The Best MCP Gateways for Copilot Studio in 2026
Romain Sestier · 10 min
An MCP gateway gives a Copilot Studio agent one governed MCP connection to many business systems. That means one wizard run, one Power Platform connector for admins to police, and one tool list that fits the 128-tool budget — instead of a separate server, credential, and DLP entry per system. Microsoft Copilot Studio’s own plumbing is good: a native MCP wizard, three OAuth modes, end-user credentials by default. What it doesn’t supply sits behind the connector: deep third-party actions, per-user identity into each system, curation, audit. Verdict: StackOne for governed, per-user depth on systems of record behind one DLP-scopable connector; Zapier for breadth-first maker pilots; Workato where the recipes already exist.
This page is for the maker building agents in Copilot Studio and the Power Platform admin who governs their environments. For Microsoft 365 Copilot and the tenant-wide governance picture, see our Microsoft Copilot MCP gateway guide.
How to add an MCP server to Copilot Studio
MCP support in Copilot Studio is generally available (announced May 29, 2025). There are three ways to attach a server, per Microsoft’s documentation (doc dated 2026-05-28):
- The onboarding wizard (recommended): agent → Tools page → Add a tool → New tool → Model Context Protocol.
- A custom connector built from an OpenAPI spec tagged `x-ms-agentic-protocol: mcp-streamable-1.0` — the pro-dev path when you need connector-level control.
- Agent 365 registration (preview) — register the server tenant-wide via the Agent 365 CLI with admin approval.
Whichever path, the same architectural fact applies: “Access to MCP servers in Copilot Studio relies on Power Platform connectors for connectivity.” The MCP server becomes a connector — which is why DLP governs it (below), and why a maker can optionally publish the MCP connector for certification to share it across tenants.
The constraints a maker hits:
- Transport: Streamable HTTP only. “Copilot Studio no longer supports SSE for MCP after August 2025” (mcp-add-existing-server-to-agent, doc dated 2026-05-28). An SSE-only or stdio-only server won’t connect at all.
- Primitives: tools and resources, not prompts (MCP’s reusable prompt templates). Server-side tool changes reflect dynamically in the agent, and generative orchestration — the agent setting that lets the model pick tools; classic orchestration can’t use MCP — is required (agent-extend-action-mcp, doc dated 2026-04-17). All tools are turned on by default when you add a server, and makers can toggle individual MCP tools off (mcp-add-components-to-agent, doc dated 2026-05-15).
- The tool budget: 128 max, 25–30 recommended. An agent with generative orchestration takes a maximum of 128 tools, Microsoft recommends 25–30 for best performance, and each child agent in multi-agent orchestration gets its own 128 budget (add-tools-custom-agent, doc dated 2026-01-29).
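An added example, not from the original page or from Microsoft or any vendor named here: a pre-flight check over an MCP `tools/list` response that compares what a server exposes by default with the 128 cap and the 25–30 recommendation, and lists which tools a maker would toggle off for a given allowlist. The tool names, the allowlist and `plan_tool_toggles` are hypothetical; `readOnlyHint` is an optional, server-supplied MCP tool annotation that this sketch assumes the server populates.

```python
import json

HARD_CAP = 128        # max tools per agent with generative orchestration (from the page)
RECOMMENDED_MAX = 30  # upper end of Microsoft's 25-30 recommendation (from the page)

# Constructed sample: a `tools/list` result from a hypothetical MCP server.
SAMPLE_TOOLS_LIST = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "hris_list_employees", "annotations": {"readOnlyHint": True}},
        {"name": "hris_get_employee", "annotations": {"readOnlyHint": True}},
        {"name": "hris_update_employee", "annotations": {"readOnlyHint": False}},
        {"name": "hris_terminate_employee", "annotations": {"destructiveHint": True}},
        {"name": "itsm_create_ticket"},  # no annotations at all
    ] + [{"name": f"crm_report_{i}", "annotations": {"readOnlyHint": True}}
         for i in range(40)]},
})


def plan_tool_toggles(tools_list_json, allowlist):
    """Build a curation plan for one MCP server attached to one agent."""
    tools = json.loads(tools_list_json)["result"]["tools"]
    names = [t["name"] for t in tools]
    keep = [n for n in names if n in allowlist]
    disable = [n for n in names if n not in allowlist]
    # Annotations are advisory hints from the server. A tool counts as read-only
    # only when the hint is explicitly true; anything else goes on the review list.
    write_capable = [
        t["name"] for t in tools
        if t["name"] in allowlist
        and not t.get("annotations", {}).get("readOnlyHint", False)
    ]
    return {
        "exposed_by_default": len(names),   # all tools are on when the server is added
        "over_hard_cap": len(names) > HARD_CAP,
        "over_recommended": len(names) > RECOMMENDED_MAX,
        "keep": keep,
        "disable": disable,                 # toggle these off on the Tools page
        "kept_within_recommended": len(keep) <= RECOMMENDED_MAX,
        "kept_write_capable": write_capable,
        "missing_from_server": sorted(set(allowlist) - set(names)),
    }


if __name__ == "__main__":
    # Hypothetical allowlist for an HR helpdesk agent.
    wanted = {"hris_list_employees", "hris_get_employee",
              "hris_update_employee", "itsm_create_ticket", "payroll_run"}
    print(json.dumps(plan_tool_toggles(SAMPLE_TOOLS_LIST, wanted), indent=2))
```

Because the hints come from the server being evaluated, the write-capable list is a starting point for review, not proof that the remaining tools are safe.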
What auth does the wizard support?
This is where most third-party servers fail the wizard. Options, per the same 2026-05-28 doc:
- None — demos only.
- API key — as a header or query parameter.
- OAuth 2.0, in three modes: Dynamic discovery (dynamic client registration against the server’s discovery endpoint — zero manual entry), Dynamic (DCR without discovery; you supply authorization and token URLs), and Manual (client ID/secret, authorization/token/refresh URLs, and scopes by hand; Copilot Studio supplies the callback URL).
OAuth is the mode that matters for business systems: it lets “individual users authenticate with the server… without sharing their credentials.”
Whose credentials do tools run with?
Per tool, the maker chooses end-user credentials — the default, which Microsoft says “ensures users only access data they’re authorized to see” — or maker-provided (shared) credentials (add-tools-custom-agent, doc dated 2026-01-29). The catch: the setting governs authentication to the MCP server. Whether the Workday call behind it runs as the user depends on whether the server carries that identity downstream.
How admins govern it, and what it costs
Because MCP rides on connectors, governance is the connector stack: “if a data policy regulates Power Platform connectors, it also regulates access to the MCP server and its tools” (mcp-add-existing-server-to-agent, doc dated 2026-05-28). Advanced Connector Policies (ACP) went GA on June 4, 2026 (design-time enforcement rolls out per maker portal, with Copilot Studio following Power Automate; runtime enforcement applies meanwhile): an allowlist model where admins block an entire MCP server like any connector, per environment or environment group. Note the granularity boundary: per-action disable applies to certified connectors — for MCP servers, Microsoft’s ACP documentation says granular control over individual tools “isn’t available” yet; blocking the whole server is what’s supported, and per-tool curation stays with the maker’s toggles. Tenant-wide, the Agent 365 Agent Tools Registry adds runtime Block/Unblock, preview BYO registration routed through the Agent 365 Tooling Gateway, and Defender advanced hunting (manage-tools-for-agent, doc dated 2026-06-04).
Licensing: agent usage runs on Copilot Credits (prepaid packs or pay-as-you-go). Microsoft 365 Copilot seats zero-rate classic answers, generative answers, and Microsoft Graph tenant grounding when agents run in Copilot Chat, Teams, or SharePoint — but tool calls, including MCP tools, still consume Copilot Credits (billing-licensing, doc dated 2026-04-27).
What Copilot Studio’s native plumbing doesn’t cover
Microsoft is explicit about where its responsibility ends: “When you connect to a non-Microsoft product, including an external MCP server, you’re responsible for the tools and resources you access” (agent-extend-action-mcp, doc dated 2026-04-17). DLP, ACP, and the Agent Tools Registry decide which servers a maker can use — a gateway is the layer those policies point at, never a replacement. The maker-level gaps:
- No supplied depth. The certified catalog is large, but the agent-grade write actions a maker actually needs — into Workday, SAP, ServiceNow — behind an MCP interface are yours to find, build, or buy.
- No curation. All MCP tools are on by default; a raw API-wrapper server dumps its entire tool list on the maker, who then hand-disables tools to crawl back under the 25–30 recommendation — per agent, forever.
- End-user credentials stop at the server. The default is right; making it true end-to-end is the server operator’s job.
- No tool-call-level audit. When the security review asks which arguments your agent sent to Workday last Tuesday, the Tools page has no answer. Purview and Defender see interactions and gateway-routed calls; argument-level history lives with whoever runs the server.
- Tool-response security is your problem. Microsoft’s guidance on indirect prompt injection and tool poisoning in MCP (April 28, 2025) recommends its own mitigations — AI Prompt Shields and spotlighting — precisely because the platform doesn’t scan a third-party server’s tool responses before they reach your agent.
What to look for in an MCP gateway for Copilot Studio
Each criterion maps to a verified Copilot Studio constraint:
| Criterion | Why it matters in Copilot Studio |
|---|---|
| Remote Streamable HTTP + a documented wizard auth mode | The wizard accepts nothing else — SSE-only gateways can’t connect — and which OAuth mode the server supports (dynamic discovery vs. manual client ID/secret) decides whether connecting is a two-minute job or a ticket to IT |
| End-user credential mode, end-to-end | The gateway must carry each user’s identity into Workday or SAP, not flatten it to a service account |
| Tool curation under the 128 cap | “All tools on by default” means a raw server dumps everything on the maker; meta-tools or admin-scoped lists land near 25–30 |
| One DLP/ACP-governable connector | Admins scope one MCP connector per environment instead of fifty |
| Depth beyond certified connectors | Agent-grade writes into HRIS, ERP, ITSM — not just reads on popular apps |
| Tool-call audit | Complements Purview and Defender hunting with which tool, which arguments, which provider call |
One economic note: agent actions consume Copilot Credits, so tools that agents select correctly the first time aren’t just a quality feature — they’re a cost feature.
The best MCP gateways for Copilot Studio, compared
Scoped to options genuinely relevant to a Copilot Studio deployment; the full 12-vendor comparison is in the hub post.
| Platform | Catalog | Curation under the 128 cap | Per-user credentials | Wizard auth mode | Pricing |
|---|---|---|---|---|---|
| StackOne | 310+ connectors / 20,000+ agent-optimized actions | Two meta-tools (search + execute) or admin-scoped action lists | End-user OAuth 2.1 linking | Verified end-to-end via the wizard’s Dynamic discovery OAuth mode | Free plan (full catalog) |
| Workato Enterprise MCP | Workato connector library | Recipe/connector selection | Verified User Access (identity inheritance) | Remote MCP; transport/OAuth mode not published | Not published |
| Zapier MCP | 9,000+ apps (automation-shaped) | App/action allowlists, manual | User’s existing Zapier connections | Remote endpoint; transport/OAuth mode not published | Included; 2 tasks per call |
| Microsoft native stack (certified connectors + ACP + Agent 365) | Certified connector catalog | Per-tool maker toggles; ACP blocks whole MCP servers | Entra-native | N/A — native connectors, not the wizard | In your licensing; usage on Copilot Credits |
1. StackOne
StackOne is the enterprise layer for AI agents to safely act on any application — 310+ managed connectors exposing 20,000+ agent-optimized actions across HRIS, ERP, CRM, and ITSM, behind one governed MCP endpoint. Against this page’s criteria: it’s a managed remote MCP endpoint with OAuth 2.1 — verified end-to-end through the wizard: its OAuth 2.1 discovery-based flow maps to the wizard’s Dynamic discovery mode, the zero-manual-entry path — and end-user OAuth 2.1 account linking means Copilot Studio’s end-user credential default holds all the way into Workday or Salesforce rather than stopping at the connector. On the 128-tool cap, the answer is structural: agents get two meta-tools, search and execute, instead of thousands of definitions (a 460× reduction versus loading every definition, with 92.8% first-try tool-selection accuracy — the leading score in our published comparison, so two tools don’t trade away precision) — or admins scope an explicit action list via connector profiles to land near Microsoft’s 25–30 recommendation. Request logs capture every call down to provider requests (exportable to Datadog or Grafana) to complement Purview, and StackOne Defender scans tool responses for prompt injection — the class of control Microsoft’s MCP security guidance says is your responsibility to add (its own recommendations: AI Prompt Shields and spotlighting). Limitation: the catalog focuses on business systems, not consumer applications — for the consumer-app long tail, Zapier’s catalog is far bigger. When a system isn’t in the catalog, the AI Connector Builder builds or extends a connector on the same engine that powers the pre-built ones, so coverage isn’t capped at what ships out of the box.
Best for: Copilot Studio agents that need governed, deep, per-user actions on systems of record.
2. Workato Enterprise MCP
Workato’s Enterprise MCP makes sense for one specific maker: the one whose company already runs Workato as its automation backbone. The Copilot Studio fit is identity — Workato’s Verified User Access has agent actions inherit the authenticated user’s identity, with RBAC and audit following automatically, which is exactly the downstream behavior Copilot Studio’s end-user credential default needs from a server to mean anything. What the agent gets is the recipes and connectors your team has already built, exposed over MCP. Two things a maker should know going in: Enterprise MCP is a capability of the wider Workato platform rather than a product you adopt on its own (buying in just for MCP means buying an enterprise automation platform), and Workato publishes neither pricing nor the transport and wizard OAuth mode its MCP servers use — so test the wizard connection before promising it to anyone.
Best for: Workato shops whose recipes already encode the business logic their Copilot Studio agents need.
3. Zapier MCP
Zapier MCP is the largest catalog in this comparison — 9,000+ apps and 30,000+ pre-built actions — behind a remote endpoint set up entirely in the browser, with any Zapier connections you already hold showing up ready to use. For a Copilot Studio pilot that’s an easy start: allowlist a few apps, approve their actions, point the wizard at it. What a maker should price in before scaling: every MCP tool call is metered at two Zapier tasks, and a chatty agent burns those on top of the Copilot Credits Microsoft meters on its side, so the same conversation is billed twice; the actions are shaped for automations — wide coverage, shallow writes — rather than for agent reasoning on a system of record; and getting from 30,000 actions down to Microsoft’s recommended 25–30 tools is hand-curation that lands on whoever owns the agent, in Zapier’s allowlists and again in Copilot Studio’s per-tool toggles.
Best for: maker pilots that need many consumer and SaaS apps quickly, on teams already paying for Zapier, at modest volumes.
Microsoft’s native stack (certified connectors + ACP + Agent 365)
The fair baseline: know what your licenses already include. A large certified Power Platform connector catalog sits inside the same governance plane; ACP blocks connectors per environment or environment group — including entire MCP servers, though per-action disable applies to certified connectors only, not yet to individual MCP tools; the Agent Tools Registry adds tenant-wide visibility and runtime Block/Unblock, with Defender hunting on gateway-routed servers (manage-tools-for-agent, doc dated 2026-06-04). What it is not: a source of MCP-grade depth. Certified connectors were designed for Power Automate flows — their action sets and descriptions weren’t shaped for agent tool selection — and BYO MCP registration is preview. Use it as the policy plane every gateway here should sit under; it isn’t the gateway itself.
Best for: every tenant — as the governance layer, alongside whichever gateway supplies the connectors.
How to connect StackOne to Copilot Studio
- Get your StackOne MCP server URL — it comes from your StackOne project; the MCP quickstart shows where, and StackOne MCP covers setup if you don’t have an account yet.
- Open your agent → Tools → Add a tool → New tool → Model Context Protocol, paste that URL as the Streamable HTTP endpoint, and choose OAuth 2.0. StackOne’s discovery-based end-user OAuth 2.1 flow maps to the wizard’s Dynamic discovery mode — zero manual entry, no client ID or secret to paste — and we’ve verified the wizard connection end-to-end.
- Once the tool is added, open its settings and keep end-user credentials (the default, set per tool after the connector exists) so each user acts as themselves.
- In StackOne, scope which actions the agent sees via connector profiles to stay near Microsoft’s 25–30-tool recommendation — or use the two meta-tools and keep the tool count constant regardless of catalog size.
- The result is a single MCP connector that DLP and Advanced Connector Policies govern like any other connector.
For the admin: the whole catalog appears as one connector in the Power Platform admin center — one DLP entry, one ACP row — while action scoping, linked accounts, and full request logs live in StackOne. For the end user: a one-time SSO sign-in through StackOne’s OAuth 2.1 end-user flow, approving which linked accounts the agent may use; after that, the agent acts as them without further prompts.
When you don’t need an MCP gateway for Copilot Studio
- One agent, one or two systems, a maker who owns it. The wizard pointed at a single vendor MCP server is simpler and cheaper.
- Everything the agent touches has a certified connector that’s deep enough. Stay native until an agent needs writes the certified catalog doesn’t carry.
- You’re still proving the use case. Connect a single managed MCP server directly, prove value, then add gateway controls when user count makes credential and tool sprawl real.
The trigger points: the first agent that needs to write to a non-Microsoft system of record, the first maker who hand-disables ninety tools to crawl back under 30 and asks if there’s a better way, and the first security review that wants to know who the agent acted as in Workday.
StackOne is the governed layer between AI agents and 310+ enterprise systems with 20,000+ agent-optimized actions — over MCP, A2A, API, and SDKs — with end-user OAuth linking, connectors you can extend, and built-in prompt-injection defense. See StackOne MCP, the full MCP gateway comparison, or how it works per system: Workday, Salesforce, ServiceNow. See pricing or book a demo.