Improve Azure Deployment README for clarity and completeness (#726)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: anshulkhantwal

deploy/azure/README.md

@@ -8,7 +8,7 @@ This directory contains an Azure Bicep template (`bicep/main.bicep`) and support
 
 - Azure CLI (2.55.0 or later) installed and signed in (`az login`).
 - Azure subscription with permissions to deploy the required resources.
-- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:latest).
+- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:1.2.0). Version 1.2.0 has been validated for Azure AI Foundry compatibility when the aggregate, create-index, explain, and export tools are omitted (additional tools are disabled by default for security). You can reference the `latest` tag instead if you want to experiment with newer builds.
 
 ## Parameter Files
 
@@ -19,6 +19,17 @@ Two sample parameter files are provided to help you tailor deployments:
 
 > **Tip:** Update the image reference, secrets, networking, and any other environment-specific values in the chosen parameter file before deployment.
 
+### Managed Identity Authentication Parameters
+
+When using `bicep/paramsWithAuthEnabled.json`, provide tenant and app-specific values for the following parameters before deployment:
+
+- `authClientId`: Set to the application (client) ID of the Microsoft Entra ID app registration that represents the MongoDB MCP server API (often the managed identity or a server-side app registration).
+- `authIssuerUrl`: Use the issuer URL for your tenant. Use `<authentication-endpoint>/<TENANT-ID>/v2.0`, and replace <authentication-endpoint> with the authentication endpoint for your cloud environment (for example, "https://login.microsoftonline.com" for global Azure), also replacing <TENANT-ID> with the Directory (tenant) ID in which the app registration was created.
+- `authTenantId`: The tenant ID (directory ID) of the Microsoft Entra tenant that owns the identities interacting with the MCP server. Obtain it via `az account show --query tenantId -o tsv`.
+- `authAllowedClientApps` (optional): Provide an array of application (client) IDs for every client that should be allowed to request tokens for the MongoDB MCP server (for example, front-end apps, automation scripts, or integration partners). Omit this property to allow all clients without any filtering.
+
+For deeper guidance on Microsoft Entra authentication in Azure Container Apps, see the official docs: <https://learn.microsoft.com/en-us/azure/container-apps/authentication-entra>.
+
 ## Deploy the Bicep Template
 
 1. **Set common variables (PowerShell example):**
@@ -54,6 +65,8 @@ Two sample parameter files are provided to help you tailor deployments:
       --parameters @$parameterFile
    ```
 
+   If the deployment returns an error, rerun the command with `--debug` to surface detailed troubleshooting output.
+
 5. **Monitor outputs:** Review the deployment outputs and logs for connection endpoints, credential references, or other values needed to complete integration.
 
 ## Post-Deployment Checklist

deploy/azure/bicep/main.bicep

@@ -8,7 +8,7 @@ param location string = resourceGroup().location
 param containerAppName string = 'mongo-mcp-server-app'
 
 @description('Docker image to deploy')
-param containerImage string = 'mongodb/mongodb-mcp-server:latest'
+param containerImage string = 'mongodb/mongodb-mcp-server:1.2.0'
 
 @description('Container CPU (vCPU) as string. Allowed: 0.25 - 2.0 in 0.25 increments')
 @allowed([

deploy/azure/bicep/params.json

@@ -3,8 +3,8 @@
   "contentVersion": "1.0.0.0",
   "parameters": {
     "containerAppEnvName": { "value": "container-app-env" },
-    "containerAppName": { "value": "mongo-mcp-server-app-without-auth" },
-    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerAppName": { "value": "mongo-mcp-without-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" },
     "containerCpu": { "value": "1.0" },
     "containerMemory": { "value": "2Gi" },
     "appEnvironmentVars": {
@@ -15,10 +15,10 @@
         "MDB_MCP_TRANSPORT": "http",
         "MDB_MCP_LOGGERS": "disk,mcp,stderr",
         "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
-        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+        "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
       }
     },
-    "authMode": { "value": "NOAUTH" },
-    "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" }
+    "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" },
+    "authMode": { "value": "NOAUTH" }
   }
 }

deploy/azure/bicep/paramsWithAuthEnabled.json

@@ -3,8 +3,8 @@
   "contentVersion": "1.0.0.0",
   "parameters": {
     "containerAppEnvName": { "value": "container-app-env" },
-    "containerAppName": { "value": "mongo-mcp-server-app-with-auth" },
-    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerAppName": { "value": "mongo-mcp-with-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" },
     "containerCpu": { "value": "1.0" },
     "containerMemory": { "value": "2Gi" },
     "appEnvironmentVars": {
@@ -15,7 +15,7 @@
         "MDB_MCP_TRANSPORT": "http",
         "MDB_MCP_LOGGERS": "disk,mcp,stderr",
         "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
-        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+        "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
       }
     },
     "mdbConnectionString": { "value": "<MONGODB_CONNECTION_STRING>" },