
Activate Approved MCP Servers and Manage Tool Access

Implementation Effort: Medium – Requires evaluating the Agent 365 MCP server catalog against the organization's approval policy, activating approved servers, configuring scoped Entra permissions per agent, and managing Connected Agents for Researcher.
User Impact: Medium – Determines which tools and connected agents are available; agents gain or lose capabilities based on which servers are activated, which permissions are granted, and which connected agents are approved.

Overview

After the organization defines its MCP server and tool approval policy, this task executes that policy through the Microsoft 365 admin center. There are two complementary control surfaces that together determine what external capabilities agents can access at runtime: the Tools page for MCP server management, and the Connected Agents configuration for Researcher orchestration.

The Tools page is the primary admin surface for managing MCP servers. The Agent 365 catalog includes Microsoft-built servers for Outlook Mail, Outlook Calendar, Teams, SharePoint and OneDrive, Word, Dataverse, Copilot Search, and User Profile, among others. Each server exposes granular tools — such as createMessage, getEvents, createFolder, uploadFile — that agents invoke to perform deterministic, auditable actions across Microsoft 365 services. Activating a server makes its tools available to agents; leaving it inactive means no agent in the organization can use those tools regardless of its permissions or configuration. Administrators review which MCP servers are available by default, enable or disable specific servers, and control whether agents can discover and use new tool integrations without explicit approval.

The activation decision is not a blanket on/off. Each server should be evaluated against the approval policy's risk classification criteria: what data does the server access, what actions can its tools perform, and what is the blast radius if an agent misuses those tools? A server that reads user profile information carries a different risk than one that can send emails or modify SharePoint content. The security team or review board evaluates each server and makes an explicit activation decision, documenting the rationale.

Beyond activation, each MCP server requires scoped permission grants. In Agent 365, each MCP server is represented as a permission on the Agent 365 application. When an agent is onboarded, the administrator grants the required permissions — only after this consent does the agent gain access to that server's tools. Permissions should be granted per-agent based on the agent's declared purpose and data access scope, not globally across all agents. An agent built to manage calendar scheduling should receive permission to the Calendar MCP server but not to the Mail or SharePoint servers. This per-agent scoping is the Entra-level enforcement of the least privilege principle for tool access.

For third-party MCP servers published by ISVs, the same activation and scoping process applies, but with additional vendor risk assessment as defined in the approval policy. Third-party servers should be evaluated for the same criteria as first-party servers, plus vendor security posture, data handling practices, and contractual obligations.

Connected Agents for Researcher controls which third-party and custom agents can plug into Copilot's Researcher capability. Researcher orchestrates multiple agents to perform deep research tasks, and the connected agents configuration determines which agents are allowed to participate. Administrators review the list of available connected agents, approve or block specific agents, and control whether new connected agents are automatically available or require explicit admin approval. A research workflow that only needs first-party data should not have third-party agents connected — each connected agent expands the data access surface and must be evaluated against the same risk criteria applied to MCP servers.

Both control surfaces should be reviewed during initial deployment and revisited on a recurring cadence as Microsoft updates catalog servers and new connected agents become available. This task supports Use Least Privilege Access by ensuring agents only receive permissions to the specific MCP servers and connected agents they need, rather than inheriting access to all activated capabilities. It supports Verify Explicitly by requiring explicit activation and permission grant decisions for each server-agent combination, creating an auditable record of what was approved and why. Organizations that activate all catalog servers by default, grant blanket permissions, or allow unrestricted connected agent access give every agent access to every tool and orchestration partner, violating least privilege and expanding the blast radius if any single agent is compromised.
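One way to run the recurring review described above is to compare the documented approval register with what is actually activated and granted. The sketch below is an added example, not Microsoft code or an Agent 365 API: the server labels, agent names, and the shape of the exported inventory are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed approval register: server label -> agents approved to use it.
# Labels are illustrative, not real Agent 365 permission names.
APPROVED = {
    "calendar": {"scheduler-agent"},
    "mail": {"triage-agent"},
    "user-profile": {"scheduler-agent", "triage-agent"},
    "teams": {"triage-agent"},
}

# Constructed tenant inventory (hypothetical export format).
ACTIVATED = {"calendar", "mail", "user-profile", "sharepoint"}
GRANTS = {
    "scheduler-agent": {"calendar", "user-profile", "mail"},
    "triage-agent": {"mail", "user-profile", "teams"},
    "legacy-agent": {"calendar", "mail", "user-profile", "sharepoint"},
}

@dataclass(frozen=True)
class Finding:
    kind: str
    agent: str
    server: str

def audit(approved, activated, grants):
    """Return every deviation between the approval register and the tenant state."""
    findings = []
    # Server is active but no activation decision is on record.
    for server in sorted(activated - set(approved)):
        findings.append(Finding("unapproved-activation", "*", server))
    for agent, servers in sorted(grants.items()):
        # Agent holds a grant on every activated server: blanket permission.
        if len(activated) > 1 and servers >= activated:
            findings.append(Finding("blanket-grant", agent, "*"))
        for server in sorted(servers):
            if agent not in approved.get(server, set()):
                # This server-agent combination was never approved.
                findings.append(Finding("unapproved-grant", agent, server))
            elif server not in activated:
                # Approved but inactive: unusable now, live once activated.
                findings.append(Finding("dormant-grant", agent, server))
    return findings

if __name__ == "__main__":
    for f in audit(APPROVED, ACTIVATED, GRANTS):
        print(f"{f.kind:22} agent={f.agent:16} server={f.server}")
```

Each finding maps to a decision the review board should either document in the register or reverse in the admin center.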

Consolidation note: This task incorporates the previous Manage agent tools and connected agents in Agent 365 (AI_127), which covered the same admin center control surfaces — the Tools page for MCP server management and the Connected Agents configuration for Researcher. These are now consolidated because they represent a single administrative workflow for executing the MCP server approval policy.
