Description
Issue Summary
I am unable to connect to my MCP server (built using Data API Builder and hosted on Azure Container Apps) when Microsoft Entra ID authentication is enabled in the dab-config.json file.
The same MCP server works correctly when authentication is disabled.
Environment Setup
MCP server implemented using Data API Builder
Hosted on Azure Container Apps
SQL access through User Assigned Managed Identity (UAMI)
Azure AI Foundry Agent calling the MCP endpoint
Authentication mode set to MicrosoftEntraAuthentication in dab-config.json
What I configured
Added Entra ID configuration in dab-config.json, including:
"allowed-audiences"
"issuer"
"clientId"
Created a User Assigned Managed Identity (UAMI) for the MCP server
Assigned SQL permissions to the UAMI
Added UAMI to the Container App
Added API permissions and exposed API on the App Registration
Configured MCP Tool in Azure AI Foundry with:
MCP endpoint
Audience
Entra ID authentication
Required permission scope
“Require approval” set to Never
Verified that the AI Foundry Agent receives a token
What I tried
Tested local DAB app without Entra and anonymous flow → works
When testing from Azure AI Foundry Agent having Entra ID enabled, the request fails with:
Error: Authentication failed when connecting to the MCP server.
Response status code does not indicate success: 401 Unauthorized.
Removed Entra ID block → Agent can connect successfully
Used different values for audience: api://clientId, actual clientId, etc. → still fails
Reconfigured App Registration → no result
Verified that the MCP server is actually sending back 401 for the AI Agent-generated token
Confirmed that the UAMI does not issue tokens, so nothing to configure there
Expected Behavior
AI Foundry Agent should be able to fetch tools from the MCP server using a valid Entra ID token generated by Azure AI Foundry project identity.
Actual Behavior
AI Foundry Agent consistently receives 401 Unauthorized when Entra ID authentication is enabled in DAB configuration.
Key Questions / Clarifications Needed
What should the correct “audience” value be for MCP authentication?
Should it be the App Registration App ID URI?
Or the Client ID directly?
Does the Azure AI Foundry Agent support calling DAB MCP endpoints using Entra ID tokens?
Is there a sample DAB + Entra ID + MCP configuration that works with AI Foundry?
Is there any limitation in DAB MCP authentication with Entra ID tokens from AI Foundry?
Logs / Error
Error: Authentication failed when connecting to the MCP server:
https:///mcp.
Response status code: 401 Unauthorized
DAB Config:
"authentication": {
  "provider": "EntraID",
  "jwt": {
    "audience": "api://",
    "issuer": "https://login.microsoftonline.com//v2.0"
  }
}
App Registration:
Exposed API without scope, empty redirect URI.
Created a UAMI for the SQL connection and one for the Foundry project, assigned the AI User role in the Container App where MCP is hosted.
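An added triage check for the audience question raised above; it is not code from the issue or from the Data API Builder project. It decodes the token the agent presents (inspection only, the signature is not verified) and compares its aud, iss and ver claims with the jwt block of a dab-config.json shaped like the one in the issue, using constructed placeholder tenant and client IDs.

```python
import base64
import json

# Constructed dab-config.json authentication block shaped like the one in the issue,
# with placeholder IDs (assumption: these are not real tenant or client IDs).
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TENANT_ID = "22222222-2222-2222-2222-222222222222"
AUTH_CONFIG = {
    "provider": "EntraID",
    "jwt": {
        "audience": f"api://{CLIENT_ID}",
        "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    },
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature (DAB does the real validation)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_token_against_config(token: str, auth_config: dict) -> list:
    """Compare the token's aud/iss/ver claims with jwt.audience and jwt.issuer; [] means they line up."""
    jwt_cfg = auth_config["jwt"]
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if jwt_cfg["audience"] not in auds:
        findings.append(f"aud mismatch: token has {auds}, config expects {jwt_cfg['audience']!r}")
    if claims.get("iss") != jwt_cfg["issuer"]:
        findings.append(f"iss mismatch: token has {claims.get('iss')!r}, config expects {jwt_cfg['issuer']!r}")
    # Entra v1.0 access tokens use iss https://sts.windows.net/<tenant>/ and an App ID URI (api://...)
    # audience; v2.0 tokens use .../v2.0 and usually the bare client ID. The 'ver' claim tells them apart.
    if jwt_cfg["issuer"].endswith("/v2.0") and claims.get("ver") not in (None, "2.0"):
        findings.append(f"token version {claims['ver']} does not match a v2.0 issuer")
    return findings

def make_unsigned_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token used only to exercise the checks offline.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"
```

Paste the real token into decode_claims to see which of aud, iss or ver differs from what the config demands; a 401 with otherwise correct keys usually traces back to one of those three.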