Feature Request - MCP Server Whitelist for GitHub Copilot Enterprise

[ajayrathi2004]

Select Topic Area

General

Copilot Feature Area

Copilot Enterprise

Body

Subject: Feature Request - MCP Server Whitelist for GitHub Copilot Enterprise

Hello GitHub Team,

I would like to request enhanced admin controls for MCP (Model Context Protocol) server management.

The Problem with Current MCP Access:
Enabling MCP servers generally creates several enterprise security concerns:

1. Unrestricted External Access: Users can potentially connect to any MCP server on the internet, including unknown or malicious ones
2. Data Exposure Risk: MCP servers can access code context, conversations, and potentially sensitive information
3. Compliance Issues: Many organizations require approval processes for external integrations that handle code/data
4. No Audit Trail: Admins cannot track which MCP servers users are connecting to
5. Unvetted Third-Party Code: MCP servers may execute untested code or make unauthorized API calls

Current Limited Options:
GitHub Copilot Enterprise currently offers only:

• Enable all MCP servers: Opens security risks by allowing connections to any MCP server
• Disable all MCP servers: Blocks valuable legitimate integrations (internal tools, approved APIs, trusted services)

Feature Request - MCP Server Whitelist:
Enterprise administrators need the ability to configure an approved list of MCP servers that balances security with functionality:

• **Admin-controlled allowlist **: Specify which MCP server URLs/identifiers are permitted
• Default deny policy: Automatically block connections to non-whitelisted MCP servers
• Enterprise-wide enforcement: Apply policy across all users in the organization
• User-friendly messaging: Clear error messages when users attempt to use non-approved servers

Why This Matters:
This granular control would enable organizations to:

• Leverage trusted MCP integrations (internal documentation systems, approved APIs, vetted tools)
• Maintain security posture by preventing unauthorized external connections
• Meet compliance requirements for third-party integrations
• Safely scale Copilot adoption across enterprise environments

Currently, many enterprise teams must disable MCP functionality entirely due to the all-or-nothing security model, which significantly limits Copilot's potential value.

Thank you for considering this enhancement.

[zonar-shae-kuronen]

This might work, checking now...

https://docs.github.com/en/copilot/how-tos/administer-copilot/configure-mcp-server-access#setting-up-an-mcp-registry