jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity

Merge pull request #41314 from github/repo-sync

Browse Source 
Repo sync
This commit is contained in:
docs-bot
2025-11-17 13:33:34 -08:00
committed by GitHub
parent b2561a14a1 3507ae89ee
commit a7cb66933c
13 changed files with 247 additions and 299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
content/copilot/concepts/index.md
View File

@@ -19,6 +19,7 @@ children:
- /billing
- /about-enterprise-accounts-for-copilot-business
- /policies
- /mcp-management
- /network-settings
- /copilot-metrics
contentType: concepts

51
content/copilot/concepts/mcp-management.md Normal file
View File

@@ -0,0 +1,51 @@
---
title: MCP server usage in your company
shortTitle: MCP management
intro: 'You can manage MCP server usage to provide your developers with valuable tools while maintaining security and compliance.'
versions:
feature: copilot
topics:
- Copilot
contentType: concepts
---
You can manage Model Context Protocol (MCP) server usage in your organization or enterprise by configuring a series of MCP policies on {% data variables.product.prodname_dotcom_the_website %}. Through these policies, you can allow or block MCP server usage entirely, or restrict access to a list of servers that you define in an MCP registry.
## MCP registries
An MCP registry is a directory of MCP servers that acts like a catalog for IDEs and {% data variables.product.prodname_copilot_short %}. Each registry entry points to a server's manifest, which describes the tools, resources, and prompts that server provides.
After you create your MCP registry, you can make it available to your company, allowing you to:
* Curate a catalog of MCP servers your developers can discover and use without context switching
* Restrict access to unapproved servers for increased security and compliance
* Provide clarity to developers when a server is blocked by policy
## MCP policy settings
The following settings let you control how MCP servers are discovered and accessed in your organization or enterprise:
* **MCP servers in {% data variables.product.prodname_copilot_short %}**: Manage the use of MCP servers for all users with {% data variables.product.prodname_copilot_short %} seats in your organization or enterprise.
* **MCP Registry URL**: Specify the URL of your MCP registry, allowing your developers to discover and use approved MCP servers in supported surfaces.
* **Restrict MCP access to registry servers**: Choose whether to allow all MCP servers or restrict access to only those listed in your configured registry.
## Supported surfaces
MCP management features are supported as follows:
| Surface | Registry display | Allowlist enforcement |
|---|:---:|:---:|
| {% data variables.copilot.copilot_cli_short %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.copilot.copilot_coding_agent %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vs %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
> [!NOTE]
> For Eclipse, JetBrains, and Xcode, MCP management features are supported in the pre-release versions of {% data variables.product.prodname_copilot_short %}.
## Next steps
To create your own MCP registry, see [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-registry).

286
content/copilot/how-tos/administer-copilot/configure-mcp-server-access.md
View File

@@ -1,286 +0,0 @@
---
title: Configure MCP server access for your organization or enterprise
intro: You can configure an MCP registry URL and access control policy to determine which MCP servers developers can discover and use in supported IDEs with {% data variables.product.prodname_copilot %}.
permissions: Enterprise owners and organization owners
product: '{% data variables.copilot.copilot_enterprise_short %} or {% data variables.copilot.copilot_business_short %}'
versions:
feature: copilot
allowTitleToDifferFromFilename: true
topics:
- Copilot
- Enterprise
shortTitle: Configure MCP server access
redirect_from:
- /copilot/how-tos/administer-copilot/manage-for-organization/set-extension-permissions
contentType: how-tos
category:
- Manage Copilot for a team
---
> [!NOTE]
> The MCP registry URL and allowlist are in {% data variables.release-phases.public_preview %} and subject to change.
## Overview
An MCP registry is a directory of Model Context Protocol (MCP) servers that acts like a catalog for IDEs and {% data variables.product.prodname_copilot_short %} (as well as other host applications). Each registry entry points to a server's manifest, which describes the tools, resources, and prompts that server exposes.
As an enterprise or organization owner, you can configure an **MCP registry URL**, allowing you to:
* **Provide a curated catalog** of MCP servers your developers can discover and use
* **Restrict access** to unapproved servers for increased security and compliance
* **Give clarity to developers** when a server is blocked by policy
If you haven't created an MCP registry yet, see [Setting up an MCP registry](#setting-up-an-mcp-registry) later in this article.
## About MCP policy settings
The following settings let you control how MCP servers are discovered and accessed in your organization or enterprise.
### MCP servers in {% data variables.product.prodname_copilot_short %}
First, you must set the overall **MCP servers in {% data variables.product.prodname_copilot_short %}** policy:
* Enabled for all: MCP servers are allowed (default behavior depends on registry configuration)
* Disabled for all: No MCP servers can be used by any users with {% data variables.product.prodname_copilot_short %} seats from this enterprise or organization
* Let organizations decide (Enterprise only): Child organizations can set their own MCP policies
### MCP Registry URL
The **MCP Registry URL** is an optional field where you specify the URL of your discoverable or restricted internal MCP registry. When you configure a registry URL:
* The servers listed in the registry are displayed in supported IDEs
* The "Restrict MCP access to registry servers" setting becomes configurable
### Restrict MCP access to registry servers
Under the **Restrict MCP access to registry servers** setting, you choose how strictly to enforce registry-based access:
* **Allow all** (default): Developers can run any local and remote MCP servers. Registry servers are still shown in the IDE catalog as a curated list for easier discoverability.
* **Registry only**: Developers can only run MCP servers that are explicitly listed in the uploaded MCP registry. In IDE UIs, blocked servers appear greyed out with a warning message. In the `mcp.json` configuration file, they may also show `"run": "blocked"`.
> [!NOTE]
> If you choose the "Registry only" option with the MCP registry URL cleared, all MCP servers will be blocked.
#### Current enforcement limitations
The "Registry only" setting currently has the following limitations:
* Enforcement is based only on server name/ID matching, which can be bypassed by editing configuration files
* Strict enforcement that prevents installation of non-registry servers is not yet available
For the highest level of security, you can **disable MCP servers in {% data variables.product.prodname_copilot_short %}** until strict enforcement is available.
## How MCP policies apply to your users
MCP policies apply to **all users who receive {% data variables.product.prodname_copilot_short %} seats** from the organization or enterprise where the policy is configured.
When a policy is enabled or disabled at the enterprise level, it is automatically applied to all child organizations and their members, and cannot be overridden by those organizations.
When an enterprise lets child organizations configure their own MCP policies, each organization must choose its own registry URL and enforcement settings. This allows teams with different security or compliance needs to choose the configuration that works best for them.
## Support for MCP policies
| Surface | Registry display | Allowlist enforcement |
|---|:---:|:---:|
| {% data variables.copilot.copilot_cli_short %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.copilot.copilot_coding_agent %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vs %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
> [!NOTE]
> For Eclipse, JetBrains, and Xcode, these features are supported in the pre-release versions of {% data variables.product.prodname_copilot_short %}.
## Configuring the MCP allowlist policy for an enterprise
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.ai-controls-tab %}
{% data reusables.enterprise-accounts.view-mcp-policies %}
1. Ensure **MCP servers in {% data variables.product.prodname_copilot_short %}** is set to **Enabled everywhere**.
1. In the **MCP Registry URL** section, enter the URL of your specification-compliant MCP registry, then click **Save**.
1. In the **Restrict MCP access to registry servers** section, select one of the following from the dropdown menu:
* **Allow all**: No restrictions. All MCP servers can be used.
* **Registry only**: Only servers from the registry may run.
Your chosen policy will immediately apply to developers in your enterprise.
## Configuring the MCP allowlist policy for an organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the sidebar, under "Code, planning, and automation", click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, then click **Policies**.
1. Under "Features" ensure **MCP servers in {% data variables.product.prodname_copilot_short %}** is set to **Enabled**.
1. In the **MCP Registry URL (optional)** field, enter the URL of your specification-compliant MCP registry.
1. Click **Save**.
1. Next to **Restrict MCP access to registry servers**, select one of the following from the dropdown:
* **Allow all**: No restrictions. All MCP servers can be used.
* **Registry only**: Only servers from the registry may run.
Your chosen policy will immediately apply to developers in your organization.
