April 8th, 2026
compellinglikeheart5 reactions

Introducing SQL MCP Server

Jerry Nixon
Principal Program Manager

SQL MCP Server gives enterprises a secure, feature-rich way to enable agents to access data. This is accomplished without exposing the schema, risking consistency, or relying on fragile natural language parsing. SQL MCP Server is a feature of Data API builder, so deployments have a proven entity abstraction system, RBAC security at the API layer with Azure Key Vault integration, custom OAuth and Microsoft Entra support, first-level and second-level caching with integration with Redis and Azure Managed Redis, and complete instrumentation and telemetry with integration with Azure Log Analytics, Application Insights, and OpenTelemetry.

Learn more: https://aka.ms/sql/mcp

Like an elite guard dog at your SQL door

SQL MCP Server Topology

It supports hybrid queries and multiple data sources across Microsoft SQL, PostgreSQL, Azure Cosmos DB, and MySQL. Data API builder (DAB) 2.0 provides a production-ready surface for REST, GraphQL, and MCP with automatic configuration, native integration with Microsoft Foundry, a first-class query builder, and developer tooling like dedicated VS Code extensions, built-in REST and GraphQL tools, and a cross-platform CLI.

SQL MCP Server is a simple MCR container that requires a JSON configuration file. It is a zero-code solution that reduces friction, dependencies, and entire blocks of repetitive, error-prone CRUD code from line-of-business applications, custom websites, tailored mobile apps, and AI agents.

Fine print worth reading

Best of all, SQL MCP Server is open source and free. It runs in any cloud, including on-premises. It was built, managed, and is maintained by Microsoft as the prescriptive approach to expose enterprise databases to applications and agents in a secure, feature-rich way, with no language or framework requirements and no drivers or libraries to install.

Data API builder (DAB) Logo

Model Context Protocol (MCP)

Model Context Protocol (MCP) is a standard that defines how AI agents discover and call external tools. A tool is a single operation, such as creating a record or reading data. Each tool describes its inputs, outputs, and behavior. MCP provides a predictable way for agents to discover and use capabilities.

Standards-based

SQL MCP Server implements MCP protocol version 2025-06-18 as a fixed default. It supports two transports: streamable HTTP for standard hosting scenarios and stdio for local or CLI scenarios. During initialization, the server advertises tool and logging capabilities and returns server metadata so agents can understand the server’s intent.

Agentic use cases

Enterprises are looking for agentic solutions that take security, performance, scale, and exposure seriously. SQL MCP Server was built to solve the problems in the gap between AI agents and production data. It has a considerable breadth of potential applications. Here are a few:

  • Allow copilots or chatbots to perform safe CRUD operations
  • Build internal automations without writing SQL
  • Add agent capabilities without exposing the database directly
  • Interoperate with multiple databases, one on-premises and one in the cloud
  • Integrate an agent into a REST-based line-of-business application

The multimodal use case for Data API builder is one of its key differentiators. Combined with its multi-data-source capabilities and broad suite of integrations, the engine stands out as a cornerstone of the Azure Data developer story.

Complex SQL MCP Server

Endpoints

Data API builder (DAB) supports REST, GraphQL, and MCP endpoints in any combination. In the diagram above, DAB exposes both REST and MCP at the same time, exposing the same rich data access through both protocols.

MCP for Microsoft SQL

SQL MCP Server is Microsoft’s dynamic, open-source engine for agentic apps accessing SQL. It exposes data operations as a small family of MCP tools so agents can interact with database entities through a controlled contract. The server is self-hosted but, for developers, it can also run locally through the DAB command line. You configure it with a JSON file that defines:

  1. How to connect to your database
  2. Which tables, views, or stored procedures to expose
  3. The permissions that apply to each object

Configuration snapshot

The DAB CLI can create, configure, and run SQL MCP Server in three easy commands: init, add, and start. Here’s a simplified example to illustrate how you can get started.

dab init 
    --database-type mssql 
    --connection-string "@env('sql_connection_string')"

dab add Customers
    --source dbo.Customers
    --permissions "anonymous:*"

dab start

Read the docs: SQL MCP Server

Configuration secrets

Configuration property values can use literal strings, environment variables, or Azure Key Vault secrets.

Secure your schema

Data API builder uses a well-defined entity abstraction layer that lists all tables, views, and stored procedures exposed through the API in the configuration. This layer lets you alias names and columns, describe objects and parameters, and limit which fields are available to different roles.

Role-based security

Data API builder (DAB) is role-aware and only exposes the entities and operations that the current role is permitted to access.

Because SQL MCP Server is a feature of Data API builder, it also uses this abstraction layer. This approach prevents the internal schema from being exposed to external consumers and allows you to define complex, and even cross-data-source, families of objects and relationships at the API layer.

Automatic configuration

In some cases, a schema-driven API is enough. It simplifies getting started and reduces configuration complexity. Auto-config, introduced in 2.0, allows enterprises that are comfortable with limited abstraction to run without a static config file. Instead, the system inspects the database each time the stateless container starts and builds the configuration dynamically.

This gives flexibility for rapid setup and changing schemas, while still allowing other enterprises to define a more controlled, abstracted configuration when they need stronger boundaries and protection.

Read the docs: DAB auto-configuration

Support for DDL

DDL (Data Definition Language) is the database language used to create and alter objects such as tables and views. SQL MCP Server is built around DML (Data Manipulation Language), the database language used to create, read, update, and delete data in existing tables and views. DML also covers the execution of stored procedures. As a result, SQL MCP Server is designed to work with data, not schema. This design aligns with production MCP use cases where AI agents interact with mission-critical or business-sensitive systems.

