Get started with Atlassian Rovo MCP server in Azure SRE Agent
Connect Azure SRE Agent to Jira, Confluence, Compass, and Jira Service Management using the official Atlassian Rovo MCP server.
Overview
The Atlassian Rovo MCP server is a cloud-hosted bridge between your Atlassian Cloud site and Azure SRE Agent. Once configured, it enables real-time interaction with Jira, Confluence, Compass, and Jira Service Management data through natural language. All actions respect your existing Atlassian user permissions.
The server supports API token (Basic or Bearer auth) for headless or automated setups. Azure SRE Agent connects using Streamable-HTTP transport directly to the Atlassian-hosted endpoint.
Key capabilities
| Product | Capabilities |
|---|---|
| Jira | Search issues with JQL, create/update tickets, add comments and worklogs, transition issues through workflows |
| Confluence | Search pages with CQL, create/update pages and live docs, manage inline and footer comments |
| Compass | Create/delete service components and relationships, manage custom fields, query dependencies |
| Jira Service Management | Query ops alerts, view on-call schedules, get team info, escalate alerts |
| Rovo Search | Natural language search across Jira and Confluence, fetch content by ARI |
[!NOTE] This is the official Atlassian-hosted MCP server at
https://mcp.atlassian.com/v1/mcp. The server exposes 46+ tools across five product areas. Tool availability depends on authentication method and granted scopes.
Prerequisites
- Azure SRE Agent resource deployed in Azure
- Atlassian Cloud site with one or more of: Jira, Confluence, Compass, or Jira Service Management
- User account with appropriate permissions in the Atlassian products you want to access
- For API token auth: Organization admin must enable API token authentication in the Rovo MCP server settings
Step 1: Get your Atlassian credentials
Choose one of the two authentication methods below. API token (Option A) is recommended for Azure SRE Agent because it enables headless configuration without browser-based flows.
Option A: Personal API token (recommended for Azure SRE Agent)
API token authentication allows headless configuration without browser-based OAuth flows—ideal for Azure SRE Agent connectors.
Navigate to the API token page
- Log in to your Atlassian account
- Select your profile avatar in the top-right corner
- Select Manage account
- In the left sidebar, select Security
- Under the API tokens section, you can manage your existing tokens
Alternatively, use this direct link that pre-selects all MCP scopes:
Direct URL: Create API token with all MCP scopes
Create the token
- Navigate to the Atlassian API token creation page to create a token with all MCP scopes preselected
- Optionally click Back to manually select only the scopes you need (see Available scopes)
- Copy the generated token and note the email address associated with your Atlassian account
- Base64-encode your credentials:
# Format: email:api_token
echo -n "your.email@example.com:YOUR_API_TOKEN_HERE" | base64
On Windows PowerShell:
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("your.email@example.com:YOUR_API_TOKEN_HERE"))
This produces a base64-encoded string you'll use in the connector configuration as the Authorization: Basic <value> header.
[!IMPORTANT] Store the API token securely. It cannot be viewed again after creation. If lost, generate a new token from the same API tokens page.
[!NOTE] API token authentication must be enabled by your organization admin. If you cannot create a token, ask your admin to enable API token authentication in the Rovo MCP server settings at admin.atlassian.com > Security > Rovo MCP server.
Available scopes
The API token supports the following scope categories:
| Category | Scopes |
|---|---|
| Jira | read:jira-work, write:jira-work, read:jira-user |
| Confluence | read:page:confluence, write:page:confluence, read:comment:confluence, write:comment:confluence, read:space:confluence, read:hierarchical-content:confluence, read:confluence-user, search:confluence |
| Compass | read:component:compass, write:component:compass |
| JSM | read:incident:jira-service-management, write:incident:jira-service-management, read:ops-alert:jira-service-management, write:ops-alert:jira-service-management, read:ops-config:jira-service-management, read:servicedesk-request |
| Bitbucket | read:repository:bitbucket, write:repository:bitbucket, read:pullrequest:bitbucket, write:pullrequest:bitbucket, read:pipeline:bitbucket, write:pipeline:bitbucket, read:user:bitbucket, read:workspace:bitbucket, admin:repository:bitbucket |
| Platform | read:me, read:account, search:rovo:mcp |
[!NOTE] Bitbucket scopes are available in the token, but Bitbucket tools are not yet listed on the official supported tools page. Bitbucket tool support may be added in a future update.
Step 2: Add the MCP connector
Connect the Atlassian Rovo MCP server to your SRE Agent using the portal.