## How are MCP allowlists enforced?
{% data variables.product.github %} uses the following strategies for MCP allowlist enforcement.
### Local servers
MCP allowlist enforcement applies to local MCP servers as well. When "Registry only" is configured, local servers must be included in the registry to be allowed.
**Including local servers in your registry:**
* Local servers must be listed in your registry with their correct server ID
* The server ID must match exactly between the registry entry and the installed server
* Consult the server's documentation or manifest for its canonical ID
* For consistent deployment across your organization, provide installation instructions that ensure users install the server with the expected ID
### Policy resolution for users with multiple seats
MCP allowlist enforcement is always tied to the organization or enterprise that assigns the {% data variables.product.prodname_copilot %} seat. If a user has multiple seats (for example, from several organizations or from both an enterprise and its child organizations), {% data variables.product.github %} automatically resolves conflicts and applies a single active policy.
The resolution logic is:
1. **Scope**: Policies set by a parent enterprise override those set by an organization. Enterprise policies trickle down to all organizations and members within that enterprise.
1. **Enforcement strictness**: `Registry only` outranks `Allow all`.
1. **Recency of registry upload**: If two policies have the same scope and strictness, the most recently uploaded registry wins.
1. **Tie-breaker**: If all else is equal, the lowest internal ID wins.
> [!IMPORTANT]
> At this time, only one registry URL can be applied to a user. Even if multiple organizations or enterprises provide different registries, only the winning registry is used.
>
> **For uniform access**, you can set and maintain your MCP registry URL and allowlist policy at the enterprise level.
>
> **For varied team needs**, configure separate policies for each organization, ensuring users only belong to one organization to avoid policy conflicts.
## Setting up an MCP registry
If you don't already have an MCP registry configured, there are a few different ways you can create one depending on your needs.
### Self-hosting a registry
At its core, a registry is a set of HTTPS endpoints that serve details about the included MCP servers. To make your registry reachable, you can take any of the following paths:
* Fork and self-host the open-source MCP Registry
* Run the open-source registry locally using Docker
* Publish your own custom implementation
To get started with the open-source registry, see the [MCP Registry Quickstart](https://github.com/modelcontextprotocol/registry/tree/main?tab=readme-ov-file#quick-start) in the `github/modelcontextprotocol` repository.
A valid registry must:
* Be reachable over HTTPS
* Support URL routing
To successfully configure your registry, you need to implement the following endpoints:
* `GET /v0.1/servers`: Returns a list of all included MCP servers
* `GET /v0.1/servers/{serverName}/versions/latest`: Returns the latest version of a specific server
* `GET /v0.1/servers/{serverName}/versions/{version}`: Returns the details for a specific version of a server
#### Example registry format
Your registry must return a JSON response following [the v0.1 MCP registry specification](https://registry.modelcontextprotocol.io/docs#/operations/list-servers-v0.1):
```json
{
"servers": [
{
"_meta": {
"io.modelcontextprotocol.registry/official": {
"status": "active",
"publishedAt": "2025-09-01T00:00:00Z",
"isLatest": true
}
},
"server": {
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-10-17/server.schema.json",
"name": "io.github.modelcontextprotocol/server-github",
"description": "Official GitHub MCP server for repository management, issues, and pull requests.",
"version": "1.0.0",
"packages": [
{
"registryType": "npm",
"identifier": "@modelcontextprotocol/server-github",
"version": "1.0.0",
"transport": { "type": "stdio" }
}
],
"remotes": [
{
"type": "http",
"url": "https://api.githubcopilot.com/mcp/"
}
]
}
},
{
"_meta": {
"io.modelcontextprotocol.registry/official": {
"status": "active",
"publishedAt": "2025-09-01T00:00:00Z",
"isLatest": true
}
},
"server": {
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-10-17/server.schema.json",
"name": "io.github.modelcontextprotocol/server-filesystem",
"description": "MCP server for secure file system operations with configurable access controls.",
"version": "1.0.0",
"packages": [
{
"registryType": "npm",
"identifier": "@modelcontextprotocol/server-filesystem",
"version": "1.0.0",
"transport": { "type": "stdio" }
}
]
}
}
],
"metadata": {
"count": 2,
"nextCursor": null
}
}
```
Required fields:
* `server.name`: Reverse DNS identifier for the MCP server
* `server.description`: Brief summary of server functionality
* `server.version`: Version string
* `server.packages`: Required if the server provides a local installation (`registryType`, `identifier`, `version`, `transport`)
* `server.remotes`: Required if the server provides hosted endpoints (`type`, `url`)
Optional fields that provide additional metadata:
* `_meta`: Registry-managed metadata (`status`, `publishedAt`, `isLatest`)
* `metadata`: Pagination details (`count`, `nextCursor`)
* Additional publisher-provided fields may appear under `server._meta`
#### Support for v0.1
To avoid breaking changes to your registry in the future, you should implement v0.1 of the MCP registry specification. Be aware that v0.1 is currently only supported in {% data variables.product.prodname_vscode_shortname %} Insiders, with other surfaces adding support soon. See the following table for more details.
