Skip to main content
Security is fundamental to AI system design, which is why the MCP for Beginners curriculum prioritizes it as Module 2 — before you write a single line of server code. This aligns with Microsoft’s Secure by Design principle from the Secure Future Initiative.
This module reflects MCP security standards as of February 5, 2026, aligned with MCP Specification 2025-11-25. Always refer to the current MCP Specification and security best practices documentation for the latest guidance.

Learning Objectives

By the end of this module, you will be able to:
  • Identify MCP-specific threats including prompt injection, tool poisoning, session hijacking, confused deputy problems, token passthrough vulnerabilities, and supply chain risks
  • Apply security controls including robust authentication, least privilege access, secure token management, and supply chain verification
  • Leverage Microsoft Prompt Shields, Azure Content Safety, and GitHub Advanced Security for MCP workload protection
  • Recognize the importance of tool metadata validation and monitoring for dynamic changes
  • Combine foundational security practices with MCP-specific controls for comprehensive protection

Mandatory Security Requirements

Before exploring specific threats, you need to know the non-negotiable requirements from the MCP specification:
These are hard requirements — not recommendations:
  • MCP servers MUST NOT accept any tokens that were not explicitly issued for the MCP server
  • MCP servers implementing authorization MUST verify ALL inbound requests
  • MCP servers MUST NOT use sessions for authentication
  • MCP proxy servers using static client IDs MUST obtain user consent for each dynamically registered client
Research from the Microsoft Digital Defense Report shows that 98% of reported breaches would be prevented by robust security hygiene. The most effective strategy combines foundational security practices with MCP-specific controls.

OWASP MCP Top 10

The OWASP MCP Azure Security Guide defines the ten most critical security risks for MCP implementations:
RiskDescriptionPrimary Azure Mitigation
MCP01Token Mismanagement & Secret ExposureAzure Key Vault, Managed Identity
MCP02Privilege Escalation via Scope CreepRBAC, Conditional Access
MCP03Tool PoisoningTool validation, integrity verification
MCP04Supply Chain AttacksGitHub Advanced Security, dependency scanning
MCP05Command Injection & ExecutionInput validation, sandboxing
MCP06Prompt Injection via Contextual PayloadsAzure AI Content Safety, Prompt Shields
MCP07Insufficient Authentication & AuthorizationAzure Entra ID, OAuth 2.1 with PKCE
MCP08Lack of Audit & TelemetryAzure Monitor, Application Insights
MCP09Shadow MCP ServersAPI Center governance, network isolation
MCP10Context Injection & Over-SharingData classification, minimal exposure

