
Unable to find MCP Enterprise resource (e8c77dc2-69b3-43f4-bc51-3213c9d915b4) in Entra ID tenant

Swasti Ranjan Ojha 0 Reputation points
2026-04-24T07:02:43.3066667+00:00

Hi,

I am trying to use the Microsoft Graph MCP Enterprise endpoint: https://mcp.svc.cloud.microsoft/enterprise

However, I am unable to find the MCP Enterprise resource (e8c77dc2-69b3-43f4-bc51-3213c9d915b4) under API permissions in my App Registration.

Steps I tried:

  • Navigated to Azure Portal → App Registration → API Permissions
  • Clicked "Add a permission"
  • Checked "APIs my organization uses"
  • Searched for MCP / Microsoft Graph MCP
  • Tried directly searching using the resource ID

But the resource does not appear.

Additionally, I am receiving this error when requesting token: AADSTS650057: Invalid resource

This suggests the resource is not registered in my tenant.

Questions:

  1. Is Microsoft Graph MCP Enterprise currently available for all tenants?
  2. Does it require preview enablement or tenant-level provisioning?
  3. How can I enable MCP Enterprise in my tenant?
  4. Are there any prerequisites (licenses, roles, Copilot requirements)?

I have Global Admin access in the tenant.

Thanks.

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


2 answers

  1. VEMULA SRISAI 12,615 Reputation points Microsoft External Staff Moderator
    2026-04-24T13:25:17.07+00:00

    Hello Swasti Ranjan Ojha,

    This behavior is expected and not due to a misconfiguration on your side.

    Why you cannot find the MCP Enterprise resource

    The MCP Enterprise endpoint (https://mcp.svc.cloud.microsoft/enterprise) is backed by the Microsoft MCP Server for Enterprise service.

    This service is not automatically available in all Entra ID tenants and therefore does not appear under “APIs my organization uses” unless Microsoft has provisioned it for the tenant.

    Because the service principal (e8c77dc2-69b3-43f4-bc51-3213c9d915b4) does not exist in your tenant, Entra ID correctly returns:

    AADSTS650057 – Invalid resource

    Answers to your questions:

    Is Microsoft Graph MCP Enterprise available for all tenants?

    No. MCP Enterprise is not generally available and is currently limited to preview / controlled enablement scenarios (mainly Copilot and MCP client integrations).

    Does it require preview enablement or tenant-level provisioning?

    Yes. The MCP Enterprise service must be provisioned at the tenant level by Microsoft. Global Admin permissions alone do not make the resource visible or usable.

    How can I enable MCP Enterprise in my tenant?

    There is no self‑service enablement today.

    To get it enabled, one of the following is required:

    • Tenant is onboarded to Copilot / MCP preview
    • MCP enablement through an approved Microsoft program
    • Raising a Microsoft Support ticket to check tenant eligibility for MCP Enterprise

    Until this backend provisioning happens, the resource will not show up and token requests will fail.

    Are there any prerequisites (licenses, roles, Copilot requirements)?

    • Global Admin / App Admin: Required (you already have this)
    • Tenant provisioning by Microsoft: Mandatory
    • Copilot / MCP preview access: Typically required
    • Specific licenses: Depends on the Copilot/MCP scenario, but MCP Enterprise is not a standalone public API.

  2. Q&A Assist
    2026-04-24T07:03:07.2166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. The Microsoft MCP Server for Enterprise is a Microsoft-owned service that appears in the tenant as a service principal with appId e8c77dc2-69b3-43f4-bc51-3213c9d915b4. The documentation describes how to confirm that this service principal exists in the tenant, but does not state that it is limited to specific tenants. It is treated as a built-in resource rather than something added manually via “Add a permission”. To verify that the MCP Server is present in the tenant, use Microsoft Graph or Microsoft Graph PowerShell to query service principals by appId:
      • Microsoft Graph REST:
             GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName&$filter=appId in('e8c77dc2-69b3-43f4-bc51-3213c9d915b4','aebc6443-996d-45c2-90f0-388ff96faa56')
        
      • Microsoft Graph PowerShell:
             Import-Module Microsoft.Graph.Applications
             
             Get-MgServicePrincipal -Property "id,appId,displayName" -Filter "appId in('e8c77dc2-69b3-43f4-bc51-3213c9d915b4','aebc6443-996d-45c2-90f0-388ff96faa56')"
        
    2. The MCP Server for Enterprise does not require a separate preview enrollment step in the documentation provided. It is a Microsoft-owned service that can be disabled but not deleted. If needed, it can be disabled via Microsoft Graph by setting accountEnabled to false on its service principal:
         PATCH https://graph.microsoft.com/v1.0/servicePrincipals(appId='e8c77dc2-69b3-43f4-bc51-3213c9d915b4')
         {
           "accountEnabled": false
         }
      
      There is no additional tenant-level provisioning step described beyond ensuring the service principal exists.
    3. To enable and use the Microsoft MCP Server for Enterprise with a custom MCP client:
      1. Register a client application in Microsoft Entra ID (single-tenant) and configure it as a confidential client (Web app/API) with an appropriate redirect URI.
      2. Record the client ID and tenant ID.
      3. Grant delegated permissions (MCP scopes) to the client app. The MCP Server exposes delegated scopes that mirror Microsoft Graph scopes with the MCP. prefix (for example, MCP.User.Read.All). These are managed via Microsoft Entra PowerShell rather than by searching for the resource in the “Add a permission” UI:
              Grant-EntraBetaMCPServerPermission -ApplicationId "<MCP_Client_Application_Id>" -Scopes "<Scope1>", "<Scope2>", "<...>"
        
        To revoke:
              Revoke-EntraBetaMCPServerPermission -ApplicationId "<MCP_Client_Application_Id>" -Scopes "<Scope1>", "<Scope2>", "<...>"
        
      4. Use only delegated permissions; app-only flows are not supported. The MCP Server is for user-interactive scenarios.
      5. Confirm the available MCP scopes by querying the MCP Server service principal’s oauth2PermissionScopes via Microsoft Graph and use scopes where isEnabled is true.
      The list of supported MCP scopes includes, for example, MCP.User.Read.All, MCP.GroupMember.Read.All, MCP.Organization.Read.All, and others. The naming pattern is MCP.{microsoft-graph-scope-name}. The AADSTS650057 “Invalid resource” error aligns with the fact that the MCP Server is not used like a normal resource you pick via “Add a permission” in the portal. Instead, permissions are granted using the dedicated PowerShell cmdlets against the MCP Server service principal.
    4. Prerequisites and requirements from the provided documentation:
      • The MCP Server for Enterprise supports only delegated permissions and only read-only operations; write actions are not allowed.
      • The client must be a confidential client (Web app/API) with a proper redirect URI configured in the app registration.
      • For Copilot Studio integration, an admin must complete the MCP onboarding wizard, create a connection, sign in with a tenant admin account, and then test queries such as “How many users are in my tenant?” to verify that the MCP Server tools can call Microsoft Graph.
      • For Copilot Studio scenarios, if a 403 Forbidden occurs when querying Graph data, the signed-in user must have appropriate Entra directory roles for the requested operations, and a fresh connection may be required if roles were recently assigned.
      The documentation does not list specific license SKUs or Copilot purchase requirements for the MCP Server itself, but Copilot Studio usage naturally requires access to Copilot Studio and Power Platform environments as described.
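
Added example (not part of either answer or of Microsoft's documentation): the two answers disagree on whether the service principal is present by default, so this sketch classifies a tenant from the result of the `servicePrincipals` query shown above and checks which requested scopes are actually enabled. The sample responses, the `triage` helper and the extra `$select` fields are assumptions constructed for illustration.

```python
import json

MCP_SERVER_APP_ID = "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"  # appId quoted on this page

# Constructed sample responses (not real tenant data) for:
# GET /v1.0/servicePrincipals?$filter=appId eq '<appId>'
#     &$select=appId,displayName,accountEnabled,oauth2PermissionScopes
SAMPLE_PRESENT = json.loads("""
{"value": [{
  "appId": "e8c77dc2-69b3-43f4-bc51-3213c9d915b4",
  "displayName": "Microsoft MCP Server for Enterprise",
  "accountEnabled": true,
  "oauth2PermissionScopes": [
    {"value": "MCP.User.Read.All", "isEnabled": true},
    {"value": "MCP.GroupMember.Read.All", "isEnabled": true},
    {"value": "MCP.Organization.Read.All", "isEnabled": false}
  ]
}]}
""")
SAMPLE_ABSENT = {"value": []}


def triage(response, requested_scopes):
    """Classify the tenant state and split requested scopes into usable/unusable."""
    sp = next((s for s in response.get("value", [])
               if str(s.get("appId", "")).lower() == MCP_SERVER_APP_ID), None)
    if sp is None:
        # No service principal: the state the first answer ties to AADSTS650057.
        return {"state": "absent", "grantable": [], "rejected": sorted(requested_scopes)}
    # Only enabled scopes carrying the MCP. prefix are candidates for a grant.
    enabled = {s["value"] for s in sp.get("oauth2PermissionScopes", [])
               if s.get("isEnabled") and s.get("value", "").startswith("MCP.")}
    grantable = sorted(set(requested_scopes) & enabled)
    rejected = sorted(set(requested_scopes) - enabled)
    # accountEnabled=false is the "disabled but not deleted" case from the second answer.
    state = "ready" if sp.get("accountEnabled", False) else "disabled"
    return {"state": state, "grantable": grantable, "rejected": rejected}


if __name__ == "__main__":
    wanted = ["MCP.User.Read.All", "MCP.Organization.Read.All", "User.Read.All"]
    for name, resp in (("present", SAMPLE_PRESENT), ("absent", SAMPLE_ABSENT)):
        print(name, triage(resp, wanted))
```

Requesting only the scopes that land in `grantable` keeps the client's delegated grant limited to what the server actually exposes.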
