Azure · souvikghosh04 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · Copilot
@@ -49,6 +49,8 @@ steps:
 
 - task: NuGetAuthenticate@1
   displayName: 'NuGet Authenticate'
+  inputs:
+    nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
 # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
 # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 

@@ -42,6 +42,8 @@ jobs:
   steps:
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 
@@ -170,6 +172,8 @@ jobs:
 
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 

@@ -43,6 +43,8 @@ jobs:
   steps:
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 
@@ -174,6 +176,8 @@ jobs:
 
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 

@@ -41,6 +41,8 @@ jobs:
   steps:
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 

@@ -36,6 +36,8 @@ jobs:
   steps:
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   # The .NET CLI commands in proceeding tasks use the .NET SDK version specified ("selected") here.
   # Per Microsoft Learn Docs, "Selecting the .NET SDK version is independent from 

@@ -9,6 +9,8 @@
 steps:
 - task: NuGetAuthenticate@1
   displayName: 'NuGet Authenticate'
+  inputs:
+    nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
 # If this is a release, do not append the build number at the end as it will 
 # generate the prerelease nuget version.

@@ -16,6 +16,8 @@ jobs:
   steps:
   - task: NuGetAuthenticate@1
     displayName: 'NuGet Authenticate'
+    inputs:
+      nuGetServiceConnections: 'EngThriveNugetFeedAccessForSqlDab'
 
   - checkout: self  # self represents the repo where the initial Pipelines YAML file was found
     clean: true  # if true, execute `execute git clean -ffdx && git reset --hard HEAD` before fetching

@@ -3,7 +3,22 @@
   <packageSources>
     <clear />
     <add key="data_api_builder_build_packages" value="https://pkgs.dev.azure.com/sqldab/fcb212b3-b288-4c9e-b55a-5842a268b16d/_packaging/data_api_builder_build_packages/nuget/v3/index.json" />
+    <add key="EngThrive-MCP" value="https://pkgs.dev.azure.com/msazure/One/_packaging/EngThrive-MCP/nuget/v3/index.json" />
   </packageSources>
+  <packageSourceMapping>
+    <packageSource key="data_api_builder_build_packages">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="feed-data_api_builder_build_packages">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="EngThrive-MCP">
+      <package pattern="Microsoft.ModelContextProtocol.*" />
+      <package pattern="ModelContextProtocol" />
+      <package pattern="ModelContextProtocol.*" />
+      <package pattern="Microsoft.Identity.ServiceEssentials.*" />
+    </packageSource>
+  </packageSourceMapping>
   <disabledPackageSources>
     <clear />
   </disabledPackageSources>

@@ -11,8 +11,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="ModelContextProtocol" />
-    <PackageReference Include="ModelContextProtocol.AspNetCore" />
+    <PackageReference Include="Microsoft.ModelContextProtocol.HttpServer" />
   </ItemGroup>
 
   <ItemGroup>

@@ -6,6 +6,9 @@
 using Azure.DataApiBuilder.Core.Configurations;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.ModelContextProtocol.HttpServer;
 
 namespace Azure.DataApiBuilder.Mcp.Core
 {
@@ -16,6 +19,8 @@ public static class McpEndpointRouteBuilderExtensions
     {
         /// <summary>
         /// Maps the MCP endpoint to the specified <see cref="IEndpointRouteBuilder"/> if MCP is enabled in the runtime configuration.
+        /// Uses Microsoft MCP endpoint mapping (with auth/rate-limiting) when Entra ID is configured,
+        /// otherwise falls back to base MCP endpoint mapping.
         /// </summary>
         public static IEndpointRouteBuilder MapDabMcp(
             this IEndpointRouteBuilder endpoints,
@@ -29,8 +34,16 @@ public static IEndpointRouteBuilder MapDabMcp(
 
             string mcpPath = mcpOptions.Path ?? McpRuntimeOptions.DEFAULT_PATH;
 
-            // Map the MCP endpoint
-            endpoints.MapMcp(mcpPath);
+            // Use Microsoft MCP endpoint mapping when Entra ID is configured, otherwise use base MCP
+            IConfiguration configuration = endpoints.ServiceProvider.GetRequiredService<IConfiguration>();
+            if (McpServerConfiguration.IsEntraIdConfigured(configuration))
+            {
+                endpoints.MapMicrosoftMcpServer(mcpPath);
+            }
+            else
+            {
+                endpoints.MapMcp(mcpPath);
+            }
 
             return endpoints;
         }

@@ -4,9 +4,12 @@
 using System.Text.Json;
 using Azure.DataApiBuilder.Mcp.Model;
 using Azure.DataApiBuilder.Mcp.Utils;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.ModelContextProtocol.HttpServer;
 using ModelContextProtocol;
 using ModelContextProtocol.Protocol;
+using ModelContextProtocol.Server;
 
 namespace Azure.DataApiBuilder.Mcp.Core
 {
@@ -16,80 +19,108 @@ namespace Azure.DataApiBuilder.Mcp.Core
     internal static class McpServerConfiguration
     {
         /// <summary>
-        /// Configures the MCP server with tool capabilities
+        /// Determines whether Entra ID (AzureAd) is configured for Microsoft MCP authentication.
         /// </summary>
-        internal static IServiceCollection ConfigureMcpServer(this IServiceCollection services)
+        internal static bool IsEntraIdConfigured(IConfiguration configuration)
         {
-            services.AddMcpServer(options =>
+            string? clientId = configuration["AzureAd:ClientId"];
+            return !string.IsNullOrEmpty(clientId);
+        }
+
+        /// <summary>
+        /// Configures the MCP server with tool capabilities.
+        /// Uses Microsoft MCP server (with MISE/Entra ID auth) when AzureAd is configured,
+        /// otherwise falls back to base MCP server without enterprise auth.
+        /// </summary>
+        internal static IServiceCollection ConfigureMcpServer(this IServiceCollection services, IConfiguration configuration)
+        {
+            IMcpServerBuilder builder;
+
+            if (IsEntraIdConfigured(configuration))
             {
-                options.ServerInfo = new() { Name = McpProtocolDefaults.MCP_SERVER_NAME, Version = McpProtocolDefaults.MCP_SERVER_VERSION };
-                options.Capabilities = new()
+                // Use Microsoft MCP server with MISE/Entra ID authentication
+                builder = services.AddMicrosoftMcpServer(configuration, options =>
                 {
-                    Tools = new()
-                    {
-                        ListToolsHandler = (request, ct) =>
-                        {
-                            McpToolRegistry? toolRegistry = request.Services?.GetRequiredService<McpToolRegistry>();
-                            if (toolRegistry == null)
-                            {
-                                throw new InvalidOperationException("Tool registry is not available.");
-                            }
-
-                            List<Tool> tools = toolRegistry.GetAllTools().ToList();
+                    options.ResourceHost = "https://localhost";
-                    options.ResourceHost = "https://localhost";
+                    // Prefer a configured ResourceHost, fall back to localhost for development.
+                    string? configuredResourceHost = configuration["Mcp:ResourceHost"];
+                    options.ResourceHost = string.IsNullOrEmpty(configuredResourceHost)
+                        ? "https://localhost"
+                        : configuredResourceHost;
-                    options.ResourceHost = "https://localhost";
+                    // Prefer a configured ResourceHost, fall back to localhost for development.
+                    string? configuredResourceHost = configuration["Mcp:ResourceHost"];
+                    options.ResourceHost = string.IsNullOrEmpty(configuredResourceHost)
+                        ? "https://localhost"
+                        : configuredResourceHost;
+                });
+            }
+            else
+            {
+                // Fall back to base MCP server without enterprise auth
+                builder = services.AddMcpServer();
+            }
 
-                            return ValueTask.FromResult(new ListToolsResult
-                            {
-                                Tools = tools
-                            });
-                        },
-                        CallToolHandler = async (request, ct) =>
-                        {
-                            McpToolRegistry? toolRegistry = request.Services?.GetRequiredService<McpToolRegistry>();
-                            if (toolRegistry == null)
-                            {
-                                throw new InvalidOperationException("Tool registry is not available.");
-                            }
+            builder
+            .WithListToolsHandler((RequestContext<ListToolsRequestParams> request, CancellationToken ct) =>
+            {
+                McpToolRegistry? toolRegistry = request.Services?.GetRequiredService<McpToolRegistry>();
+                if (toolRegistry == null)
+                {
+                    throw new InvalidOperationException("Tool registry is not available.");
+                }
 
-                            string? toolName = request.Params?.Name;
-                            if (string.IsNullOrEmpty(toolName))
-                            {
-                                throw new McpException("Tool name is required.");
-                            }
+                List<Tool> tools = toolRegistry.GetAllTools().ToList();
 
-                            if (!toolRegistry.TryGetTool(toolName, out IMcpTool? tool))
-                            {
-                                throw new McpException($"Unknown tool: '{toolName}'");
-                            }
+                return ValueTask.FromResult(new ListToolsResult
+                {
+                    Tools = tools
+                });
+            })
+            .WithCallToolHandler(async (RequestContext<CallToolRequestParams> request, CancellationToken ct) =>
+            {
+                McpToolRegistry? toolRegistry = request.Services?.GetRequiredService<McpToolRegistry>();
+                if (toolRegistry == null)
+                {
+                    throw new InvalidOperationException("Tool registry is not available.");
+                }
 
