← Back to blog
·5 min read·Jeff Weisbein

enterprise mcp has arrived. now the hard part starts.

microsoft shipped a hosted MCP server for azure devops on march 17, then dropped it into microsoft foundry two days later. one URL, entra authentication, access to work items, pull requests, pipelines, repos, wikis, and test plans. no local server to install. no infrastructure to manage.

this matters because it changes who adopts MCP. when MCP required running local sidecars and wiring up auth yourself, the audience was developers who were comfortable with terminal setup and JSON config files. a hosted endpoint with enterprise SSO is a different conversation. it's the conversation enterprise buyers are willing to have.

but i want to push back on the framing that this makes production agent use "easy." it doesn't. it shifts where the hard work lives.

from setup to governance

the local MCP server era had a clear bottleneck: getting the thing running. installing dependencies, configuring transports, managing API keys. that work was annoying but well-understood. a developer could do it in an afternoon.

the hosted era removes that bottleneck and replaces it with questions that take much longer to answer:

who gets to connect agents to this endpoint? what operations can those agents perform? can an agent that reads work items also modify pipelines? who reviews what the agent did? what happens when an agent makes a mistake at 3am?

microsoft built two controls that hint at this: an X-MCP-Readonly header that restricts to read-only operations, and an X-MCP-Toolsets header that scopes which tool categories are available. these are good starts. they're also the bare minimum of what enterprise teams will require.

what enterprise buyers will actually ask

i run MCP in production for clients at hype lab. the questions i get from enterprise buyers are nothing like the questions i see in developer forums. developers ask "how do i connect this?" buyers ask:

"can we start read-only?" every enterprise deployment i've been part of starts this way. let the agent observe before it acts. microsoft's readonly header handles this, but buyers want guarantees, not headers. they want audit logs showing the agent never wrote anything.

"who approved this tool list?" scoped toolsets are great, but someone has to decide which tools are in scope. that's a governance decision, not a technical one. it involves security teams, compliance teams, and often legal. the tool itself is easy to configure. the approval process takes weeks.

"what's the audit trail?" when an agent reads a work item and then creates a pull request, buyers want a full trace of what happened and why. not just that the agent acted, but what context it had when it made the decision. MCP doesn't standardize this yet. every production deployment i've built includes custom logging on top.

"what happens when it breaks?" agents fail. models hallucinate. APIs time out. the question isn't whether failures happen but how they're handled. does the agent retry? does it escalate to a human? does it stop and wait? most MCP implementations don't have opinions about failure modes, which means you build them yourself.

the 7% scaling problem

mckinsey's latest research shows 88% of organizations use AI in at least one function, but only 7% have scaled AI across operations. gartner says 40% of enterprise apps will include task-specific agents by end of year, up from under 5% in 2025.

those numbers tell a clear story: adoption is high, but production scaling is rare. the gap isn't access to models or even tools. it's the operational work of making agent systems reliable, governable, and auditable enough to run without constant supervision.

hosted MCP servers close the access gap. they don't close the operations gap. a team that can connect to azure devops in five minutes still needs weeks of work to build the governance layer that makes that connection safe to use at scale.

why managed agent operators still have an advantage

there's a version of this market where everyone self-serves. microsoft provides the hosted endpoint, teams connect their agents, and everything works. i don't think that's what happens in practice.

what actually happens is that the first team to connect an agent to production devops data spends three months building guardrails, logging, failure handling, and approval workflows. the second team in the same company wants to do the same thing and either rebuilds everything or waits for the first team to productize their work internally.

this is where managed agent operators (like hype lab, and others building in this space) have a real advantage. we've already built the governance layer. we've already made the mistakes. we know which MCP tools need read-only defaults, which ones need human approval before execution, and which ones need custom scoping that the standard headers don't cover.

the pattern i see: enterprises try self-serve MCP, hit the governance wall, and then look for someone who's already solved it.

what comes next

microsoft will keep adding MCP servers for more azure services. other cloud providers will follow. within a year, most major enterprise tools will have hosted MCP endpoints.

that acceleration makes the governance gap more urgent, not less. every new MCP endpoint is another surface area to secure, scope, and monitor. the teams that treat tool access, policy enforcement, and reliability as product work will be the ones that actually ship agents to production. the ones that treat it as an integration chore will stay in pilot mode.

the hard part of enterprise MCP was never getting it running. it was always getting it running safely, at scale, with the kind of controls that let security teams sleep at night. microsoft just made the first part trivial. the second part is where the real work starts.

← All posts