Supercharge Your AI Agents: Securely Integrate GitHub Copilot with Azure API Management and MCP

AI agents like GitHub Copilot are transforming how we work, but their true potential lies in seamless integration with external tools and data. The Model Context Protocol (MCP) is emerging as the key to unlocking this potential. It offers a standardized way for AI models to interact with APIs, databases, and other services. Learn how to leverage it!

This article dives into how you can use MCP with Azure API Management (APIM) to create secure and efficient AI integrations, focusing on a real-world scenario: automating issue triage.

What is Model Context Protocol (MCP) and Why Should You Care?

MCP acts as a universal translator for AI agents, enabling them to communicate with various systems without needing custom connectors for each. Consider these benefits:

• Simplified Integration: Connect AI agents to local and remote data sources using a unified protocol, cutting down on development time.
• Enhanced Security: Implement robust security measures for your AI-powered workflows with centralized control.
• Improved Scalability: Build integrations that can grow with your needs, easily adding new tools and data sources as required.

MCP uses a client-host-server setup, leveraging JSON-RPC 2.0 for smooth messaging. For transport, it uses standard input/output (stdio) when client and server are together. When they are remote, it leverages HTTP and Server-Sent Events (SSE).

Securely Connecting AI Agents with Azure API Management

Azure API Management provides a comprehensive platform to publish, secure, and monitor your APIs. By treating MCP server endpoints as APIs, you gain access to enterprise-grade governance and security features. If you have an AI agent, you need to secure it.

Key benefits of using Azure API Management with MCP:

• Robust Security: Apply security policies to protect backend resources and prevent unauthorized access.
• Reliable Performance: Ensure consistent uptime and responsiveness for your AI integrations.
• Effective Monitoring: Trace requests in real-time to quickly identify and resolve issues.

Practical Example: Automating Issue Triage with GitHub Copilot, MCP, and APIM

Let's explore a real-world example: streamlining issue triage in an engineering team. Typically, this process involves manual steps transferring data between GitHub and ServiceNow. MCP, APIM and GitHub Copilot can automate this.

Traditional Workflow:

1. Engineers log bugs as GitHub issues.
2. Someone manually reviews the reported issues and then creates a matching incident ticket in ServiceNow.

Automated Workflow:

1. GitHub Copilot, integrated with GitHub and ServiceNow via MCP and APIM, automatically triages new issues and generates incident tickets.

Building Your MCP Servers

First, you'll need to build MCP servers for GitHub Issues and ServiceNow Incidents:

• GitHub Issues MCP Server: Authenticates with GitHub, retrieves user info, and lists repository issues.
• ServiceNow Incidents MCP Server: Authenticates with ServiceNow, lists existing incidents, and creates new incidents.

These servers will be secured behind Azure API Management, ensuring that all communication is protected.

Secure Client Authentication with Azure API Management

Azure API Management becomes the central hub for securing access to our MCP servers:

1. Subscription Keys: Use API Management subscriptions to generate unique keys for client access.
2. JWT Validation: Further secure /sse and /messages endpoints by validating JWTs to prevent unauthorized access.

Centralized Credential Management

Once you've registered OAuth applications in GitHub and ServiceNow, update Azure API Management's credential manager with the respective Client IDs and Secrets.

1. Centralized Storage: The Azure API management credential manager securely stores the GitHub and ServiceNow client IDs and secrets.
2. OAuth flow: API Management then performs OAuth flows to securely store and manage tokens for the 3rd party connections.

Connecting Your MCP Server to VS Code

Visual Studio Code now supports MCP, enabling GitHub Copilot to connect to MCP-compatible servers.

1. Open the command palette and type "MCP: Add Server..."
2. Select the server type as HTTP.
3. Paste in the server URL and provide a server ID.

Repeat these steps to add the ServiceNow MCP Server.

Behind the Scenes: Authentication and Authorization Flow

When a user initiates an authentication workflow, GitHub Copilot triggers the MCP server to generate an authorization request and a unique login URL. The user is redirected to a consent page managed by Azure API Management, where they grant permissions to access their GitHub account.

This diagram is the series of steps for the authorize_github command.

1. GitHub Copilot asks Azure API Management via MCP Client (VS Code).
2. The request goes to the GitHub MCP Server, which responds with tools it is capable of.
3. GitHub Copilot now starts the authorize_github tool which creates a session.
4. If it's the first login, it asks to redirect to the login URL.
5. Once logged in, it sends the authorization code to Azure API Management.
6. The API Management exchanges the code for tokens and saves an Access Control List.

Automating Tool Calling Through APIs in API Management

Tools like list_issues become powerful extensions to GitHub Copilot. When the tool is called:

1. A request comes from the MCP client to retrieve issues.
2. The MCP Server now attaches the authorization ID.
3. The issue list is now returned to the agent.

Next Steps: Building a Fully Automated Workflow

By connecting both the GitHub and ServiceNow MCP servers, GitHub Copilot can automatically extract issues from a private repo. It can even create new incidents in ServiceNow, and can be extended with tools to suggest assignees, update statuses, notify engineers, and request feedback.

By adding tools, you unlock a fully automated engineering workflow.

Azure API Management: Your Gateway to Secure and Efficient AI Integrations

By integrating MCP servers with Azure API Management, you can enable secure, agentic automation across your engineering tools. This approach streamlines workflows while ensuring enterprise-grade security and governance for all APIs. Use Azure API Management for AI agent integrations.

Additional Resources

• Using Credential Manager with Backend Services
• Client Auth for remote MCP servers
• AI lab Client Auth