2025.48 Infrastructure Changes
Changes on Application environment
| Change | Name | Default | Example | Required | Applications | Short Description |
|---|---|---|---|---|---|---|
| Added | | unset | | No | | Used together with existing |
| Added | FEATURE_FLAG_ENABLE_MCP_UN_11963 | | true | No | web-app-chat, web-app-admin, web-app-knowledge-upload, web-app-theme, backend-service-chat | Enable MCP in admin and chat. Requires |
| Added | FEATURE_FLAG_ENABLE_MCP_ADMIN_UN_14099 | | true | No | web-app-chat, web-app-admin, web-app-knowledge-upload, web-app-theme, backend-service-chat | Enable MCP in admin and chat. Requires |
| Added | MCP_POLICY_MODE | | Possible values: STRICT, PATTERN, UNRESTRICTED | No | backend-service-chat | These settings configure the backend's MCP Policy Engine, which controls which MCP servers/endpoints the platform is allowed to connect to. See Backend Configuration (Chat Service) below. |
| Added | MCP_ALLOWED_ENDPOINTS | | Examples: *.unique.app, mcp.*.com | No | backend-service-chat | Defines the allowed endpoints for MCP servers. |
| Added | MCP_DENIED_ENDPOINTS | | Specific URLs to deny | No | backend-service-chat | Defines the denied endpoints for MCP servers. |
Changes on Infrastructure
User Code Execution
The Workload Identity of backend-service-chat must be granted a role that includes the data action Microsoft.CognitiveServices/*. It is recommended to grant the AzureRM built-in role Cognitive Services User.
To avoid downtime, grant the new role before rolling out release 2025.48 without revoking the old assignment; once the new release is rolled out, any older role assignment can be revoked.
About the /*: at the time of publication of these release notes, Microsoft does not provide documentation or references on which roles, exact role definitions or (data) actions are needed to run the code interpreter features.
Admin MCP (Beta)
To enable the MCP Beta feature across all frontend applications, the following environment variables must be set to true in web-app-chat, web-app-admin, web-app-knowledge-upload and web-app-theme. These flags activate both the MCP user experience and the new MCP Admin capabilities.
FEATURE_FLAG_ENABLE_MCP_UN_11963=true
FEATURE_FLAG_ENABLE_MCP_ADMIN_UN_14099=true
Required Permissions
To access and use the MCP Connector Admin Panel, you must have the following Zitadel authorizations:
connector.admin.read - View MCP connector configurations
connector.admin.write - Create and modify MCP connector configurations
These are new roles that need to be added to existing installations of Unique. Refer to the setup guide on the following page: Understand Roles and Permissions.
Backend Configuration (Chat Service)
To enable MCP functionality on the chat backend (backend-service-chat) and allow unrestricted access to MCP servers/tools (as required for the MCP Beta), the following environment variables must be set.
These settings configure the backend’s MCP Policy Engine, which controls which MCP servers/endpoints the platform is allowed to connect to.
Required
FEATURE_FLAG_ENABLE_MCP_UN_11963=true
FEATURE_FLAG_ENABLE_MCP_ADMIN_UN_14099=true
MCP_POLICY_MODE="UNRESTRICTED" # STRICT | PATTERN | UNRESTRICTED
MCP_ALLOWED_ENDPOINTS="*" # e.g. *.unique.app, mcp.*.com
MCP_DENIED_ENDPOINTS=""
What These Do
MCP_POLICY_MODE="UNRESTRICTED"
Enables full, unrestricted access to MCP servers and tools.
In this mode:
All endpoints are allowed by default
Deny rules still take precedence if set
No pattern matching or strict whitelisting is used
This is required for MCP Beta so that Spaces and Admin configuration fully determine tool availability.
Possible values:
STRICT → access only if host is explicitly listed
PATTERN → access only if host matches a glob pattern
UNRESTRICTED → always allow (unless denied above)
MCP_ALLOWED_ENDPOINTS="*"
Matches any host (*) using glob pattern logic
Needed for compatibility even though UNRESTRICTED overrides allowed lists
Ensures consistent behavior across legacy code paths
MCP_DENIED_ENDPOINTS=""
No hosts are explicitly denied
Important because denied endpoints always override allow rules in the policy evaluation flow
How It Works
The backend evaluates endpoint access in this order:
Normalize the host (handles wildcards, IPv6, ports, paths)
Apply DENIED rules first
If a host matches MCP_DENIED_ENDPOINTS, access is immediately blocked.
Apply the selected policy mode
STRICT → access only if host is explicitly listed
PATTERN → access only if host matches a glob pattern
UNRESTRICTED → always allow (unless denied above)
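The following is an added illustration of the evaluation order described above (normalize the host, apply deny rules first, then the selected mode). It is not the backend's own code; the matching rules are assumptions: deny patterns are glob-matched in every mode, STRICT compares the normalized host verbatim against the allow list, and PATTERN glob-matches it.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed illustration of the MCP Policy Engine evaluation order from these
# release notes. Not Unique's code. Assumptions: deny rules are glob-matched in
# every mode, STRICT is an exact host match, PATTERN is a glob match, and env
# var values are comma-separated lists.

def normalize_host(endpoint: str) -> str:
    """Reduce a URL, host:port or bare host to a lowercase hostname.
    Ports, paths and IPv6 brackets are dropped; wildcards survive as-is."""
    raw = endpoint.strip().lower()
    # urlsplit only recognises a netloc when a scheme (or "//") is present.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    return parts.hostname or ""

def _patterns(value: str) -> list[str]:
    """Split a comma-separated env var value into normalized patterns."""
    return [normalize_host(p) for p in value.split(",") if p.strip()]

def evaluate(endpoint: str, mode: str, allowed: str, denied: str) -> tuple[bool, str]:
    """Return (allowed?, reason) for one MCP endpoint under the given policy."""
    host = normalize_host(endpoint)
    # 1. Deny rules are checked first and win regardless of the mode.
    for pattern in _patterns(denied):
        if fnmatch.fnmatchcase(host, pattern):
            return False, f"denied by MCP_DENIED_ENDPOINTS rule {pattern!r}"
    # 2. Apply the selected policy mode.
    if mode == "UNRESTRICTED":
        return True, "UNRESTRICTED: allowed unless denied"
    allow = _patterns(allowed)
    if mode == "STRICT":
        return host in allow, "STRICT: host must be listed verbatim"
    if mode == "PATTERN":
        return any(fnmatch.fnmatchcase(host, p) for p in allow), "PATTERN: glob match"
    raise ValueError(f"unknown MCP_POLICY_MODE {mode!r}")

if __name__ == "__main__":
    # Constructed sample: the Beta configuration from these notes plus one deny rule.
    for url in ("https://mcp.unique.app:8443/sse", "http://[::1]:3000/mcp",
                "https://tools.legacy.example/sse"):
        ok, why = evaluate(url, "UNRESTRICTED", "*", "*.legacy.example")
        print(f"{url:40} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

The loopback case in the sample shows why the deny list matters during the Beta: under UNRESTRICTED every host that is not explicitly denied is reachable, so MCP_DENIED_ENDPOINTS is the only backend-side guard in that mode.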
| Author | Solution Engineering |
|---|---|