Azure MCP Server
Community MCP server for Microsoft Azure that manages resources, role assignments, and executes arbitrary Azure SDK code
Score Breakdown
Server Info
- Package
- azure-mcp
- Registry
- npm
- Repository
- gkvp70/azure-mcp
- Maintainer
- Community
- Category
- Cloud & Infrastructure
- Tags
- azurecloudmicrosoft
- Last Scanned
- 7 Apr 2026
Findings
11 issuesAuthentication & Identity
HIGHNo per-request auth - requires instance-per-user
Stdio-only transport. Uses ChainedTokenCredential with three credential sources in order: ClientSecretCredential (from AZURE_CLIENT_ID/SECRET/TENANT_ID env vars), ManagedIdentityCredential, and DefaultAzureCredential as fallback. Supports service principal, managed identity, and interactive auth. For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
MEDIUMOnly 0 of 9 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICALDangerous execution surface: run-azure-code
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM1 tools combine read and write operations
run-azure-code is a god-mode tool that can execute any Azure SDK operation. create-resource-group and select-tenant are proper write tools. The read tools for role assignments and permissions are well-separated. However, run-azure-code makes all permission boundaries meaningless since it can do anything the credentials allow.
Split into separate read and write tools.
HIGH1 destructive operations not isolated
Admin/delete tools are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately for independent access control.
LLM Safety
MEDIUM1 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
HIGHTool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM3 list operations lack pagination
list-resource-groups, list-role-assignments, and get-role-definitions all iterate through all results without pagination support. Uses for-await-of loops that collect everything. Resource caching (60s TTL) reduces repeated API calls but does not limit data exposure.
Add limit/offset or cursor-based pagination.
LOWNo field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
LOWCommunity-maintained by gkvp70
No official vendor backing.
Seek vendor verification.
HIGH12 dependency vulnerabilities (1 critical, 10 high)
npm audit found 1 critical and 10 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
9 total| Name | Description | Risk |
|---|---|---|
| run-azure-code | Run Azure code | admin |
| list-tenants | List all available Azure tenants | read |
| select-tenant | Select Azure tenant and subscription | write |
| list-resource-groups | List all resource groups in the selected subscription | read |
| get-resource-details | Get detailed information about a specific resource | read |
| create-resource-group | Create a new resource group | write |
| list-role-assignments | List role assignments for the subscription or resource group | read |
| get-role-definitions | List available role definitions | read |
| get-user-permissions | Get detailed user permissions by combining role assignments and role definitions | read |
Deploy Azure MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow