Microsoft Entra ID Integration Options
Microsoft Entra ID (formerly Azure Active Directory) can be integrated with MCP servers in two different ways, each designed for specific use cases and architectural requirements. Choose the approach that best fits your organization's needs.
Integration Approaches Overview
🔗 Direct SSO Integration
Architecture: Two-tier (MCP Client → MCP Server → Microsoft Graph)
Best for:
- Web-based MCP servers with browser-based clients
- Simple authentication flows without token delegation
- Standard OAuth 2.0 security requirements
- Single-tenant scenarios with direct user access
Setup complexity: Simple (single application registration)
📖 View Direct SSO Integration Guide →
🔄 AI Gateway OAuth Proxy Integration
Architecture: Three-tier (MCP Client → AI Gateway OAuth Proxy → MCP Server → Microsoft Graph)
Best for:
- Desktop/CLI MCP clients requiring server-side token management
- Enterprise scenarios requiring secure token delegation
- Complex authentication flows with multiple token exchanges
- Enhanced security with token proxy and delegation
Setup complexity: Advanced (dual application setup with public/confidential clients)
📖 View AI Gateway OAuth Proxy Integration Guide →
Detailed Comparison
| Feature | Direct SSO Integration | AI Gateway OAuth Proxy Integration |
|---|---|---|
| Client Types | Single confidential client | Public client + Confidential client |
| Token Flow | Standard OAuth 2.0 authorization code | Authorization Code + PKCE + On-Behalf-Of (OBO) |
| Authentication Architecture | Direct user authentication | Proxy-based with token delegation |
| Suitable For | Web applications, simple flows | Desktop/CLI clients, enterprise scenarios |
| Security Model | Standard OAuth security | Enhanced security with token proxy |
| Setup Complexity | Simple | Advanced |
| Token Management | Direct token handling | Server-side token management |
| User Context | Direct user identity | Preserved through OBO flow |
Decision Matrix
Use this matrix to determine which integration approach fits your requirements:
Choose Direct SSO Integration if:
✅ You have web-based MCP clients (browser applications)
✅ You want simple setup with minimal configuration
✅ You're comfortable with direct token handling in your application
✅ You have standard OAuth 2.0 security requirements
✅ You don't need token delegation between services
Choose AI Gateway OAuth Proxy Integration if:
✅ You have desktop or CLI MCP clients
✅ You need server-side token management
✅ You require token delegation using On-Behalf-Of flow
✅ You want enhanced security with token proxying
✅ You're building enterprise-grade authentication flows
✅ You need to preserve user context through multiple service layers
Architecture Diagrams
Direct SSO Integration Flow
```mermaid
graph LR
    A[MCP Client<br/>Web Browser] --> B[MCP Server]
    B --> C[Microsoft Graph]
    A -.->|OAuth 2.0 Flow| D[Microsoft Entra ID]
    D -.->|Access Token| A
    B -.->|User Token| C
```
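In the two-tier flow the MCP server receives the user's bearer token straight from the client, so the server itself is the resource server and must check the token before using it. The following is an added example (not code from the page or from the Cequence AI Gateway project) of the claim checks that follow signature verification: audience, issuer, tenant, validity window and granted scopes. The accepted `aud` and `iss` formats are those of Microsoft identity platform v1.0 and v2.0 access tokens; the tenant id, app id, scope name and the sample token are constructed, and the sample token carries a placeholder signature. Verifying that signature against the tenant's published signing keys (the JWKS behind `/discovery/v2.0/keys`) is assumed to have happened before `validate_claims` is called and is not implemented here.

```python
"""Claim checks for a bearer token presented directly to an MCP server.

Added example, not from the page. Signature verification against the tenant's
JWKS is assumed to run first; this module only inspects the verified claims.
"""
import base64
import json
import time

# Constructed identifiers for the sample (not real tenant/app ids).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REQUIRED_SCOPE = "access_as_user"  # assumed name of the MCP server's delegated scope


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Only call this on a token whose
    signature has already been verified; decoding proves nothing by itself."""
    try:
        _header, payload, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected three segments)") from None
    return json.loads(_b64url_decode(payload))


def validate_claims(claims: dict, app_id: str, tenant_id: str,
                    required_scopes=(), now=None, skew: int = 60) -> list:
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    errors = []

    # v2.0 tokens carry the app id as aud; v1.0 tokens may carry the App ID URI.
    accepted_aud = {app_id, f"api://{app_id}"}
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & accepted_aud:
        errors.append(f"aud {aud!r} was not issued for this server")

    # Issuer must be our tenant, in either the v2.0 or the v1.0 issuer format.
    accepted_iss = {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }
    if claims.get("iss") not in accepted_iss:
        errors.append(f"iss {claims.get('iss')!r} is not the expected tenant")
    if claims.get("tid") != tenant_id:
        errors.append(f"tid {claims.get('tid')!r} does not match the expected tenant")

    # Validity window with a small clock-skew allowance.
    exp = claims.get("exp")
    if exp is None or now > exp + skew:
        errors.append("token is expired or has no exp claim")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - skew:
        errors.append("token is not yet valid (nbf in the future)")

    # Delegated permissions arrive space-separated in scp.
    granted = set(claims.get("scp", "").split())
    missing = set(required_scopes) - granted
    if missing:
        errors.append(f"missing scopes: {sorted(missing)}")
    return errors


def make_sample_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature, used only to exercise
    decode_claims; a real server rejects anything whose signature does not verify."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def sample_claims() -> dict:
    return {
        "aud": APP_ID,
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID,
        "nbf": 1_000_000_000,
        "exp": 2_000_000_000,
        "scp": f"{REQUIRED_SCOPE} User.Read",
    }


if __name__ == "__main__":
    token = make_sample_token(sample_claims())
    print(validate_claims(decode_claims(token), APP_ID, TENANT_ID, [REQUIRED_SCOPE], now=1_500_000_000))
```

The checks return a list rather than raising so the server can log every failed condition for the monitoring step mentioned later on this page; a single "invalid token" log line is much harder to triage than "aud was not issued for this server".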
AI Gateway OAuth Proxy Integration Flow
```mermaid
graph LR
    A[MCP Client<br/>Desktop/CLI] --> B[AI Gateway<br/>OAuth Proxy]
    B --> C[MCP Server]
    C --> D[Microsoft Graph]
    A -.->|Auth Code + PKCE| E[Microsoft Entra ID]
    E -.->|User Token| A
    C -.->|OBO Token Exchange| E
    E -.->|Graph Token| C
```
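The three-tier diagram contains two distinct token exchanges: the public desktop/CLI client redeems an authorization code protected by PKCE, and the confidential MCP server then exchanges the resulting user token for a Graph token through the On-Behalf-Of grant. The following is an added example (not code from the page or from the Cequence AI Gateway project) that builds both requests offline so the parameters of each leg can be seen side by side. The endpoint paths and form fields are the Microsoft identity platform v2.0 ones; the tenant id, client ids, redirect URI and scope names are constructed placeholders, and nothing is sent over the network.

```python
"""PKCE (RFC 7636, S256) and On-Behalf-Of request construction for the
three-tier flow. Added example; identifiers below are constructed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholders, not real registrations.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
PUBLIC_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"       # desktop/CLI MCP client
CONFIDENTIAL_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # MCP server
REDIRECT_URI = "http://localhost:8765/callback"


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters. token_urlsafe(64)
    yields 86 characters from [A-Za-z0-9-_], all of which are unreserved."""
    return secrets.token_urlsafe(64)


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_matches(code_verifier: str, stored_challenge: str) -> bool:
    """The check the authorization server performs at code redemption: a stolen
    code is useless without the verifier that hashes to the stored challenge."""
    return hmac.compare_digest(pkce_challenge(code_verifier), stored_challenge)


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state, code_challenge) -> str:
    """Leg 1a: the public client sends the user to /authorize with the challenge."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_code_redemption(tenant_id, client_id, code, redirect_uri, code_verifier):
    """Leg 1b: the public client redeems the code. No client_secret is involved;
    the code_verifier is what binds this request to the original /authorize."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form


def build_obo_request(tenant_id, client_id, client_secret, user_assertion, downstream_scopes):
    """Leg 2: the confidential MCP server presents the user's token (whose aud is
    the MCP server) as the assertion and asks for a token for Graph on the
    user's behalf. The user's identity is preserved in the resulting token."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": " ".join(downstream_scopes),
        "requested_token_use": "on_behalf_of",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form


def walkthrough() -> dict:
    """Assemble the requests of both legs with constructed values."""
    verifier = make_code_verifier()
    challenge = pkce_challenge(verifier)
    state = secrets.token_urlsafe(16)
    authorize_url = build_authorize_url(
        TENANT_ID, PUBLIC_CLIENT_ID, REDIRECT_URI,
        [f"api://{CONFIDENTIAL_CLIENT_ID}/access_as_user"], state, challenge)
    token_url, redemption = build_code_redemption(
        TENANT_ID, PUBLIC_CLIENT_ID, "<code from callback>", REDIRECT_URI, verifier)
    _, obo = build_obo_request(
        TENANT_ID, CONFIDENTIAL_CLIENT_ID, "<server secret from a vault>",
        "<user token received by the MCP server>", ["https://graph.microsoft.com/User.Read"])
    return {"authorize_url": authorize_url, "token_url": token_url,
            "redemption": redemption, "obo": obo, "challenge_ok": pkce_verifier_matches(verifier, challenge)}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, "=>", value)
```

Note that the two legs use different client registrations: the code redemption has no secret at all (a desktop or CLI binary cannot keep one), while the OBO exchange carries the MCP server's secret and is the only place where the user's token is traded for a Graph token. Keeping the secret out of the client is the concrete reason the page recommends the dual public/confidential setup for non-browser clients.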
Implementation Considerations
Direct SSO Integration
Pros:
- Simple single-application setup
- Standard OAuth 2.0 flow
- Lower complexity and maintenance
- Faster implementation
Cons:
- Limited to web-based clients
- Access tokens are handled directly by the client application, with no proxy layer in between
- No token delegation capabilities
- Less suitable for complex enterprise scenarios
AI Gateway OAuth Proxy Integration
Pros:
- Supports desktop/CLI clients
- Enhanced security with token proxying
- Proper user context preservation
- Enterprise-grade architecture
- Token delegation via OBO flow
Cons:
- More complex setup (dual applications)
- Requires understanding of OBO flow
- Higher maintenance overhead
- Additional configuration steps
Getting Started
- Review your requirements using the decision matrix above
- Choose your integration approach based on your architecture needs
- Follow the specific guide for your chosen approach:
Additional Resources
- Microsoft Entra ID Documentation
- OAuth 2.0 in Microsoft identity platform
- On-Behalf-Of flow
- Cequence AI Gateway Documentation
Next Steps
After completing your Microsoft Entra ID integration:
- Test the authentication flow with representative users
- Configure appropriate permissions for your Microsoft Graph API access
- Set up monitoring and logging for authentication events
- Document your configuration for team reference
- Plan for credential rotation and maintenance procedures