| Surface | v0.1 support date |
| ---------------------- | ----------------- |
| {% data variables.product.prodname_vscode_shortname %} Insiders | Oct 23, 2025 |
| {% data variables.product.prodname_vs %} | Nov 5, 2025 |
| {% data variables.product.prodname_vscode_shortname %} | Nov 14, 2025 |
| Eclipse | Dec 2025 |
| JetBrains IDEs | Dec 2025 |
| Xcode | Dec 2025 |
### Using Azure API Center as a registry
> [!NOTE]
> Azure API Center requires an Azure API Management subscription to function as an MCP registry. For pricing details, see [MCP management availability](https://learn.microsoft.com/en-us/azure/api-management/mcp-server-overview#availability) and [API Management pricing](https://azure.microsoft.com/en-us/pricing/details/api-management/) in the Azure API Center documentation.
For enterprises that want a dynamic and fully managed option, Azure API Center can be used as an MCP registry. It provides governance features, discovery UI, and integration with existing API catalogs.
1. Go to the Azure API Center portal.
1. Create a new API Center instance (or reuse an existing one).
1. Add your MCP servers as APIs, including their manifests and metadata.
1. Publish your API Center instance.
1. Copy the API Center endpoint URL—this becomes your MCP registry URL.
1. Paste this URL into the **MCP Registry URL (optional)** field in your {% data variables.product.prodname_enterprise %} or organization settings.
For more information, see [Register and discover remote MCP servers in your API inventory](https://learn.microsoft.com/en-us/azure/api-center/register-discover-mcp-server) in the Azure API Center Documentation.

2
content/copilot/how-tos/administer-copilot/index.md
View File

@@ -9,8 +9,8 @@ topics:
children:
- /manage-for-organization
- /manage-for-enterprise
- /manage-mcp-usage
- /download-activity-report
- /configure-mcp-server-access
redirect_from:
- /copilot/how-tos/administer
contentType: how-tos

80
content/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-registry.md Normal file
View File

@@ -0,0 +1,80 @@
---
title: Configure an MCP registry for your organization or enterprise
intro: Create and host a list of MCP servers that your developers can access.
permissions: Enterprise owners and organization owners
product: '{% data variables.copilot.copilot_enterprise_short %} or {% data variables.copilot.copilot_business_short %}'
versions:
feature: copilot
topics:
- Copilot
- Enterprise
shortTitle: Configure MCP registry
contentType: how-tos
---
## Prerequisites
Before you create your Model Context Protocol (MCP) registry, you should understand the functionality and benefits of MCP management for your company. See [AUTOTITLE](/copilot/concepts/mcp-management).
## Option 1: Self-hosting an MCP registry
At its core, an MCP registry is a set of HTTPS endpoints that serve details about the included MCP servers. You can create your registry with any of the following options:
* Fork and self-host the open-source MCP Registry. To get started, see the [MCP Registry Quickstart](https://github.com/modelcontextprotocol/registry/tree/main?tab=readme-ov-file#quick-start) in the `modelcontextprotocol/registry` repository.
* Run the open-source registry locally using Docker.
* Publish your own custom implementation.
