Enterprise and organization administrators can now configure MCP registries and test allowlist enforcement in VS Code Insiders, preparing for the rollout across all Copilot environments.

Understanding MCP registries and allowlists

An MCP registry is a catalog of MCP servers. GitHub administrators can upload a URL for an internal registry in their enterprise or organization’s Copilot policies page. The registry serves two purposes:

  • Discovery: It makes approved MCP servers visible and easily installable in MCP-compatible Copilot host applications (like Copilot in VS Code).
  • Allowlisting: When combined with the Registry only policy, it prevents any usage of MCP servers (at runtime) that are not defined in the internal registry.

Think of the uploaded registry as a recommended vendor list, while the allowlist policy determines whether that list is strictly enforced or simply recommended.

Setting up your registry

You can host your MCP registry using a couple of approaches:

  • Azure API Center: You can use Microsoft’s managed Azure API Center service for dynamic registry management with enterprise MCP governance features.
  • Static hosting: You can serve a JSON file following the official MCP registry specification. This could be hosted on GitHub Pages, S3, or any HTTPS endpoint. Any endpoint that returns a specification-compliant MCP registry JSON response will work.

Current availability

VS Code Insiders currently have the full experience available:

  • Registry servers appear in the MCP servers sidebar panel.
  • Registry only policy actively blocks servers that aren’t on the registry at runtime.

VS Code Stable users have a partial experience available:

  • Registry servers appear in the MCP servers sidebar panel.
  • No strict enforcement yet — all servers can run regardless of the policy setting.

This phased rollout lets you configure and test your registry now while most of your developers can continue working uninterrupted in their preferred Copilot editor.

Policy options

When configuring your MCP access policy, you have two choices:

  • Allow all (default): Your registry servers appear as recommendations, but developers can use any MCP server.
  • Registry only: Developers can only use servers listed in your registry — all others are blocked with a clear policy message.

Currently, local server enforcement only validates against server IDs. This is a known limitation. In October, we’ll add stricter configuration matching that verifies command paths, arguments, and environment variables for enhanced security.

Rollout timeline

  • Available now: VS Code Insiders supports full registry display and enforcement, VS Code Stable supports registry display only.
  • October: VS Code Stable and Visual Studio will have enforcement and enhanced local server configuration matching.
  • October-November: Copilot Coding Agent, JetBrains, Eclipse and Xcode registry and allowlist integration

Getting started

This feature is available exclusively for Copilot Business and Copilot Enterprise customers. Enterprise policies override organization policies for users with multiple seats. You can begin testing in VS Code Insiders now to validate your registry and allowlist configuration before this policy is supported on all Copilot environments.

For setup instructions and registry format specifications, see Configure MCP server access for your organization or enterprise.