
azure-mcp-connection

Use this skill when connecting the azure-mcp vendor through the WYRE MCP Gateway — registering an Azure service principal, supplying tenantId/clientId/clientSecret, and granting least-privilege Reader-tier RBAC. Covers the read-only deployment model and why broader write roles must not be granted.
wyre-technology/msp-claude-plugins · ★ 26 · DevOps & Infrastructure · score 82
Install: claude install-skill wyre-technology/msp-claude-plugins
# Azure MCP Connection

The `azure-mcp` vendor runs Microsoft's official Azure MCP Server (`mcr.microsoft.com/azure-sdk/azure-mcp`) as a WYRE-built sidecar inside the MCP gateway. Each connecting MSP supplies its own Azure **service principal**; the gateway isolates credentials per tenant and scopes every request to the principal you registered.

## Read-only deployment — read this first

The gateway runs the Azure MCP Server with the `--read-only` flag and a deliberately constrained namespace allowlist. On day one the connector exposes exactly eight read-leaning namespaces:

```
monitor
pricing
quota
advisor
resourcehealth
applens
subscription
group
```

Write- and delete-capable namespaces (`storage`, `keyvault`, `compute`, `role`, `aks`, and others) are **not enabled**. This is intentional defense-in-depth: even if a service principal were over-privileged, the gateway cannot route a mutating call. As shipped, `azure-mcp` is an Azure observability, cost, and resource-health tool — nothing it does changes infrastructure.

Because the deployment is read-only, the service principal you connect should also be read-only. Grant Reader-tier roles and nothing more.

## Step 1 — Register an Azure service principal

In the Azure tenant you want to manage, create an Azure AD **app registration** with a client secret. Either the portal (**Microsoft Entra ID → App registrations → New registration**) or the CLI works:

```
az ad sp create-for-rbac \
  --name "wyre-azure-mcp" \