fastmcp.server.auth.providers.azure

Azure (Microsoft Entra) OAuth provider for FastMCP.

This provider implements Azure/Microsoft Entra ID OAuth authentication using the OAuth Proxy pattern for non-DCR OAuth flows.

Functions

EntraOBOToken ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L818" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

EntraOBOToken(scopes: list[str]) -> str

Exchange the user's Entra token for a downstream API token via OBO.

This dependency performs a Microsoft Entra On-Behalf-Of (OBO) token exchange, allowing your MCP server to call downstream APIs (like Microsoft Graph) on behalf of the authenticated user.

Args:

• scopes: The scopes to request for the downstream API. For Microsoft Graph, use scopes like ["https://graph.microsoft.com/Mail.Read"] or ["https://graph.microsoft.com/.default"].

Returns:

• A dependency that resolves to the downstream API access token string

Raises:

• ImportError: If fastmcp[azure] is not installed
• RuntimeError: If no access token is available, provider is not Azure, or OBO exchange fails

Classes

AzureProvider ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L39" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

Azure (Microsoft Entra) OAuth provider for FastMCP.

This provider implements Azure/Microsoft Entra ID authentication using the OAuth Proxy pattern. It supports both organizational accounts and personal Microsoft accounts depending on the tenant configuration.

Scope Handling:

• required_scopes: Provide unprefixed scope names (e.g., ["read", "write"]) → Automatically prefixed with identifier_uri during initialization → Validated on all tokens and advertised to MCP clients
• additional_authorize_scopes: Provide full format (e.g., ["User.Read"]) → NOT prefixed, NOT validated, NOT advertised to clients → Used to request Microsoft Graph or other upstream API permissions

Features:

• OAuth proxy to Azure/Microsoft identity platform
• JWT validation using tenant issuer and JWKS
• Supports tenant configurations: specific tenant ID, "organizations", or "consumers"
• Custom API scopes and Microsoft Graph scopes in a single provider

Setup:

1. Create an App registration in Azure Portal
2. Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path)
3. Add an Application ID URI under "Expose an API" (defaults to api://{client_id})
4. Add custom scopes (e.g., "read", "write") under "Expose an API"
5. Set access token version to 2 in the App manifest: "requestedAccessTokenVersion": 2
6. Create a client secret
7. Get Application (client) ID, Directory (tenant) ID, and client secret

Methods:

from_b2c ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L281" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

from_b2c(cls, **kwargs: Any) -> AzureProvider

Create an AzureProvider pre-configured for Azure AD B2C.

Derives authority host, tenant path, and identifier URI from tenant_name and policy_name, then delegates to the standard constructor. Returns a plain AzureProvider instance.

B2C issuer validation is disabled by default (token_issuer=None) because B2C issuers embed the tenant GUID. Pass an explicit token_issuer string once you know the real iss value.

Azure AD B2C does not support OBO.

Args:

• tenant_name: Short B2C tenant name without .onmicrosoft.com (e.g. "mytenant").
• policy_name: User-flow or custom-policy name (e.g. "B2C_1_susi").
• client_id: Application (client) ID from the B2C app registration.
• client_secret: Client secret from the B2C app registration.
• required_scopes: Custom API scope names without prefix (e.g. ["mcp-access"]).
• base_url: Public base URL of this server.
• custom_domain: Custom domain for the B2C authority (e.g. "auth.mycompany.com"). Defaults to {tenant_name}.b2clogin.com.
• identifier_uri: Application ID URI. Defaults to https\://{tenant_name}.onmicrosoft.com/{client_id}.
• token_issuer: Expected iss claim. None (default) disables issuer validation.
• **kwargs: Forwarded to AzureProvider.__init__.

authorize ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L359" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

authorize(self, client: OAuthClientInformationFull, params: AuthorizationParams) -> str

Start OAuth transaction and redirect to Azure AD.

Override parent's authorize method to filter out the 'resource' parameter which is not supported by Azure AD v2.0 endpoints. The v2.0 endpoints use scopes to determine the resource/audience instead of a separate parameter.

Args:

• client: OAuth client information
• params: Authorization parameters from the client

Returns:

• Authorization URL to redirect the user to Azure AD

get_obo_credential ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L585" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

get_obo_credential(self, user_assertion: str) -> OnBehalfOfCredential

Get a cached or new OnBehalfOfCredential for OBO token exchange.

Credentials are cached by user assertion so the Azure SDK's internal token cache can avoid redundant OBO exchanges when the same user calls multiple tools with the same scopes.

Args:

• user_assertion: The user's access token to exchange via OBO.

Returns:

• A configured OnBehalfOfCredential ready for get_token() calls.

Raises:

• NotImplementedError: If OBO is not supported (e.g. Azure AD B2C).
• ImportError: If azure-identity is not installed (requires fastmcp[azure]).

close_obo_credentials ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L642" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

close_obo_credentials(self) -> None

Close all cached OBO credentials.

AzureJWTVerifier ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L653" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

JWT verifier pre-configured for Azure AD / Microsoft Entra ID.

Auto-configures JWKS URI, issuer, audience, and scope handling from your Azure app registration details. Designed for Managed Identity and other token-verification-only scenarios where AzureProvider's full OAuth proxy isn't needed.

Handles Azure's scope format automatically:

• Validates tokens using short-form scopes (what Azure puts in scp claims)
• Advertises full-URI scopes in OAuth metadata (what clients need to request)

Example::

from fastmcp.server.auth import RemoteAuthProvider
from fastmcp.server.auth.providers.azure import AzureJWTVerifier
from pydantic import AnyHttpUrl

verifier = AzureJWTVerifier(
    client_id="your-client-id",
    tenant_id="your-tenant-id",
    required_scopes=["access_as_user"],
)

auth = RemoteAuthProvider(
    token_verifier=verifier,
    authorization_servers=[
        AnyHttpUrl("https://login.microsoftonline.com/your-tenant-id/v2.0")
    ],
    base_url="https://my-server.com",
)

Methods:

scopes_supported ^{<a href="https://github.com/PrefectHQ/fastmcp/blob/main/src/fastmcp/server/auth/providers/azure.py#L733" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

scopes_supported(self) -> list[str]

Return scopes with Azure URI prefix for OAuth metadata.

Azure tokens contain short-form scopes (e.g., read) in the scp claim, but clients must request full URI scopes (e.g., api://client-id/read) from the Azure authorization endpoint. This property returns the full-URI form for OAuth metadata while required_scopes retains the short form for token validation.