AI-Specific Security Threats

MCP systems face attack vectors that traditional security measures cannot fully address:
Indirect Prompt Injection (also called Cross-Domain Prompt Injection) is one of the most critical vulnerabilities in MCP-enabled AI systems. Attackers embed malicious instructions within external content — documents, web pages, emails, or data sources — that AI systems subsequently process as legitimate commands.Attack scenarios:
  • Document-based: Malicious instructions hidden in processed documents that trigger unintended AI actions
  • Web content: Compromised web pages containing embedded prompts that manipulate AI behavior when scraped
  • Email-based: Malicious prompts in emails that cause AI assistants to leak information or perform unauthorized actions
  • Data source contamination: Compromised databases or APIs serving tainted content to AI systems
Real-world impact: These attacks can result in data exfiltration, privacy breaches, generation of harmful content, and manipulation of user interactions.Mitigations:
  • Deploy Microsoft AI Prompt Shields for advanced detection and filtering
  • Use delimiter and datamarking systems to distinguish trusted instructions from external content
  • Implement spotlighting techniques to help models maintain proper instruction hierarchy
  • Validate and sanitize all external content before it enters the model’s context
Tool Poisoning targets the metadata that defines MCP tools, exploiting how LLMs interpret tool descriptions to make execution decisions.Attack mechanisms:
  • Metadata manipulation: Attackers inject malicious instructions into tool descriptions or parameter definitions
  • Invisible instructions: Hidden prompts in tool metadata that the AI model processes but human users cannot see
  • Dynamic tool modification (“Rug Pulls”): Tools approved by users are later modified to perform malicious actions
  • Parameter injection: Malicious content embedded in tool parameter schemas that influence model behavior
Hosted server risks: Remote MCP servers present elevated risks because tool definitions can be updated after initial user approval.Mitigations:
  • Implement cryptographic hashing and integrity verification of tool definitions
  • Monitor for unexpected changes with real-time alerting
  • Require explicit user approval for any tool modifications
  • Maintain version history with rollback capabilities
Session hijacking in stateful MCP implementations lets unauthorized parties obtain and abuse legitimate session identifiers to impersonate clients.Attack scenarios:
  • Session hijack prompt injection: Attackers with stolen session IDs inject malicious events into servers sharing session state
  • Direct impersonation: Stolen session IDs enable direct MCP server calls that bypass authentication
  • Compromised resumable streams: Attackers terminate requests prematurely, causing legitimate clients to resume with malicious content
Required controls:
  • Use cryptographically secure, non-deterministic session IDs (minimum 128 bits of entropy)
  • Bind session IDs to user-specific information: <user_id>:<session_id>
  • Implement proper expiration, rotation, and invalidation
  • Enforce HTTPS for all session communication
  • Verify ALL inbound requests — never rely on sessions for authentication
The confused deputy problem occurs when MCP servers act as authentication proxies between clients and third-party services, creating opportunities for authorization bypass.Attack mechanics:
  • Cookie-based consent bypass: Previous user authentication creates consent cookies that attackers exploit through malicious authorization requests with crafted redirect URIs
  • Authorization code theft: Existing consent cookies cause authorization servers to skip consent screens, redirecting codes to attacker-controlled endpoints
  • Unauthorized API access: Stolen authorization codes enable token exchange and user impersonation
Required controls:
  • MCP proxy servers using static client IDs MUST obtain user consent for each dynamically registered client
  • Implement OAuth 2.1 with PKCE (Proof Key for Code Exchange) for all authorization requests
  • Apply strict validation of redirect URIs and client identifiers
Token passthrough is an explicit anti-pattern where MCP servers accept client tokens without proper validation and forward them to downstream APIs.Why it’s prohibited: The MCP specification explicitly forbids this pattern because it:
  • Bypasses critical rate limiting, validation, and monitoring controls
  • Makes client identification impossible, corrupting audit trails
  • Enables malicious actors to use servers as proxies for data exfiltration
  • Violates downstream services’ trust assumptions about token origins
  • Allows compromised tokens to enable lateral movement across multiple services
Required controls:
  • Never accept tokens not explicitly issued for your MCP server
  • Always validate token audience claims match the MCP server’s identity
  • Implement short-lived access tokens with secure rotation
  • Store tokens in Azure Key Vault or equivalent secure credential stores

Microsoft Security Solutions

AI Prompt Shields

Microsoft AI Prompt Shields provide comprehensive defense against both direct and indirect prompt injection attacks:

Advanced Detection

Machine learning algorithms and NLP techniques detect malicious instructions in external content. Real-time analysis of documents, web pages, emails, and data sources for embedded threats.

Spotlighting

Distinguishes between trusted system instructions and potentially compromised external inputs. Text transformation methods isolate malicious content while maintaining legitimate context.

Delimiter Systems

Explicit boundary definition between trusted system messages and external input text. Special markers highlight boundaries between trusted and untrusted data sources.

Continuous Intelligence

Microsoft continuously monitors emerging attack patterns and updates defenses. Regular security model updates maintain effectiveness against evolving threats.
Implementation resources: Microsoft Prompt Shields Documentation

Azure Content Safety

Azure Content Safety provides additional detection for jailbreak attempts, harmful content, and security policy violations — unified security controls across AI application components.

Authentication and Authorization

External Identity Provider Integration

The MCP specification (2025-11-25) now allows MCP servers to delegate authentication to external identity providers rather than implementing custom authentication. This is a significant security improvement: Benefits of delegating to Microsoft Entra ID:
  • Eliminates custom authentication implementation risks
  • Inherits enterprise-grade security with MFA and Conditional Access
  • Centralizes user lifecycle management and compliance auditing
  • Provides risk-based adaptive authentication
Token validation requirements: 
Token Validation Requirements:
  audience_validation: MANDATORY
  issuer_verification: MANDATORY
  signature_check: MANDATORY
  expiration_enforcement: MANDATORY
  scope_validation: MANDATORY

Token Lifecycle Management:
  rotation_frequency: "Short-lived tokens preferred"
  secure_storage: "Azure Key Vault or equivalent"
  transmission_security: "TLS 1.3 minimum"
  replay_protection: "Implemented via nonce/timestamp"

Access Control Implementation

1

Apply Principle of Least Privilege

Grant MCP servers only the minimum permissions required for their intended functionality. Conduct regular permission reviews to prevent privilege creep.
2

Implement Role-Based Access Control

Define fine-grained role assignments scoped tightly to specific resources and actions. Avoid broad permissions that unnecessarily expand the attack surface.
3

Monitor Continuously

Implement ongoing access auditing and monitor permission usage patterns for anomalies. Promptly remediate excessive or unused privileges.
4

Use Just-in-Time Access

For administrative functions, implement just-in-time access using Microsoft Entra Privileged Identity Management (PIM) to minimize standing privileges.

