{"id":22324,"date":"2026-02-12T09:05:00","date_gmt":"2026-02-12T17:05:00","guid":{"rendered":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/?p=22324"},"modified":"2026-02-26T09:14:54","modified_gmt":"2026-02-26T17:14:54","slug":"protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance","status":"publish","type":"post","link":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/","title":{"rendered":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">When we gave our Microsoft 365 Copilot agents a simple way to connect to tools and data with Model Context Protocol (MCP), the work spoke for itself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Answers got sharper. Delivery sped up. New patterns of development emerged across teams working with Copilot agents.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That ease of communication, however, comes with a responsibility: <em>Protect the conversation<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Questions came up like, who\u2019s allowed to speak? What can they say? And what should never leave the room?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Digital, the company\u2019s IT organization, and the Chief Information Security Officer (CISO) team, our internal security organization, are leaning on those questions to help us shape our strategy and tooling around MCP internally at Microsoft.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Swetha-Kumar.png\" alt=\"A photo of Kumar. 
\" class=\"wp-image-22328\" style=\"width:150px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Swetha-Kumar.png 500w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Swetha-Kumar-300x300.png 300w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Swetha-Kumar-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cWith MCP, the problem is not the inherent design; it\u2019s that every improper server implementation becomes a potential vulnerability. Even one misconfigured server can give the AI the keys to your data.\u201d<\/p>\n<cite>Swetha Kumar, security assurance engineer, Microsoft CISO<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Our approach is intentionally straightforward. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start secure by default. Use trusted servers. Keep a living catalog so we always know which voices are in the room. Shape how agents communicate by requiring consent before making changes. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We minimize what\u2019s shared outside our walls, watch for drift, and act when something looks off. 
Our goal is practical governance that lets builders move fast while keeping our data safe.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s the risk we design for, and it\u2019s why our controls prioritize clear ownership, simple choices, and visible guardrails.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWith MCP, the problem is not the inherent design; it\u2019s that every improper server implementation becomes a potential vulnerability,\u201d says Swetha Kumar, a security assurance engineer in the Microsoft 
CISO organization. \u201cEven one misconfigured server can give the AI the keys to your data.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding MCP and the need for security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">MCP is a simple standard that lets AI systems \u201ctalk\u201d to the right tools and data without custom integration work. Think of it like USB\u2011C for AI. Instead of building a new connection every time, teams plug into a common pattern. That standardization delivers speed and flexibility\u2014but it also changes the security equation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before MCP, every integration was its own isolated conversation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cNow, one pattern can unlock many systems,\u201d Kumar says. \u201cIt\u2019s a win and a risk. When AI can reach more systems with less effort, we must be precise about who\u2019s allowed to speak, what they can say, and how much gets shared.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We frame this as communications security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The question isn\u2019t just, \u201cIs this API secure?\u201d It\u2019s \u201cIs this a conversation we trust?\u201d We want to know which servers are in the room, what actions they\u2019re permitted to take, and how we\u2019ll notice if something changes. At the same time, we keep the cognitive load low for builders. They choose from trusted options, see clear prompts before an agent makes edits, and move on. Simple choices lead to safer outcomes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cMCP enables granular control over the tools and resources exposed to the Large Language Model,\u201d Kumar says. 
\u201cBut that means the developer is responsible for configuring it correctly\u2014which tools an agent can see, what actions a server can take, and what context is shared.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This approach helps both sides.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Product teams get a consistent way to extend their agents while security teams get consistent places to add guardrails\u2014at discovery, access, and throughout the flow of requests and responses. Everyone operates from the same playbook.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we treat MCP this way, we protect the conversation without slowing it down. We know who\u2019s speaking. We know what they can do. And we can prove it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Assessing MCP security across four layers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Every MCP session creates a conversation graph. An agent discovers a server, ingests its tool descriptions, adds credentials and context, and starts sending requests. Each step\u2014metadata, identity, content, and code\u2014introduces potential risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We evaluate those risks across four layers so we can catch failures early, contain blast radius, and keep conversations in bounds.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, the big picture is just as important as the details.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWe take a holistic view of MCP security: start with the ecosystem, then specify controls across the four layers,\u201d Kumar says. \u201cThe layers make the work concrete, but the goal stays the same\u2014unified governance, shared education, and faster detect-and-mitigate when a server is at risk.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Applications and agents layer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is where user intent meets execution. 
Agents parse prompts, discover tools, select actions, and request changes. MCP clients live here, deciding which servers to trust and when to ask for user consent.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">What can go wrong\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Tool poisoning or shadowing. <\/strong>A server advertises safe\u2011looking actions but performs something else.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Silent swaps.<\/strong> A tool\u2019s metadata changes and the client keeps trusting an altered \u201cvoice.\u201d<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>No sandbox.<\/strong> The agent can request edits or run code without strong guardrails.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-block-list-item\">What we watch for\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Unexpected tool descriptions or capabilities at connect time.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Edit attempts on critical resources without explicit user consent.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Abnormal tool\u2011selection patterns across sessions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>AI platform layer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The AI platform layer includes the AI models and runtimes that interpret prompts and call tools, along with orchestration logic and safety features.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">What can go wrong\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Model supply\u2011chain drift.<\/strong> Unvetted models, unsafe updates, or compromised fine\u2011tunes change behavior.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Prompt injection via tool text. 
<\/strong>Descriptions and responses steer the model toward unsafe actions.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-block-list-item\">What we watch for\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Model provenance and update cadence tied to agent behavior changes.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Signals of jailbreaks or instruction overrides in prompts and intermediate messages.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Output drift linked to specific tools or servers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Data layer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This layer covers business data, files, and secrets the conversation can touch.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">What can go wrong\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Context oversharing. <\/strong>Session data, files, or secrets get packed into the model\u2019s context and leak to a third\u2011party server.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Over\u2011scoped credentials. 
<\/strong>Long\u2011lived tokens, broad scopes, or wrong audience claims enable lateral movement.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-block-list-item\">What we watch for\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Size and sensitivity of context passed to tools.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Token hygiene, including short lifetimes, least\u2011privilege scopes, and correct audience claims.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Data egress patterns that don\u2019t match a tool\u2019s declared purpose.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Infrastructure layer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The infrastructure layer includes compute, network, and runtime environments.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">What can go wrong\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Local servers with too much reach. <\/strong>Excessive access to environment variables, file systems, or system processes.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Cloud endpoints without a gateway.<\/strong> No TLS enforcement, rate limiting, or centralized logging.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Open egress. <\/strong>Servers call out to the internet where they shouldn\u2019t.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-block-list-item\">What we watch for\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">All remote MCP servers registered behind the API gateway.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Runtime signals, such as authentication failures, burst traffic, or unusual geographies.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Network policies that restrict outbound calls to certain targets.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Across all four layers, the throughline is AI communications security. 
We decide who can speak and verify what was said\u2014and keep listening for change.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Establishing a secure-by-default strategy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We start by closing the front door. We recommend every remote MCP server sits behind our API gateway, giving us a single place to authenticate, authorize, rate\u2011limit, and log. There are no direct calls and no blind spots.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Prabitha-Enjeti.png\" alt=\"A photo of Enjeti\" class=\"wp-image-22329\" style=\"width:150px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Prabitha-Enjeti.png 500w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Prabitha-Enjeti-300x300.png 300w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Prabitha-Enjeti-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cEverything we do starts with securing the MCP server by default and that begins by registering it in API Center for easier discovery. We rely solely on vetted and attested MCP servers, ensuring every call comes from a trusted footprint.\u201d<\/p>\n<cite>Prathiba Enjeti, principal PM manager, Microsoft CISO<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Next, we decide who gets a voice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Teams choose from a vetted list of MCP servers. If someone connects to an unapproved endpoint, they receive a friendly nudge and a clear path to register it. 
No shaming\u2014just fast correction and a better inventory the next time around.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Identity comes next. Servers expect short\u2011lived, least\u2011privilege tokens with the right scopes and audience. Admin paths require strong authentication, and where possible, we use proof\u2011of\u2011possession to bind tokens to the client and reduce replay risk. Secrets don\u2019t live in code, keys rotate, and audit trails are in place.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cEverything we do starts with making the MCP server secure by default and that begins by registering it in API Center for easier discovery,\u201d says Prathiba Enjeti, a principal product manager in the Microsoft CISO organization. \u201cWe only use vetted and attested MCP servers. That\u2019s how we keep the conversation safe without slowing it down.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the client side, we slow agents at the right moments. Agents can\u2019t touch high\u2011risk tools without explicit consent. Tool descriptions are verified on connection and compared to approved contracts. If a tool\u2019s \u201cvoice\u201d drifts, we block the call.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also minimize what\u2019s shared.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Context is trimmed to what the task requires. Sensitive data isn\u2019t included by default, and third\u2011party servers get only what they need\u2014not the whole transcript. Output filters and prompt shields sit alongside the model to prevent risky inputs from becoming risky actions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Isolation completes the design. Local servers run in containers with tight file and network permissions. 
Hosted servers allow only the outbound calls they need, and inbound traffic flows through the gateway, with TLS and logging enforced.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Simple rules with visible guardrails.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWe only use vetted MCP servers,\u201d Enjeti says. \u201cThat\u2019s how we keep the conversation safe without slowing it down.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How we run MCP at scale: architecture, vetting, and inventory<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We keep MCP safe by making three things intentionally boring: architecture, vetting, and inventory. One defined path. One vetting flow. One living catalog.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Architecture<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We recommend remote MCP servers sit behind an API gateway, giving us a single place to authenticate, authorize, validate, rate\u2011limit, and log. Transport Layer Security (TLS) is required by default, and for sensitive endpoints, we can require mutual TLS. Outbound egress is pinned to approved destinations using private endpoints and firewall rules, so servers can\u2019t \u201ccall anywhere.\u201d Runtime protection continuously watches for credential abuse, injection patterns, burst traffic, and odd geographies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Identity is established up front. We issue short\u2011lived, least\u2011privilege tokens with the correct audience and scopes, and admin paths require strong authentication. Where supported, tokens are bound to the client to reduce replay risk. Services use managed identities or signed credentials; secrets don\u2019t live in code, and keys rotate on schedule.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Model\u2011side safety travels with every conversation. 
Content safety and prompt shields help models ignore risky inputs, while orchestration enforces a per\u2011tool allowlist, so an agent can\u2019t call tools that aren\u2019t in policy\u2014even if the model suggests it. We also track model versions, allowing behavior changes to be correlated with updates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Clients enforce consent at the edge. \u201cAsk before edits\u201d is enabled by default for write, delete, and configuration changes. When an agent connects, it verifies tool descriptions against the approved contract.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Observability ties it all together. We\u2019re working toward logging tool calls, resource access, and authorization decisions end\u2011to\u2011end with correlation IDs. Detections flag abnormal tool selection, unexpected data egress, or edits without consent. Every server has an owner, a contract, and an approval record, and metadata changes automatically trigger re\u2011review. Kill switches live at both the client and the gateway when we need them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vetting<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We don\u2019t \u201cconnect and hope.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before any MCP server can speak in our environment, it earns trust. Owners declare what the server does (tools and actions), what it touches (data categories and exports), how callers authenticate (scopes and audience), and where it runs (runtime and on\u2011call ownership).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We start with static checks: manifests must match the contract, side\u2011effecting actions must be consent\u2011gated, tokens must be short\u2011lived and properly scoped. An SBOM (Software Bill of Materials) must be present, dependencies must be current, and no credentials can be embedded in code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Then we test like a client would. 
We snapshot tool metadata on connect and compare it to the approved contract, probe for prompt\u2011injection and tool\u2011poisoning, and verify that \u201cask before edits\u201d triggers for destructive actions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also confirm context minimization, validate that egress is pinned to approved hosts, and test resilience under load, including health checks, retry behavior, and isolation using containers with least\u2011privilege file and network access. Servers are published only when security, privacy, and responsible AI reviews are complete, runbooks and on\u2011call are in place, and the registry entry is created and pinned.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Inventory<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Priya-Janardhanan.png\" alt=\"A photo of Janardhanan\" class=\"wp-image-22330\" style=\"width:150px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Priya-Janardhanan.png 500w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Priya-Janardhanan-300x300.png 300w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Priya-Janardhanan-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cInventory is the foundation\u2014if we miss a server, we miss the conversation. 
Every server, regardless of where it\u2019s running or how it\u2019s deployed, must be accounted for in our system.\u201d<\/p>\n<cite>Priya Janardhanan, principal security assurance engineering manager, Microsoft CISO<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">You can\u2019t govern what you can\u2019t see, and MCP shows up in more places than a single system of record. To solve that, we\u2019re building the map from signals and stitching them into one catalog.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cInventory is the foundation\u2014if we miss a server, we miss the conversation,\u201d says Priya Janardhanan, a principal security assurance engineering manager at Microsoft CISO Operations. \u201cEvery server, regardless of where it\u2019s running or how it\u2019s deployed, must be accounted for in our system. Without a complete inventory, we lose visibility into critical operations, risk exposing sensitive data, and undermine our ability to ensure compliance and security.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our goal state is that endpoint telemetry catches developer\u2011run servers on laptops and workstations. Repos and CI pipelines reveal intent before anything ships. IDEs (Integrated Development Environments) surface local extensions and configured endpoints. The gateway and our registries anchor what\u2019s approved for business data, while low\u2011code environments tell us which connectors are in use and where they point.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We normalize and correlate those signals with stable IDs for servers, tools, and owners. Ownership is proven through repositories, gateway services, and environment administrators\u2014on\u2011call contacts included. 
Exposure is scored based on data touches, scopes requested, egress rules, and change history, so high\u2011risk items rise to the top of the queue.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Freshness is tracked with last\u2011seen timestamps, and stale entries are retired over time. Builders can discover and reuse approved servers; reviewers can see what changed since the last approval, and admins get instant visibility into coverage and hotspots.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re working toward automated identification and notification for unknown servers. In the ideal state, a registration stub is created when we detect an unknown server on an endpoint. Then, the likely owner is notified, and direct calls are blocked until the server is vetted through an automated process. If tool metadata changes after approval, high-risk actions are paused and routed for re-review, then auto-resumed once approved.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cIt all revolves around inventory as the foundation,\u201d Janardhanan says. 
\u201cIf we miss a server, we miss the conversation.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Aisha-Hasan.png\" alt=\"A photo of Hasan\" class=\"wp-image-22331\" style=\"width:150px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Aisha-Hasan.png 500w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Aisha-Hasan-300x300.png 300w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/Aisha-Hasan-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cAgent 365 tooling servers will allow centralized governance for IT admins. That means a single pane where they can see what\u2019s approved, who owns it, what data it touches, and then apply policy.\u201d<\/p>\n<cite>Aisha Hasan, principal product manager, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Architecture gives us stable choke points. Vetting keeps weak servers out. Inventory keeps our map current. It\u2019s a single pattern for builders and a unified playbook for security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Governing agents in low\u2011code and pro-code scenarios<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Makers move fast\u2014that\u2019s the point. A Customer Support team needed a Copilot action to pull case history, so they opened Copilot Studio, selected an approved MCP connector, and shipped a first version before lunch. No tickets. No detours. 
Governance showed up in the flow, not as a blocker.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAgent 365 tooling servers will allow centralized governance for IT admins,\u201d says Aisha Hasan, a principal product manager at Microsoft Digital. \u201cThat means a single pane where they can see what\u2019s approved, who owns it, what data it touches, and then apply policy. We\u2019re moving toward that consolidation so innovation continues while governance gets simpler and more consistent.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We place guardrails where makers already work. In Copilot Studio, trusted and verified first-party MCP servers are allowed in developer environments to accelerate innovation and encourage experimentation. Riskier or complex MCP integration is available in Copilot Studio custom environments and other pro-code tools such as Microsoft 365 Agents Toolkit in VS Code and Microsoft Foundry, but only with clear checks: service ownership, security and privacy review, responsible AI assessment, and consent gating for high\u2011impact actions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The allowlist is our north star.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Approved MCP servers and connectors live in one catalog with documented owners, scopes, and data boundaries. Makers choose from that shelf. If an MCP server uses an unverified tool, we enforce endpoint filtering. If there is misconfiguration, we open a task for the owner and help them build securely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Permissions stay tight without adding cognitive load. Tokens are short\u2011lived and scoped to the task. Context is trimmed so only the necessary fields flow to the tool. Third\u2011party servers never get the full transcript. If a connector\u2019s capabilities change, the runtime compares the new \u201cvoice\u201d to what we approved. 
MCP clients should pause risky actions, notify the owner, and resume automatically once reviewed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With agent inventory in Power Platform Admin Center and registry in Agent 365, admins get a clean view of which connectors are active, who owns them, what data they touch, and how often they\u2019re called. Organization policies such as DLP and MIP can be enforced in a unified way, with a re\u2011review when capabilities change. The goal is simple: let builders innovate confidently and securely while maintaining security and compliance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cMCP servers are powerful AI tools that enable agents to seamlessly integrate and interact with enterprise data and transform business workflows,\u201d Hasan says. \u201cThat means the same enterprise data and governance principles are applied equally to MCP servers and other connectors. A robust inventory, an agile policy framework, and an automated workflow for enforcement are cornerstones for successfully governing agents at scale.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Securing MCP at scale: Operating, monitoring, and enabling<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our work doesn\u2019t stop at go\u2011live. Once an MCP server is in the catalog, we operate the conversation like a service: measurable, observable, and responsive. Identity and policy guard the front door, but runtime is where we prove the controls work without slowing anyone down.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, operating MCP at scale comes down to four motions:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Observe<\/strong> <strong>every tool call end to end<\/strong>. We make the flow observable. Every tool call carries a correlation ID from client to gateway to server and back. Prompts, tool selections, authorization decisions, and resource access should be logged with consistent schemas. 
Golden signals\u2014latency, errors, saturation\u2014sit alongside safety signals like unexpected egress or edits without consent. Owners and security teams see the same dashboards.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Detect drift and abnormal behavior early<\/strong>. Detection lives close to the work. We flag abnormal tool patterns, spikes in write operations, burst traffic from new geographies, and context sizes that don\u2019t fit a task. We continuously compare a tool\u2019s \u201cvoice\u201d at connect time to the approved version; drift automatically pauses risky actions and pings the owner. Cost controls double as guardrails, using rate limits and budgets to cap blast radius and surface runaway loops early.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Respond<\/strong> <strong>with precision instead of blunt shutdowns<\/strong>. Response is graded, not binary. We can block destructive actions and allow reads, or throttle a noisy client without killing the session. Kill switches exist at both the client and the gateway. Playbooks are pre\u2011approved and integrated into the consoles owners already use, and dry runs are part of muscle memory, so the first switch flip doesn\u2019t happen during an incident.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We treat model behavior as part of operations. Content safety and prompt shields run in production, not just in tests. We pin model versions and watch for output drift after updates. If a model starts suggesting tools out of character, the owner gets paged with the exact prompts and calls that triggered it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Telemetry respects privacy. Logs avoid sensitive payloads by default and mask what must pass through for forensics. 
Access is role\u2011based, retention follows policy, and audit readiness is designed in on day one.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Enable builders through templates, education, and reuse<\/strong>. Adoption and education run in parallel. Builders get templates that encode best practices: sample manifests with consent gates, CI checks for token scope and SBOMs, and gateway stubs with sane defaults. A \u201cten\u2011minute preflight\u201d runs locally to verify contracts, test consent flows, and check egress before a pull request is opened. IDE lint rules catch common issues early.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThis is how we operate MCP at scale,\u201d says Janardhanan. \u201cObserve the conversation, detect drift early, respond with precision, and teach habits that make the right path the easy path. We run it like a product because that\u2019s what it is.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Measuring results and moving forward<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This program has changed how we build. Reviews move faster because every server follows the same path. Drift is caught early because clients compare a tool\u2019s \u201cvoice\u201d on connection. Shadow servers decline as inventory fills in from endpoint, repo, IDE, and gateway signals. Reuse increases because teams can discover trusted servers instead of creating new ones. Incidents resolve faster with correlation IDs across the conversation and kill switches at both the client and the gateway.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s also changed how our admins work. One gateway means one perimeter to manage. Policies land once and apply everywhere. Owners see the same telemetry security sees, so fixes happen where the work happens.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Going forward, we\u2019re focused on more consolidation and automation. 
We\u2019re moving toward a single pane for MCP governance\u2014approve, monitor, and pause from one place. Policy-as-code will keep allowlists, consent rules, and egress boundaries versioned and testable in CI.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our preflight checks will get smarter, with stronger injection tests, automatic egress validation, and environment\u2011aware templates. We\u2019ll expand consent patterns so high\u2011impact actions remain explicit and auditable, even across multi\u2011tool chains. And we\u2019ll keep shrinking re\u2011review time, so drift is measured in minutes, not days.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AI conversations are now part of how we build every day. MCP standardizes how agents talk to tools and data. Secure\u2011by\u2011default architecture, rigorous vetting, and a living inventory ensure the right voices stay in the room, only what\u2019s needed is shared, and drift is caught early.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result is simple: teams ship faster with fewer surprises, and governance stays visible without getting in the way. 
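To make the ten-minute preflight and the policy-as-code plan described above concrete, here is an added Python lint (written for this page, not Microsoft's preflight or templates) that checks a server manifest against a policy kept as code: an owner is recorded, every write tool requires consent, egress stays within an allowlist, token lifetime is capped, and no granted scope goes unused by any tool. The manifest keys, policy values, hosts, and scope names are hypothetical; the weak manifest is shown beside its hardened form so the same check can be run on both.

```python
"""Preflight lint for an MCP server manifest, run before a pull request opens.

Added example, not Microsoft's preflight or template. The manifest layout
(owner, tools[].write/consent/egress/scopes, token.scopes/lifetime_minutes)
and the policy values are hypothetical; the article only says that allowlists,
consent rules and egress boundaries are kept as versioned code checked in CI.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" fails the preflight, "warn" is reported only
    rule: str
    detail: str


# Policy as code: lives next to the server, versioned and reviewed like it.
POLICY = {
    "egress_allow": {"graph.microsoft.com", "tickets.internal.example"},
    "max_token_minutes": 60,
}


def lint_manifest(manifest: dict, policy: dict = POLICY) -> list:
    findings = []
    if not manifest.get("owner"):
        findings.append(Finding("error", "owner",
                                "no owner recorded; nobody gets paged on drift"))
    used_scopes = set()
    for tool in manifest.get("tools", []):
        name = tool["name"]
        used_scopes.update(tool.get("scopes", []))
        # Consent rule: anything that can change state must gate on the user.
        if tool.get("write") and tool.get("consent") != "required":
            findings.append(Finding("error", "consent",
                                    f"{name} writes but does not require consent"))
        # Egress boundary: every host a tool talks to must be on the allowlist.
        for host in tool.get("egress", []):
            if host not in policy["egress_allow"]:
                findings.append(Finding("error", "egress",
                                        f"{name} reaches {host}, not on the allowlist"))
    token = manifest.get("token", {})
    # Short-lived by default.
    if token.get("lifetime_minutes", 0) > policy["max_token_minutes"]:
        findings.append(Finding("error", "token-lifetime",
                                f"{token['lifetime_minutes']} min exceeds "
                                f"{policy['max_token_minutes']}"))
    # Least privilege: a scope no tool declares is exposure with no purpose.
    for scope in sorted(set(token.get("scopes", [])) - used_scopes):
        findings.append(Finding("warn", "scope",
                                f"{scope} is granted but no tool uses it"))
    return findings


def preflight_passes(findings: list) -> bool:
    return not any(f.severity == "error" for f in findings)


# Constructed sample: a manifest as a builder might first write it.
WEAK_MANIFEST = {
    "server": "ticket-helper",
    "owner": "",
    "tools": [
        {"name": "search_tickets", "write": False, "scopes": ["Tickets.Read"],
         "egress": ["tickets.internal.example"]},
        {"name": "update_ticket", "write": True, "consent": "none",
         "scopes": ["Tickets.ReadWrite"], "egress": ["tickets.internal.example"]},
        {"name": "export_report", "write": False, "scopes": ["Tickets.Read"],
         "egress": ["paste.example.net"]},
    ],
    "token": {"scopes": ["Tickets.Read", "Tickets.ReadWrite", "Mail.ReadWrite"],
              "lifetime_minutes": 480},
}

# Constructed sample: the same manifest after every finding is addressed.
HARDENED_MANIFEST = {
    "server": "ticket-helper",
    "owner": "ticket-helper-owners@contoso.example",
    "tools": [
        {"name": "search_tickets", "write": False, "scopes": ["Tickets.Read"],
         "egress": ["tickets.internal.example"]},
        {"name": "update_ticket", "write": True, "consent": "required",
         "scopes": ["Tickets.ReadWrite"], "egress": ["tickets.internal.example"]},
        {"name": "export_report", "write": False, "scopes": ["Tickets.Read"],
         "egress": ["tickets.internal.example"]},
    ],
    "token": {"scopes": ["Tickets.Read", "Tickets.ReadWrite"], "lifetime_minutes": 30},
}


if __name__ == "__main__":
    for f in lint_manifest(WEAK_MANIFEST):
        print(f"{f.severity:5} {f.rule:14} {f.detail}")
    print("hardened passes:", preflight_passes(lint_manifest(HARDENED_MANIFEST)))
```

Run as a pre-commit hook or the first step of the CI job, the lint fails on any error-level finding, so the pull request cannot open with a write tool that skips consent or a tool that egresses to an unlisted host, while the unused-scope warning is surfaced to the builder without blocking them.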
We\u2019ll keep tightening the loop, so saying yes remains both easy and safe.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge.png\" alt=\"\" class=\"wp-image-19493\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge.png 190w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Key takeaways<\/p>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re implementing MCP security, consider these key actions to ensure secure, efficient adoption in your organization:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Build governance into the maker flow.<\/strong> Embed security, consent, and responsible AI checks directly where teams build\u2014so protection shows up by default, not as an afterthought.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Maintain a single allowlist and catalog.<\/strong> Centralize approved MCP servers and connectors with clear ownership, scope, and data 
boundaries.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Enforce scoped, short-lived permissions by default.<\/strong> Automatically limit token scope and duration to minimize risk and exposure.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Monitor continuously and detect drift early.<\/strong> Observe activity, flag deviations, and pause risky actions until reviewed and approved by owners.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Automate incident response and controls.<\/strong> Leverage pre-approved playbooks, kill switches, and rate limits for fast, precise action.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Design for privacy and auditability from day one.<\/strong> Mask sensitive data, restrict log access by role, and ensure audit readiness.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Promote education and reuse.<\/strong> Provide templates, training, and feedback loops to encourage safe development and adoption of trusted servers.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge.png\" alt=\"\" class=\"wp-image-19492\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge.png 190w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge-150x150.png 150w\" 
sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Try it out<\/p>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/training\/support\/mcp-get-started?OCID=InsideTrack_Product_10799\" target=\"_blank\" rel=\"noreferrer noopener\">Get started with MCP Server.<\/a><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge.png\" alt=\"\" class=\"wp-image-19491\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge.png 190w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Related links<\/p>\n<\/div>\n\n\n\n<ul style=\"margin-top:var(--wp--preset--spacing--spacing-20)\" class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/training\/support\/mcp\" 
target=\"_blank\" rel=\"noreferrer noopener\">Learn more about MCP Server.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/azure\/api-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">Explore Azure API Management documentation to secure and govern MCP servers behind a single gateway.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-copilot-studio\/guidance\/kit-configure-compliance-hub\" type=\"link\" id=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-copilot-studio\/guidance\/kit-configure-compliance-hub\" target=\"_blank\" rel=\"noreferrer noopener\">Get started with Copilot Studio Kit Compliance Hub.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/microsoft-copilot-studio\/security-compliance-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Get started with Microsoft Copilot Studio security and compliance for custom connectors and actions.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/security\/zero-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\">Understand Microsoft\u2019s Zero Trust guidance for app\u2011to\u2011app communication.<\/a><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge.png\" alt=\"\" 
class=\"wp-image-19490\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge.png 190w, https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">We&#8217;d like to hear from you!<\/p>\n<\/div>\n\n\n\n<ul style=\"margin-top:var(--wp--preset--spacing--spacing-20)\" class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"mailto:msitstaff@microsoft.com\">Want more information? Email us and include a link to this story and we\u2019ll get back to you.<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>When we gave our Microsoft 365 Copilot agents a simple way to connect to tools and data with Model Context Protocol (MCP), the work spoke for itself. Answers got sharper. Delivery sped up. New patterns of development emerged across teams working with Copilot agents. 
That ease of communication, however, comes with a responsibility: Protect the [&hellip;]<\/p>\n","protected":false},"author":92,"featured_media":22326,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[71,1],"tags":[864,199,850,237,827,849,848],"coauthors":[550],"class_list":["post-22324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-uncategorized","tag-agent","tag-ai","tag-end-user-services-and-support","tag-governance","tag-microsoft-365-copilot","tag-network-and-infrastructure","tag-security-and-risk-management","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at Microsoft.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track Blog\" \/>\n<meta 
property=\"og:description\" content=\"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at Microsoft.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-12T17:05:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-26T17:14:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2300\" \/>\n\t<meta property=\"og:image:height\" content=\"1293\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jason Kellington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jason Kellington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/\"},\"author\":{\"name\":\"Jason Kellington\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\"},\"headline\":\"Protecting AI conversations at Microsoft with Model Context Protocol security and governance\",\"datePublished\":\"2026-02-12T17:05:00+00:00\",\"dateModified\":\"2026-02-26T17:14:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/\"},\"wordCount\":3988,\"image\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/02\\\/10799_Hero-image.jpg\",\"keywords\":[\"Agent\",\"AI\",\"End user services and support\",\"governance\",\"Microsoft 365 Copilot\",\"Network and infrastructure\",\"Security and risk 
management\"],\"articleSection\":[\"Featured\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/\",\"url\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/\",\"name\":\"Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/02\\\/10799_Hero-image.jpg\",\"datePublished\":\"2026-02-12T17:05:00+00:00\",\"dateModified\":\"2026-02-26T17:14:54+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\"},\"description\":\"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at 
Microsoft.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#primaryimage\",\"url\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/02\\\/10799_Hero-image.jpg\",\"contentUrl\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/02\\\/10799_Hero-image.jpg\",\"width\":2300,\"height\":1293,\"caption\":\"We\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory to deliver a faster, safer agent development environment at Microsoft.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting AI conversations at Microsoft with Model Context Protocol security and governance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does 
IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\",\"name\":\"Jason Kellington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g194a4f0f478cef34134d870cc64e1068\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g\",\"caption\":\"Jason Kellington\"},\"url\":\"https:\\\/\\\/newed.any0.dpdns.org\\\/insidetrack\\\/blog\\\/author\\\/v-jaske\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track Blog","description":"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at Microsoft.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/","og_locale":"en_US","og_type":"article","og_title":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track Blog","og_description":"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at Microsoft.","og_url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/","og_site_name":"Inside Track Blog","article_published_time":"2026-02-12T17:05:00+00:00","article_modified_time":"2026-02-26T17:14:54+00:00","og_image":[{"width":2300,"height":1293,"url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","type":"image\/jpeg"}],"author":"Jason Kellington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jason Kellington","Est. 
reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#article","isPartOf":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/"},"author":{"name":"Jason Kellington","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6"},"headline":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance","datePublished":"2026-02-12T17:05:00+00:00","dateModified":"2026-02-26T17:14:54+00:00","mainEntityOfPage":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/"},"wordCount":3988,"image":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#primaryimage"},"thumbnailUrl":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","keywords":["Agent","AI","End user services and support","governance","Microsoft 365 Copilot","Network and infrastructure","Security and risk management"],"articleSection":["Featured"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/","url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/","name":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance - Inside Track 
Blog","isPartOf":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#primaryimage"},"image":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#primaryimage"},"thumbnailUrl":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","datePublished":"2026-02-12T17:05:00+00:00","dateModified":"2026-02-26T17:14:54+00:00","author":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6"},"description":"Discover how we\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory at Microsoft.","breadcrumb":{"@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#primaryimage","url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","contentUrl":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","width":2300,"height":1293,"caption":"We\u2019re streamlining MCP governance through secure-by-default architecture, automation, and inventory to deliver a faster, safer agent development environment at 
Microsoft."},{"@type":"BreadcrumbList","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/protecting-ai-conversations-at-microsoft-with-model-context-protocol-security-and-governance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Protecting AI conversations at Microsoft with Model Context Protocol security and governance"}]},{"@type":"WebSite","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/#website","url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6","name":"Jason Kellington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g194a4f0f478cef34134d870cc64e1068","url":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g","caption":"Jason 
Kellington"},"url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/author\/v-jaske\/"}]}},"jetpack_featured_media_url":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/uploads\/prod\/2026\/02\/10799_Hero-image.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-5O4","_links":{"self":[{"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=22324"}],"version-history":[{"count":15,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22324\/revisions"}],"predecessor-version":[{"id":22450,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22324\/revisions\/22450"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/22326"}],"wp:attachment":[{"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=22324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=22324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=22324"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/newed.any0.dpdns.org\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=22324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}