Using the Azure portal (API token auth)
- In Azure portal, navigate to your SRE Agent resource
- Select Builder > Connectors
- Select Add connector
- Select MCP server (User provided connector) and select Next
- Configure the connector:
| Field | Value |
|---|---|
| Name | atlassian-rovo-mcp |
| Connection type | Streamable-HTTP |
| URL | https://mcp.atlassian.com/v1/mcp |
| Authentication | Custom headers |
| Header Key | Authorization |
| Header Value | Basic <your_base64_encoded_email_and_token> |
- Select Next to review
- Select Add connector
Step 3: Create an Atlassian subagent
Create a specialized subagent to give the AI focused Atlassian expertise and better prompt responses.
- Navigate to Builder > Subagents
- Select Add subagent
- Paste the following YAML configuration:
api_version: azuresre.ai/v1
kind: AgentConfiguration
metadata:
owner: your-team@contoso.com
version: "1.0.0"
spec:
name: AtlassianRovoExpert
display_name: Atlassian Rovo Expert
system_prompt: |
You are an Atlassian expert with access to Jira, Confluence, Compass, and
Jira Service Management via the Atlassian Rovo MCP server.
## Capabilities
### Jira
- Search issues using JQL (Jira Query Language) with `searchJiraIssuesUsingJql`
- Create, update, and transition issues through workflows
- Add comments, worklogs, and manage issue metadata
- Look up user account IDs and project configurations
### Confluence
- Search pages and content using CQL (Confluence Query Language) with `searchConfluenceUsingCql`
- Create and update pages and live docs with Markdown content
- Add inline and footer comments on pages
- Navigate spaces and page hierarchies
### Compass
- Create, query, and delete service components (services, libraries, applications)
- Define and manage relationships between components
- Manage custom field definitions and component metadata
- View component activity events (deployments, alerts)
### Jira Service Management
- Query ops alerts by ID, alias, or search criteria
- View on-call schedules and current/next responders
- Get team info including escalation policies and roles
- Acknowledge, close, or escalate alerts
### Cross-Product
- Use Rovo Search (`search`) for natural language queries across Jira and Confluence
- Fetch specific content by Atlassian Resource Identifier (ARI) using `fetch`
- Get current user info and list accessible cloud sites
## Best Practices
When searching Jira:
- Use JQL for precise queries: `project = "MYPROJ" AND status = "Open"`
- Start with broad searches, then refine based on results
- Use `currentUser()` for user-relative queries
- Use `openSprints()` for active sprint work
When searching Confluence:
- Use CQL for structured searches: `space = "ENG" AND type = page`
- Use Rovo Search for natural language queries when JQL/CQL isn't needed
- Consider space keys to narrow results
When creating content:
- Confirm project/space/issue type with the user before creating
- Use `getJiraIssueTypeMetaWithFields` to check required fields
- Use `getConfluenceSpaces` to list available spaces
When handling errors:
- If access is denied, explain what permission is needed
- Suggest the user contact their Atlassian administrator
- For expired tokens, advise re-authentication
mcp_connectors:
- atlassian-rovo-mcp
handoffs: []
- Select Save
[!NOTE] The
mcp_connectorsfield references the connector name you created in Step 2. This gives the subagent access to all tools provided by the Atlassian Rovo MCP server.
Step 4: Add an Atlassian skill
Skills provide contextual knowledge and best practices that help agents use tools more effectively. Create an Atlassian skill to give your agent expertise in JQL, CQL, and Atlassian workflows.
- Navigate to Builder > Skills
- Select Add skill
- Paste the following skill configuration:
api_version: azuresre.ai/v1
kind: SkillConfiguration
metadata:
owner: your-team@contoso.com
version: "1.0.0"
spec:
name: atlassian_rovo
display_name: Atlassian Rovo
description: |
Expertise in Atlassian Cloud products including Jira, Confluence, Compass,
and Jira Service Management. Use for searching issues with JQL, creating
and updating pages, managing service components, investigating ops alerts,
and navigating Atlassian workspaces via the Rovo MCP server.
instructions: |
## Overview
Atlassian Cloud provides integrated tools for project tracking (Jira),
documentation (Confluence), service catalog management (Compass), and
incident management (Jira Service Management). The Atlassian Rovo MCP
server enables natural language interaction with all four products.
**Authentication:** OAuth 2.1 or API token (Basic/Bearer). All actions
respect existing user permissions.
## Searching Jira with JQL
JQL (Jira Query Language) enables precise issue searches. Always use
`searchJiraIssuesUsingJql` for structured queries.
