In this blog post Why MCP SDK for .NET Turns Tool Access Into a Security Decision we will look at why a seemingly simple developer choice can quickly become a business risk, governance, and compliance decision. If your team is exploring AI assistants that can do more than answer questions, this matters now, because MCP is becoming a standard way for AI tools to reach into company systems and take action.
The high-level idea is straightforward. MCP, short for Model Context Protocol, is an open standard that gives AI applications a common way to connect to tools, data, and business systems. The official C# SDK for .NET gives Microsoft-focused teams a faster way to build those connections, whether the AI sits in a custom app, GitHub Copilot, Visual Studio Code, or another MCP-aware product.
That sounds like a productivity win, and it is. But the moment an AI assistant can read customer records, trigger a workflow, approve a request, or touch Azure and Microsoft 365, you are no longer making a coding decision. You are designing who can access sensitive systems, how that access is controlled, and what happens if the wrong action is taken. That is security architecture.
What MCP and the .NET SDK actually do
Think of MCP as a universal connector for AI. Instead of building a one-off integration for every model, tool, and app, MCP creates a common language between an AI host, a client connection, and a server that exposes capabilities. Under the hood, the protocol uses JSON-RPC messages, and the C# SDK lets .NET teams build both MCP clients and MCP servers using normal .NET patterns.
MCP servers can expose three main things. Tools let the AI do something, such as create a ticket or check an order. Resources let the AI read data, such as a document or record. Prompts provide structured instructions. In practice, tools are where the business risk jumps, because that is where the AI stops being informative and starts being operational.
On March 5, 2026, the official MCP C# SDK reached v1.0 with support for the 2025-11-25 MCP specification. That release added stronger authorization support, richer metadata, improved tool calling patterns, and better handling for long-running requests. In plain English, the platform is maturing quickly, which means more businesses will move from experiments to production use.
Why this is a security architecture decision, not just a coding shortcut
1. Every tool is a permission boundary
When a developer publishes an MCP tool, they are not just exposing a function. They are creating a new path into a business system. A tool called GetCustomerInvoices may sound harmless, but it raises practical questions your leadership team should care about. Should every employee be able to use it? Should it return full records or summaries only? Should contractors, offshore staff, or external AI services ever touch it?
This is where many businesses get caught out. The technical work of exposing a tool is often easier than defining the access model around it. If the access rules are vague, the AI gets broad reach by default, and broad reach is exactly what auditors, insurers, and security teams worry about.
2. Local and remote MCP are different risk profiles
MCP supports local connections over stdio and remote connections over Streamable HTTP. Local usually means the AI client launches a tool on the same machine or in a tightly controlled environment. Remote means the tool is running as a network service that can potentially serve many clients. Those are very different exposure levels, even if the business function looks identical.
For business leaders, the simple takeaway is this. A local MCP server may behave more like a controlled desktop integration. A remote MCP server behaves more like an application interface, and it needs the same seriousness you would apply to any internet-facing or internally shared business system. That includes authentication, host restrictions, careful browser access rules, and clear decisions about whether the service should keep session state or stay stateless for simpler scaling and lower operational risk.
3. Identity has to flow end to end
One of the most important recent improvements in the C# SDK is built-in identity propagation. In plain English, the tool can know who is actually calling it, rather than relying on a generic shared connection. That matters because proper access control, filtering, and audit trails depend on user identity flowing all the way from the AI client to the tool handler.
The broader MCP authorization model is based on OAuth 2.1, and the SDK now supports stronger discovery and enterprise sign-on patterns. There is even an enterprise-managed authorization extension designed for organisations that want IT and security teams, not individual staff, to control which MCP servers users can access through the company identity provider. For a mid-sized Australian business, that is a big deal. It means onboarding, offboarding, and access reviews can sit inside your normal identity and compliance processes instead of becoming another shadow IT problem.