> [!NOTE]
> If you want your developers to have access to local MCP servers, include those servers in your registry with the correct server ID. For more information, see [AUTOTITLE](/copilot/reference/mcp-allowlist-enforcement).
To create a valid MCP registry that is reachable by {% data variables.product.prodname_copilot %}, the registry must meet the following requirements:
* [Endpoint and specification requirements](#endpoint-and-specification-requirements)
* [Cross-Origin Resource Sharing requirements](#cross-origin-resource-sharing-requirements)
### Endpoint and specification requirements
A valid registry must support URL routing and follow the v0.1 MCP registry specification, including the following endpoints:
* `GET /v0.1/servers`: Returns a list of all included MCP servers
* `GET /v0.1/servers/{serverName}/versions/latest`: Returns the latest version of a specific server
* `GET /v0.1/servers/{serverName}/versions/{version}`: Returns the details for a specific version of a server
For more details and example JSON responses to requests, see the [Official MCP Registry documentation](https://registry.modelcontextprotocol.io/docs).
#### Support for the v0.1 specification
While the MCP registry launched using the v0 specification, that version is now considered unstable and should not be implemented. Instead, create your registry according to the v0.1 specification, which is supported in the following IDEs:
| IDE | v0.1 support |
| ---------------------- | ----------------- |
| {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vs %} | {% octicon "check" aria-label="Supported" %} |
| Eclipse | Coming Dec 2025 |
| JetBrains IDEs | Coming Dec 2025 |
| Xcode | Coming Dec 2025 |
### Cross-Origin Resource Sharing requirements
To ensure {% data variables.product.prodname_copilot_short %} can successfully make cross-origin requests when fetching your registry, the registry or reverse proxy must include Cross-Origin Resource Sharing (CORS) headers. Add the following headers to all `/v0.1/servers` endpoints:
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
```
## Option 2: Using Azure API Center as an MCP registry
Azure API Center provides a fully managed MCP registry with automatic CORS configuration, built-in governance features, and no additional web server setup.
1. To complete the initial setup for your registry, see [Register and discover remote MCP servers in your API inventory](https://learn.microsoft.com/azure/api-center/register-discover-mcp-server) in the Azure documentation.
1. If you want your developers to have access to local MCP servers, include those servers in your registry with the correct server ID. For more information, see [AUTOTITLE](/copilot/reference/mcp-allowlist-enforcement).
1. To ensure {% data variables.product.prodname_copilot %} can fetch your registry, in the visibility settings of your API Center, allow anonymous access.
1. Copy your API Center endpoint URL. In the next article, you will use this URL to make your registry available across your company.
### Pricing and limits
Azure API Center offers a **free tier** for basic API cataloging and discovery, including MCP registry management. If you need higher limits than those included with the free tier, you can upgrade to the Standard plan. For detailed limits and pricing, see [Azure API Center limits](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-api-center-limits) in the Azure documentation.
## Next steps
Now that you have created your MCP registry, you can set MCP policies for your company. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-server-access).

63
content/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-server-access.md Normal file
View File

@@ -0,0 +1,63 @@
---
title: Configure MCP server access for your organization or enterprise
intro: You can configure an MCP registry URL and access control policy to determine which MCP servers developers can discover and use in supported IDEs with {% data variables.product.prodname_copilot %}.
permissions: Enterprise owners and organization owners
product: '{% data variables.copilot.copilot_enterprise_short %} or {% data variables.copilot.copilot_business_short %}'
versions:
feature: copilot
topics:
- Copilot
- Enterprise
shortTitle: Configure MCP server access
redirect_from:
- /copilot/how-tos/administer-copilot/configure-mcp-server-access
- /copilot/how-tos/administer-copilot/manage-for-organization/set-extension-permissions
contentType: how-tos
category:
- Manage Copilot for a team
---
> [!NOTE]
> The MCP registry URL and allowlist are in {% data variables.release-phases.public_preview %} and subject to change.
## Prerequisites
Before you can fully configure MCP server access for your company, you need to create an MCP registry. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-registry).
