Less than two weeks after ERP Today covered Microsoft’s move to connect Dynamics 365 Field Service and Project Operations, the next layer of Microsoft’s ERP strategy was announced: governed access for AI agents inside Finance and Operations.
The earlier update dealt with operational integration, linking field service execution to project financials, inventory, costing, billing, and finance. The more recent Dynamics 365 ERP Model Context Protocol (MCP) server updates point to a broader architectural shift. Microsoft is giving agents a controlled way to work with ERP data, forms, and business logic under the same security boundaries that govern human users.
Microsoft Learn says the earlier static “Dynamics 365 ERP MCP” server will retire in calendar 2026. Microsoft is directing customers to the newer dynamic server, which exposes data tools, form tools, and action tools for Finance and Operations apps while requiring supported product versions, feature enablement, and configuration through the Allowed MCP Clients page.
The result is a more direct path from ERP integration to ERP automation. Microsoft is not only connecting business processes across Dynamics 365 applications; it is also creating a governed tool layer that lets agents act on those processes with role-based permissions, Entra ID registration, and administrative control over which agent platforms can connect.
Dynamic Tools Expand Agent Access
The Dynamics 365 ERP MCP server exposes three tool categories: data tools, form tools, and action tools.
Data tools let agents create, read, update, and delete records through data entities. Microsoft’s 10.0.47 platform update lists Data tools for Dynamics 365 ERP MCP as enabled by default, giving agents a more direct route to standard ERP data operations.
Form tools let agents work through application pages using server APIs and the application view model, rather than opening a live client session. The agent can open forms, set field values, filter grids, save records, and select available actions in a way that follows the same business logic exposed through the application.
Action tools let developers expose selected finance and operations code to agents through Microsoft’s AI tool framework. That gives organizations a path to make specific ERP business logic callable without relying only on generic data access or form interaction.
The result is a broader agent foundation for Dynamics 365 ERP. Microsoft’s said developers can build agents that work with data and perform nearly any function available to users through the application interface, without custom code, connectors, or one-off APIs.
Analysis
What this means: Agentic ERP needs governed tool access. Microsoft’s dynamic ERP MCP server gives agents a standardized route into ERP data, forms, and business logic while keeping execution inside role-based permissions. This makes controlled tool access a foundation for AI agents inside systems of record.
Security Defines the Agent Boundary
Microsoft built the server around the authenticated user’s security context.
The MCP server updates the context it gives the agent based on security permissions, application configuration, extensions, and personalization. If the agent operates under a purchasing role, it sees only the menu items, forms, entities, APIs, fields, and actions available to that role. Explicit calls to objects outside the role are rejected.
That design keeps agent execution inside the ERP permission model. An agent does not receive unrestricted system access just because it can call MCP tools. It inherits the boundaries of the user or agent identity assigned to it.
The allowlist model adds another control layer. Administrators decide which agent platforms can connect to the ERP MCP server, and non-default platforms must be registered through Entra ID before access is granted.
Analysis
What this means: Security and allowlisting move into the agent deployment path. Entra ID registration, Allowed MCP Clients, user-role filtering, and rejected unauthorized calls turn agent access into an administrative control point. Agent rollout now requires decisions about which platforms can connect, what permissions they inherit, and how actions are monitored.
Sponsor Industry‑Grade Research
SQL-Based Data Tools Improve Agent Retrieval
Microsoft is also improving how agents query ERP data.
A Dynamics 365 release plan item says MCP data tools are moving from OData toward SQL-based queries. Microsoft said OData limitations around aggregations and query operators can leave too much aggregation work to the LLM. SQL-based retrieval supports additional data operators and improves performance and response quality.
The MCP documentation also lists a data_find_entities_sql tool that replaces the earlier OData-based data_find_entities tool in version 10.0.48 of Finance and Operations apps. Microsoft seems to be pushing more deterministic data retrieval into the tool layer so agents do not have to infer, calculate, or aggregate too much from loose prompts.
Azure API Management Extends the Governance Layer
The Dynamics 365 ERP MCP server sits inside a broader Microsoft architecture for governing agent tools.
Microsoft’s Azure API Management (APIM) documentation says APIM can expose and govern MCP servers, including servers created from REST APIs and existing MCP-compatible servers. APIM policies can control access, authentication, authorization, rate limits, quotas, caching, and IP filtering. Monitoring can run through Azure Monitor and Application Insights.
Azure API Center adds the discovery layer. Microsoft said organizations can use API Center to register and discover MCP servers, including servers exposed in APIM and servers hosted elsewhere.
Microsoft has also extended content safety checks to MCP tools and Agent-to-Agent APIs managed in APIM. That brings tool execution and agent-to-agent communication closer to the same governance model already used for APIs and AI endpoints.
Analysis
What this means: MCP governance is becoming part of integration architecture. Azure APIM and API Center extend the story beyond Dynamics 365 by creating a governance and discovery layer for MCP servers, APIs, tools, and A2A interactions. ERP AI projects will increasingly depend on API catalogs, policy enforcement, telemetry, and content safety controls.