4. Logging, approvals, and blast radius matter more than clever demos
The most dangerous MCP rollout is not usually the one with malicious intent. It is the one that quietly gives an AI assistant too much freedom. A tool that can read all SharePoint files, reset user accounts, alter security groups, or trigger financial workflows may work beautifully in a demo. In production, it can create a very large blast radius if access is too broad or actions are not logged well enough.
The SDK gives teams practical hooks for control, including authorization filters and middleware-style filters for logging, rate limiting, and request handling. That is useful, but only if the business decides where guardrails belong. Read-only tools should be separated from high-impact tools. Sensitive write actions should be explicit, logged, and in some cases require approval outside the model.
A simple .NET example and the hidden decision behind it
Here is the important point for non-technical leaders. In .NET, exposing a tool can be very easy. That is good for speed, but it also means risky access can be published faster than governance can catch up.
[McpServerToolType]
public static class FinanceTools
{
[McpServerTool]
[Description("Returns a customer invoice summary by customer ID.")]
public static async Task<string> GetInvoiceSummary(string customerId)
{
// Business logic here
return $"Summary for {customerId}";
}
}
builder.Services
.AddMcpServer()
.WithToolsFromAssembly()
.AddAuthorizationFilters();That small block of code is useful, but the hard questions sit outside the code. Which identities can call it? Does it return all invoice details or just a summary? Is the data masked? Is every request logged? Can the same AI assistant also access write-capable finance tools, or are those isolated? Those are architecture and governance questions, not developer convenience questions.
What a sensible architecture looks like for a 50 to 500 person business
- Start with read-only tools before write actions. Let AI retrieve approved information before it can change anything. This reduces business risk while still delivering productivity gains.
- Use your existing identity platform so access follows normal staff joiner, mover, and leaver processes. That is cleaner for governance and much easier to explain during audits.
- Separate low-risk and high-risk tools. A knowledge lookup tool should not live in the same trust zone as an admin tool that changes Microsoft 365 or Azure settings.
- Prefer stateless remote services where possible. The official guidance recommends stateless mode for most servers because it reduces complexity and deployment constraints.
- Apply least privilege and clear logging. This supports stronger security practice generally and helps businesses working toward Essential Eight, which is the Australian government’s baseline cybersecurity framework. MCP will not solve Essential Eight by itself, but a badly governed AI tool layer can absolutely undermine the spirit of access control and auditability.
An anonymised scenario
Imagine a 180-person professional services firm in Melbourne. The leadership team wants an AI assistant that can pull documents from Microsoft 365, answer internal policy questions, check Azure spend, and create service desk tickets. Their first instinct is to let one remote MCP server connect to everything because it is faster to build and easier to demo.
On paper, that sounds efficient. In reality, it creates a messy trust model. One compromise or bad prompt could expose HR files, finance data, and cloud administration functions through the same channel. A better design is to separate knowledge tools from operational tools, keep high-risk actions behind stronger approval and identity controls, and make sure every tool call is attributable to a real user or managed workload.
The business outcome is not just better security. It is faster rollout with fewer internal objections, cleaner audit evidence, simpler offboarding, and less chance that the AI project stalls because risk was ignored too early. That is usually what separates an AI proof of concept from something the business will actually trust.
The bottom line
The MCP SDK for .NET is a strong step forward. It gives .NET teams a practical, standard way to connect AI to business tools, and the ecosystem around Microsoft products is moving quickly. But that convenience changes the leadership question from Can we expose this tool? to Should we, for whom, and under what controls?
That is exactly where a practical partner helps. At CloudPro Inc, we work with mid-sized businesses across Melbourne and Australia to make cloud, AI, and security decisions that are useful in the real world, not just impressive in a demo. If you are exploring MCP, OpenAI, Claude, Azure, Microsoft 365, Intune, or a broader Essential Eight uplift and you are not sure whether your current approach is opening the right doors or too many of them, we are happy to take a look with you, no strings attached.
Discover more from CPI Consulting
Subscribe to get the latest posts sent to your email.