## Configuring the MCP allowlist policy for an enterprise
To ensure uniform access, you can set and maintain your MCP registry URL and allowlist policy at the enterprise level. Otherwise, if your teams have different needs, you should configure separate policies for each organization.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.ai-controls-tab %}
{% data reusables.enterprise-accounts.view-mcp-policies %}
1. Ensure **MCP servers in {% data variables.product.prodname_copilot_short %}** is set to **Enabled everywhere**.
1. In the **MCP Registry URL** section, enter the URL of your registry, then click **Save**.
{% data reusables.copilot.mcp.azure-api-center-url %}
1. In the **Restrict MCP access to registry servers** section, select the dropdown menu, then click one of the following options:
* **Allow all**: No restrictions. All MCP servers can be used.
* **Registry only**: Only servers from the registry may run.
Your chosen policy will immediately apply to developers in your enterprise.
## Configuring the MCP allowlist policy for an organization
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. In the sidebar, under "Code, planning, and automation", click **{% octicon "copilot" aria-hidden="true" aria-label="copilot" %} {% data variables.product.prodname_copilot_short %}**, then click **Policies**.
1. In the "Features" section, ensure **MCP servers in {% data variables.product.prodname_copilot_short %}** is set to **Enabled**.
1. In the **MCP Registry URL (optional)** field, enter the URL of your registry, then click **Save**.
{% data reusables.copilot.mcp.azure-api-center-url %}
1. In the **Restrict MCP access to registry servers** section, select the dropdown menu, then click one of the following options:
* **Allow all**: No restrictions. All MCP servers can be used.
* **Registry only**: Only servers from the registry may run.
Your chosen policy will immediately apply to developers in your organization.
## Next steps
For detailed information on MCP allowlist enforcement and limitations, see [AUTOTITLE](/copilot/reference/mcp-allowlist-enforcement).

13
content/copilot/how-tos/administer-copilot/manage-mcp-usage/index.md Normal file
View File

@@ -0,0 +1,13 @@
---
title: Managing MCP usage in your company
shortTitle: Manage MCP usage
intro: 'Organization and enterprise owners can control the availability of MCP servers for their developers using MCP management features.'
versions:
feature: copilot
topics:
- Copilot
children:
- /configure-mcp-registry
- /configure-mcp-server-access
contentType: how-tos
---

4
content/copilot/reference/allowlist-reference.md → content/copilot/reference/copilot-allowlist-reference.md
View File

@@ -1,6 +1,5 @@
---
title: Allowlist reference
allowTitleToDifferFromFilename: true
title: Copilot allowlist reference
intro: 'Learn how to allow certain traffic through your firewall or proxy server for {% data variables.product.prodname_copilot_short %} to work as intended in your organization.'
permissions: Proxy server maintainers or firewall maintainers
versions:
@@ -13,6 +12,7 @@ redirect_from:
- /copilot/reference/proxy-server-and-firewall-settings-for-copilot
- /copilot/managing-copilot/managing-github-copilot-in-your-organization/configuring-your-proxy-server-or-firewall-for-copilot
- /copilot/how-tos/administer/organizations/configuring-your-proxy-server-or-firewall-for-copilot
- /copilot/reference/allowlist-reference
contentType: reference
---

3
content/copilot/reference/index.md
View File

@@ -12,7 +12,8 @@ children:
- /keyboard-shortcuts
- /custom-agents-configuration
- /policy-conflicts
- /allowlist-reference
- /copilot-allowlist-reference
- /mcp-allowlist-enforcement
- /metrics-data
- /copilot-billing
- /agentic-audit-log-events

32
content/copilot/reference/mcp-allowlist-enforcement.md Normal file
View File

@@ -0,0 +1,32 @@
---
title: MCP allowlist enforcement
intro: 'Understand the logic and limitations of MCP allowlist enforcement.'
versions:
feature: copilot
topics:
- Copilot
contentType: reference
---
## Current enforcement limitations
MCP allowlist enforcement currently has the following limitations:
* Enforcement is based only on server name/ID matching, which can be bypassed by editing configuration files
* Strict enforcement that prevents installation of non-registry servers is not yet available
For the highest level of security, you can **disable MCP servers in {% data variables.product.prodname_copilot_short %}** until strict enforcement is available.