Supply Chain Security

MCP implementations must treat all AI ecosystem components — models, embeddings, context providers, external APIs — with the same security rigor as traditional software dependencies. AI-specific supply chain elements to verify:
  • Foundation Models — pre-trained models requiring provenance verification
  • Embedding Services — external vectorization and semantic search services
  • Context Providers — data sources, knowledge bases, and document repositories
  • Third-party APIs — external AI services, ML pipelines, and data processing endpoints
  • Model Artifacts — weights, configurations, and fine-tuned model variants
Microsoft GitHub Advanced Security provides:
  • Secret scanning — automated detection of credentials and API keys in repositories
  • Dependency scanning — vulnerability assessment for open-source dependencies
  • CodeQL analysis — static code analysis for security vulnerabilities
  • Supply chain insights — visibility into dependency health and security status

Foundational Security Best Practices

  • Protect against OWASP Top 10 web application vulnerabilities
  • Implement controls for OWASP Top 10 for LLMs
  • Use dedicated vaults (Azure Key Vault) for tokens, API keys, and sensitive configuration
  • Implement end-to-end encryption across all application components
  • Rigorously validate all user inputs, API parameters, and data sources

Microsoft Enterprise Security Ecosystem

Microsoft Defender for Cloud

Comprehensive cloud security posture management for MCP workloads.

Azure Sentinel

Cloud-native SIEM and SOAR capabilities for advanced threat detection.

Microsoft Entra ID

Enterprise identity and access management with conditional access policies.

Azure Key Vault

Centralized secrets management with hardware security module (HSM) backing.

Hands-On Security Training

For practical, hands-on security implementation experience, complete the MCP Security Summit Workshop (Sherpa):
CampFocusOWASP Risks Covered
Base CampMCP fundamentals & authentication vulnerabilitiesMCP01, MCP07
Camp 1: IdentityOAuth 2.1, Azure Managed Identity, Key VaultMCP01, MCP02, MCP07
Camp 2: GatewayAPI Management, Private Endpoints, governanceMCP02, MCP07, MCP09
Camp 3: I/O SecurityPrompt injection, PII protection, content safetyMCP03, MCP05, MCP06
Camp 4: MonitoringLog Analytics, dashboards, threat detectionMCP08
The SummitRed Team / Blue Team integration testAll
Workshop URL: https://azure-samples.github.io/sherpa/ The workshop uses a proven “vulnerable → exploit → fix → validate” methodology. You’ll experience vulnerabilities firsthand by exploiting intentionally insecure servers, then learn to fix them.

Key Security Takeaways

  • Layered security: Combine foundational practices (secure coding, least privilege, supply chain verification, continuous monitoring) with AI-specific controls
  • AI-specific threat landscape: MCP systems face unique risks that require specialized mitigations beyond traditional software security
  • Authentication excellence: Use external identity providers (Microsoft Entra ID), enforce proper token validation, and never accept tokens not explicitly issued for your MCP server
  • AI attack prevention: Deploy Microsoft Prompt Shields and Azure Content Safety for injection and poisoning defenses
  • Session security: Use cryptographically secure session IDs bound to user identities; never use sessions for authentication
  • OAuth security: Prevent confused deputy attacks through explicit user consent, PKCE, and strict redirect URI validation
  • Token principles: Avoid passthrough anti-patterns, validate audience claims, and maintain clear trust boundaries
  • Supply chain: Treat all AI ecosystem components with the same security rigor as traditional software dependencies
  • Continuous evolution: Stay current with rapidly evolving MCP specifications and maintain adaptive security postures

Resources

MCP Security Best Practices

Official MCP security best practices documentation.

OWASP MCP Azure Security Guide

Comprehensive OWASP MCP Top 10 with Azure implementation guidance.

MCP Authorization Specification

The official MCP authorization specification.

OAuth 2.0 Security Best Practices (RFC 9700)

Current OAuth security best practices standard.

OWASP Top 10 for LLMs

Security risks specific to large language model applications.

Microsoft Prompt Shields

Documentation for deploying AI Prompt Shields.

What’s Next

With a solid understanding of MCP security, you’re ready to start building. Continue to Module 3: Getting Started to set up your environment and create your first MCP server.

Build docs developers (and LLMs) love

Get started for freeTalk to us