
Add documentation about Entra limitations preventing service principal OBO as captured in issue #2192. #2196

Open
vukelich wants to merge 1 commit into main from users/vukelich/spobodocs

Conversation

@vukelich (Member)

What does this PR do?

No functional changes. This PR adds clear documentation to reference #2192. The Entra limitations are a potential unintuitive pitfall for self-hosting remote MCP users, so we should provide transparent warnings and suggestions to users.

GitHub issue number?

References without fixing #2192

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Copilot AI (Contributor) left a comment


Pull request overview

This PR documents a Microsoft Entra ID limitation affecting Azure MCP Server’s UseOnBehalfOf outgoing auth strategy when callers use application-only tokens (service principals / managed identities), referencing issue #2192 to help remote/self-hosting scenarios avoid a common pitfall.

Changes:

  • Adds consistent warnings across Azure MCP Server docs that OBO requires delegated (user) tokens and does not work with app-only callers.
  • Adds troubleshooting guidance for the AADSTS7000114 error.
  • Adds in-code XML documentation noting the OBO limitation for maintainers.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • servers/Azure.Mcp.Server/docs/new-command.md: Adds an OBO limitation note in remote server/auth strategy guidance.
  • servers/Azure.Mcp.Server/docs/azmcp-commands.md: Expands --outgoing-auth-strategy UseOnBehalfOf docs with an OBO limitation warning and issue link.
  • servers/Azure.Mcp.Server/azd-templates/README.md: Adds a note warning that OBO requires delegated tokens for the OBO azd template.
  • servers/Azure.Mcp.Server/TROUBLESHOOTING.md: Adds a dedicated troubleshooting section for AADSTS7000114 with explanation and link to #2192.
  • docs/Authentication.md: Updates supported auth matrix and adds a warning block explaining why Application + OBO is unsupported.
  • core/Microsoft.Mcp.Core/src/Services/Azure/Authentication/HttpOnBehalfOfTokenCredentialProvider.cs: Adds XML docs describing the OBO delegated-token requirement and expected failure mode for app-only callers.
  • core/Microsoft.Mcp.Core/src/Areas/Server/Options/OutgoingAuthStrategy.cs: Adds XML remarks documenting the OBO delegated-token requirement on the enum value.
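The limitation the PR description and the review summary describe (Entra refuses the on-behalf-of exchange when the incoming assertion is an application-only token, failing with AADSTS7000114) can be caught before the round trip to Entra by inspecting the already-validated incoming token's claims. The Python below is an added illustration of that pre-check and of the shape of the OBO exchange request; it is not code from the Azure MCP Server repository. It assumes the server has already verified the incoming token's signature (the decoder here deliberately does no verification), that the `idtyp` optional claim may or may not be configured on the API's app registration (so it falls back to the `scp`/`roles` heuristic), and it uses constructed, unsigned sample tokens, a placeholder client id and a placeholder secret rather than real credentials.

```python
import base64
import json

# Grant type and token-use marker used by the Entra v2.0 OBO exchange.
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
OBO_TOKEN_USE = "on_behalf_of"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') as sample input.
    Real Entra access tokens are RS256-signed; this only exists so the
    example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""))


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT validating the signature.
    Only call this on a token the server has already authenticated;
    this is a classification step, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def is_app_only_token(claims: dict) -> bool:
    """True when the token was issued to an application identity
    (service principal or managed identity) rather than to a user.
    Entra sets idtyp='app' when that optional claim is configured; otherwise
    an app-only token has no 'scp' (delegated scopes) and carries 'roles'
    (application permissions) instead."""
    if claims.get("idtyp") == "app":
        return True
    return "scp" not in claims and "roles" in claims


def check_obo_eligibility(token: str) -> tuple:
    """Return (eligible, reason) for using this token as an OBO assertion."""
    claims = decode_claims(token)
    if is_app_only_token(claims):
        return (False,
                "incoming token is app-only (no delegated user); Entra rejects "
                "OBO for application identities with AADSTS7000114. Send a "
                "delegated user token or choose an outgoing auth strategy "
                "other than UseOnBehalfOf.")
    return (True, "delegated token; OBO exchange is eligible")


def build_obo_request(token: str, client_id: str, client_secret: str, scope: str) -> dict:
    """Form body for POST {tenant}/oauth2/v2.0/token in the OBO flow.
    Fails fast, before any network call, when the assertion cannot satisfy OBO."""
    eligible, reason = check_obo_eligibility(token)
    if not eligible:
        raise PermissionError(reason)
    return {
        "grant_type": OBO_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": token,
        "scope": scope,
        "requested_token_use": OBO_TOKEN_USE,
    }


# Constructed sample claims (hypothetical ids, not real tenants or apps).
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "api://example-mcp-server", "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222", "upn": "user@contoso.example",
    "scp": "access_as_user",
})
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "api://example-mcp-server", "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "33333333-3333-3333-3333-333333333333", "idtyp": "app",
    "roles": ["Mcp.Access"],
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, check_obo_eligibility(tok))
```

The classification only looks at claims because the assertion is what Entra evaluates: a managed identity or service principal caller presents a token with application permissions (`roles`) and no signed-in user, so there is no user context to act "on behalf of" and the exchange fails regardless of how the MCP server is configured. Rejecting locally gives the self-hosting operator the actionable message the PR adds to the troubleshooting docs instead of an opaque token-endpoint error.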


Labels: None yet

Projects: Status: Untriaged


2 participants