UPDATED · FIELD RESEARCH · MARCH 2026

Model Context Protocol:
Architecture, Catalog & Attack Surface

MCP is no longer experimental. Microsoft has published an official MCP server catalog and Copilot Studio now supports MCP tools natively. This significantly expands both the capability and the attack surface of enterprise agents.

📌 Microsoft Official MCP Catalog

Microsoft publishes a formal catalog of official MCP server implementations at github.com/microsoft/mcp. These include servers for Azure, GitHub, SharePoint, Teams, Outlook, SQL Server, and more. Copilot Studio agents can now use MCP tools directly — each tool added extends the agent's action surface to everything that MCP server can reach. The security implications scale with the permissions of the MCP server's connected services.

MCP Architecture

The Three-Layer MCP Model

MCP defines how AI agents discover, connect to, and invoke tools, data sources, and services across a standard protocol. With Microsoft's official server catalog, MCP is now enterprise infrastructure — not a prototype technology.

Layer 1 — MCP Host (the AI agent / client)

Copilot Studio agent (MCP tools natively supported)

Azure AI Foundry agent

GitHub Copilot (VS Code / Visual Studio)

Custom LLM application

Shadow / unsanctioned agents with unreviewed MCP tools

Layer 2 — MCP Server (the tool/connector layer)

Microsoft Azure MCP Server

GitHub MCP Server

SharePoint / M365 MCP Server

Azure DevOps MCP Server

SQL Server MCP Server

Third-party / community MCP servers (unvetted)

Often lacks authentication in OSS implementations

Tool descriptions (used by agent for routing) can be poisoned

Layer 3 — Backend Resources

Azure subscriptions / resource groups

GitHub repositories / issues / PRs

SharePoint / OneDrive / Exchange

SQL databases

Salesforce, ServiceNow, Jira (via third-party servers)

All accessed using the agent's credentials — in Copilot Studio, this is maker credentials by default

Copilot Studio + MCP

Copilot Studio MCP Tools — A Specific Risk Pattern

When a Copilot Studio agent is configured with MCP tools, the agent authenticates to those MCP servers using maker credentials by default. This means:

⚠ Maker Credentials × MCP Tools

The maker (developer/admin) connects an Azure MCP server to a Copilot Studio agent. The agent authenticates to Azure as the maker. If the agent is shared org-wide with no authentication, every employee can trigger Azure resource queries or management actions — using the maker's Azure permissions.

CRITICAL COMBINATIONCopilot Studio

⚠ Unreviewed MCP Tool Lifecycle

MCP tools added to a Copilot Studio agent are not subject to the same App Registration review as traditional app permissions. Microsoft recommends using the "MCP Tool Configured" Advanced Hunting query and enforcing lifecycle reviews for every MCP tool configuration in the environment.

Governance GapKQL Detectable

Attack Vectors

MCP-Specific Attack Vectors

Attack	How It Works	Impact	Primary Control
Tool Poisoning	Malicious MCP server returns poisoned tool descriptions. Agent reads descriptions to decide which tool to invoke — poisoned descriptions redirect agent to attacker-controlled tools.	CRITICAL Full agent hijack	Foundry Guardrails (whitelist); Defender for Cloud Apps (MCP server governance)
MCP Server Impersonation	Attacker substitutes a malicious MCP server (DNS hijack, supply chain, local server swap). Agent connects to attacker's server and receives malicious tool outputs.	CRITICAL Data exfiltration, action hijack	Defender for Cloud Apps (MCP server registry); no cryptographic binding standard in MCP spec
Indirect Prompt Injection via MCP	Malicious instructions embedded in data returned by an MCP tool. Agent treats the embedded text as legitimate instruction and acts on it using maker credentials.	CRITICAL Data exfiltration, lateral movement	Prompt Shields (XPIA detection); Entra Internet Access Prompt Injection Protection (GA Mar 31)
OAuth Scope Abuse	Agent inherits overly broad OAuth scopes from maker credentials when connecting to MCP-backed SaaS. Broad token enables lateral movement across multiple services.	HIGH Lateral movement across SaaS	Defender for Cloud Apps OAuth governance; enforce end-user auth per agent
Unauthenticated MCP Server	Many community MCP servers have no authentication. Any agent or attacker on the network can call them without credentials.	HIGH Unauthorised tool execution	Network segmentation; Entra Internet Access; security review of MCP server implementations
MCP Supply Chain Attack	Malicious package in MCP server registry. Enterprise deploys a compromised MCP server — attacker gains persistent access to the agent's tool layer.	HIGH Persistent backdoor in agent tooling	Defender for Cloud (supply chain scanning); Security Dashboard AI Inventory; GitHub Advanced Security
Unreviewed MCP Tool in Copilot Studio	Developer adds a community MCP server to a Copilot Studio agent without security review. Agent runs with maker credentials against unvetted tool surface.	HIGH Uncontrolled action surface	"MCP Tool Configured" Advanced Hunting query; enforce MCP tool lifecycle reviews

