Entra ID uses OAuth 2.0 RFC 8693 to propagate identity to MCP Tool and Data Server Implementations
Referenced standards
- OAuth 2.0 RFC 8693 (Open standard; Steward: IETF)

Microsoft Entra ID issues OAuth 2.0 access tokens and can participate in RFC 8693 token exchange flows. MCP Tool and Data Server Implementations can authenticate requests using Entra-issued bearer tokens and standard JWT validation. This makes OAuth 2.0 RFC 8693 the standard mechanism for propagating Pillar A identity into Pillar B MCP servers for identity-aware tool and data access.
Linked Evidence
- Microsoft Entra ID supports OAuth 2.0 authorization flows and issues access tokens for calling protected resources, acting as the authorization server for downstream APIs.
  Source: OAuth 2.0 authorization with Microsoft Entra ID
- A guide to setting up Azure Entra ID OAuth2 authentication for MCP servers shows clients obtaining access tokens from Entra's OAuth 2.0 token endpoint and using those bearer tokens to authenticate to an MCP server that validates them via JWKS.
  Source: Setting up Azure Entra ID OAuth2 Authentication for MCP Servers
- RFC 8693 defines OAuth 2.0 Token Exchange, allowing an authorization server to issue a new token suitable for a different resource when presented with an existing token at the token endpoint.
  Source: RFC 8693 - OAuth 2.0 Token Exchange
- Technical examples demonstrate delegated OAuth 2.0 Token Exchange flows using Microsoft Entra ID access tokens as subject tokens and exchanging them for tokens issued by other authorization servers, showing practical use of RFC 8693 with Entra ID in multi-hop API chains.
  Source: OAuth 2.0 Token Exchange delegated implementation with Microsoft Entra ID
- A delegated token management sample implements OAuth 2.0 Token Exchange (RFC 8693) using Entra ID and another authorization server, confirming that Entra-issued tokens can participate in RFC 8693-based exchanges for downstream APIs.
  Source: Token management delegated OAuth 2.0 Token Exchange with Entra ID
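
The RFC 8693 exchange summarized in the evidence above, as an added example (not code from the linked guides or from Microsoft): it builds the token-exchange request that presents an Entra-issued access token as the subject token, then checks the response fields the RFC requires. The audience, scope and token values are constructed placeholders, and rejecting a scope broader than the one requested is a client-side policy assumed here.

```python
import json
from urllib.parse import urlencode

# Identifiers defined by RFC 8693 (sections 2.1 and 3).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token: str, audience: str, scope: str) -> str:
    """Form-encoded body POSTed to the exchanging server's token endpoint."""
    return urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,          # the Entra-issued access token
        "subject_token_type": ACCESS_TOKEN,
        "requested_token_type": ACCESS_TOKEN,
        "audience": audience,                    # downstream MCP server (assumed name)
        "scope": scope,
    })


def parse_exchange_response(body: str, requested_scope: str) -> tuple[str, set[str]]:
    """Validate a token-exchange response (RFC 8693 section 2.2) before use."""
    resp = json.loads(body)
    if "error" in resp:  # e.g. invalid_request or invalid_target
        raise ValueError(f"exchange refused: {resp['error']}")
    for field in ("access_token", "issued_token_type", "token_type"):
        if not resp.get(field):
            raise ValueError(f"missing required field: {field}")
    if resp["issued_token_type"] != ACCESS_TOKEN:
        raise ValueError("unexpected issued_token_type")
    if resp["token_type"].lower() != "bearer":  # compared case-insensitively
        raise ValueError("only bearer tokens are accepted here")
    # The response may omit scope only when it is identical to the request.
    granted = set(resp.get("scope", requested_scope).split())
    if not granted <= set(requested_scope.split()):  # assumed client policy
        raise ValueError("issued scope is broader than requested")
    return resp["access_token"], granted


if __name__ == "__main__":
    # Constructed sample values; no network call is made.
    print(build_exchange_request("ENTRA_ACCESS_TOKEN", "https://mcp.example", "tools.read"))
    sample = json.dumps({"access_token": "DOWNSTREAM_TOKEN", "token_type": "Bearer",
                         "issued_token_type": ACCESS_TOKEN, "expires_in": 300})
    print(parse_exchange_response(sample, "tools.read"))
```

The token returned by the exchange is what the downstream MCP server then validates as a bearer JWT; the subject token itself is never forwarded to it.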