Microsoft Entra ID SSO configuration for MCP

This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory) as your Single Sign-On (SSO) provider for Model Context Protocol (MCP) servers on the Cequence AI Gateway using OAuth 2.0 authentication. You'll learn how to register an application in Microsoft Entra ID and integrate the application with the Cequence AI Gateway.

Configuration scope and reusability

Single application, multiple MCP servers: You need to create only one Entra application that can authenticate users across all your MCP servers. The same client ID and secret can be reused for multiple MCP servers within your organization, simplifying management and reducing configuration overhead.

When to create separate applications: Consider creating separate Entra applications only if you need different access controls, user assignments, or security policies for different groups of MCP servers.

Prerequisites

Before you start, confirm you have:

Azure Portal access with application registration permissions
Microsoft Entra ID tenant (Azure AD directory)
Your application's redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
Basic understanding of OAuth 2.0 and OpenID Connect

Register your application

Registering an application in Microsoft Entra ID creates the OAuth 2.0 connection between your identity provider and the Cequence AI Gateway. This process involves accessing the Azure Portal, creating the registration, and configuring basic settings.

Access Azure portal

Navigate to the Azure Portal
Sign in with your administrator credentials
Confirm you're in the correct tenant/directory (check top-right corner)

Create application registration

In the Azure Portal, search for Microsoft Entra ID
Select Microsoft Entra ID from the services
In the Microsoft Entra ID left sidebar, select App registrations
Click + New registration

Configure basic settings

Fill in the application registration form:

Field	Value	Notes
Name	`Cequence AI Gateway`	Use a descriptive name for your organization
Supported account types	Single tenant (recommended)	Choose based on your access requirements
Redirect URI	Platform: Web URI: `https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback`	Must match exactly

Click Register to create the application.

Configure authentication

Authentication settings define how users sign in and what tokens your application receives. You'll configure platform settings, token types, and account support options.

Platform configuration

In your app registration, navigate to Authentication in the left sidebar
Under Platform configurations, verify your Web platform settings:
- Redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
- Additional redirect URIs can be added for different environments

Advanced settings

Configure these authentication options:

Setting	Recommended value	Purpose
Access tokens	Unchecked	Not needed for authorization code flow
ID tokens	Checked	Required for OpenID Connect
Allow public client flows	No	Maintains security for web applications

Click Save to apply changes.

Configure API permissions

API permissions determine what user information your application can access. You'll add the required permissions and optionally grant admin consent for your organization.

Add required permissions

In the application registration's left sidebar, navigate to API permissions
Click + Add a permission
Select Microsoft Graph
Choose Delegated permissions
Add these permissions:
- openid - Sign users in
- profile - View users' basic profile
- email - View users' email address
- User.Read - Sign in and read user profile

When your organization requires admin consent:

Click Grant admin consent for [Your Organization]
Confirm the action
Verify all permissions show "Granted" status

Admin consent pre-authorizes the application for all users in your organization, eliminating individual user consent prompts.

Create client secret

Client secrets authenticate your application to Microsoft Entra ID. You'll generate a new secret and store the secret securely for your MCP server configuration.

Generate new secret

In the application registration's left sidebar, navigate to Certificates & secrets
Click + New client secret
Configure the secret:
- Description: MCP Server Secret
- Expires: Choose a time span between 6 and 24 months, based on your security policy
Click Add

Save secret value

warning

Copy the secret value immediately - you cannot display the value again after leaving this page.

Field	Action
Secret value	Copy and store securely
Secret ID	Note for reference
Expires	Record expiration date for rotation planning

Gather configuration details

After creating your application, collect the credentials and endpoints needed for MCP server configuration. You'll find these values in the application overview and endpoints sections.

Application information

From the application registration's Overview page, collect:

Field	Purpose
Application (client) ID	Unique identifier for authentication
Directory (tenant) ID	Your Azure AD tenant identifier
Client secret	Authentication secret (saved earlier)

OAuth 2.0 endpoints

In the application registration's Overview page, click Endpoints at the top to find:

Endpoint	URL format
Authorization endpoint (v2)	`https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize`
Token endpoint (v2)	`https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token`

Replace {tenant-id} with your actual tenant ID.

Configure MCP servers in the Cequence AI Gateway

Use the Microsoft Entra ID credentials to configure authentication across all your MCP servers in the Cequence AI Gateway that need SSO access.

