From 3b74add099684906ef883bbd493731522eace1dd Mon Sep 17 00:00:00 2001 From: Anshul Khantwal Date: Wed, 12 Nov 2025 14:21:48 +0530 Subject: [PATCH 1/4] Azure Deployment README updates --- deploy/azure/README.md | 15 ++++++++++++++- deploy/azure/bicep/main.bicep | 2 +- deploy/azure/bicep/params.json | 11 ++++++----- deploy/azure/bicep/paramsWithAuthEnabled.json | 6 +++--- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/deploy/azure/README.md b/deploy/azure/README.md index b7ac079ee..c0cc660fd 100644 --- a/deploy/azure/README.md +++ b/deploy/azure/README.md @@ -8,7 +8,7 @@ This directory contains an Azure Bicep template (`bicep/main.bicep`) and support - Azure CLI (2.55.0 or later) installed and signed in (`az login`). - Azure subscription with permissions to deploy the required resources. -- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:latest). +- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:1.2.0). Version 1.2.0 has been validated for Azure AI Foundry compatibility when the aggregate, create-index, explain, and export tools are omitted. You can reference the `latest` tag instead if you want to experiment with newer builds. ## Parameter Files 
@@ -19,6 +19,17 @@ Two sample parameter files are provided to help you tailor deployments: > **Tip:** Update the image reference, secrets, networking, and any other environment-specific values in the chosen parameter file before deployment. +### Managed Identity Authentication Parameters + +When using `bicep/paramsWithAuthEnabled.json`, provide tenant and app-specific values for the following parameters before deployment: + +- `authClientId`: Set to the application (client) ID of the Microsoft Entra ID app registration that represents the MongoDB MCP server API (often the managed identity or a server-side app registration). +- `authIssuerUrl`: Use the issuer URL for your tenant. Use //v2.0, and replace with the authentication endpoint for your cloud environment (for example, "https://login.microsoftonline.com" for global Azure), also replacing with the Directory (tenant) ID in which the app registration was created. +- `authTenantId`: The tenant ID (directory ID) of the Microsoft Entra tenant that owns the identities interacting with the MCP server. Obtain it via `az account show --query tenantId -o tsv`. +- `authAllowedClientApps` (optional): Provide an array of application (client) IDs for every client that should be allowed to request tokens for the MongoDB MCP server (for example, front-end apps, automation scripts, or integration partners). Omit this property to allow all clients without any filtering. + +For deeper guidance on Microsoft Entra authentication in Azure Container Apps, see the official docs: . + ## Deploy the Bicep Template 1. **Set common variables (PowerShell example):** 
@@ -54,6 +65,8 @@ Two sample parameter files are provided to help you tailor deployments: --parameters @$parameterFile ``` + If the deployment returns an error, rerun the command with `--debug` to surface detailed troubleshooting output. + 5. **Monitor outputs:** Review the deployment outputs and logs for connection endpoints, credential references, or other values needed to complete integration. ## Post-Deployment Checklist diff --git a/deploy/azure/bicep/main.bicep b/deploy/azure/bicep/main.bicep index 241b1565b..32b1e52c1 100644 --- a/deploy/azure/bicep/main.bicep +++ b/deploy/azure/bicep/main.bicep @@ -8,7 +8,7 @@ param location string = resourceGroup().location param containerAppName string = 'mongo-mcp-server-app' @description('Docker image to deploy') -param containerImage string = 'mongodb/mongodb-mcp-server:latest' +param containerImage string = 'mongodb/mongodb-mcp-server:1.2.0' @description('Container CPU (vCPU) as string. Allowed: 0.25 - 2.0 in 0.25 increments') @allowed([ diff --git a/deploy/azure/bicep/params.json b/deploy/azure/bicep/params.json index 137a4ca45..ba3235dc8 100644 --- a/deploy/azure/bicep/params.json +++ b/deploy/azure/bicep/params.json @@ -3,8 +3,8 @@ "contentVersion": "1.0.0.0", "parameters": { "containerAppEnvName": { "value": "container-app-env" }, - "containerAppName": { "value": "mongo-mcp-server-app-without-auth" }, - "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" }, + "containerAppName": { "value": "mongo-mcp-without-auth" }, + "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" }, "containerCpu": { "value": "1.0" }, "containerMemory": { "value": "2Gi" }, "appEnvironmentVars": { 
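Review bot: The new default for `containerImage` in main.bicep pins a tag (`mongodb/mongodb-mcp-server:1.2.0`), and a tag can be re-pushed in the registry, so the image that was validated is not guaranteed to be the image that gets deployed. Pinning by digest closes that gap: `param containerImage string = 'mongodb/mongodb-mcp-server@sha256:<digest-of-validated-1.2.0-image>'` (placeholder; take the digest from the image that was actually validated). The same applies to the `containerImage` values changed in params.json and paramsWithAuthEnabled.json. The README sentence that points readers at `latest` should also say that doing so gives up the validation this pin provides.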
@@ -15,10 +15,11 @@
 "MDB_MCP_TRANSPORT": "http",
 "MDB_MCP_LOGGERS": "disk,mcp,stderr",
 "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
- "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+ "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
 }
 },
- "authMode": { "value": "NOAUTH" },
- "mdbConnectionString": { "value": "" }
+ "mdbConnectionString": { "value": "" },
+
+ "authMode": { "value": "NOAUTH" }
 }
 }
diff --git a/deploy/azure/bicep/paramsWithAuthEnabled.json b/deploy/azure/bicep/paramsWithAuthEnabled.json
index 78c0a30d0..8ab1e0d9e 100644
--- a/deploy/azure/bicep/paramsWithAuthEnabled.json
+++ b/deploy/azure/bicep/paramsWithAuthEnabled.json
@@ -3,8 +3,8 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "containerAppEnvName": { "value": "container-app-env" },
- "containerAppName": { "value": "mongo-mcp-server-app-with-auth" },
- "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+ "containerAppName": { "value": "mongo-mcp-with-auth" },
+ "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" },
 "containerCpu": { "value": "1.0" },
 "containerMemory": { "value": "2Gi" },
 "appEnvironmentVars": {
@@ -15,7 +15,7 @@
 "MDB_MCP_TRANSPORT": "http",
 "MDB_MCP_LOGGERS": "disk,mcp,stderr",
 "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
- "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+ "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
 }
 },
 "mdbConnectionString": { "value": "" },
From 93759163614701bea46626d8b4a8a73dc21600d3 Mon Sep 17 00:00:00 2001
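Review bot: `MDB_MCP_DISABLED_TOOLS` in the second params.json hunk is a denylist, so it only covers tool names that exist in the image it was written against; any tool added in a later image is enabled unless someone extends the list. That matters most in this file because it is the sample that keeps `"authMode": { "value": "NOAUTH" }` with `"MDB_MCP_TRANSPORT": "http"`, and the README changed in this same patch invites switching to `latest`. JSON has no comment syntax, so I would put the caveat in the README next to the `latest` remark, for example `If you change the image tag, re-check MDB_MCP_DISABLED_TOOLS against that version's tool list before deploying, especially with params.json (NOAUTH).` The identical list in paramsWithAuthEnabled.json has the same property. The environment variables before line 15 and the ingress settings in main.bicep are outside these hunks, so other restrictions may already apply.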
From: anshulkhantwal <93312257+anshulkhantwal@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:35:57 +0530 Subject: [PATCH 2/4] Update deploy/azure/README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- deploy/azure/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/azure/README.md b/deploy/azure/README.md index c0cc660fd..d5906b94f 100644 --- a/deploy/azure/README.md +++ b/deploy/azure/README.md @@ -8,7 +8,7 @@ This directory contains an Azure Bicep template (`bicep/main.bicep`) and support - Azure CLI (2.55.0 or later) installed and signed in (`az login`). - Azure subscription with permissions to deploy the required resources. -- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:1.2.0). Version 1.2.0 has been validated for Azure AI Foundry compatibility when the aggregate, create-index, explain, and export tools are omitted. You can reference the `latest` tag instead if you want to experiment with newer builds. +- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:1.2.0). Version 1.2.0 has been validated for Azure AI Foundry compatibility when the aggregate, create-index, explain, and export tools are omitted (additional tools are disabled by default for security). You can reference the `latest` tag instead if you want to experiment with newer builds. ## Parameter Files From c552f4944a3087d38bd3c9b85293fee3339132f4 Mon Sep 17 00:00:00 2001 From: anshulkhantwal <93312257+anshulkhantwal@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:36:06 +0530 Subject: [PATCH 3/4] Update deploy/azure/README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- deploy/azure/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/azure/README.md b/deploy/azure/README.md index d5906b94f..263c224f5 100644 --- a/deploy/azure/README.md +++ b/deploy/azure/README.md 
@@ -24,7 +24,7 @@ Two sample parameter files are provided to help you tailor deployments: When using `bicep/paramsWithAuthEnabled.json`, provide tenant and app-specific values for the following parameters before deployment: - `authClientId`: Set to the application (client) ID of the Microsoft Entra ID app registration that represents the MongoDB MCP server API (often the managed identity or a server-side app registration). -- `authIssuerUrl`: Use the issuer URL for your tenant. Use //v2.0, and replace with the authentication endpoint for your cloud environment (for example, "https://login.microsoftonline.com" for global Azure), also replacing with the Directory (tenant) ID in which the app registration was created. +- `authIssuerUrl`: Use the issuer URL for your tenant. Use `//v2.0`, and replace with the authentication endpoint for your cloud environment (for example, "https://login.microsoftonline.com" for global Azure), also replacing with the Directory (tenant) ID in which the app registration was created. - `authTenantId`: The tenant ID (directory ID) of the Microsoft Entra tenant that owns the identities interacting with the MCP server. Obtain it via `az account show --query tenantId -o tsv`. - `authAllowedClientApps` (optional): Provide an array of application (client) IDs for every client that should be allowed to request tokens for the MongoDB MCP server (for example, front-end apps, automation scripts, or integration partners). Omit this property to allow all clients without any filtering. From 88b2e46a63145193172a4da4983c9d2d20b6ea6a Mon Sep 17 00:00:00 2001 From: anshulkhantwal <93312257+anshulkhantwal@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:36:15 +0530 Subject: [PATCH 4/4] Update deploy/azure/bicep/params.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- deploy/azure/bicep/params.json | 1 - 1 file changed, 1 deletion(-) 
diff --git a/deploy/azure/bicep/params.json b/deploy/azure/bicep/params.json
index ba3235dc8..c64ad2fc0 100644
--- a/deploy/azure/bicep/params.json
+++ b/deploy/azure/bicep/params.json
@@ -19,7 +19,6 @@
 }
 },
 "mdbConnectionString": { "value": "" },
-
 "authMode": { "value": "NOAUTH" }
 }
 }