Understanding MCP: The Protocol Revolutionizing AI Tool Integration

Part 3 of the "From .NET to AI Engineer" series

The USB Moment for AI

Remember when every device had its own proprietary connector? Then USB came along and standardized everything. MCP is having that moment for AI.

The Model Context Protocol (MCP) is an open standard that Anthropic released in November 2024, and by late 2025, it's become the de facto way to connect AI models to external tools and data sources. OpenAI adopted it in March 2025. Google DeepMind confirmed Gemini support in April 2025. In December 2025, Anthropic donated MCP to the Linux Foundation under the newly formed Agentic AI Foundation.

For .NET developers like me, this matters enormously. We're no longer building isolated applications—we're building components in an agentic ecosystem.

What Problem Does MCP Solve?

Before MCP, every AI integration was custom:

Without MCP:
┌─────────────┐     Custom Integration     ┌─────────────┐
│   Claude    │ ←─────────────────────────→ │   Slack     │
└─────────────┘                             └─────────────┘
       ↑
       │ Different Custom Integration
       ↓
┌─────────────┐     Yet Another Custom     ┌─────────────┐
│    GPT      │ ←─────────────────────────→ │   GitHub    │
└─────────────┘                             └─────────────┘

Every model-to-tool connection required bespoke code. Want Claude to read your Slack? Write an integration. Want GPT to access GitHub? Write another integration. Scaling was painful.

With MCP:
┌─────────────┐                            ┌─────────────┐
│   Claude    │                            │   Slack     │
│    GPT      │ ←── MCP Protocol ────────→ │   GitHub    │
│   Gemini    │                            │  Database   │
└─────────────┘                            └─────────────┘
                                           MCP Servers

MCP creates a standard interface. Any model can connect to any MCP server. Build once, use everywhere.

MCP Architecture

The protocol defines three main concepts:

1. MCP Servers

Servers expose tools and resources to AI models:

// Example: A simple MCP server for database queries
import { Server } from "@modelcontextprotocol/sdk/server";

const server = new Server({
  name: "database-server",
  version: "1.0.0"
});

// Define a tool
server.setRequestHandler("tools/call", async (request) => {
  if (request.params.name === "query_database") {
    const sql = request.params.arguments.query;
    const results = await executeQuery(sql);
    return { content: [{ type: "text", text: JSON.stringify(results) }] };
  }
});

2. MCP Clients

Clients are AI applications that connect to servers. Claude Desktop, for example, is an MCP client that can connect to multiple servers simultaneously.

3. Resources and Tools

• Resources: Data the AI can read (files, database records, API responses)
• Tools: Actions the AI can perform (run queries, send messages, create files)

Building an MCP Server in C#

Yes, you can build MCP servers in .NET! Here's a simplified example:

// MCP Server for Azure DevOps work items
public class AzureDevOpsMcpServer
{
    private readonly DevOpsClient _devOpsClient;

    [McpTool("get_work_item")]
    public async Task<WorkItem> GetWorkItem(int id)
    {
        return await _devOpsClient.GetWorkItemAsync(id);
    }

    [McpTool("create_work_item")]
    public async Task<WorkItem> CreateWorkItem(
        string title,
        string description,
        string type = "Task")
    {
        return await _devOpsClient.CreateWorkItemAsync(
            title, description, type);
    }

    [McpTool("query_work_items")]
    public async Task<List<WorkItem>> QueryWorkItems(string wiql)
    {
        return await _devOpsClient.QueryAsync(wiql);
    }
}

With this server running, an AI agent could:

1. Query for bugs assigned to a developer
2. Create new tasks based on conversation
3. Update work item status

The MCP Ecosystem (2025-2026)

The growth has been explosive:

• 97M+ monthly SDK downloads across Python and TypeScript
• Thousands of community-built servers for everything from Slack to Salesforce
• Claude's Connector Directory now lists 75+ official integrations
• Enterprise adoption across finance, healthcare, and tech

Popular MCP Servers

Server	Purpose
@modelcontextprotocol/server-filesystem	Read/write local files
@modelcontextprotocol/server-github	GitHub repository access
@modelcontextprotocol/server-postgres	PostgreSQL database queries
@modelcontextprotocol/server-slack	Slack messaging
@modelcontextprotocol/server-brave-search	Web search