OAuth 2.0 configuration

The Cequence AI Gateway wizard for creating a new MCP server or editing an existing MCP server includes an Authentication step. When the wizard is at the Authentication step, select OAuth 2.0 as the authentication type and click +Add New OAuth 2.0 Client Credentials to add a new OAuth token. Fill in the fields with the following information:

Parameter	Value
Token Name	Name your token
Token URL	`"https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token"`
Client ID	Your client ID
Client Secret	Your client secret
Scopes	`["email", "profile", "openid", "User.Read"]`
Additional Parameters	A comma-separated list of the following parameters and values: `tenantID`=Your tenant ID `authorizationUrl`=`"https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize"` `redirectUri`=`https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback`

Configuration reuse: The same client ID, client secret, and endpoint URLs can be used across multiple MCP servers, reducing complexity and maintenance overhead.

The Getting Started section provides complete information on creating MCP servers on the Cequence AI Gateway.

Advanced configuration

Advanced configuration options allow you to customize your Microsoft Entra ID integration beyond the default settings. You can configure multi-tenant support, custom domains, or specialized authentication scenarios.

Multi-tenant applications

When you configure a multi-tenant application, replace the string YOUR_TENANT_ID in the Token URL and Authorization URL with the string common instead of your Tenant ID.

Custom domains

When using a custom domain for your tenant, replace the string microsoftonline.com in the Token URL and Authorization URL with the custom domain name. For example, to use the custom domain standard.example, replace https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize with https://login.standard.example/YOUR_TENANT_ID/oauth2/v2.0/authorize.

Configure user access

User access controls determine who can authenticate through your application to access MCP servers. These assignments must be configured in the Azure Portal, not in the Cequence AI Gateway dashboard. Without proper assignments, users will receive authentication errors when attempting to access MCP servers, even if those servers are visible in the AI Gateway dashboard.

Enterprise application settings

In Microsoft Entra ID, navigate to Enterprise applications
Find your application by name
Click on your application

User assignment

To restrict access to specific users or groups:

In the enterprise application, navigate to Properties
Set Assignment required? to Yes
In the enterprise application, navigate to Users and groups
Click + Add user/group
Select users or groups who should have access
Click Assign

When "Assignment required" is set to No, all users in your directory can access the application without explicit assignment.

Test your configuration

Testing ensures your Microsoft Entra ID integration works correctly before deploying to production. You'll verify the complete authentication flow and troubleshoot any common configuration issues.

Verify OAuth flow

Initiate authentication from your MCP client
Confirm redirection to Microsoft's login page
Sign in with your Microsoft Entra ID credentials
Verify successful redirect to the callback URL
Confirm the MCP server receives and processes the authorization code

Common troubleshooting

Problem	Solution
AADSTS50011: Redirect URI mismatch	Verify the URI in Azure matches your MCP configuration exactly
AADSTS700016: Invalid client ID	Double-check the Application (client) ID is copied correctly
AADSTS7000215: Invalid client secret	Confirm secret hasn't expired and is copied correctly
AADSTS50105: User not assigned	Add user to the enterprise application or disable assignment requirement
AADSTS65001: Consent required	User or admin needs to consent to the requested permissions

Security best practices

Implementing proper security measures protects your OAuth integration and user data. Focus on three key areas: managing credentials securely, controlling user access appropriately, and monitoring authentication activity for potential threats.

Credential management

Rotate secrets regularly before expiration
Use Azure Key Vault for production secret storage
Set up expiration alerts to avoid service disruption
Never commit secrets to source control

Access control

Apply least privilege principles for user assignments
Use groups for easier user management
Review access assignments regularly
Configure Conditional Access policies for enhanced security

Monitoring

Enable sign-in logs in Azure Monitor
Set up alerts for suspicious activities
Review audit logs regularly
Use Identity Protection for risk detection

Additional resources

Next steps

After successful Microsoft Entra ID SSO configuration:

Test integration with representative users
Configure Conditional Access policies
Implement monitoring and alerting
Document your configuration for team reference
Plan for secret rotation and maintenance
Consider automated user provisioning with SCIM

Configuration scope and reusability​

Prerequisites​

Register your application​

Access Azure portal​

Create application registration​

Configure basic settings​

Configure authentication​

Platform configuration​

Advanced settings​

Configure API permissions​

Add required permissions​

Grant admin consent​

Create client secret​

Generate new secret​

Save secret value​

Gather configuration details​

Application information​

OAuth 2.0 endpoints​

Configure MCP servers in the Cequence AI Gateway​

OAuth 2.0 configuration​

Advanced configuration​

Multi-tenant applications​

Custom domains​

Configure user access​

Enterprise application settings​

User assignment​

Test your configuration​

Verify OAuth flow​

Common troubleshooting​

Security best practices​

Credential management​

Access control​

Monitoring​

Additional resources​

Next steps​