We’ve migrated our analytics workspace to use dynamic Model Context Protocol servers for form rendering in our agent-based reporting system. The MCP server is registered and appears active in the admin center, but forms fail to load when agents attempt to access them.
The error suggests permission issues related to role mapping:
MCP.Security.AuthorizationException: Agent principal lacks 'Forms.Read.All'
Context: Dynamic role resolution failed for service principal
ERP inheritance chain: Incomplete
I’ve verified the agent service principal has the Forms.Read.All permission in Azure AD, and the MCP server configuration includes the ERP connector for privilege inheritance. The same forms load correctly when accessed directly through Power Apps, but fail when the analytics agent tries to render them through the MCP server. This is blocking our automated reporting workflows that depend on dynamic form data extraction. Has anyone successfully configured dynamic MCP role mapping with ERP privilege inheritance?
I ran into something similar last month. The issue was that dynamic MCP servers require explicit role mapping configuration in the MCP manifest, not just Azure AD permissions. The agent service principal needs to be mapped in the MCP server’s security context, separate from the standard app registration. Check your MCP manifest file for the roleMapping section and ensure your agent principal ID is listed there with the appropriate scope.
I’ve made progress but I’m still hitting issues. I changed Forms.Read.All to an application permission and added the ERP connector as a privilege source. The inheritance chain error is gone, but now I’m getting a different error about a scope mismatch when the agent tries to access forms. The MCP server logs show the agent principal is authenticated, but the scope validation fails during form rendering. Is there a specific scope format required for MCP server access versus direct Power Apps access?
You’re very close. The scope mismatch happens because dynamic MCP servers use a compound scope format that combines the base permission with the resource context. Here’s what you need to do:
1. Dynamic MCP Role Mapping:
In your MCP server manifest (mcpserver.json), add the agent service principal to the roleMapping section:
Notice the .MCP suffix - this is crucial for dynamic server contexts.
2. ERP Privilege Inheritance:
In the Power Platform admin center, navigate to your MCP server → Security tab → Privilege Sources. Add your ERP connector and configure the inheritance mapping:
After making these changes, you must restart the MCP server service (not just refresh the configuration). The scope format for agent access is different from user access - agents use the compound scope format while users can use simple scopes. The MCP server validates this during authentication, which is why you’re seeing the scope mismatch.
4. Verification:
Test the connection using the MCP diagnostic tool:
This should return a successful authentication result with the complete privilege chain displayed. Once this works, your analytics agent will be able to render forms through the MCP server with proper ERP privilege inheritance.
The key issue is that dynamic MCP servers require the compound scope format (.MCP suffix) for non-interactive principals like agents, while direct Power Apps access uses simple scopes. This is by design to ensure proper security context separation between interactive and automated access patterns.
Thanks for the pointer. I checked the MCP manifest and the roleMapping section only has the default system identities. Where exactly should I add the agent service principal? Is this in the mcpserver.json configuration file or through the Power Platform admin portal? Also, does the ERP privilege inheritance work automatically once the role mapping is correct, or is there additional configuration needed for that chain?