How to integrate Netwrix Access Analyzer with Microsoft Copilot Studio through MCP server?
Hi, Cooper -
The MCP server should support Copilot Studio, but we haven’t tested this configuration internally. While we documented Claude Desktop on our GitHub page due to popularity and ease of use, we did build this open source project with customizability in mind, and it should be possible to use your tool of choice.
Claude has completed the demo, but the customer needs to see the results of Microsoft Copilot Studio connecting to MCP. Could you provide the relevant configuration methods?
Hi Cooper,
Thank you for the follow-up. That’s an excellent question, and it gets to the heart of a key architectural difference in how Claude Desktop and Microsoft Copilot Studio integrate with external tools like our MCP server.
As Ben mentioned, our open-source project was designed with flexibility in mind, and while we haven’t internally certified the configuration for Copilot Studio, it is certainly possible. The setup process differs from the one for Claude Desktop due to the fundamental way each platform operates.
The Key Difference: Local vs. Cloud-Hosted
- Claude Desktop is a local application. It directly launches our MCP server script on your machine (via `stdio`) and communicates with it locally. This is why the setup is a simple entry in a local configuration file.
- Microsoft Copilot Studio is a 100% cloud-hosted service. It cannot start processes on your local machine. Instead, it needs to call an already-running MCP server over the network via an HTTP endpoint.
Therefore, to integrate with Copilot Studio, we need to perform two main tasks: first, run our MCP server in a way that it can accept network requests, and second, make it securely accessible to the Microsoft cloud.
Here is a high-level guide on how to configure this.
Integration Guide for Microsoft Copilot Studio
The core logic of our MCP server remains the same. The primary change is how it’s run and exposed.
Step 1: Run the MCP Server in HTTP Mode
Instead of letting Claude launch the server, you’ll start it manually from the command line, telling it to listen for HTTP requests. The `fastmcp` library, which we use, has a built-in transport for this called `streamable-http`, which is exactly what Copilot Studio expects.

```
# From within the mcp-server-naa directory
fastmcp run main.py --transport streamable-http --host 0.0.0.0 --port 8000 --path /mcp
```

This command starts the server, and it’s now listening for requests on your local network at `http://<your-ip>:8000/mcp`.
Step 2: Make the Server Endpoint Reachable from the Cloud
Since your server is running on a local machine, Microsoft’s cloud services can’t see it yet. You need to create a secure bridge. Here are the most common options:
- For Quick Testing (Recommended for a demo): Ngrok
  A tool like Ngrok can create a secure, temporary public URL that tunnels directly to your local server. This is the fastest way to get a proof-of-concept running.

  ```
  ngrok http 8000
  ```

  Ngrok will give you a public `https://*.ngrok-free.app` URL.
- For Production/Corporate Networks: On-Premises Data Gateway
  Microsoft provides an On-Premises Data Gateway specifically for this scenario. You install it within your network, and it creates a secure, outbound connection to Power Platform (which Copilot Studio is part of), allowing it to query your internal resources without opening inbound firewall ports.
- For a Cloud-Native Approach: Deploy to Azure
  You can package the MCP server and deploy it as an Azure App Service or Container App. It would then have a permanent, public-facing URL.
Step 3: Describe the Endpoint to Copilot Studio with OpenAPI
Copilot Studio needs a “map” to understand how to talk to your MCP server. You provide this map via a small OpenAPI (formerly Swagger) YAML file. This file simply tells it the URL and the protocol to use.
Create a file named `naa-mcp.yaml`:

```yaml
swagger: "2.0"
info:
  title: Netwrix Access Analyzer MCP
  version: "1.0"
host: your-public-url.ngrok-free.app # Replace with your Ngrok or Azure URL (NO "https://")
basePath: /
schemes:
  - https
paths:
  /mcp/: # The path you specified when running the server
    post:
      x-ms-agentic-protocol: mcp-streamable-1.0
      operationId: invoke
      responses:
        "200": { description: "OK" }
```
Step 4: Create and Add the Custom Connector
With the server running and the OpenAPI file ready, the final steps are within the Microsoft cloud. This is where you formally register your server’s endpoint so Copilot Studio can discover and use it.
- Navigate to your agent in Microsoft Copilot Studio. In the left-hand menu, select Tools, and then click + New tool.
- From the options that appear, select Custom connector. This will redirect you to the Power Apps portal where connectors are managed.
- In Power Apps, click + New custom connector and choose Import an OpenAPI file from the dropdown menu. Upload the `naa-mcp.yaml` file you created in the previous step.
- Proceed through the setup wizard. On the Security tab, select “No authentication” (unless you have implemented your own security layer). If you are using the On-Premises Data Gateway, you will select your configured gateway here.
- Finally, save and test the connector. Once it’s ready, return to Copilot Studio.
- You will now see your new custom connector listed under the Tools section of your agent. Ensure it is enabled.
Once added and enabled, Copilot Studio will automatically connect to your MCP server, discover the available tools, and make them available to the agent. You can then test the integration in the chat pane with a prompt.
We understand this is more involved than the Claude Desktop setup. The key takeaway is that the server needs to be hosted and registered as a network service for any cloud-based AI platform.
Please let us know if you have any questions as you go through these steps. We’re happy to provide further clarification.
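
The Security-tab step above allows "No authentication" unless you have implemented your own security layer, while Steps 1 and 2 bind the server to `0.0.0.0` and give it a public URL. As an added example (not part of the original reply and not Netwrix's code), one minimal form of such a layer is an ASGI wrapper that requires a shared key header before a request reaches the MCP app. The class name `ApiKeyGate`, the `X-API-Key` header name and the stub app are assumptions for illustration; how the ASGI app is obtained from fastmcp is not shown here.

```python
import asyncio
import hmac

class ApiKeyGate:
    """ASGI wrapper (hypothetical name): forwards only HTTP requests carrying the key."""
    def __init__(self, app, api_key: str, header: bytes = b"x-api-key"):
        if not api_key:
            raise ValueError("api_key must not be empty")
        self.app = app
        self.key = api_key.encode()
        self.header = header.lower()  # header name is an assumption, not from the post

    async def __call__(self, scope, receive, send):
        if scope["type"] == "lifespan":  # startup/shutdown events carry no client data
            await self.app(scope, receive, send)
            return
        if scope["type"] != "http":  # anything else (e.g. websocket) is not forwarded
            return
        supplied = b""
        for name, value in scope.get("headers", []):
            if name.lower() == self.header:
                supplied = value
        if hmac.compare_digest(supplied, self.key):  # constant-time comparison
            await self.app(scope, receive, send)
            return
        body = b'{"error":"unauthorized"}'
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"content-type", b"application/json"),
                                (b"content-length", str(len(body)).encode())]})
        await send({"type": "http.response.body", "body": body})

async def _stub_mcp_app(scope, receive, send):
    # Constructed stand-in for the real MCP ASGI app, so the example runs offline.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_for(headers, api_key="constructed-demo-key"):
    """Send one constructed POST /mcp through the gate and return the HTTP status."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "POST", "path": "/mcp", "headers": headers}
    asyncio.run(ApiKeyGate(_stub_mcp_app, api_key)(scope, receive, send))
    return sent[0]["status"]
```

With a gate like this in front of the endpoint, the connector's Security tab would be set to API key authentication with the same header name instead of "No authentication".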