**Common JQL patterns:**
```jql
# Open issues assigned to current user
assignee = currentUser() AND status != Done
# Bugs created in the last 7 days
project = "MYPROJ" AND type = Bug AND created >= -7d
# High-priority issues in active sprints
project = "MYPROJ" AND priority in (High, Highest) AND sprint in openSprints()
# Full-text search
project = "MYPROJ" AND text ~ "payment error"
# Issues updated recently
updated >= -24h ORDER BY updated DESC
```
**JQL operators:** `=`, `!=`, `~` (contains), `in`, `>=`, `<=`, `NOT`, `AND`, `OR`
**JQL functions:** `currentUser()`, `openSprints()`, `startOfDay()`,
`endOfDay()`, `membersOf("group")`
## Searching Confluence with CQL
CQL (Confluence Query Language) searches pages, blog posts, and attachments.
Use `searchConfluenceUsingCql` for structured queries.
**Common CQL patterns:**
```cql
# Search by title
title ~ "Architecture"
# Search in specific space
space = "ENG" AND type = page
# Full-text content search
text ~ "deployment pipeline"
# Recently modified pages
lastModified >= now("-7d") AND type = page
# Pages by label
label = "runbook" AND space = "SRE"
```
**CQL fields:** `title`, `text`, `space`, `type`, `label`, `creator`,
`lastModified`
## Creating Jira Issues
Follow this workflow:
1. `getVisibleJiraProjects` — list available projects
2. `getJiraProjectIssueTypesMetadata` — list issue types for the project
3. `getJiraIssueTypeMetaWithFields` — get required/optional fields
4. `createJiraIssue` — create the issue
Common issue types: Story, Bug, Task, Epic, Sub-task.
## Creating Confluence Pages
Pages support Markdown content:
1. `getConfluenceSpaces` — list available spaces
2. `getPagesInConfluenceSpace` — optionally find a parent page
3. `createConfluencePage` — create the page with space, title, and body
## Working with Compass Components
Component types: SERVICE, LIBRARY, APPLICATION, CAPABILITY,
CLOUD_RESOURCE, DATA_PIPELINE, MACHINE_LEARNING_MODEL, UI_ELEMENT,
WEBSITE, OTHER.
Relationship types: DEPENDS_ON, OTHER.
## Jira Service Management Operations
For incident and alert management:
- `getJsmOpsAlerts` — query alerts by ID, alias, or search
- `updateJsmOpsAlert` — acknowledge, close, or escalate alerts
- `getJsmOpsScheduleInfo` — view on-call schedules and responders
- `getJsmOpsTeamInfo` — list teams with escalation policies
## Cross-Product Workflows
- Use `search` (Rovo Search) for natural language queries across products
- Use `fetch` with ARIs (Atlassian Resource Identifiers) for direct content retrieval
- Use `getAccessibleAtlassianResources` to list cloud sites and get cloudIds
## Troubleshooting
| Issue | Solution |
|-------|----------|
| JQL syntax error | Check field names; quote values with spaces |
| CQL returns no results | Verify space key; try broader terms |
| Cannot create issue | Verify "Create" permission in the project |
| Cannot edit page | Verify "Edit" permission in the space |
| OAuth expired | Re-invoke any tool to trigger fresh OAuth flow |
| "Site admin must authorize" | Admin must complete initial 3LO consent |
| cloudId errors | Use `getAccessibleAtlassianResources` to find correct cloudId |
mcp_connectors:
- atlassian-rovo-mcp
- Select Save
Reference the skill in your subagent
Update your subagent configuration to include the skill:
spec:
name: AtlassianRovoExpert
skills:
- atlassian_rovo
mcp_connectors:
- atlassian-rovo-mcp
Step 5: Test the integration
- Open a new chat session with your SRE Agent
- Try these example prompts:
Jira workflows
Find all open bugs assigned to me in the PAYMENTS project
Create a new story in project PLATFORM titled "Implement rate limiting for API gateway"
Show me the available transitions for issue PLATFORM-1234
Add a comment to PLATFORM-1234: "Reviewed and approved for deployment"
Log 2 hours of work on PLATFORM-1234 with description "Code review and testing"
Confluence workflows
Search Confluence for pages about "incident response runbooks"
Show me the spaces I have access to
Create a new Confluence page in the Engineering space titled "Q3 2025 Architecture Review"
What pages are under the "Runbooks" parent page?
