Apps on Azure Blog

How to Connect Azure SRE Agent to Azure MCP

dbandaru, Microsoft
Jan 23, 2026

Azure MCP (Model Context Protocol) provides a powerful way to extend your Azure SRE Agent with Azure-native tools. This guide walks you through connecting your SRE Agent to Azure MCP, enabling your agent to perform Azure operations like listing subscriptions, querying resources, and managing infrastructure.

Prerequisites

Before you begin, ensure you have:

  • An active Azure subscription
  • An Azure SRE Agent deployed and accessible

Step 1: Add an MCP Connector Using the Portal UI

To connect Azure MCP to your SRE Agent, you need to add an MCP connector through the Azure Portal. This connector tells the SRE Agent how to communicate with the Azure MCP server.

Navigate to the MCP Connectors section:

  1. Open the Azure Portal and navigate to your SRE Agent resource
  2. In the left navigation menu, select Connectors under the Settings section
  3. Click + Add MCP Connector to open the configuration panel

Configure the connector settings:

  1. Name: Enter a descriptive name for your connector (for example, "Azure MCP Server")
  2. Connection Type: Select stdio from the dropdown menu. This tells the agent to communicate with the MCP server through standard input/output
  3. Arguments: Enter the command arguments that will launch the Azure MCP server. Use the following format, with each argument separated by a comma:
npx, -y, @azure/mcp, server, start

Customizing Tool Exposure:

You can customize which tools Azure MCP exposes to your agent by adding optional arguments:

  • To expose only tools in the subscription namespace, add: --namespace, subscription
  • To expose all tools without the namespace wrapper, add: --mode, all

Step 2: Configure Managed Identity

Select a managed identity from the Managed Identity dropdown menu. Azure MCP will use this identity to make downstream API calls. The capabilities of Azure MCP are bounded by the permissions granted to this identity.

Add the following required environment variables:

Variable | Value | Purpose
AZURE_CLIENT_ID | <client-id-of-managed-identity> | Specifies which managed identity to use
AZURE_TOKEN_CREDENTIALS | managedidentitycredential | Tells the server to only use managed identity

The AZURE_CLIENT_ID must match the client ID of the managed identity selected in the dropdown. Consult the Azure MCP documentation for additional environment variables that can customize behavior.

Important: You must assign the necessary Azure RBAC roles to this managed identity for it to perform the actions in its tool calls. For example, if you want the agent to list resources, grant the identity at least Reader access on the relevant subscriptions or resource groups.

Step 3: Create a Subagent Using Subagent Builder

Use the Subagent Builder to create a subagent that leverages your MCP connector:

  1. Give the subagent a meaningful name (for example, "Azure Resource Manager")
  2. Provide helpful instructions on when and how to use its MCP tools
  3. Click "Choose tools" and add the previously configured MCP connector to the subagent's available tools

Example instructions for your subagent:

You are an Azure resource management assistant. Use the Azure MCP tools to:
- List Azure subscriptions the user has access to
- Query resources across subscriptions
- Retrieve resource details and configurations

Always confirm the subscription context before performing operations.

Step 4: Test Your Configuration

Test your configuration by calling an MCP tool in the subagent's playground:

  1. Open the subagent playground
  2. Ask a question that triggers an MCP tool call (for example, "List my Azure subscriptions")
  3. View the trace of the interaction to verify:
    • The tool call was made correctly
    • The tool response contains the expected data

Security Considerations

Managed Identity Access Control

Azure MCP can only use managed identity when used with SRE Agent in this configuration. This design has an important security implication: if users are granted access to the SRE Agent, they effectively inherit the permissions of the agent's managed identity.

This can accidentally provide over-privileged access to users if:

  • The SRE Agent's managed identity has broad permissions across Azure resources
  • Users are granted access to the SRE Agent who should not have access to those resources

Best Practices:

  1. Follow the principle of least privilege when assigning roles to the managed identity
  2. Scope permissions to specific resource groups rather than entire subscriptions when possible
  3. Regularly audit the managed identity's role assignments
  4. Consider creating separate SRE Agents with different managed identities for different user groups or use cases
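
One way to carry out the role-assignment audit from the best practices above, as an added example that is not part of the original post or of Azure's own tooling: it reads JSON in the shape printed by `az role assignment list --assignee <client-id> --all -o json` for the managed identity and flags assignments at subscription scope or above, or with a write-capable built-in role. The sample data is constructed, and the PRIVILEGED and BROAD sets are assumed policy choices to adjust to your environment.

```python
import json

# Constructed sample, trimmed to the two fields this audit reads.
SAMPLE = json.loads("""[
 {"roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sre-demo"},
 {"roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"roleDefinitionName": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/mg-demo"},
 {"roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sre-demo/providers/Microsoft.Storage/storageAccounts/stdemo"}
]""")

# Assumed policy: built-in roles that can change resources or grant access.
PRIVILEGED = {"owner", "contributor", "user access administrator",
              "role based access control administrator"}
# Assumed policy: scope levels wider than a single resource group.
BROAD = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lowered = [p.lower() for p in parts]
    if not parts:
        return "root"
    if lowered[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management-group"
    if lowered[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and lowered[2] == "resourcegroups":
            return "resource-group"
        return "resource"
    return "unknown"

def audit(assignments):
    """Return one finding per assignment that is broad, privileged, or both."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        level = scope_level(a.get("scope", ""))
        reasons = []
        if level in BROAD:
            reasons.append("broad-scope")
        if role.lower() in PRIVILEGED:
            reasons.append("privileged-role")
        if level == "unknown":
            reasons.append("unknown-scope")
        if reasons:
            findings.append({"role": role, "level": level, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['role']:<12} {f['level']:<17} {', '.join(f['reasons'])}")
```

Every finding is access that any user of the SRE Agent effectively inherits, so review each one against the set of people who can reach the agent.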

Summary

Connecting Azure SRE Agent to Azure MCP enables powerful Azure-native capabilities for your AI agent. By following the steps above, you can configure your agent to interact with Azure resources securely using managed identity authentication. Remember to carefully consider the security implications of the managed identity's permissions and implement appropriate access controls.

Updated Jan 23, 2026
Version 1.0