Security Considerations

With great power comes great responsibility. MCP opens significant attack surfaces:

Known Vulnerabilities

Research from Knostic in July 2025 found:

• No default authentication: Many MCP servers expose tool listings without auth
• Prompt injection risks: Malicious data in resources can manipulate AI behavior
• Tool shadowing: Attackers can create lookalike tools that intercept calls
• Data exfiltration: Combined tools can be chained to extract sensitive data

Security Best Practices

// Always validate and sanitize tool inputs
[McpTool("query_database")]
public async Task<QueryResult> QueryDatabase(string query)
{
    // NEVER do this:
    // return await _db.ExecuteRawSql(query);

    // DO this: Validate against allowed patterns
    if (!IsAllowedQuery(query))
        throw new SecurityException("Query not permitted");

    // Use parameterized queries
    return await _db.ExecuteParameterizedQuery(query);
}

// Implement authentication
[McpServer(RequireAuth = true)]
public class SecureMcpServer
{
    [McpTool("sensitive_operation")]
    [RequireScope("admin")]
    public async Task<Result> SensitiveOperation() { }
}

Enterprise MCP Guidelines

1. Never expose MCP servers to the public internet without authentication
2. Implement least-privilege access for each tool
3. Log all tool invocations for audit trails
4. Use content filtering on AI responses before actions
5. Rate limit tool calls to prevent abuse

MCP vs. OpenAI Function Calling vs. LangChain Tools

How does MCP compare to other approaches?

Aspect	MCP	OpenAI Functions	LangChain
Standard	Open, multi-vendor	OpenAI proprietary	Framework-specific
Discovery	Dynamic server registration	Defined at call time	Code-defined
Transport	JSON-RPC over stdio/HTTP	HTTP API	In-process
Multi-agent	Native support	Limited	Varies

My take: MCP is becoming the interoperability standard. OpenAI functions work great within OpenAI, but MCP works across the ecosystem.

Practical Example: Building an AI DevOps Assistant

Let me walk through a real scenario I'm building:

┌─────────────────────────────────────────────────────────┐
│                    Claude Desktop                        │
│                    (MCP Client)                          │
└─────────────────────┬───────────────────────────────────┘
                      │ MCP Protocol
        ┌─────────────┼─────────────┐
        ↓             ↓             ↓
┌───────────┐  ┌───────────┐  ┌───────────┐
│  Azure    │  │  GitHub   │  │  Slack    │
│  DevOps   │  │   MCP     │  │   MCP     │
│   MCP     │  │  Server   │  │  Server   │
└───────────┘  └───────────┘  └───────────┘

Conversation flow:

Me: "What bugs were filed this week that I haven't triaged?"

Claude: Uses Azure DevOps MCP to query work items "I found 3 untriaged bugs filed this week:

1. #4521 - Login timeout on slow connections
2. #4523 - PDF export missing headers
3. #4525 - Dark mode color contrast issues"

Me: "Assign #4521 to me and create a branch for it"

Claude: Uses Azure DevOps MCP to update work item Uses GitHub MCP to create branch "Done. I've assigned bug #4521 to you and created branch fix/4521-login-timeout from main."

This kind of multi-tool orchestration is what MCP enables.

The Future: Multi-Agent Collaboration

The November 2025 MCP spec update added support for:

• Asynchronous operations: Long-running tasks without blocking
• Server identity: Cryptographic verification of server authenticity
• Agent-to-agent communication: Multiple AI agents coordinating via MCP

By 2026, we're seeing "agent squads"—specialized agents working together:

┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│   Diagnosis  │───→│  Remediation │───→│  Validation  │
│    Agent     │    │    Agent     │    │    Agent     │
└──────────────┘    └──────────────┘    └──────────────┘

Each agent has its own MCP connections and specialization.

---

Key Takeaways

• MCP is the emerging standard for AI-to-tool integration—learn it now
• SDKs exist for TypeScript, Python, and yes, .NET
• Security is a real concern; never expose MCP servers without proper auth
• The protocol enables multi-agent orchestration that wasn't possible before
• Enterprise adoption is accelerating; understanding MCP will be essential for AI engineers

---

Next up: The Agentic AI landscape and what it means for Azure/.NET developers building the next generation of intelligent applications.