Authentication
How azops-mcp authenticates with Azure.
Azure Authentication
azops-mcp uses the Azure SDK's credential classes to authenticate. The server tries credentials in a specific order and uses the first one that works.
Priority Order
1. Service Principal (AZURE_CLIENT_ID + AZURE_CLIENT_SECRET + AZURE_TENANT_ID all set)
   ↓ (if not configured)
2. Azure CLI credentials (az login)
   ↓ (if not available)
3. Managed Identity (when running in Azure)
Option 1: Azure CLI (Recommended for Development)
The simplest approach. Just log in once:
```bash
az login
```
The server uses AzureCliCredential, which reads your local CLI token. No environment variables are needed beyond AZURE_SUBSCRIPTION_ID.
Option 2: Service Principal (Recommended for Production)
Create a Service Principal:
```bash
az ad sp create-for-rbac --name "azops-mcp" --role Contributor \
  --scopes /subscriptions/<SUBSCRIPTION_ID>
```
Add the output values to your .env:
```ini
AZURE_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AZURE_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AZURE_CLIENT_SECRET=your-client-secret
AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
The server detects that all three credential variables are set and uses ClientSecretCredential.
Option 3: Managed Identity
When running inside Azure (e.g., Azure VM, App Service), the server falls back to ManagedIdentityCredential automatically. No configuration needed — just assign the appropriate RBAC role to the managed identity.
Checking Auth Status
Use the auth_status tool in your AI client:
```text
What's my Azure auth status?
```
This reports which authentication method is active, token expiry, validity, and subscription source.
Runtime Subscription Switching
You don't have to restart the server to change subscriptions. Use set_subscription in chat:
```text
Switch to subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Under the hood, this:
- Validates the UUID format
- Optionally validates the subscription exists by calling the Subscription API
- Clears all cached Azure SDK clients (so they re-initialize with the new subscription)
- Sets `_runtime_config["subscription_id"]` in `tools/_clients.py`
The override persists for the session only. Restarting the server reverts to the .env value.
Account Tools
account_show
Get details of the current Azure subscription — similar to az account show. Shows the subscription name, ID, tenant, state, and environment.
account_clear
Clear cached Azure credentials and subscription override — similar to az account clear. Resets the in-memory subscription override and clears all cached SDK clients.
account_get_access_token
Get an Azure access token — similar to az account get-access-token. By default fetches a token for Azure Resource Manager. The token is masked in the output for security.
Token Security
| Concern | Mitigation |
|---|---|
| Azure CLI token exposure | Tokens are read from the CLI cache and never logged |
| Service Principal secret | Stored in .env which is gitignored; never sent over MCP |
| Access tokens | Masked in output — only first 8 and last 4 characters shown |
| Credential caching | account_clear resets all cached credentials |
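The credential priority order above, the UUID format check that set_subscription performs, and the masking described in the Token Security table, as an added Python illustration that is not code from the azops-mcp project. The two probes cli_available and in_azure are assumed to be supplied by the caller, and fully hiding tokens too short to mask is an assumption rather than documented behaviour.

```python
import uuid

# Environment variables the docs say must ALL be set for Service Principal auth.
SERVICE_PRINCIPAL_VARS = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")


def select_credential(env, cli_available, in_azure):
    """Return the azure-identity class name the documented priority order picks.

    env:           mapping of environment variables (os.environ or a parsed .env)
    cli_available: True if 'az login' has been run (AzureCliCredential would work);
                   assumed to be probed by the caller
    in_azure:      True if a managed-identity endpoint is reachable; also a caller probe
    Returns None when no method applies, i.e. the server cannot authenticate.
    """
    if all(env.get(var) for var in SERVICE_PRINCIPAL_VARS):
        return "ClientSecretCredential"
    # A partially configured Service Principal is NOT used: the chain silently
    # moves on to the CLI, so one missing variable means you act as yourself.
    if cli_available:
        return "AzureCliCredential"
    if in_azure:
        return "ManagedIdentityCredential"
    return None


def missing_service_principal_vars(env):
    """List the Service Principal variables that are unset, to explain a fall-through."""
    return [var for var in SERVICE_PRINCIPAL_VARS if not env.get(var)]


def is_valid_subscription_id(value):
    """Format check set_subscription performs before any API call: must parse as a UUID."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def mask_token(token, visible_head=8, visible_tail=4):
    """Mask an access token as the account_get_access_token output is described:
    only the first 8 and last 4 characters are shown. Tokens too short to mask
    meaningfully are hidden entirely (an assumption, not documented behaviour)."""
    if len(token) <= visible_head + visible_tail:
        return "*" * len(token)
    return token[:visible_head] + "..." + token[-visible_tail:]
```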
Production Recommendations
- Set AZURE_SUBSCRIPTION_ID in .env to avoid accidental operations on the wrong subscription
- Use Managed Identity when running in Azure to avoid managing secrets entirely
- Rotate client secrets regularly
- Use Service Principal with least-privilege RBAC roles