MCP Enterprise-Managed Authorization Reaches Stable: Okta, Anthropic, and VS Code Adopt Zero-Touch OAuth for AI Connectors

by Pondero Newsdesk

The short version

The Enterprise-Managed Authorization extension to the Model Context Protocol went stable on June 18, 2026, letting enterprise IT admins provision MCP server access once through their identity provider so employees inherit it on first login.

The Enterprise-Managed Authorization (EMA) extension to the Model Context Protocol went stable on June 18, 2026, removing the per-server OAuth consent flow that had slowed MCP adoption in corporate environments. Okta is the first supported identity provider, and both Anthropic's Claude products and Visual Studio Code shipped client implementations the same day.

What happened

The MCP specification team published the EMA extension on June 18 as a stable release, per the MCP official blog. The extension addresses a friction point that enterprise teams had consistently flagged: before EMA, every employee had to authorize each MCP server individually. There was no central policy enforcement, no unified audit trail, and no way to require a corporate identity rather than a personal one.

EMA flips that model. Administrators define access policy once inside their identity provider. When a user signs in, the client exchanges an Identity Assertion JWT Authorization Grant (ID-JAG) for a resource-scoped token from each MCP server's authorization server. No per-server consent screen appears. Access is scoped automatically to the groups and roles the user already holds in the identity provider.
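The authorization server's side of that exchange, as an added example that is not taken from the MCP specification or any vendor's code: the policy checks it would run on an ID-JAG before issuing a resource-scoped token. The `typ` value and claim names are assumed from the IETF ID-JAG draft, signature verification against the identity provider's keys is assumed to have happened already, and every hostname and identifier is constructed.

```python
import time

# Header type for an ID-JAG, assumed from the IETF draft (not stated in the article).
ID_JAG_TYP = "oauth-id-jag+jwt"

class GrantRejected(Exception):
    """Raised when an ID-JAG must not be exchanged for an access token."""

def validate_id_jag(header, claims, *, trusted_idps, as_issuer, client_id, seen_jti, now=None):
    """Policy checks on an ID-JAG whose signature was ALREADY verified
    against the IdP's published keys (that step is assumed, not shown)."""
    now = time.time() if now is None else now
    if header.get("typ") != ID_JAG_TYP:
        raise GrantRejected("typ")        # e.g. an ID token presented as a grant
    if claims.get("iss") not in trusted_idps:
        raise GrantRejected("iss")        # not the enterprise identity provider
    if claims.get("aud") != as_issuer:
        raise GrantRejected("aud")        # minted for a different MCP server
    if claims.get("client_id") != client_id:
        raise GrantRejected("client_id")  # grant was issued to another client
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise GrantRejected("exp")        # missing or expired
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise GrantRejected("jti")        # missing or replayed
    if not claims.get("sub"):
        raise GrantRejected("sub")
    seen_jti.add(jti)                     # remember the grant so it is single-use
    return {"sub": claims["sub"], "scope": claims.get("scope", "")}

def outcome(header, claims, **kw):
    """Return 'ok' or the name of the failed check, suitable for an audit log."""
    try:
        validate_id_jag(header, claims, **kw)
        return "ok"
    except GrantRejected as exc:
        return str(exc)

# Constructed sample values; every hostname and identifier below is made up.
NOW = 1_800_000_000
CTX = dict(trusted_idps={"https://idp.example.com"},
           as_issuer="https://auth.mcp-server.example", client_id="mcp-client-1", now=NOW)
HEADER = {"alg": "RS256", "typ": ID_JAG_TYP}
CLAIMS = {"iss": "https://idp.example.com", "sub": "user-42",
          "aud": "https://auth.mcp-server.example", "client_id": "mcp-client-1",
          "jti": "a1", "exp": NOW + 120, "scope": "issues.read"}
```

The audience and `client_id` checks are what keep a grant issued for one MCP server or client from being accepted by another, and the `jti` set makes each grant single-use.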

Okta is the first identity provider to support the extension, using its Cross-App Access (XAA) protocol. Additional providers are expected but not yet named.

Seven MCP servers shipped EMA support at launch: Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase, per the MCP blog post. Slack is actively adding support and was not in the initial seven.

On the client side, Anthropic implemented EMA across its shared MCP layer, meaning administrators can authorize servers for users in Claude, Claude Code, and Claude Cowork through a single admin action. EMA for Claude is in beta for Team and Enterprise plan subscribers. Visual Studio Code v1.123 also shipped the extension under its enterprise-managed MCP authentication preview, per the VS Code release notes, allowing organizations using Entra ID, Okta, or Auth0 to authenticate once and have VS Code mint per-resource tokens for each MCP server on the user's behalf.

Why it matters

Enterprise MCP deployment has faced a structural problem since the protocol launched. The standard authorization model was built for individual users making their own access decisions, not for IT teams rolling out dozens of connectors to thousands of employees. The result was ad-hoc workarounds, inconsistent security posture, and slow adoption numbers in corporate environments.

EMA provides three concrete improvements over the old model, as described in the MCP specification. First, centralized policy: access decisions live in the identity provider admin console rather than scattered across individual user sessions. Second, a single audit trail: every grant and revocation is recorded in one place. Third, a clean separation between personal and enterprise accounts: EMA removes the interactive account selection step where a user might accidentally connect a personal service account to a work tool.

Aaron Parecki, Director of Identity Standards at Okta, framed the release as making identity a "centralized governance plane" with "strict compliance control," per the MCP blog post. That is a vendor self-claim, not an independent audit finding.

For enterprise AI tool buyers, the practical question is procurement and rollout speed. Before EMA, deploying MCP broadly required either accepting a self-service model with no central oversight or building bespoke tooling to manage tokens at scale. EMA provides a standards-based path that hooks into existing identity infrastructure most enterprises already run.

The seven-server launch set is modest relative to the full MCP server catalog, but it covers widely used project management and design tools. Asana, Atlassian, Figma, and Linear together cover a large share of engineering and product workflows.

Context and reactions

The MCP protocol, originally released by Anthropic in late 2024, has grown substantially. The EMA extension itself is the work of the broader MCP community, including the authors of SEP-990 and the maintainers of the ext-auth repository, and reflects the Linux Foundation's stewardship of the protocol.

Tom Moor, Head of Engineering at Linear, described the experience in the MCP blog post: "Logging in once and automatically having all your MCP connectors automatically setup is pretty magical." Devdatta Akhawe, VP of Engineering at Figma, cited XAA as making it easier for enterprises "to scale their MCP deployments securely without slowing teams down." Both statements are vendor-attributed.

With Microsoft's adoption on the VS Code side, both major Claude clients and Microsoft's primary developer tool shipped the same identity extension in the same week. That alignment across competing clients on day one is a stronger signal than any single vendor's adoption.

The timing coincides with a broader enterprise push by Anthropic. The company extended Claude access to KPMG's 276,000 employees in May 2026 and has been signing large-scale enterprise agreements throughout the first half of the year. EMA gives those deployments a practical mechanism for rolling out MCP connectors at workforce scale without burdening employees with repeated authentication steps.

What to watch next

Three milestones will indicate whether EMA gains real traction. First, which identity providers follow Okta. Microsoft Entra ID is the most obvious candidate given VS Code's existing EMA client support. Second, growth in the server count beyond the current seven. Slack's active work to add support suggests the list will expand in weeks rather than months. Third, the beta-to-GA transition for Claude Team and Enterprise. Anthropic has not published a timeline for lifting the beta gate, but that transition will determine how broadly the feature can be deployed across existing Claude enterprise accounts.

The ext-auth repository and the EMA Interest Group at modelcontextprotocol.io are the places to watch for specification updates and new adopter announcements.
