All posts
June 18, 20263 min read

Non-human identity for MCP servers on Entra

Many teams assume that giving an AI‑driven MCP server a static service‑account token is enough to keep the system safe, but that approach ignores the need for a non-human identity that can be audited. The reality is that a static credential provides no visibility into who or what is driving each request, and it cannot be revoked without a full rollout. In practice, engineers often create a dedicated service account in Entra, export its client secret, and embed that secret in the MCP server conf

Free White Paper

Non-Human Identity Management + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many teams assume that giving an AI‑driven MCP server a static service‑account token is enough to keep the system safe, but that approach ignores the need for a non-human identity that can be audited. The reality is that a static credential provides no visibility into who or what is driving each request, and it cannot be revoked without a full rollout.

In practice, engineers often create a dedicated service account in Entra, export its client secret, and embed that secret in the MCP server configuration. The server then talks directly to the target resource – a database, a Kubernetes API, or an internal HTTP endpoint – without any gatekeeper in the middle. This approach satisfies the basic requirement of authentication, but it leaves three critical gaps: there is no real‑time audit of each command, no way to mask sensitive response data, and no ability to pause a risky operation for human review.

Why non-human identity alone is not enough

Switching to a non-human identity issued by Entra improves credential management. The MCP server can obtain an OIDC token on demand, and the token carries the service account’s group membership. However, the request still travels straight to the target resource. The data path remains uncontrolled, so the same audit, masking, and approval gaps persist. In other words, the identity layer decides *who* is making the request, but it does not enforce *what* the request may do.

Introducing a data‑path gateway

To close the gap, place a Layer 7 gateway between the non-human identity and the infrastructure. The gateway verifies the Entra token, then proxies the protocol‑level traffic to the target. Because the gateway sits in the data path, it can apply policy checks before any command reaches the backend.

hoop.dev records every session, storing a replayable log that auditors can query later. hoop.dev masks sensitive fields in responses, ensuring that downstream services never expose secrets to the MCP server. hoop.dev enforces just‑in‑time approvals, routing high‑risk commands to an approver before they are executed. hoop.dev blocks dangerous commands outright when a policy dictates that they are prohibited.

Architectural flow

1. Deploy the gateway using the quick‑start Docker Compose or a Kubernetes manifest. The deployment includes an agent that runs inside the same network as the target resource.

2. Register Entra as the OIDC provider in the gateway configuration. The gateway becomes the relying party, validates incoming tokens, and extracts group claims.

Continue reading? Get the full guide.

Non-Human Identity Management + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

3. Define a connection for the MCP server’s target – for example, a PostgreSQL database or an internal HTTP API. The gateway stores the credential needed to reach the target, so the MCP server never sees it.

4. Enable policy modules such as session recording, inline masking, and just‑in‑time approval in the gateway UI or declarative config.

When the MCP server starts, it obtains an Entra token, presents it to the gateway, and the gateway forwards the request to the target after applying the configured controls. All enforcement outcomes happen inside the gateway, not in the MCP server or the target.

Benefits for AI‑driven workloads

  • Full audit trails give security teams visibility into every AI‑generated query.
  • Inline masking prevents accidental leakage of PII or credentials from downstream responses.
  • Just‑in‑time approvals add a human checkpoint for high‑impact operations without slowing down routine work.
  • Command blocking reduces the blast radius of a compromised service account.

Getting started

Follow the getting‑started guide to spin up the gateway and connect it to Entra. The documentation walks through registering an OIDC provider, defining a connection, and turning on masking and approval policies. For deeper insight into policy configuration, explore the learn section where you can see examples of audit‑log queries and masking rules.

FAQ

Can I use the same Entra application for multiple MCP servers?
Yes. Each MCP server can request a token from the same Entra application. The gateway evaluates the token’s group claims for each request, so you can enforce different policies per server by assigning them to distinct groups.

What happens if the Entra token expires mid‑session?
The gateway detects token expiration and forces a re‑authentication before forwarding further traffic. This ensures that the session cannot continue with a stale credential.

Do I need to modify my MCP server code to use the gateway?
No. The MCP server points its client library at the gateway’s endpoint just as it would a regular database or API endpoint. The gateway handles protocol translation and policy enforcement transparently.

Ready to try it out? Clone the open‑source repository and start experimenting: https://github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot