An organization has published an MCP registry that contains only approved internal MCP servers. Developers use Copilot CLI and supported IDEs to connect MCP servers during agent workflows. The organization setting MCP servers in Copilot is enabled, and the MCP Registry URL points to the approved registry. Security reports show developers can still use MCP servers that are not listed in the registry. Which configuration change should you make first?
Choose an answer
Tap an option to check your answer.
Correct answer: Set the MCP access restriction to Registry only.
Why this is the answer
The organization has enabled MCP servers in Copilot and provided a registry URL, but developers can still use unapproved servers. This indicates that the current configuration allows connections to servers outside the registry. Setting the MCP access restriction to "Registry only" enforces that Copilot CLI and IDEs can only connect to MCP servers defined within the specified registry, preventing connections to unauthorized servers. Removing local MCP server entries from developer machines is a temporary fix that doesn't prevent developers from adding new unapproved servers. Adding repository MCP JSON for every approved server is about defining the servers, which is already handled by the registry. Disabling Copilot CLI would prevent all agent workflows, which is not the goal.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed