Document API permissions

[JasonYeMSFT]

What does this PR do?

[Provide a clear, concise description of the changes]

Users who want to run Azure MCP as a remote server with OBO flow need to add downstream API permissions to the server app registration. This PR adds a markdown file documenting the tool namespace to API permissions map to help users figure out what they need to add for the tools they want to use in their self-hosted server.

[Any additional context, screenshots, or information that helps reviewers]

GitHub issue number?

#1450

Pre-merge Checklist

• Required for All PRs
  • Read contribution guidelines
  • PR title clearly describes the change
  • Commit history is clean with descriptive messages (cleanup guide)
  • Added comprehensive tests for new/modified functionality
  • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
• For MCP tool changes:
  • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
  • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
  • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
  • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
  • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
  • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
  • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
  • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
• Extra steps for Azure MCP Server tool changes:
  • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
  • 👉 For Community (non-Microsoft team member) PRs:
    • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
    • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

[Copilot]

Pull request overview

This PR adds a new documentation file that maps Azure MCP tool namespaces to their required API permissions. The file helps users configure downstream API permissions when setting up Azure MCP Server as a remote server with On-Behalf-Of (OBO) authentication flow.

Key changes:

• Added api-permissions.md file documenting namespace-to-API permission mappings
• Includes two tables: one for APIs with exposed permissions and one for APIs without exposed API permissions
• Covers 13 different Azure services including Storage, Key Vault, Cosmos DB, Event Hubs, and others

Comments suppressed due to low confidence (1)

servers/Azure.Mcp.Server/azd-templates/api-permissions.md:3

• The documentation should include introductory context explaining when and how to use this information. Consider adding: 1) A brief explanation of when users need to configure these permissions (e.g., when setting up Azure MCP as a remote server with OBO flow for service-to-service authentication), 2) Basic instructions or a link to documentation on how to add API permissions to an Azure AD app registration, and 3) An explanation of the relationship between namespaces and the required permissions.

# API permissions

A table of known API permissions of downstream APIs that can be called by Azure MCP.