Microsoft has moved its Model Context Protocol (MCP) support for Azure Functions to general availability, signaling a shift toward standardized, identity-secure agentic workflows. By integrating native on-behalf-of (OBO) authentication and streamable HTTP transport, the update aims to solve the ‘security pain point’ that has historically prevented AI agents from accessing sensitive downstream enterprise data.
The MCP extension, which entered public preview in April 2025, now supports .NET, Java, JavaScript, Python, and TypeScript, while a new self-hosted option lets developers deploy existing MCP SDK-based servers without code changes.
The Model Context Protocol, developed by Anthropic, provides a standardized interface enabling AI agents to access external tools, data sources, and systems. Since its November 2024 launch, major AI platforms, including OpenAI, Google DeepMind, and Microsoft, have adopted the protocol, with server downloads growing from approximately 100,000 to over 8 million by April 2025.
However, as Randy Bias of Mirantis noted: “Security and compliance teams cannot allow arbitrary, unvetted ‘Shadow Agents’ running on developer laptops to access critical data systems like electronic healthcare records or customer personally identifiable information” – driving demand for managed hosting platforms with built-in governance.
The generally available MCP extension introduces several capabilities designed for production deployments. Support for the streamable HTTP transport protocol replaces the older Server-Sent Events (SSE) approach, with Microsoft recommending the newer transport unless clients specifically require SSE. The extension exposes two endpoints: /runtime/webhooks/mcp for streamable-http and /runtime/webhooks/mcp/sse for legacy SSE connections.
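For teams wiring up a client, the endpoint layout can be exercised directly with the official MCP Python SDK. The snippet below is a minimal sketch rather than Microsoft's sample code: the function app name is a placeholder, and the x-functions-key header assumes the app is still protected by a Functions system key rather than the built-in OAuth support described next.

```python
import asyncio

from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client

# Hypothetical endpoint; <app-name> and the key value are placeholders.
ENDPOINT = "https://<app-name>.azurewebsites.net/runtime/webhooks/mcp"
HEADERS = {"x-functions-key": "<system-key>"}  # omit if built-in OAuth is configured

async def main() -> None:
    # Open a streamable-http connection and list the tools the server exposes.
    async with streamablehttp_client(ENDPOINT, headers=HEADERS) as (read, write, _):
        async with ClientSession(read, write) as session:
            await session.initialize()
            tools = await session.list_tools()
            print([tool.name for tool in tools.tools])

asyncio.run(main())
```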
Built-in authentication and authorization implement the MCP authorization protocol requirements, including issuing 401 challenges and hosting Protected Resource Metadata documents. Developers can configure Microsoft Entra or other OAuth providers for server authentication. The feature also supports on-behalf-of (OBO) authentication, enabling tools to access downstream services using the user’s identity rather than a service account.
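The exchange behind OBO follows the standard Microsoft Entra on-behalf-of flow: the token presented by the MCP client is traded for a token that is valid against a downstream API while still carrying the user's identity. As a rough illustration only, the hedged sketch below performs that exchange manually with MSAL for Python; the tenant, client ID, secret, and Microsoft Graph scope are placeholder assumptions, and with the built-in feature this is handled by the platform rather than written by the developer.

```python
import msal

# Placeholder values; in a real app these come from configuration.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<api-client-id>"
CLIENT_SECRET = "<client-secret>"

app = msal.ConfidentialClientApplication(
    CLIENT_ID,
    authority=f"https://login.microsoftonline.com/{TENANT_ID}",
    client_credential=CLIENT_SECRET,
)

def get_downstream_token(incoming_user_token: str) -> str:
    # Exchange the caller's token for one scoped to a downstream service,
    # preserving the user's identity instead of using a service account.
    result = app.acquire_token_on_behalf_of(
        user_assertion=incoming_user_token,
        scopes=["https://graph.microsoft.com/.default"],  # example downstream scope
    )
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "OBO exchange failed"))
    return result["access_token"]
```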
In April 2025, Den Delimarsky, a principal software engineer, shared insights about implementing secure MCP servers with Azure Functions and API Management:
One of the big pain points developers have is implementing anything related to authentication and authorization. If you don’t have the security expertise, it’s inherently painful and risky. You might just misconfigure something and end up exposing all your data to people you don’t want to see it.
Victor Karabedyants, a cloud architect at Sitecore, detailed the authentication flow in practice. When a client connects to a remote MCP server, Azure Functions rejects the initial anonymous request with a 401 response, including the path to Protected Resource Metadata. The client reads this metadata, triggers a Microsoft Entra ID login flow, obtains an OAuth token, and retries the request with the token. “Your Python or Node script never sees the auth logic,” Karabedyants explained. “The platform handles the heavy lifting.”
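The first hop of that handshake is observable with plain HTTP. The sketch below, which assumes a placeholder function app URL and request body, simply shows the anonymous request being rejected and the challenge that points the client at the Protected Resource Metadata; a real MCP client carries out the rest of the flow automatically.

```python
import requests

# Placeholder endpoint for a remote MCP server hosted on Azure Functions.
MCP_URL = "https://<app-name>.azurewebsites.net/runtime/webhooks/mcp"

# Step 1: the anonymous request is rejected with a 401 response.
resp = requests.post(MCP_URL, json={"jsonrpc": "2.0", "id": 1, "method": "ping"})
print(resp.status_code)  # expected: 401

# Step 2: the WWW-Authenticate challenge points at the Protected Resource
# Metadata document, which tells the client which authorization server to use.
challenge = resp.headers.get("WWW-Authenticate", "")
print(challenge)

# The metadata URL comes from the challenge above rather than being hard-coded:
# metadata = requests.get("<resource_metadata URL from the challenge>").json()
```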
For Java developers, the Maven Build Plugin (version 1.40.0) provides build-time parsing and verification of MCP tool annotations, automatically generating correct extension configuration. According to Microsoft, this build-time analysis prevents increased cold start times that runtime reflection would introduce in Java applications.
The new self-hosted MCP server capability, currently in public preview, allows teams to deploy MCP servers built with official SDKs to Azure Functions as custom handlers, lightweight web servers that proxy requests to the developer’s existing process. Microsoft describes this as a “lift and shift” approach requiring only a host.json configuration file to define how Functions should run the server. The capability currently supports stateless servers using streamable-http transport implemented with Python, TypeScript, C#, or Java SDKs.
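The kind of server this targets is an ordinary SDK-based one. The following is a hedged sketch of a stateless Python server built with the official MCP SDK that could be deployed this way; the server and tool names are hypothetical, and the host.json file (not shown) is what tells Functions how to launch the script as a custom handler.

```python
# A stateless MCP server built with the official Python SDK. Under the
# self-hosted preview, a script like this is deployed to Azure Functions
# without code changes; host.json defines how the platform starts it.
import os

from mcp.server.fastmcp import FastMCP

# stateless_http=True keeps each request self-contained, matching the
# preview's requirement for stateless streamable-http servers.
mcp = FastMCP("inventory", stateless_http=True)

@mcp.tool()
def check_stock(sku: str) -> str:
    """Return a (stubbed) stock level for a product SKU."""
    return f"SKU {sku}: 42 units in stock"

if __name__ == "__main__":
    # Custom handlers receive their listening port via FUNCTIONS_CUSTOMHANDLER_PORT.
    port = os.environ.get("FUNCTIONS_CUSTOMHANDLER_PORT")
    if port:
        mcp.settings.port = int(port)
    mcp.run(transport="streamable-http")
```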
Yohan Lasorsa, a senior cloud advocate at Microsoft, emphasized the simplicity of the self-hosted approach in a developer community blog post:
Hosting MCP servers on Azure Functions gives you the best of both worlds: the simplicity of serverless infrastructure and the power of the official Anthropic SDK. With just a straightforward configuration step, you can deploy your existing Node.js MCP server to a production-ready, auto-scaling platform.
Gaurav Rawat, in a detailed Medium article on production deployment patterns, highlighted several operational considerations for running MCP servers at scale. He noted that conditions such as P95 latency above one second, error rates exceeding 2%, and frequent SSE connection drops require immediate investigation in production environments.
Rawat also documented current limitations practitioners should be aware of: nested arrays and complex types must be serialized as comma-separated strings when integrating with Azure AI Foundry, and programmatic tool approval using require_approval="never" is necessary for production workflows since UI-based approvals don’t persist in automated deployments.
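To make the serialization workaround concrete, here is a hedged sketch in the style of Microsoft's Python quickstarts, using the v2 programming model's generic mcpToolTrigger binding; the tool, its property names, and the stubbed response are hypothetical.

```python
import json

import azure.functions as func

app = func.FunctionApp()

# The list-valued input is declared as a plain string property; the agent is
# expected to pass something like "eastus,westus,northeurope".
_TOOL_PROPERTIES = json.dumps([
    {
        "propertyName": "regions",
        "propertyType": "string",
        "description": "Comma-separated list of Azure regions to check",
    }
])

@app.generic_trigger(
    arg_name="context",
    type="mcpToolTrigger",
    toolName="check_regions",
    description="Checks service status for the given regions.",
    toolProperties=_TOOL_PROPERTIES,
)
def check_regions(context: str) -> str:
    # Re-hydrate the flattened value into a real list on the server side.
    args = json.loads(context)["arguments"]
    regions = [r.strip() for r in args.get("regions", "").split(",") if r.strip()]
    return json.dumps({"regions_checked": regions, "status": "ok"})
```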
Azure Functions offers multiple hosting plans tailored to different MCP server requirements. The Flex Consumption plan provides automatic scaling based on demand with a pay-per-execution billing model and scale-to-zero economics: when MCP tools sit idle, costs drop to zero while wake-up times stay fast. The Premium plan supports “always-ready” instances that remain pre-initialized, eliminating cold-start latency; this matters for mission-critical tools, where initialization delays can cause SSE connection timeouts and poor agent response times. Rawat recommends setting two to three always-ready instances for critical 24/7 tools to ensure failover capacity. Developers can also use Dedicated plans for workloads requiring predictable performance or integration with virtual networks.
Microsoft has published quickstart templates for both hosting approaches across multiple languages. The MCP extension quickstarts cover C# (.NET), Python, and TypeScript (Node.js), with a Java quickstart coming soon. The platform integrates directly with Azure AI Foundry, allowing agents to discover and invoke MCP tools without additional configuration layers.
