Require MCP Management Server for All Custom MCP Server Deployments

Implementation Effort: Low – Establishing the requirement is a policy decision; the MCP Management Server is a built-in capability of Agent 365 that development teams adopt without infrastructure provisioning.
User Impact: Low – Applies to development and platform engineering teams; end users interact with agents, not directly with MCP servers.

Overview

When development teams build custom MCP servers to give agents access to proprietary databases, internal APIs, or line-of-business systems, those servers can be deployed as standalone endpoints that agents call directly. Standalone deployment bypasses the Agent 365 control plane entirely — administrators cannot see, manage, block, or monitor these servers. Requiring that all custom MCP servers are created and published through the MCP Management Server eliminates this governance gap by making the management layer a mandatory deployment path rather than an optional one.

The MCP Management Server is an MCP server within Agent 365 that exposes tools for creating, updating, deleting, and publishing custom MCP servers. Its API-first design (CreateMCPServer, CreateToolWithConnector, UpdateTool, DeleteMCPServer, PublishMCPServer) means development teams work within the governance framework from the start — there is no initial "build standalone, register later" workflow. Servers created through the management layer are automatically visible in the Microsoft 365 admin center alongside the built-in catalog servers, and they inherit the same block/unblock controls, permission scoping, and Defender observability that govern first-party servers.

This requirement should be communicated as part of the organization's agent publishing standards and enforced through the MCP server approval policy. Development teams must understand that custom servers deployed outside the MCP Management Server will not be discoverable by agents operating within the governed Agent 365 ecosystem, and that ungoverned servers detected through network monitoring or security audits will be treated as policy violations. The requirement applies regardless of the development surface — whether teams build through Visual Studio Code, the Agent 365 SDK, or Copilot Studio, the MCP Management Server is the required creation and publishing path.

Each custom server created through the management layer must declare its capabilities, data access scope, and authentication requirements. The platform enforces these declarations at runtime, ensuring agents can only invoke the tools the server has declared and that every call is authenticated through the organization's Entra identity framework. Development teams can integrate connectors (1,500+ available including ServiceNow and JIRA), Microsoft Graph APIs, Dataverse custom APIs, and arbitrary REST endpoints as tools within their custom servers — all governed through the same management layer.

This task supports Use Least Privilege Access by requiring custom servers to declare their scope explicitly at creation time, so agents can only access the specific capabilities and data the server exposes. It supports Verify Explicitly by making the MCP Management Server the single publishing path, ensuring every custom server is known to the organization and subject to administrative controls. Organizations that allow development teams to deploy custom MCP servers outside the management framework end up with ungoverned tool endpoints that bypass the AI control plane, creating blind spots in security monitoring and administrative control.

Reference