Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
This feature is in Beta. Account admins can control access to this feature from the account console Previews page. See Manage Azure Databricks previews.
An MCP Service is a Unity Catalog securable that registers an external MCP server and governs how agents use it. You address it by its three-level name, catalog.schema.mcp_service, and invoke it through Unity AI Gateway, the control plane for governing AI traffic.
Registering an MCP server as a Unity Catalog securable means you manage it with the same primitives that protect your other Unity Catalog assets. These include grants to control who can invoke it, tool selection to limit which tools it exposes, service policies to allow or deny individual tool calls, and audit and usage logging to track every invocation.
There are two ways to use MCP Services:
| Approach | Use when |
|---|---|
| Use a Databricks-provided MCP Service | You want a common software-as-a-service (SaaS) tool—Slack, GitHub, Google Drive, and more—with zero setup. No server to host and no connection to create. |
| Register your own external MCP server | You have a self-hosted or third-party MCP server to govern as a Unity Catalog securable. |
MCP Services connect agents to external services. For Azure Databricks data, use managed MCP servers; to host your own tools, use a custom MCP server.
To register and invoke an external MCP server, see Register an external MCP server. To restrict its tools and calls, see Govern an MCP service.
Tip
For a complete worked example—register the GitHub MCP server, restrict its tools, block destructive calls with a service policy, and audit usage—follow Tutorial: Govern a coding agent's GitHub MCP access.
How it works
An agent calls an MCP Service by its Unity AI Gateway URL, and every call flows through the same governed path:
- Invoke: The agent sends an MCP request to the service's Unity AI Gateway URL, authenticated with the caller's Azure Databricks identity.
- Authorize and govern: The gateway checks that the caller has
EXECUTEon the MCP Service in Unity Catalog. The service exposes only the tools you selected and evaluates any attached service policy, which can allow, deny, or require approval for the call. - Proxy with managed credentials: The request is forwarded to the external MCP server through the service's HTTP connection. Azure Databricks stores the credentials and handles OAuth flows and token refresh, so the agent never sees them.
- Log usage, audit, and traces: Every invocation is recorded in system tables, so you can monitor usage and audit activity over time.
Requirements
- A workspace enabled for Unity Catalog.
- To govern an external MCP server as an MCP Service, the Unity AI Gateway Beta and the Managed MCP Servers preview enabled for your account. See Manage Azure Databricks previews.
- A workspace in a region where Model Serving is supported. See Model serving features availability.
Databricks-provided MCP Services
Azure Databricks provides ready-to-use MCP Services in the system.ai schema for common SaaS applications, so agents can reach these tools without hosting or registering your own MCP server. Each one is a built-in MCP Service that you address by its Unity Catalog name. To give an agent access, grant EXECUTE on the service (for example, system.ai.github)—no connection setup required. Built-in services ship with platform-managed tools and a built-in service policy, such as one to block write operations. You govern them with grants rather than with custom tool selection or policy functions.
| MCP Service | Connects to |
|---|---|
system.ai.slack |
Slack |
system.ai.github |
GitHub |
system.ai.atlassian |
Jira and Confluence |
system.ai.google_drive |
Google Drive |
system.ai.google_calendar |
Google Calendar |
system.ai.gmail |
Gmail |
system.ai.sharepoint |
Microsoft SharePoint |
For Google Drive, Gmail, Google Calendar, or SharePoint, these built-in services handle OAuth for you, with no app registration required.
Authentication and security
Azure Databricks uses managed MCP proxies and Unity Catalog HTTP connections to securely handle authentication to external MCP servers.
- Shared principal authentication: All users share the same credentials when accessing the external service. This includes Bearer token, OAuth Machine-to-Machine (M2M), and OAuth User-to-Machine Shared authentication. Use this when the external service doesn't require user-specific access, or when a single service account is sufficient.
- Per-user authentication (OAuth U2M Per User): Each user authenticates with their own credentials. The external service receives requests on behalf of the individual user, enabling user-specific access control, auditing, and accountability. Use this when accessing user-specific resources, such as a user's GitHub repositories, Slack messages, or calendar.
Azure Databricks handles OAuth flows and token refresh, so end users don't see tokens. You view and manage your external MCP connections alongside your LLM endpoints from Unity AI Gateway. For detailed configuration instructions for each authentication method, see HTTP connections.
Limitations
During the Beta, the following limitations apply to MCP Services:
- SQL DDL for MCP Services (for example,
CREATE MCP SERVICE) is not available. Create and manage MCP Services with the UI or the REST API. - You can register only external MCP servers as your own MCP Service. Registering Genie, Apps, or Unity Catalog entity sources as an MCP Service is not currently supported. Azure Databricks also provides built-in MCP Services for common SaaS apps.
- Tool selection supports prefix (
get_*) and exact-match patterns. Exclusion patterns (for example,!delete_*) are not supported. - Unity Catalog Global Search does not surface MCP Services.
External MCP server connections also have the following limitations:
- External MCP servers are only available in regions where Model Serving is supported, including use in AI Playground, Genie Code, and Chat in Genie. See Model serving features availability.
Next steps
- Register an external MCP server to register and invoke an external MCP server.
- Govern an MCP service to restrict tools and apply service policies.
- Use MCP servers in agents to call an MCP Service programmatically from agent code.
- Connect MCPs to AI assistants and coding agents to connect coding agents and AI assistants.
- AI governance with Unity AI Gateway to govern MCP servers and LLM endpoints from a central location.