-                            JsonDocument? arguments = null;
-                            try
-                            {
-                                if (request.Params?.Arguments != null)
-                                {
-                                    // Convert IReadOnlyDictionary<string, JsonElement> to JsonDocument
-                                    Dictionary<string, object?> jsonObject = new();
-                                    foreach (KeyValuePair<string, JsonElement> kvp in request.Params.Arguments)
-                                    {
-                                        jsonObject[kvp.Key] = kvp.Value;
-                                    }
+                string? toolName = request.Params?.Name;
+                if (string.IsNullOrEmpty(toolName))
+                {
+                    throw new McpException("Tool name is required.");
+                }
 
-                                    string json = JsonSerializer.Serialize(jsonObject);
-                                    arguments = JsonDocument.Parse(json);
-                                }
+                if (!toolRegistry.TryGetTool(toolName, out IMcpTool? tool))
+                {
+                    throw new McpException($"Unknown tool: '{toolName}'");
+                }
 
-                                return await McpTelemetryHelper.ExecuteWithTelemetryAsync(
-                                    tool!, toolName, arguments, request.Services!, ct);
-                            }
-                            finally
-                            {
-                                arguments?.Dispose();
-                            }
+                JsonDocument? arguments = null;
+                try
+                {
+                    if (request.Params?.Arguments != null)
+                    {
+                        // Convert IReadOnlyDictionary<string, JsonElement> to JsonDocument
+                        Dictionary<string, object?> jsonObject = new();
+                        foreach (KeyValuePair<string, JsonElement> kvp in request.Params.Arguments)
+                        {
+                            jsonObject[kvp.Key] = kvp.Value;
                         }
+
+                        string json = JsonSerializer.Serialize(jsonObject);
+                        arguments = JsonDocument.Parse(json);
                     }
-                };
+
+                    return await McpTelemetryHelper.ExecuteWithTelemetryAsync(
+                        tool!, toolName, arguments, request.Services!, ct);
+                }
+                finally
+                {
+                    arguments?.Dispose();
+                }
             })
             .WithHttpTransport();
 
+            // Configure underlying MCP server options
+            services.Configure<McpServerOptions>(options =>
+            {
+                options.ServerInfo = new() { Name = McpProtocolDefaults.MCP_SERVER_NAME, Version = McpProtocolDefaults.MCP_SERVER_VERSION };
+                options.Capabilities = new()
+                {
+                    Tools = new()
+                };
+            });
+
             return services;
         }
     }

@@ -5,6 +5,7 @@
 using Azure.DataApiBuilder.Config.ObjectModel;
 using Azure.DataApiBuilder.Core.Configurations;
 using Azure.DataApiBuilder.Mcp.Model;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Azure.DataApiBuilder.Mcp.Core
@@ -14,10 +15,20 @@ namespace Azure.DataApiBuilder.Mcp.Core
     /// </summary>
     public static class McpServiceCollectionExtensions
     {
+        /// <summary>
+        /// Determines whether Entra ID (AzureAd) is configured for Microsoft MCP authentication.
+        /// When configured, the Microsoft MCP server with MISE auth is used.
+        /// When not configured, the base MCP server without enterprise auth is used.
+        /// </summary>
+        public static bool IsEntraIdConfigured(IConfiguration configuration)
+        {
+            return McpServerConfiguration.IsEntraIdConfigured(configuration);
+        }
+
         /// <summary>
         /// Adds MCP server and related services to the service collection
         /// </summary>
-        public static IServiceCollection AddDabMcpServer(this IServiceCollection services, RuntimeConfigProvider runtimeConfigProvider)
+        public static IServiceCollection AddDabMcpServer(this IServiceCollection services, RuntimeConfigProvider runtimeConfigProvider, IConfiguration configuration)
         {
             if (!runtimeConfigProvider.TryGetConfig(out RuntimeConfig? runtimeConfig))
             {
@@ -42,7 +53,7 @@ public static IServiceCollection AddDabMcpServer(this IServiceCollection service
             RegisterCustomTools(services, runtimeConfig);
 
             // Configure MCP server
-            services.ConfigureMcpServer();
+            services.ConfigureMcpServer(configuration);
 
             return services;
         }

@@ -37,6 +37,14 @@ public void RegisterTool(IMcpTool tool)
             // Check for duplicate tool names (case-insensitive)
             if (_tools.TryGetValue(toolName, out IMcpTool? existingTool))
             {
+                // If the same tool instance is already registered, skip silently.
+                // This can happen when both McpToolRegistryInitializer (hosted service)
+                // and McpStdioHelper register tools during stdio mode startup.
+                if (ReferenceEquals(existingTool, tool))
+                {
+                    return;
+                }
+
                 string existingToolType = existingTool.ToolType == ToolType.BuiltIn ? "built-in" : "custom";
                 string newToolType = tool.ToolType == ToolType.BuiltIn ? "built-in" : "custom";