Compass workflows
List all service components in Compass
Create a new service component called "payment-gateway"
What components depend on the api-gateway service?
Show me recent activity events for the auth-service component
Jira Service Management workflows
Show me active ops alerts from the last 24 hours
Who is currently on-call for the platform-engineering schedule?
Acknowledge alert with alias "high-cpu-prod-web-01"
Get team info and escalation policies for the SRE team
Cross-product workflows
Search across Jira and Confluence for content related to "deployment pipeline"
What Atlassian cloud sites do I have access to?
Fetch the Confluence page linked to Jira issue PLATFORM-500
Available tools
Jira tools (14 tools)
| Tool | Description | Required Scopes |
|---|---|---|
searchJiraIssuesUsingJql | Search issues using a JQL query | read:jira-work |
getJiraIssue | Get issue details by ID or key | read:jira-work |
createJiraIssue | Create a new issue in a project | write:jira-work |
editJiraIssue | Update fields on an existing issue | write:jira-work |
addCommentToJiraIssue | Add a comment to an issue | write:jira-work |
addWorklogToJiraIssue | Add a time tracking worklog entry | write:jira-work |
transitionJiraIssue | Perform a workflow transition | write:jira-work |
getTransitionsForJiraIssue | List available workflow transitions | read:jira-work |
getVisibleJiraProjects | List projects the user can access | read:jira-work |
getJiraProjectIssueTypesMetadata | List issue types in a project | read:jira-work |
getJiraIssueTypeMetaWithFields | Get create-field metadata for a project and issue type | read:jira-work |
getJiraIssueRemoteIssueLinks | List remote links (e.g., Confluence pages) on an issue | read:jira-work |
lookupJiraAccountId | Find user account IDs by name or email | read:jira-work |
Confluence tools (11 tools)
| Tool | Description | Required Scopes |
|---|---|---|
searchConfluenceUsingCql | Search content using a CQL query | search:confluence |
getConfluencePage | Get page content by ID (as Markdown) | read:page:confluence |
createConfluencePage | Create a new page or live doc with Markdown body | write:page:confluence |
updateConfluencePage | Update an existing page (title, body, location) | write:page:confluence |
getConfluenceSpaces | List spaces by key, ID, type, status, or labels | read:space:confluence |
getPagesInConfluenceSpace | List pages in a space, filtered by title/status/type | read:page:confluence |
getConfluencePageDescendants | List descendant pages under a parent page | read:hierarchical-content:confluence |
createConfluenceFooterComment | Create a footer comment or reply on a page | write:page:confluence |
createConfluenceInlineComment | Create an inline comment tied to selected text | write:page:confluence |
getConfluencePageFooterComments | List footer comments on a page (as Markdown) | read:comment:confluence |
getConfluencePageInlineComments | List inline comments on a page | read:comment:confluence |
Compass tools (13 tools)
| Tool | Description | Required Scopes |
|---|---|---|
getCompassComponents | Search or list components | read:component:compass |
getCompassComponent | Get component details by ID | read:component:compass |
createCompassComponent | Create a service, library, or other component | write:component:compass |
deleteCompassComponent | Delete an existing component and its definitions | write:component:compass |
createCompassComponentRelationship | Create a relationship between two components | write:component:compass |
deleteCompassComponentRelationship | Remove a relationship between two components | write:component:compass |
getCompassComponentActivityEvents | List recent activity events (deployments, alerts) | read:component:compass |
getCompassComponentLabels | Get labels applied to a component | read:component:compass |
getCompassComponentTypes | List available component types | read:component:compass |
getCompassComponentsOwnedByMyTeams | List components owned by your teams | read:component:compass |
getCompassCustomFieldDefinitions | List custom field definitions | read:component:compass |
createCompassCustomFieldDefinition | Create a custom field definition | write:component:compass |
deleteCompassCustomFieldDefinition | Delete a custom field definition | write:component:compass |
Jira Service Management tools (4 tools)
[!NOTE] JSM tools only support authentication via API token. These tools are available only if API token authentication is enabled by your organization admin.
