mcp-gateway

Azure Entra ID Application Roles Setup

Follow these steps to enable application roles, assign them to identities, and pass the role value into adapter/tool definitions for authorization.

1. Enable and Configure Roles on the App Registration

2. Assign Roles to Identities

3. Provide the Role Value When Creating Adapters or Tools

4. Authorize Built-in Agent Tools (bash, read_file, write_file)

The in-process built-in tools run shell commands and read/write files inside the gateway pod, so they are treated as a privileged capability rather than an ordinary resource. Unlike adapters/tools, they have no per-resource requiredRoles; access is gated on the caller’s role — at agent create/update time and again at run time (tool resolution and invocation) — with no creator bypass. Even the author of an agent must hold the required role to reference or invoke a built-in.