
fastmcp.server.auth.providers.azure

Azure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID OAuth authentication using the OAuth Proxy pattern for non-DCR OAuth flows.

Functions

EntraOBOToken

EntraOBOToken(scopes: list[str]) -> str
Exchange the user’s Entra token for a downstream API token via OBO. This dependency performs a Microsoft Entra On-Behalf-Of (OBO) token exchange, allowing your MCP server to call downstream APIs (like Microsoft Graph) on behalf of the authenticated user.
Args:
  • scopes: list[str]
Returns:
  • A dependency that resolves to the downstream API access token string
Raises:
  • ImportError: If fastmcp[azure] is not installed
  • RuntimeError: If no access token is available, provider is not Azure, or OBO exchange fails

Classes

AzureProvider

Azure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID authentication using the OAuth Proxy pattern. It supports both organizational accounts and personal Microsoft accounts depending on the tenant configuration.
Scope Handling:
  • required_scopes: Provide unprefixed scope names (e.g., ["read", "write"]) → Automatically prefixed with identifier_uri during initialization → Validated on all tokens and advertised to MCP clients
  • additional_authorize_scopes: Provide full format (e.g., ["User.Read"]) → NOT prefixed, NOT validated, NOT advertised to clients → Used to request Microsoft Graph or other upstream API permissions
Features:
  • OAuth proxy to Azure/Microsoft identity platform
  • JWT validation using tenant issuer and JWKS
  • Supports tenant configurations: specific tenant ID, "organizations", or "consumers"
  • Custom API scopes and Microsoft Graph scopes in a single provider
Setup:
  1. Create an App registration in Azure Portal
  2. Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path)
  3. Add an Application ID URI under "Expose an API" (defaults to api://)
  4. Add custom scopes (e.g., "read", "write") under "Expose an API"
  5. Set access token version to 2 in the App manifest: "requestedAccessTokenVersion": 2
  6. Create a client secret
  7. Get Application (client) ID, Directory (tenant) ID, and client secret
Methods:

authorize

authorize(self, client: OAuthClientInformationFull, params: AuthorizationParams) -> str
Start OAuth transaction and redirect to Azure AD. Override parent’s authorize method to filter out the 'resource' parameter which is not supported by Azure AD v2.0 endpoints. The v2.0 endpoints use scopes to determine the resource/audience instead of a separate parameter.
Args:
  • client: OAuth client information
  • params: Authorization parameters from the client
Returns:
  • Authorization URL to redirect the user to Azure AD

create_obo_credential

create_obo_credential(self, user_assertion: str) -> OnBehalfOfCredential
Create an OnBehalfOfCredential for OBO token exchange. Uses the AzureProvider’s configuration (client_id, client_secret, tenant_id, authority) to create a credential that can exchange the user’s token for downstream API tokens.
Args:
  • user_assertion: The user’s access token to exchange via OBO.
Returns:
  • A configured OnBehalfOfCredential ready for get_token() calls.
Raises:
  • ImportError: If azure-identity is not installed (requires fastmcp[azure]).
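The exchange that `EntraOBOToken` and `create_obo_credential` delegate to azure-identity is a single token-endpoint request. The block below is an added example, not FastMCP's or azure-identity's code: it assembles that request and reads the response, with the HTTP call passed in as a `transport` callable so the logic can be exercised offline. The form field names follow the Microsoft identity platform On-Behalf-Of flow; the transport signature, function names and all sample values are assumptions of this example.

```python
# Added example (not FastMCP's or azure-identity's code): the OBO token-endpoint request.
import json
from typing import Callable
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# A transport takes (url, form_fields) and returns (http_status, parsed_json_body).
Transport = Callable[[str, dict[str, str]], tuple[int, dict]]


def obo_request(tenant_id: str, client_id: str, client_secret: str,
                user_assertion: str, scopes: list[str]) -> tuple[str, dict[str, str]]:
    """Build the OBO request: the user's token is the assertion, the app authenticates itself."""
    form = {
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,          # the inbound token presented to the MCP server
        "scope": " ".join(scopes),            # downstream API scopes, e.g. Graph
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), form


def urllib_transport(url: str, form: dict[str, str]) -> tuple[int, dict]:
    """Default transport: POST the form and return status plus JSON body, even on 4xx."""
    req = Request(url, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def exchange_on_behalf_of(tenant_id: str, client_id: str, client_secret: str,
                          user_assertion: str, scopes: list[str],
                          transport: Transport = urllib_transport) -> str:
    """Return the downstream access token, or raise RuntimeError as EntraOBOToken does."""
    url, form = obo_request(tenant_id, client_id, client_secret, user_assertion, scopes)
    status, body = transport(url, form)
    if status != 200 or not body.get("access_token"):
        # Surface only the server's error code: the secret and the user's token
        # are in `form` and must never be copied into the exception or logs.
        reason = body.get("error") or f"HTTP {status}"
        raise RuntimeError(f"OBO exchange failed: {reason}")
    return body["access_token"]
```

The inbound token must itself have been verified (issuer, audience, signature) before it is used as an assertion, and the returned downstream token should be cached per user and scope set rather than re-exchanged on every tool call.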

AzureJWTVerifier

JWT verifier pre-configured for Azure AD / Microsoft Entra ID. Auto-configures JWKS URI, issuer, audience, and scope handling from your Azure app registration details. Designed for Managed Identity and other token-verification-only scenarios where AzureProvider’s full OAuth proxy isn’t needed. Handles Azure’s scope format automatically:
  • Validates tokens using short-form scopes (what Azure puts in scp claims)
  • Advertises full-URI scopes in OAuth metadata (what clients need to request)
Example:

```python
from fastmcp.server.auth import RemoteAuthProvider
from fastmcp.server.auth.providers.azure import AzureJWTVerifier
from pydantic import AnyHttpUrl

verifier = AzureJWTVerifier(
    client_id="your-client-id",
    tenant_id="your-tenant-id",
    required_scopes=["access_as_user"],
)
auth = RemoteAuthProvider(
    token_verifier=verifier,
    authorization_servers=[
        AnyHttpUrl("https://login.microsoftonline.com/your-tenant-id/v2.0")
    ],
    base_url="https://my-server.com",
)
```

Methods:

scopes_supported

scopes_supported(self) -> list[str]
Return scopes with Azure URI prefix for OAuth metadata. Azure tokens contain short-form scopes (e.g., read) in the scp claim, but clients must request full URI scopes (e.g., api://client-id/read) from the Azure authorization endpoint. This property returns the full-URI form for OAuth metadata while required_scopes retains the short form for token validation.