Connect agents to third-party tools with MCP Services

Important

This feature is in Beta. Account admins can control access to this feature from the account console Previews page. See Manage Azure Databricks previews.

An MCP Service is a Unity Catalog securable that registers an external MCP server and governs how agents use it. You address it by its three-level name, catalog.schema.mcp_service, and invoke it through Unity AI Gateway, the control plane for governing AI traffic.

Registering an MCP server as a Unity Catalog securable means you manage it with the same primitives that protect your other Unity Catalog assets. These include grants to control who can invoke it, tool selection to limit which tools it exposes, service policies to allow or deny individual tool calls, and audit and usage logging to track every invocation.

There are two ways to use MCP Services:

Approach Use when
Use a Databricks-provided MCP Service You want a common software-as-a-service (SaaS) tool—Slack, GitHub, Google Drive, and more—with zero setup. No server to host and no connection to create.
Register your own external MCP server You have a self-hosted or third-party MCP server to govern as a Unity Catalog securable.

MCP Services connect agents to external services. For Azure Databricks data, use managed MCP servers; to host your own tools, use a custom MCP server.

To register and invoke an external MCP server, see Register an external MCP server. To restrict its tools and calls, see Govern an MCP service.

Tip

For a complete worked example—register the GitHub MCP server, restrict its tools, block destructive calls with a service policy, and audit usage—follow Tutorial: Govern a coding agent's GitHub MCP access.

How it works

An agent calls an MCP Service by its Unity AI Gateway URL, and every call flows through the same governed path:

An agent configured with an MCP Service URL invokes the service through Unity AI Gateway. The gateway authorizes the call against the MCP Service in Unity Catalog, which enforces the EXECUTE grant, tool selection, and service policies, then proxies the request through a Unity Catalog HTTP connection with managed credentials to the external MCP server, such as GitHub or Slack. Usage, audit, and trace records land in system tables.

  1. Invoke: The agent sends an MCP request to the service's Unity AI Gateway URL, authenticated with the caller's Azure Databricks identity.
  2. Authorize and govern: The gateway checks that the caller has EXECUTE on the MCP Service in Unity Catalog. The service exposes only the tools you selected and evaluates any attached service policy, which can allow, deny, or require approval for the call.
  3. Proxy with managed credentials: The request is forwarded to the external MCP server through the service's HTTP connection. Azure Databricks stores the credentials and handles OAuth flows and token refresh, so the agent never sees them.
  4. Log usage, audit, and traces: Every invocation is recorded in system tables, so you can monitor usage and audit activity over time.

Requirements

  • A workspace enabled for Unity Catalog.
  • To govern an external MCP server as an MCP Service, the Unity AI Gateway Beta and the Managed MCP Servers preview enabled for your account. See Manage Azure Databricks previews.

Databricks-provided MCP Services

Azure Databricks provides ready-to-use MCP Services in the system.ai schema for common SaaS applications, so agents can reach these tools without hosting or registering your own MCP server. Each one is a built-in MCP Service that you address by its Unity Catalog name. To give an agent access, grant EXECUTE on the service (for example, system.ai.github)—no connection setup required. Built-in services ship with platform-managed tools and a built-in service policy, such as one to block write operations. You govern them with grants rather than with custom tool selection or policy functions.

MCP Service Connects to
system.ai.slack Slack
system.ai.github GitHub
system.ai.atlassian Jira and Confluence
system.ai.google_drive Google Drive
system.ai.google_calendar Google Calendar
system.ai.gmail Gmail
system.ai.sharepoint Microsoft SharePoint

For Google Drive, Gmail, Google Calendar, or SharePoint, these built-in services handle OAuth for you, with no app registration required.

Authentication and security

Azure Databricks uses managed MCP proxies and Unity Catalog HTTP connections to securely handle authentication to external MCP servers.

  • Shared principal authentication: All users share the same credentials when accessing the external service. This includes Bearer token, OAuth Machine-to-Machine (M2M), and OAuth User-to-Machine Shared authentication. Use this when the external service doesn't require user-specific access, or when a single service account is sufficient.
  • Per-user authentication (OAuth U2M Per User): Each user authenticates with their own credentials. The external service receives requests on behalf of the individual user, enabling user-specific access control, auditing, and accountability. Use this when accessing user-specific resources, such as a user's GitHub repositories, Slack messages, or calendar.

Azure Databricks handles OAuth flows and token refresh, so end users don't see tokens. You view and manage your external MCP connections alongside your LLM endpoints from Unity AI Gateway. For detailed configuration instructions for each authentication method, see HTTP connections.

Limitations

During the Beta, the following limitations apply to MCP Services:

  • SQL DDL for MCP Services (for example, CREATE MCP SERVICE) is not available. Create and manage MCP Services with the UI or the REST API.
  • You can register only external MCP servers as your own MCP Service. Registering Genie, Apps, or Unity Catalog entity sources as an MCP Service is not currently supported. Azure Databricks also provides built-in MCP Services for common SaaS apps.
  • Tool selection supports prefix (get_*) and exact-match patterns. Exclusion patterns (for example, !delete_*) are not supported.
  • Unity Catalog Global Search does not surface MCP Services.

External MCP server connections also have the following limitations:

  • External MCP servers are only available in regions where Model Serving is supported, including use in AI Playground, Genie Code, and Chat in Genie. See Model serving features availability.

Next steps