
Define MCP Server and Tool Approval Policy

Implementation Effort: Low – Policy definition task requiring alignment between security, platform engineering, and compliance teams; no infrastructure changes.
User Impact: Low – Applies to administrators and development teams; end users are not affected.

Overview

MCP (Model Context Protocol) servers give agents access to tools that perform real actions — sending emails, querying databases, calling external APIs, modifying records. Agents discover and invoke these tools at runtime, and the scope of what an agent can do is directly determined by which MCP servers are available to it. Without a formal approval policy, MCP servers enter the environment through three uncoordinated paths: Microsoft activates new servers in the Agent 365 catalog, ISVs publish third-party servers, and internal development teams build custom servers through the MCP Management Server. Each path introduces tool endpoints that agents can call, and none of them requires security review by default.

An MCP server approval policy defines the criteria and process for evaluating servers from all three sources before they are activated for organizational use. The policy should establish:

  • Risk classification criteria for evaluating MCP servers based on what data they access, what actions they can perform, and whether they call external systems. A server that reads calendar metadata is fundamentally different from one that can send emails on behalf of users or write to a production database.
  • Review process specifying who evaluates new servers (security team, platform engineering, or a joint review board), what evidence is required (data access scope, authentication method, audit trail capabilities), and what approval gates must be passed before activation.
  • Source-specific requirements acknowledging that built-in Agent 365 catalog servers, third-party ISV servers, and custom-built servers carry different risk profiles and require different levels of scrutiny. Microsoft's pre-certified catalog servers have undergone testing for accuracy, latency, and reliability. Third-party servers require additional vendor risk assessment. Custom servers require code review and architecture review in addition to the standard criteria.
  • Scoped permission requirements specifying that each MCP server must be granted only the Entra permissions required for its declared capabilities, and that permission grants are made per-agent rather than globally. The Agent 365 platform represents each MCP server as a permission on the Agent 365 application — the policy must require that these permissions are evaluated and granted deliberately at agent onboarding, not blanket-approved.
  • Ongoing review cadence defining how frequently approved servers are re-evaluated, particularly when Microsoft updates catalog servers or when custom servers are modified by development teams.
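The policy elements above can be checked mechanically before a server is activated. The following is an added example, not Microsoft, Agent 365 or MCP Management Server code: it encodes the risk classification, source-specific gates and scoped-permission rules as a policy-as-code evaluator. The manifest fields, the capability-to-permission table and the placeholder permission names are assumptions constructed for the example, standing in for the evidence (data access scope, actions, external calls, source) that reviewers collect.

```python
"""Policy-as-code evaluator for an MCP server approval policy.

Added example; not Microsoft, Agent 365 or MCP Management Server code.
The manifest fields and the capability-to-permission table are assumptions
constructed for this example. Permission strings are placeholders, not real
Entra permission identifiers.
"""
from dataclasses import dataclass

# Assumed mapping from a declared capability to the permission(s) it needs.
CAPABILITY_PERMISSIONS = {
    "read_calendar": {"Calendar.Read.Placeholder"},
    "send_mail": {"Mail.Send.Placeholder"},
    "read_db": {"Db.Read.Placeholder"},
    "write_db": {"Db.Write.Placeholder"},
}
SIDE_EFFECTING = {"send_mail", "write_db"}      # actions that change state
SENSITIVE_SCOPES = {"mail", "production_db"}    # data classes that raise risk
SOURCE_GATES = {                                # extra gates by server source
    "catalog": [],                              # Microsoft pre-certified
    "isv": ["vendor_risk_assessment"],
    "custom": ["code_review", "architecture_review"],
}


@dataclass(frozen=True)
class ServerManifest:
    name: str
    source: str                     # "catalog", "isv" or "custom"
    data_scopes: frozenset          # data the server reads or writes
    capabilities: frozenset         # declared capabilities
    external_calls: bool            # calls systems outside the tenant
    requested_permissions: frozenset
    grant_scope: str                # "agent" (per-agent) or "tenant" (blanket)


@dataclass
class Decision:
    tier: str
    required_gates: list
    findings: list
    approved: bool


def classify_risk(m):
    """Low: read-only and no external systems. Points accrue for
    state-changing actions, external calls and sensitive data;
    three or more points is high."""
    points = 2 * bool(m.capabilities & SIDE_EFFECTING)
    points += bool(m.external_calls)
    points += bool(m.data_scopes & SENSITIVE_SCOPES)
    if points == 0:
        return "low"
    return "high" if points >= 3 else "medium"


def required_gates(m, tier):
    gates = ["risk_classification", "evidence_review"] + SOURCE_GATES[m.source]
    if tier == "high":
        gates.append("joint_review_board")  # assumption: high tier escalates
    return gates


def excess_permissions(m):
    """Permissions requested beyond what the declared capabilities need."""
    needed = set()
    for cap in m.capabilities:
        needed |= CAPABILITY_PERMISSIONS.get(cap, set())
    return set(m.requested_permissions) - needed


def evaluate(m, completed_gates):
    """Approve only when every gate passed, no permission exceeds the
    declared capabilities, and the grant is scoped per agent."""
    tier = classify_risk(m)
    gates = required_gates(m, tier)
    findings = []
    extra = excess_permissions(m)
    if extra:
        findings.append(f"permissions beyond declared capabilities: {sorted(extra)}")
    unknown = set(m.capabilities) - set(CAPABILITY_PERMISSIONS)
    if unknown:
        findings.append(f"undocumented capabilities: {sorted(unknown)}")
    if m.grant_scope != "agent":
        findings.append("permission grant is not scoped per agent")
    missing = [g for g in gates if g not in completed_gates]
    if missing:
        findings.append(f"approval gates not passed: {missing}")
    return Decision(tier, gates, findings, approved=not findings)


# Constructed sample manifests (not real servers).
CALENDAR_READER = ServerManifest(
    "calendar-metadata", "catalog", frozenset({"calendar"}),
    frozenset({"read_calendar"}), False,
    frozenset({"Calendar.Read.Placeholder"}), "agent")
MAIL_SENDER = ServerManifest(
    "outbound-mail", "custom", frozenset({"mail"}),
    frozenset({"send_mail"}), True,
    frozenset({"Mail.Send.Placeholder", "Db.Write.Placeholder"}), "tenant")

if __name__ == "__main__":
    for m in (CALENDAR_READER, MAIL_SENDER):
        d = evaluate(m, completed_gates={"risk_classification", "evidence_review"})
        print(m.name, d.tier, "approved" if d.approved else d.findings)
```

Run as-is, the calendar reader classifies as low risk and is approved, while the custom mail server classifies as high, is held for code review, architecture review and board sign-off, and is flagged for requesting a database write permission it never declared and for a tenant-wide rather than per-agent grant. The scoring weights and gate names are policy choices; the structure is what matters: every server passes through the same evaluation regardless of which of the three paths it arrived by.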

This task supports Use Least Privilege Access by requiring that every MCP server's data access scope and action capabilities are evaluated before agents can use it, preventing agents from inheriting access to tools they do not need. It supports Verify Explicitly by creating a deliberate approval gate where each server is assessed against documented criteria rather than activated by default. Organizations that do not define an approval policy allow MCP servers to proliferate without security review, and each ungoverned server represents an additional tool endpoint that a compromised agent can invoke to access data or perform actions that were never evaluated for risk.

Reference