⚠ Critical Gap: No Strong MCP Server Authentication Standard

The MCP specification (as of early 2026) does not mandate strong cryptographic authentication for MCP server-to-client binding. Microsoft's official MCP catalog servers use standard OAuth where supported, but third-party and community servers vary widely. There is no platform-enforced way to guarantee the MCP server an agent connects to is the legitimate, unmodified server it expects. This requires defence-in-depth at the network, CASB, and orchestration layers — no single product closes it.

Microsoft Controls

How Microsoft Secures the MCP Boundary

Defender for Cloud Apps (CASB)

Primary control for MCP-to-SaaS boundary. Discovers MCP-connected SaaS apps. Governs OAuth permissions. Detects anomalous access from agent-driven API calls. Can block or alert on risky MCP-to-SaaS connections. For Copilot Studio specifically: provides real-time protection — blocks tool invocations if prompt is suspicious (1-second timeout, then allow if no decision).

GAOAuth GovernanceRT Protection

Security Dashboard — AI Inventory

Includes MCP servers in AI inventory — now GA. Discovery and risk assessment of MCP servers across the environment including those deployed without IT knowledge. Coverage extends to third-party AI including ChatGPT, Gemini, and MCP servers.

✓ Now GA · RSAC 2026MCP Server Discovery

Foundry Guardrails

For Foundry-deployed agents — define which MCP tools the agent is allowed to invoke. Whitelist at the orchestration layer. Does not apply to Copilot Studio agents — each platform has its own governance model.

PreviewTool Whitelist⚠ Foundry only — not Copilot Studio

Prompt Shields

Primary defence against indirect prompt injection via MCP tool outputs. Inspects content flowing from MCP responses into agent context before reaching the model.

GAXPIA DefenceTool Output Inspection

Entra Internet Access — Prompt Injection Protection

Network-layer enforcement blocking malicious AI prompts across apps and agents. Complements Prompt Shields at the network boundary. GA March 31, 2026.

GA March 31Network Layer

Sentinel MCP Entity Analyzer

Natural language querying of MCP entity data within Sentinel investigations. GA April 2026. Enables analysts to explore MCP-connected entity relationships without writing KQL from scratch.

GA April 2026Natural LanguageSentinel

Defence Architecture

Layered MCP Defence-in-Depth

Layer	What It Covers	Microsoft Control	Status
Catalog governance	Vetting which MCP servers are approved for use; lifecycle reviews	Internal policy + "MCP Tool Configured" Advanced Hunting query	Process control — no product enforcement
Network	Control which MCP servers agents can reach; block malicious prompts	Entra Internet Access	GA Mar 31
Identity	Authenticate which agents can invoke which MCP tools; prevent maker credential blast radius	Enforce end-user auth (Power Platform admin)	Available now
Orchestration	Whitelist allowed tools per agent (Foundry only)	Foundry Guardrails	Preview · Foundry only
Content Inspection	Detect adversarial instructions in MCP tool outputs	Prompt Shields	GA
Runtime Protection	Block tool invocations during suspicious Copilot Studio agent activity	Defender for Cloud Apps real-time protection	Preview · Copilot Studio only
SaaS Governance	OAuth scope governance; anomalous API usage detection	Defender for Cloud Apps	GA
Inventory & Posture	Discover all MCP servers; assess risk	Security Dashboard for AI	Now GA
Investigation	NL querying of MCP entity relationships in Sentinel	Sentinel MCP Entity Analyzer	GA April

← PREVIOUSIdentity & OBO NEXT →Threat Scenarios