## Enforcement for local servers
MCP allowlist enforcement applies to both remote and local MCP servers. When "Registry only" is configured, local servers must be included in your registry with the correct server ID, which must exactly match the installed server ID. A server's canonical ID is often defined in its documentation or manifest.
## Policy resolution for users with multiple seats
MCP allowlist enforcement is always tied to the organization or enterprise that assigns the {% data variables.product.prodname_copilot %} seat. If a user has multiple seats, {% data variables.product.github %} automatically resolves conflicts and applies a single active policy and registry.
The resolution logic is:
1. **Scope**: Policies set by a parent enterprise override those set by an organization. Enterprise policies trickle down to all organizations and members within that enterprise.
1. **Enforcement strictness**: Since `Registry only` is more restrictive than `Allow all`, it will always take precedence.
1. **Recency of registry upload**: If two policies have the same scope and strictness, the most recently uploaded registry will be applied.

6
content/migrations/using-github-enterprise-importer/migrating-between-github-products/migrating-repositories-from-github-enterprise-server-to-github-enterprise-cloud.md
View File

@@ -252,9 +252,6 @@ You may need to allowlist {% data variables.product.company_short %}'s IP ranges
### Uploading your migration archives to {% data variables.product.prodname_ghos %}
> [!NOTE]
> Repository migrations with {% data variables.product.prodname_ghos %} are currently in {% data variables.release-phases.public_preview %} and subject to change.
If you're using {% data variables.product.prodname_ghos %}, you will upload your archive to {% data variables.product.prodname_ghos %} using the following process:
1. Create a multipart upload by submitting a POST request
@@ -413,9 +410,6 @@ For {% data variables.product.pat_generic %} requirements, see [AUTOTITLE](/migr
### Migrating repositories with {% data variables.product.prodname_ghos %}
> [!NOTE]
> Repository migrations with {% data variables.product.prodname_ghos %} are currently in {% data variables.release-phases.public_preview %} and subject to change.
If you do not want to set up and provide {% data variables.product.prodname_importer_proper_name %} with access to a customer-owned blob storage account for storing your repository archives, you can migrate repositories using {% data variables.product.prodname_ghos %}. To do so, you must be running v1.9.0 (or higher) of {% data variables.product.prodname_gei_cli %}. {% data variables.product.prodname_ghos %} does not require additional setup and is available as an option when you run {% data variables.product.prodname_gei_cli %} commands.
For security purposes, {% data variables.product.prodname_ghos %} is explicitly write-only, and downloads from {% data variables.product.prodname_ghos %} are not possible. After a migration is complete, the repository archives are immediately deleted. If an archive is uploaded and not used in a migration, the archive is deleted after 7 days.

3
content/migrations/using-github-enterprise-importer/migrating-from-bitbucket-server-to-github-enterprise-cloud/migrating-repositories-from-bitbucket-server-to-github-enterprise-cloud.md
View File

@@ -96,9 +96,6 @@ Before you can run a migration, you need to set up a storage container with your
### Using {% data variables.product.prodname_ghos %}
> [!NOTE]
> Repository migrations with {% data variables.product.prodname_ghos %} are currently in {% data variables.release-phases.public_preview %} and subject to change.
If you do not want to set up and provide {% data variables.product.prodname_importer_proper_name %} with access to a blob storage account behind your firewall, you can migrate repositories with {% data variables.product.prodname_ghos %} using the `--use-github-storage` flag. To do so, you must be running v1.9.0 (or higher) of {% data variables.product.prodname_bbs2gh_cli %}.
For security purposes, {% data variables.product.prodname_ghos %} is explicitly write-only, and downloads from {% data variables.product.prodname_ghos %} are not possible. After a migration is complete, the repository archives are immediately deleted. If an archive is uploaded and not used in a migration, the archive is deleted after 7 days.

2
data/reusables/copilot/mcp/azure-api-center-url.md Normal file
View File

@@ -0,0 +1,2 @@
> [!NOTE]
> If you set up your MCP registry using Azure API Center, enter the base URL for your API Center. Including route suffixes like `/v0.1/servers` will cause the registry to error out.