Visual Studio Code

To modify schema during local development, you can use the Microsoft SQL Server (MSSQL) extension in Visual Studio Code, which provides comprehensive DDL support.

Support for DML

SQL Model Context Protocol (MCP) Server exposes seven Data Manipulation Language (DML) tools to AI agents. These tools provide a typed CRUD surface for database operations, creating, reading, updating, and deleting records, aggregating data, and executing stored procedures. All tools respect role-based access control (RBAC), entity permissions, and policies defined in your configuration.

DML (Data Manipulation Language) tools handle data operations, creating, reading, updating, and deleting records, aggregating data, and executing stored procedures. Unlike DDL (Data Definition Language), which modifies schema, DML works exclusively on the data plane in existing tables and views.

  • describe_entities – Discovers available entities and operations
  • create_record – Inserts new rows from a table or view
  • read_records – Queries tables and views
  • update_record – Modifies existing rows from a table or view
  • delete_record – Removes rows from a table or view
  • execute_entity – Runs stored procedures
  • aggregate_records – Performs aggregation queries

The context window is the agent’s thinking space. When too many tools are exposed, that space fills with tool definitions instead of reasoning. SQL MCP Server avoids this by using a fixed, small set of tools, regardless of database size. This keeps the context focused so the agent can think first and access data second. Each tool can still be configured independently in the configuration file, letting you control behavior without expanding the surface area.

"runtime": {
  "mcp": {
    "enabled": true,              // default: true
    "path": "/mcp",               // default: /mcp
    "dml-tools": {
      "describe-entities": true,  // default: true
      "create-record": true,      // default: true
      "read-records": true,       // default: true
      "update-record": true,      // default: true
      "delete-record": true,      // default: true
      "execute-entity": true,     // default: true
      "aggregate-records": true   // default: true
    }
  }
}

Set dml-tools to true or false to enable or disable all tools, or use an object with per-tool toggles.

Custom tools

Some enterprises will want to create a specific MCP experience with tailored tools instead of a generic family. Turning off built-in DML tools is available to every customer. SQL MCP Server supports this scenario, too. Promoting stored procedures in your database as custom tools lets you fine-tune the agentic experience through routines that encapsulate business processes, workflows, and specialized validation. Custom tools allow you to configure and create a bespoke MCP surface area, helping guide agents toward real success.

Solving NL2SQL

SQL MCP Server takes a different approach from many of the short-sighted database MCP servers available today. A key example is that SQL MCP Server intentionally doesn’t support NL2SQL.

Why? Models aren’t deterministic, and complex queries are the most likely to produce subtle errors. These complex queries are often the ones users hope AI can generate, yet they are also the ones that require the most scrutiny when produced in a nondeterministic way.

Determinism

Deterministic means the same input always produces the same output. There is no randomness or variation across calls, which makes results predictable, testable, and safe to automate.

Instead, SQL MCP Server supports what might be called an NL2DAB model. This approach uses the secure Data API builder entity abstraction layer and the built-in DAB Query Builder. Together, they produce accurate, well-formed Transact-SQL (T-SQL) in a fully deterministic way. This approach removes the risk, overhead, and nuisance associated with NL2SQL while preserving safety and reliability for agent-generated queries.

Support for RBAC

Authorization scope

Role-based constraints apply at every step of agent interaction.

SQL MCP Server benefits from the same proven role-based access control (RBAC) system used throughout Data API builder. Each entity in your configuration defines which roles may read, create, update, or delete data, and which fields are included or excluded for those roles. These rules apply automatically to every MCP tool, ensuring security remains consistent across REST, GraphQL, and MCP with no extra configuration required.

Support for caching

SQL MCP Server automatically caches results from the read_records tool. Caching in Data API builder is enabled globally, and you can configure it per entity. Both level 1 and level 2 caching help reduce database load, prevent request stampedes, and support warm-start scenarios in horizontally scaled environments.

Caching SQL MCP Server

Support for monitoring

SQL MCP Server emits logs and telemetry that let enterprises monitor and validate activity from a single pane of glass. This capability includes Azure Log Analytics, Application Insights, and local file logs inside a container.
SQL MCP Server Monitoring

Health checks

SQL MCP Server provides a detailed health report and entity health checks across REST, GraphQL, and MCP endpoints. Data API builder Health lets developers define performance expectations, set thresholds, and verify that each endpoint is functioning as expected.

Semantic Guidance

Descriptions are semantic metadata that help AI agents understand your SQL Model Context Protocol (MCP) Server database schema. When you add descriptions to entities, fields, and parameters, language models make better decisions about which data to query and how to use it. This article shows how to add descriptions at every level using the Data API builder CLI, improving AI agent accuracy and tool discovery.

Agentic consumption

AI agents rely on context to understand your data. Without descriptions, an agent only sees technical names like ProductID or dbo.Orders. With descriptions, the agent understands that ProductID is “Unique identifier for each product in the catalog” and dbo.Orders contains “Customer purchase orders with line items and shipping details.”

Why descriptions?

  • Tool discovery – Agents find the right entities faster
  • Query accuracy – Agents build better queries with proper context
  • Parameter usage – Agents supply correct values to stored procedures
  • Field selection – Agents return only relevant fields

Start here

Over and over, you can see how SQL MCP Server elevates how agents work with data. Replacing fragile queries and unpredictable results, it establishes a controlled, deterministic surface built on proven patterns. Defining the contract once, every agent interaction follows it with precision. This means safer systems, simpler architecture, and a clear path to scaling agentic solutions without compromising your data.

Get Started with SQL MCP Server

Category

Author

Jerry Nixon
Jerry Nixon
Principal Program Manager

SQL Server Developer Experience Program Manager for Data API builder.

2 comments

Sort by :

Read next