So what are the steps to secure MCP Sever / Rest API uing APIM OAuth 2.0

Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-06T15:05:54.64+00:00
Hi [@Naman Jain ]

Thank you for reaching out to Microsoft Q&A.

When securing an MCP Server or REST API behind Azure API Management (APIM) using OAuth 2.0, the behavior you are observing—where the request is redirected to <apim-url>/authorize from VS Code—is expected and by design. This occurs because APIM is enforcing an OAuth 2.0 Authorization Code flow, which assumes the client is an interactive, browser-based application capable of handling redirects, user sign-in, and authorization code exchanges. However, the VS Code MCP client is a non-interactive client and does not support completing OAuth 2.0 authorization flows (such as opening a login UI or exchanging an authorization code for an access token). As a result, when the request reaches APIM without a valid access token, APIM redirects it to the configured authorization endpoint, and the flow cannot proceed further. Although the documentation states that “no additional setup is required,” this statement applies only to the backend API or MCP server (which remains unchanged), not to the client-side token acquisition process, which must still be handled explicitly.

Refer below points to resolve this issue or as a workaround:

Use Client Credentials Flow Instead of Authorization Code Flow For MCP Server and VS Code scenarios, the recommended approach is to use OAuth 2.0 Client Credentials flow. This flow does not require user interaction or browser redirects and is suitable for service-to-service or tool-based access. Configure your Azure Entra ID app registration to expose application permissions and grant the client application access using the .default scope.

Configure APIM to Validate JWT Tokens Only In Azure API Management, configure the OAuth 2.0 provider and enforce security using the validate-jwt policy. APIM should only validate the incoming Bearer token and should not rely on redirect-based authentication. Example inbound policy

<validate-jwt header-name="Authorization" failed-validation-httpcode="401"

Acquire Access Token Outside VS Code and Inject It

Since VS Code MCP does not fetch tokens automatically, you must obtain the access token manually (or via a script/CI pipeline) using the token endpoint:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token Content-Type

Then configure the MCP or REST client to send the token explicitly:

Authorization: Bearer <access_token>

No Changes Required on MCP Server Backend The MCP Server or REST API itself does not need any OAuth-related changes. All authentication and authorization logic is handled by APIM, which validates the token before forwarding the request to the backend.

Optional Alternatives For internal or Azure-hosted scenarios, you may also consider using Managed Identity with APIM, or API subscription keys for simpler setups, depending on security requirements.
Naman Jain 40 Reputation points

2026-02-06T15:16:06.3566667+00:00
Hey @Siddhesh Desai
So in VSCode for testing if we acquire say client credentials then what should we put in mcp.json
let say from other ways maybe script etc for testing using postman to acquire token

"my-mcp": { "url": "https://{apim)url}/{mcp_path}/mcp", "type": "http", "headers": { "Authorization": "bearer {token}" } }
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-09T18:47:25.28+00:00

Hi @naman jain

Just wanted to understand if you checked my previous response? and was it helpful?
Naman Jain 40 Reputation points

2026-02-11T08:54:11.5033333+00:00

The solution worked and resolved my issue , thanks for highlighting limitations of vscode.
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-11T10:47:38.6+00:00

Hi @Naman Jain Glad the issue is resolved,

I have posted the solution as an answer:

Please click "Accept the answer” or "Recommend this answer" and yes, this can be beneficial to other community members.

If you have any other questions, let me know in the "comments" and I would be happy to help you.
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-20T18:47:14.9+00:00

Hi @Naman Jain

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.

1 answer

Your answer

Naman Jain 40 Reputation points

2026-02-06T15:16:06.3566667+00:00

Hey @Siddhesh Desai
So in VSCode for testing if we acquire say client credentials then what should we put in mcp.json
let say from other ways maybe script etc for testing using postman to acquire token

"my-mcp": { "url": "https://{apim)url}/{mcp_path}/mcp", "type": "http", "headers": { "Authorization": "bearer {token}" } }
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-09T18:47:25.28+00:00

Hi @naman jain

Just wanted to understand if you checked my previous response? and was it helpful?
Naman Jain 40 Reputation points

2026-02-11T08:54:11.5033333+00:00

The solution worked and resolved my issue , thanks for highlighting limitations of vscode.
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-11T10:47:38.6+00:00

Hi @Naman Jain Glad the issue is resolved,

I have posted the solution as an answer:

Please click "Accept the answer” or "Recommend this answer" and yes, this can be beneficial to other community members.

If you have any other questions, let me know in the "comments" and I would be happy to help you.
Siddhesh Desai 4,030 Reputation points Microsoft External Staff Moderator

2026-02-20T18:47:14.9+00:00

Hi @Naman Jain

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.

Answer 1

Hi @Naman Jain

Your JSON Structure looks correct. VS Code / MCP does not acquire tokens, it only sends headers. So, you must paste the Bearer token explicitly.

How You Get {access_token} (Outside VS Code)

Option 1: Using Postman (Recommended for Testing)

POST
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

Body (x-www-form-urlencoded):

client_id=<client-id>
client_secret=<client-secret>
grant_type=client_credentials
scope=api://<api-app-id>/.default

Response:

{
  "access_token": "xxxxxxxxxxxxxxx"
}

Option 2: Using Script (curl example)

curl -X POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
  -H "Content-Type: application/x-www-form-urlencoded

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

How to protect APIM MCP with OAuth 2.0

1 answer

Your answer