Yes. Microsoft 365 Copilot supports the Model Context Protocol, known as MCP, across Copilot Studio, the Microsoft 365 Copilot app, and the broader Copilot agent stack. Microsoft announced general availability of MCP support inside Copilot Studio in May 2025, and by late 2025 expanded MCP tool calling into the Microsoft 365 Copilot chat surface, Researcher, Analyst, and custom agents built in Agent Builder. This means users and admins can connect Copilot to live MCP servers from vendors like Atlassian, Stripe, ServiceNow, GitHub, and Notion, plus any internal MCP server a company builds.
The specific problem MCP solves is brittle, one-off connector code. Before MCP, every AI app had to build custom plumbing to reach each tool or data source. Inside Microsoft 365, that access is governed by the Microsoft 365 Copilot connector framework and by enterprise data boundary rules under Microsoft Purview. Skipping the standard pathway breaks governance, logs, and data loss prevention. The immediate negative consequences are data leakage, failed audits, and loss of the tenant’s compliance posture.
A recent Microsoft Work Trend Index report found that 82% of leaders plan to deploy AI agents in the next 12 months, and MCP is now the default plug that makes those agents useful on day one.
- 🧩 How Microsoft 365 Copilot connects to MCP servers inside Copilot Studio and Agent Builder
- 🛡️ How admins keep tenant data safe using Purview, Entra, and DLP during MCP tool calls
- ⚙️ Three real examples of MCP servers running inside Microsoft 365 Copilot today
- 💸 What licenses, SKUs, and add-ons you need to unlock MCP features
- 🚫 The most common mistakes teams make when wiring MCP into Copilot, and how to avoid each one
What Is MCP and Why Microsoft Backs It
The Model Context Protocol is an open standard, first released by Anthropic in November 2024, that lets AI assistants talk to tools, files, and data sources through one shared interface. Think of MCP as the USB-C of AI. Instead of building a new cable for every tool, developers expose a single MCP server, and any MCP client, including Microsoft 365 Copilot, can plug in and call it.
Microsoft joined the MCP Steering Committee in March 2025 and co-authored the official C# SDK with Anthropic. That partnership matters because it guarantees first-class MCP support inside the Microsoft ecosystem, from Visual Studio Code to GitHub Copilot and Windows 11.
The plain-English meaning is simple. An MCP server advertises a list of tools, resources, and prompts. An MCP client like Copilot reads that list, shows the tools to the language model, and lets the model call them during a chat. The consequence of skipping MCP is a return to custom REST wrappers, which break every time an API changes. A real-world example is a finance team that wired Stripe into Copilot in one afternoon using the public Stripe MCP server instead of a three-week custom connector project. A common misconception is that MCP replaces Microsoft Graph. It does not. MCP sits beside Graph and calls it when needed.
The MCP Architecture in Plain Terms
MCP defines three roles, a host, a client, and a server. The host is the app the user sees, like the Microsoft 365 Copilot chat window. The client is the protocol layer that handles the JSON-RPC messages. The server is the tool provider, which can run locally on a laptop or remotely on a cloud URL.
MCP supports two transports today, described in the official transport spec. The first is stdio, used mostly for local developer tools. The second is Streamable HTTP, used for remote enterprise servers. Microsoft 365 Copilot currently focuses on Streamable HTTP with OAuth 2.1, because enterprise tenants need a secure, auditable channel.
The consequence of using the wrong transport is a dead integration. A stdio server cannot reach a cloud tenant. A common misconception is that MCP is only for local use. In truth, remote MCP over HTTPS is the production pattern Microsoft recommends in the Copilot Studio MCP documentation.
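The exchange described in this section, written out as an added example (not code from Microsoft, Anthropic, or any MCP SDK): a server-side dispatcher and the client-side call order, using the JSON-RPC method names from the MCP specification. The tool, ticket data, and server name are constructed, and the Streamable HTTP transport and OAuth layer are left out so the message flow runs in-process.

```python
import json

# Constructed catalogue and data for a hypothetical ticket-search server.
TOOLS = [{
    "name": "search_tickets",
    "description": "Search ticket titles by free-text query. Read-only.",
    "inputSchema": {"type": "object",
                    "properties": {"query": {"type": "string"}},
                    "required": ["query"]},
}]
TICKETS = {"OPS-1": "VPN outage in EU region", "OPS-2": "Expired TLS certificate"}


def search_tickets(arguments):
    query = arguments["query"].lower()
    return [f"{k}: {v}" for k, v in TICKETS.items() if query in v.lower()]


HANDLERS = {"search_tickets": search_tickets}


def _ok(msg_id, result):
    return {"jsonrpc": "2.0", "id": msg_id, "result": result}


def _err(msg_id, code, message):
    return {"jsonrpc": "2.0", "id": msg_id, "error": {"code": code, "message": message}}


def _text(text, is_error=False):
    return {"content": [{"type": "text", "text": text}], "isError": is_error}


def handle(raw):
    """Server side: one JSON-RPC message in (str), reply dict out, None for notifications."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return _err(None, -32700, "Parse error")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "method" not in msg:
        return _err(None, -32600, "Invalid Request")
    if "id" not in msg:
        return None  # notification (e.g. notifications/initialized): never answered
    msg_id, method = msg["id"], msg["method"]
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if method == "initialize":
        return _ok(msg_id, {"protocolVersion": "2025-03-26",
                            "capabilities": {"tools": {}},
                            "serverInfo": {"name": "example-tickets", "version": "0.1.0"}})
    if method == "tools/list":
        return _ok(msg_id, {"tools": TOOLS})
    if method == "tools/call":
        name = params.get("name")
        tool = HANDLERS.get(name) if isinstance(name, str) else None
        if tool is None:
            return _err(msg_id, -32602, f"Unknown tool: {name}")
        try:
            lines = tool(params.get("arguments") or {})
        except (KeyError, AttributeError, TypeError):
            # Tool failures travel inside the result so the model can read them.
            return _ok(msg_id, _text("invalid arguments", is_error=True))
        return _ok(msg_id, _text("\n".join(lines)))
    return _err(msg_id, -32601, f"Method not found: {method}")


def client_session(query):
    """Client side: the ordered calls a host drives before the model can use a tool."""
    def rpc(msg_id, method, params=None):
        request = {"jsonrpc": "2.0", "id": msg_id, "method": method, "params": params or {}}
        return handle(json.dumps(request))

    init = rpc(1, "initialize", {"protocolVersion": "2025-03-26", "capabilities": {},
                                 "clientInfo": {"name": "example-client", "version": "0.1.0"}})
    handle(json.dumps({"jsonrpc": "2.0", "method": "notifications/initialized"}))
    names = [tool["name"] for tool in rpc(2, "tools/list")["result"]["tools"]]
    call = rpc(3, "tools/call", {"name": names[0], "arguments": {"query": query}})
    return init["result"]["serverInfo"]["name"], names, call["result"]
```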
Why Microsoft Bet on an Open Standard
Microsoft had its own plugin format, the OpenAI plugin manifest, and its own connector framework. The company chose to adopt MCP because customers kept asking for one standard that works across Claude, ChatGPT, Cursor, and Copilot. The May 2025 Build keynote confirmed MCP as the default agent protocol inside Azure AI Foundry, Windows, and Microsoft 365 Copilot.
The consequence for IT buyers is portability. An MCP server built for Copilot also works in Claude Desktop and Cursor with zero code changes. The real-world example is the GitHub MCP server, which Microsoft ships as an official tool and which runs in every major MCP client. A common misconception is that Microsoft forked MCP. It did not. The spec stays open and governed by the joint steering committee.
Where MCP Lives Inside Microsoft 365 Copilot
Microsoft 365 Copilot is not one product. It is a family of surfaces, and MCP shows up in different places with different rules. The main entry points are Copilot Studio, the Microsoft 365 Copilot chat app, the Agent Builder inside Copilot chat, and the specialized Researcher and Analyst agents.
The plain-English breakdown is that Copilot Studio is the low-code builder for custom agents, Agent Builder is the in-app builder for declarative agents, and the Copilot chat app is where end users actually talk to those agents. The consequence of confusing the surfaces is wasted license spend. A real-world example is a company that bought Copilot Studio capacity thinking it unlocked MCP inside the Copilot chat app, when in fact the MCP connector needed to be attached to a specific agent first.
Copilot Studio MCP Support
Copilot Studio was the first Microsoft surface to ship MCP, announced in the May 2025 Copilot Studio blog post. Makers add an MCP server as a new Action inside an agent, and Copilot Studio auto-discovers the tools, prompts, and resources the server exposes. The server must speak Streamable HTTP and authenticate with OAuth 2.1 or an API key stored in Power Platform connector security.
The consequence of a misconfigured OAuth scope is a silent failure where the tool appears but every call returns 401. A real-world example is maker Priya at Contoso, who wired the Atlassian MCP server into a project-status agent in 20 minutes by pasting the server URL and approving the Entra consent prompt. A common misconception is that Copilot Studio MCP needs a Power Platform premium license for every end user. It does not. The maker needs Copilot Studio capacity, but end users consume the agent through their existing Microsoft 365 Copilot seat.
Microsoft 365 Copilot Chat and Agent Builder
The Microsoft 365 Copilot chat app, the one users open inside Teams, Word, Outlook, and copilot.microsoft.com, started accepting MCP-powered agents in late 2025. Admins publish Copilot Studio agents to the Microsoft 365 Copilot agent store, and those agents carry their MCP tools with them.
The consequence of publishing without admin approval is that the agent stays invisible to users, because the Integrated Apps portal blocks unapproved extensions. A real-world example is developer Marcus, who built a ServiceNow MCP agent in Agent Builder, then watched it fail rollout because the tenant admin had not whitelisted the ServiceNow MCP endpoint in the Cloud App Security policy. A common misconception is that every user can sideload an MCP agent. In most tenants, sideloading is off by default.
Researcher, Analyst, and Deep Reasoning Agents
The Researcher and Analyst agents launched in March 2025 and gained MCP tool support later that year. These agents run on reasoning models and can call MCP servers mid-thought, which means a Researcher agent can pull live data from a Salesforce MCP server while writing a competitive brief.
The consequence is much richer output, but also higher token spend, because each MCP call burns context window. A real-world example is analyst Jordan, who asked Researcher to compare Q1 pipeline across regions, and the agent pulled the numbers from a Snowflake MCP server in real time. A common misconception is that Researcher only reads Microsoft Graph. With MCP, it reads anything the tenant admin allows.
How to Connect an MCP Server to Microsoft 365 Copilot
The path from zero to working MCP inside Copilot has five steps, all documented in the Copilot Studio MCP guide. Step one is choosing or building an MCP server. Step two is registering the server as a custom connector in Power Platform. Step three is attaching the connector as an action inside a Copilot Studio agent. Step four is testing the tool calls in the test pane. Step five is publishing the agent to the Microsoft 365 Copilot app.
The plain-English version is that you wire the server once, Copilot handles the rest. The consequence of skipping the custom-connector step is that Copilot Studio cannot enforce Data Loss Prevention policies on the traffic, which breaks compliance. A real-world example is a healthcare ISV that added a FHIR MCP server through the proper connector flow and kept HIPAA alignment intact.
Example 1: GitHub MCP Server Inside Copilot
The GitHub MCP server exposes issues, pull requests, code search, and repository metadata. A developer can connect it to a Copilot Studio agent named Repo Helper and ask Copilot to summarize open pull requests in a specific repo. The OAuth scope is repo and read:org, granted through the standard GitHub consent screen.
The consequence of granting write scopes unintentionally is that Copilot can now merge pull requests on the user’s behalf, which may violate change-management policy. A real-world example is engineer Sam, who asked Copilot “which of my open PRs are waiting on review,” and the GitHub MCP server answered in seconds. A common misconception is that the GitHub MCP server needs a self-hosted runner. The official server runs as a hosted endpoint at https://api.githubcopilot.com/mcp.
Example 2: Atlassian MCP Server for Jira and Confluence
The Atlassian Remote MCP server went GA in 2025 and lets Copilot read Jira tickets, create new issues, and search Confluence pages. Setup takes a server URL and an OAuth 2.1 consent flow scoped to the user’s Atlassian Cloud site.
The consequence of a missing site scope is that Copilot can only see one project. A real-world example is project manager Elena, who asked Copilot to “draft a status email from this week’s Jira updates,” and the MCP server returned the ticket list, which Copilot then summarized into an email. A common misconception is that the Atlassian MCP server replaces the Jira Power Automate connector. It does not. Both can coexist, and makers pick whichever fits the job.
Example 3: Internal Stripe Billing MCP Server
Stripe ships an official Stripe MCP server that exposes charges, customers, invoices, and subscriptions. A finance team can attach it to a Copilot agent called Billing Buddy and ask Copilot questions like “show me failed charges from the last 24 hours for enterprise customers.” Authentication uses a restricted Stripe API key stored in Azure Key Vault and referenced by the Power Platform connector.
The consequence of using a full-access Stripe key is obvious blast radius, because a prompt-injection attack could trigger refunds. A real-world example is controller Dana, who scoped the key to read-only and avoided a near-miss when a user asked Copilot to issue a full refund. A common misconception is that MCP servers require a Stripe partner agreement. The server is free and open source.
Scenarios Copilot Users See with MCP
Below are the three most common real-world patterns, each shown in a two-column table.
Scenario A: Live Data Retrieval
| User Ask | Copilot + MCP Outcome |
|---|---|
| “Show me open Jira bugs tagged P1” | Copilot calls Atlassian MCP, returns a filtered list, and offers to paste it into Teams |
| “Pull last week’s Salesforce pipeline” | Copilot calls a Salesforce MCP server, renders a table, and saves it to OneDrive |
| “List failed Stripe charges today” | Copilot calls Stripe MCP, summarizes the root cause, and drafts a follow-up email |
Scenario B: Write-Back Actions
| User Ask | Copilot + MCP Outcome |
|---|---|
| “Create a Jira ticket for this bug” | Copilot uses Atlassian MCP, posts the ticket, and returns the ticket link |
| “Open a ServiceNow incident for the outage” | Copilot calls ServiceNow MCP, creates the incident, and shares the number with the channel |
| “Merge my approved PR” | Copilot uses GitHub MCP, merges the PR, and posts a confirmation in Teams |
Scenario C: Cross-Tool Reasoning
| User Ask | Copilot + MCP Outcome |
|---|---|
| “Compare my GitHub PRs with linked Jira tickets” | Copilot calls GitHub MCP and Atlassian MCP, joins the data, and flags mismatches |
| “Summarize customer health from CRM and support” | Copilot calls Salesforce MCP and Zendesk MCP, blends signals, and ranks at-risk accounts |
| “Match Stripe revenue to HubSpot deals” | Copilot calls Stripe MCP and HubSpot MCP, reconciles the numbers, and builds a variance table |
Licensing, Pricing, and SKU Requirements
The base license for MCP inside the Microsoft 365 Copilot chat app is a Microsoft 365 Copilot seat, priced at 30 USD per user per month on an annual commitment as of the 2026 price list. To build MCP-powered agents, makers also need Copilot Studio capacity, which costs 200 USD per tenant per month for the base pack of 25,000 messages.
The consequence of underestimating message consumption is a surprise bill, because every MCP tool call counts against the pack. A real-world example is a retail tenant that crossed 200,000 messages in month one and had to buy three add-on packs mid-cycle. A common misconception is that Copilot Studio messages equal chat turns. They do not. A single user turn can burn several messages if the agent calls multiple MCP tools.
E3 vs. E5 vs. Copilot Add-On
The table below summarizes the common SKUs and what each unlocks for MCP use.
| SKU | MCP Capability |
|---|---|
| Microsoft 365 E3 only | No MCP inside Copilot chat, since Copilot add-on is required per the Copilot licensing guide |
| Microsoft 365 E5 only | Same as E3, needs the Copilot add-on for MCP features |
| Microsoft 365 Copilot add-on | Full MCP access in Copilot chat, Researcher, Analyst, and published agents |
| Copilot Studio pay-as-you-go | MCP agent building, billed per message against an Azure subscription |
Hidden Costs to Watch
Egress, token burn, and MCP server hosting are the three hidden costs teams miss. Egress hits when Copilot pulls large documents from an MCP server hosted outside Azure. Token burn compounds when a Researcher agent chains five MCP calls in one turn. Hosting costs appear when a team runs a custom MCP server on Azure Container Apps or Azure Functions.
The consequence of ignoring hidden costs is a 3x overrun in quarter one. A real-world example is a services firm that budgeted 5,000 USD per month and hit 18,000 USD because the MCP server returned full PDF bodies instead of summaries. A common misconception is that MCP is free because the protocol is open. The runtime is not free.
Security, Governance, and Compliance
MCP inside Microsoft 365 Copilot inherits the full Microsoft 365 security stack, including Entra ID authentication, Conditional Access, Purview DLP, and Defender for Cloud Apps. The plain-English version is that MCP traffic is not a side door. Every call is logged, every identity is checked, and every payload can be inspected.
The consequence of disabling any layer is a gap in the audit chain. A real-world example is a bank that turned off Defender for Cloud Apps in a test tenant and lost the ability to block a prompt-injection attempt that tried to exfiltrate customer data through a rogue MCP server.
Entra ID and OAuth 2.1
MCP servers authenticate through OAuth 2.1, which the MCP spec mandates for remote servers. Admins register the server as an app in Entra ID, grant delegated scopes, and the user sees a consent screen the first time Copilot calls the tool.
The consequence of granting admin consent too broadly is that every user can reach the MCP server, which may leak data. A real-world example is a hospital that granted tenant-wide consent to a patient-records MCP server and had to roll it back when HIPAA review flagged it. A common misconception is that API-key auth is fine for production. It is not, because keys cannot be revoked per user.
Purview, DLP, and Sensitivity Labels
Microsoft Purview treats MCP tool calls like any other Copilot interaction. DLP policies inspect the prompt and the response, sensitivity labels flow through to generated content, and audit logs record which MCP server was called and by whom.
The consequence of skipping label inheritance is that highly confidential data can leave a label-protected environment and land in an unlabeled Word doc. A real-world example is a defense contractor that relied on Purview’s label inheritance to keep ITAR-restricted data inside the right boundary. A common misconception is that MCP responses bypass Purview. They do not.
Defender for Cloud Apps and Prompt Injection
Defender for Cloud Apps adds a layer that watches for prompt-injection attacks hidden in MCP server responses. Microsoft’s Prompt Shields service scans tool outputs before the model reads them.
The consequence of bypassing Prompt Shields is that a poisoned MCP response can hijack the agent. A real-world example is the EchoLeak proof of concept disclosed in 2025, which showed how a malicious email could steer an agent through an MCP tool. A common misconception is that prompt injection is a theoretical risk. It is the number-one real-world agent threat today.
Mistakes to Avoid When Wiring MCP into Copilot
Teams repeat the same errors, and each one carries a specific cost.
- Skipping the custom-connector step in Power Platform, which strips DLP enforcement and breaks audit logs
- Using a long-lived API key instead of OAuth 2.1, which makes per-user revocation impossible
- Granting admin consent tenant-wide before pilot testing, which exposes sensitive scopes to every user
- Hosting the MCP server in a different region than the tenant, which can violate data residency commitments
- Returning full documents instead of summaries from the MCP server, which burns tokens and inflates bills
- Forgetting to apply sensitivity labels to generated content, which breaks downstream protection
- Mixing stdio and HTTP transports without reading the MCP transport spec, which leads to silent failures
- Publishing agents without admin approval in the Integrated Apps portal, which hides them from users
- Ignoring Prompt Shields on MCP responses, which opens the door to prompt-injection attacks
- Forgetting to set Copilot Studio message caps, which surprises the finance team at month-end
Do’s and Don’ts for MCP Adoption
Do’s
- Do pilot with a read-only MCP server first, because read-only eliminates write-back risk
- Do store secrets in Azure Key Vault, because Key Vault gives you rotation and audit
- Do apply Conditional Access policies to MCP apps, because CA enforces device and location rules
- Do enable audit logs in Purview, because logs are your forensic trail
- Do version your MCP server, because breaking changes will happen and you need rollback
Don’ts
- Don’t expose write tools without approval gates, because a hallucinated call can mutate production data
- Don’t use a single shared service account, because you lose per-user attribution
- Don’t skip threat modeling, because MCP expands the attack surface
- Don’t rely on obscurity, because MCP servers on public URLs will be scanned
- Don’t ship without a kill switch, because you need to disable the server fast if something goes wrong
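Three of the items above (approval gates on write tools, per-user attribution, and a kill switch) can be enforced in one policy layer that sits in front of `tools/call`. The sketch below is an added example, not a Copilot Studio or MCP SDK feature: `ToolGate`, the tool names, and the users are hypothetical, and `readOnlyHint` is the tool annotation from the MCP specification, treated here as untrusted input from the server.

```python
import time

# Constructed tools/list result. Tool names are hypothetical, not the real
# Stripe MCP server's catalogue.
CATALOGUE = {"tools": [
    {"name": "list_charges", "annotations": {"readOnlyHint": True}},
    {"name": "create_refund", "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    # Claims to be read-only but was never reviewed by an admin.
    {"name": "export_customers", "annotations": {"readOnlyHint": True}},
]}


class ToolGate:
    """Hypothetical policy layer between an MCP client and a server."""

    def __init__(self, read_only_allowlist, approver, clock=time.time):
        self.read_only_allowlist = set(read_only_allowlist)  # pinned by an admin
        self.approver = approver   # callable(user, tool, arguments) -> bool
        self.clock = clock
        self.enabled = True        # kill switch: False stops every call
        self.tool_class = {}       # tool name -> "read" or "write"
        self.audit = []            # one record per decision, keyed to a user

    def load_catalogue(self, tools_list_result):
        """Classify tools. Server hints are untrusted, so a tool is 'read' only
        when the admin pinned it AND the server still declares it read-only."""
        self.tool_class = {}
        for tool in tools_list_result.get("tools", []):
            hint = (tool.get("annotations") or {}).get("readOnlyHint", False)
            pinned = tool["name"] in self.read_only_allowlist
            self.tool_class[tool["name"]] = "read" if (pinned and hint is True) else "write"
        return dict(self.tool_class)

    def authorize(self, user, call_params):
        """Decide one tools/call request; every decision is written to the audit list."""
        name = call_params.get("name")
        args = call_params.get("arguments")
        args = args if isinstance(args, dict) else {}
        if not self.enabled:
            allowed, reason = False, "kill switch engaged"
        elif not user:
            allowed, reason = False, "no user identity"
        elif not isinstance(name, str) or name not in self.tool_class:
            allowed, reason = False, "tool not in catalogue"
        elif self.tool_class[name] == "read":
            allowed, reason = True, "read-only tool"
        elif self.approver(user, name, args):
            allowed, reason = True, "write approved"
        else:
            allowed, reason = False, "write not approved"
        # Log argument names only, so the audit trail does not copy payload data.
        self.audit.append({"ts": self.clock(), "user": user, "tool": name,
                           "allowed": allowed, "reason": reason, "arg_keys": sorted(args)})
        return allowed, reason


def demo():
    approved = {("dana@example.com", "create_refund")}  # constructed approvals
    gate = ToolGate({"list_charges"}, lambda u, t, a: (u, t) in approved, clock=lambda: 0)
    classes = gate.load_catalogue(CATALOGUE)
    refund = {"name": "create_refund", "arguments": {"charge": "ch_example"}}
    decisions = [
        gate.authorize("sam@example.com", {"name": "list_charges"}),
        gate.authorize("sam@example.com", refund),
        gate.authorize("dana@example.com", refund),
        gate.authorize("sam@example.com", {"name": "export_customers"}),
    ]
    gate.enabled = False
    decisions.append(gate.authorize("dana@example.com", {"name": "list_charges"}))
    return classes, decisions, gate.audit
```

The `export_customers` entry shows why the gate fails closed: a server that labels a tool read-only does not make it so, and an unpinned tool is handled as a write until an admin reviews it.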
Pros and Cons of Microsoft 365 Copilot MCP Support
Pros
- One standard, many clients, because MCP works in Copilot, Claude, Cursor, and ChatGPT
- Enterprise-grade governance, because Purview, Entra, and Defender wrap every call
- Low-code builder path, because Copilot Studio lets non-developers wire up MCP in minutes
- Rich ecosystem of public servers, because vendors like Stripe, Atlassian, and GitHub ship official servers
- Portability across Microsoft surfaces, because the same agent runs in Teams, Word, Outlook, and the web app
Cons
- Licensing complexity, because the Copilot add-on and Studio capacity stack up fast
- Token and message costs, because every tool call burns budget
- Limited local-stdio support, because the enterprise path favors HTTPS
- New attack surface, because prompt injection through tool responses is real
- Fast-moving spec, because MCP is still evolving and breaking changes happen
Step-by-Step: Building Your First MCP Agent
The first agent takes about 30 minutes if you have the right licenses. Open Copilot Studio, create a new agent, and name it MCP Starter. Click Add action, then pick Model Context Protocol, then paste your server URL. Copilot Studio auto-discovers the tool list and shows each one with a description.
The consequence of skipping the description review is a confused model that calls the wrong tool. A real-world example is maker Aisha, who found that her create_ticket tool had a description that matched close_ticket, which caused the model to close tickets users wanted to create.
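The description review can be partly automated before an agent is published. The lint below is an added example, not part of Copilot Studio: it takes the `tools` array from a `tools/list` result and flags descriptions that read like another tool, are near-duplicates, or are too short to guide the model. The matching is a heuristic and the tool list is constructed to mirror the create_ticket and close_ticket mix-up above.

```python
import re
from difflib import SequenceMatcher

# Constructed tools/list entries reproducing the mix-up described above.
SAMPLE_TOOLS = [
    {"name": "create_ticket",
     "description": "Closes the ticket with the given ID and notifies the reporter."},
    {"name": "close_ticket",
     "description": "Closes the ticket with the given ID and notifies the reporter."},
    {"name": "list_tickets",
     "description": "Lists open tickets for a project, newest first."},
    {"name": "get_ticket", "description": "Fetch it."},
]


def _words(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def _verb(tool_name):
    # Leading action word of a name such as create_ticket or close-ticket.
    return re.split(r"[_\-.]", tool_name.lower())[0]


def _mentions(verb, words):
    # Heuristic: accept simple inflections (close, closes, closed, closing).
    stem = verb[:-1] if verb.endswith("e") else verb
    return any(w.startswith(stem) and len(w) - len(stem) <= 4 for w in words)


def lint_tools(tools, similarity=0.9, min_words=4):
    """Return (tool_name, finding) pairs for descriptions likely to mislead the model."""
    findings = []
    verbs = {t["name"]: _verb(t["name"]) for t in tools}
    for tool in tools:
        name = tool["name"]
        words = _words(tool.get("description") or "")
        if len(words) < min_words:
            findings.append((name, "description missing or too short"))
            continue
        if _mentions(verbs[name], words):
            continue  # description talks about the tool's own action
        for other, verb in verbs.items():
            if other != name and verb != verbs[name] and _mentions(verb, words):
                findings.append((name, f"description reads like {other}"))
    for i, a in enumerate(tools):
        for b in tools[i + 1:]:
            da = (a.get("description") or "").lower()
            db = (b.get("description") or "").lower()
            if da and SequenceMatcher(None, da, db).ratio() >= similarity:
                findings.append((a["name"], f"description nearly identical to {b['name']}"))
    return findings
```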
Testing and Publishing
Use the Copilot Studio test pane to trigger prompts and watch the tool calls in the trace. If a call fails, the trace shows the HTTP status and the request payload, which is the fastest way to debug. Once the agent works, publish it to the Microsoft 365 Copilot app through the publish flow.
The consequence of publishing without running the DLP review is that the agent may get blocked at the tenant boundary. A real-world example is builder Liam, whose finance agent failed publish review because the MCP server lived on a non-approved domain. A common misconception is that publish is instant. Admin review can take 24 to 72 hours.
Key Entities in the MCP + Copilot Story
- Anthropic created MCP and co-stewards the spec through the steering committee
- Microsoft contributes the official C# SDK and builds MCP into Copilot, Azure, and Windows
- Copilot Studio is the low-code builder where makers attach MCP servers to agents
- Microsoft Graph is the data layer that many MCP servers call under the hood
- Entra ID handles OAuth 2.1 and Conditional Access for every MCP call
- Microsoft Purview provides DLP, audit, and sensitivity labels across MCP traffic
- Defender for Cloud Apps monitors MCP endpoints for threats and data exfiltration
How Copilot MCP Compares to Other Clients
The table below shows how the same MCP server behaves across the top clients.
| Client | MCP Behavior |
|---|---|
| Microsoft 365 Copilot | Runs remote HTTP MCP with Entra OAuth, full Purview and DLP wrap |
| Claude Desktop | Runs local stdio and remote HTTP MCP, per-user consent, no enterprise DLP layer |
| Cursor | Developer-focused, local stdio first, light governance |
| ChatGPT Enterprise | Supports remote MCP with OpenAI’s own admin controls, not Purview |
The consequence of picking the wrong client for a regulated workload is a compliance gap. A real-world example is a pharma firm that standardized on Microsoft 365 Copilot for any MCP call touching clinical data, because only Purview met its audit needs. A common misconception is that all clients treat MCP identically. They do not. Governance varies widely.
The Roadmap Through 2026
Microsoft published the Copilot release roadmap showing MCP-related items through 2026. Expect deeper multi-agent orchestration, where one Copilot agent calls another MCP-wrapped agent. Expect first-class MCP in Windows 11 through the Windows AI Foundry MCP layer. Expect richer resource support, where Copilot can subscribe to live streams from an MCP server rather than polling.
The consequence of betting on yesterday’s connector framework is technical debt. A real-world example is a firm that paused new Power Platform custom connectors in 2025 and rebuilt them as MCP servers to match the future state. A common misconception is that MCP will replace Graph, Dataverse, or Power Automate. It will not. Those remain the data and workflow fabric, and MCP sits on top.
FAQs
Does Microsoft 365 Copilot Support MCP Today?
Yes. MCP support is generally available across Copilot Studio, the Microsoft 365 Copilot chat app, Researcher, Analyst, and custom agents built in Agent Builder, per Microsoft’s 2025 and 2026 announcements.
Do I Need a Separate License for MCP?
No. MCP itself carries no license fee, but you need a Microsoft 365 Copilot seat for end users and Copilot Studio capacity for makers who build MCP-powered agents.
Can I Build My Own MCP Server for Copilot?
Yes. Any server that speaks the MCP spec over Streamable HTTP with OAuth 2.1 works, and Microsoft publishes a C# SDK, a Python SDK, and a TypeScript SDK to make it easy.
Does MCP Work Inside Microsoft Teams Copilot?
Yes. Any agent published to the Microsoft 365 Copilot app also shows up in Teams Copilot chat, which means MCP tools work there with no extra setup.
Is MCP Traffic Covered by Microsoft Purview DLP?
Yes. Purview inspects prompts, responses, and tool payloads for DLP violations, applies sensitivity labels, and writes audit logs for every MCP call.
Can MCP Servers Write Data Back to My Systems?
Yes. MCP supports tools that mutate state, but Microsoft strongly recommends approval gates and scoped OAuth permissions before enabling write-back in production.
Does Copilot Studio Support Local Stdio MCP Servers?
No. Copilot Studio targets remote Streamable HTTP servers, because stdio cannot reach a cloud tenant in a secure, auditable way.
Will Sideloading Let Users Add Any MCP Server?
No. Most tenants disable sideloading by default, so MCP-powered agents must pass admin review in the Integrated Apps portal before users see them.
Do MCP Calls Count Against Copilot Studio Messages?
Yes. Each MCP tool call inside a Copilot Studio agent consumes messages from the tenant’s capacity pack, which can add up fast in high-volume agents.
Is MCP Safe From Prompt-Injection Attacks?
No. MCP expands the attack surface, but Microsoft Prompt Shields, Defender for Cloud Apps, and Purview reduce risk when admins turn them on and keep them tuned.
Can I Use the Same MCP Server in Copilot and Claude?
Yes. MCP is an open standard, so a properly built server runs in Microsoft 365 Copilot, Claude Desktop, Cursor, and any other compliant MCP client.
Does MCP Replace Microsoft Graph Connectors?
No. Graph connectors index content for Microsoft Search, while MCP handles live tool calls during a chat, and the two patterns are complementary.