| Tool | Description | Required Scopes |
|---|---|---|
getJsmOpsAlerts | Get alert by ID/alias or search by query and time window | read:ops-alert:jira-service-management, read:ops-config:jira-service-management, read:jira-user |
getJsmOpsScheduleInfo | List on-call schedules or get current/next responders | read:ops-config:jira-service-management, read:jira-user |
getJsmOpsTeamInfo | List ops teams with escalation policies and roles | read:ops-config:jira-service-management, read:jira-user |
updateJsmOpsAlert | Acknowledge, unacknowledge, close, or escalate an alert | read:ops-alert:jira-service-management, write:ops-alert:jira-service-management |
Rovo / Shared platform tools (4 tools)
| Tool | Description | Required Scopes |
|---|---|---|
search | Natural language search across Jira and Confluence (not JQL/CQL) | search:rovo:mcp |
fetch | Fetch content by Atlassian Resource Identifier (ARI) | search:rovo:mcp |
atlassianUserInfo | Get current user details (account ID) | read:me |
getAccessibleAtlassianResources | List accessible cloud sites and their cloudIds | read:account, read:me |
Troubleshooting
Authentication issues
| Error | Cause | Solution |
|---|---|---|
401 Unauthorized | Invalid or expired API token | Generate a new token at id.atlassian.com |
403 Forbidden | Missing product permissions | Verify you have access to the Atlassian product (Jira, Confluence, etc.) |
| "Your site admin must authorize this app" | First-time setup requires admin | A site admin must complete initial 3LO consent |
| "Your organization admin must authorize access from a domain" | Domain not allowed | Admin must add the domain in Rovo MCP server settings |
| "You don't have permission to connect from this IP address" | IP allowlisting enabled | Admin must add your IP range to the allowlist |
| API token auth fails | Feature disabled by admin | Admin must enable API token authentication |
Data and permission issues
| Error | Cause | Solution |
|---|---|---|
| No data returned | Wrong cloudId or expired session | Use getAccessibleAtlassianResources to find the correct cloudId |
| Cannot create issue | Missing project permission | Verify "Create" permission in the Jira project |
| Cannot update page | Missing space permission | Verify "Edit" permission in the Confluence space |
| Tool not available | Missing scopes | Re-create API token with required scopes |
| Compass tools unavailable | Scopes not available for API tokens | Some Compass tools require OAuth 2.1 |
| JSM tools not working | API token auth disabled | Admin must enable API token authentication |
Verify the connection
Test the server endpoint directly:
# Test with API token (Basic auth)
curl -I https://mcp.atlassian.com/v1/mcp \
-H "Authorization: Basic <your_base64_encoded_credentials>"
# Test with service account (Bearer auth)
curl -I https://mcp.atlassian.com/v1/mcp \
-H "Authorization: Bearer <your_api_key>"
Expected response: 200 OK confirms authentication is working.
Re-authorize the integration
If you encounter persistent issues:
- Go to id.atlassian.com/manage-profile/apps
- Find and revoke the MCP app authorization
- Generate a new API token or re-invoke a tool to trigger fresh OAuth flow
Limitations
| Limitation | Details |
|---|---|
| Limited tool availability with API tokens | Some tools (e.g., certain Compass tools) may not be available because required scopes aren't available for API tokens |
| No bounded cloudId | API tokens are not bound to a specific cloudId. Tools must explicitly pass the cloudId where needed |
| No domain allowlist validation | API token auth doesn't use OAuth redirect URIs, so domain allowlist checks cannot be performed |
| Bitbucket tools | Bitbucket scopes are available in the token, but Bitbucket tools are not yet listed as supported |
| JSM requires API token | Jira Service Management tools only work with API token authentication, not OAuth 2.1 |
Security considerations
How permissions work
- User-scoped: All actions respect the authenticated user's existing Atlassian permissions
- Product-level: Access requires matching product permissions (Jira, Confluence, Compass)
- Session-based: OAuth tokens expire and require re-authentication; API tokens persist until revoked
Admin controls
Atlassian administrators can: - Enable or disable API token authentication in Rovo MCP server settings - Manage and revoke MCP app access from the Connected Apps list - Control which external domains can connect via domain allowlists - Monitor activity through Atlassian audit logs - Configure IP allowlisting for additional security
[!IMPORTANT] MCP clients can perform actions in Jira, Confluence, and Compass with your existing permissions. Use least privilege, review high-impact changes before confirming, and monitor audit logs for unusual activity. See MCP Clients - Understanding security risks.
Related content
- Atlassian Rovo MCP Server - Getting started
- Atlassian Rovo MCP Server - Supported tools
- Atlassian Rovo MCP Server - API token authentication
- Atlassian Rovo MCP Server - OAuth 2.1 configuration
- Control Atlassian Rovo MCP Server settings
- MCP Clients - Understanding security risks
- MCP integration overview
- Build a custom subagent
Updated Feb 25, 2026
Version 2.0
dbandaru
Microsoft
Microsoft