Introduction to MCP and A2A Protocols: Enabling Agent Communication

Introduction to MCP
and A2A Protocols:
Enabling Agent
Communication
Maxim Salnikov
AI Developer Tools Solution
Engineer at
Microsoft

What is an
Agent?
90% - Software Engineering
10% - Gen AI
 Agents pursue goals on behalf of a
consumer which may happen quickly or take some
time
 Agents are connected to the data
sources and can perform actions to achieve
that goal
 Agents may need to maintain context to
move towards that goal, such as conversation threads.

Fragmented AI Development
AI App 1
AI App 2
AI App 3
Custom implementation
Custom prompt logic
Custom prompt logic
Custom prompt logic Custom tool calls
Custom tool calls
Custom tool calls Custom data access
Custom data access
Custom data access

Problem
Context
fragmentation
Tool & memory
integration
Composable &
modular content
Efficient retrieval
Scalability &
extensibility
- LLMs have a
limited context
window, = can only
"see" a certain
amount of
information at once.
- Makes it hard to
maintain long
conversations,
remember past
interactions, or
integrate large
documents
LLMs often rely on
plugins, APIs, or
memory systems,
but there's no
standard way to
describe or interact
with these
resources
It's hard to combine
different types of
context (e.g., user
preferences,
documents, calendar
events) in a coherent
way
Without a protocol,
models may
inefficiently retrieve or
process information,
leading to slower
responses or higher
costs
As LLM ecosystems
grow, it's hard to
scale context
management
without a common
framework

Context
fragmentation
Tool & memory
integration
Composable &
modular content
Efficient retrieval
Scalability &
extensibility
MCP introduces a
structured way
to reference and
retrieve external
context (like
documents, memory, or
tool outputs) without
needing to fit
everything into the
model's prompt.
Benefit: It allows the
model to link to
external
sources and dynamically
fetch what it needs
MCP provides
a standardized
protocol for describing
and accessing tools,
memory, and other
context providers.
Benefit: This makes it
easier for models
to interoperate with
different systems and
for developers to plug
in new capabilities
MCP enables modular
context composition,
where different sources of
information can be
combined in a structured,
queryable format.
Benefit: This allows the
model to reason across
multiple sources more
effectively
MCP supports on-
demand, scoped
retrieval of relevant
context,
Benefit: improving
both efficiency and
relevance of the model’s
responses
MCP is designed to
be extensible, allowing
new types of context
providers to be added
without breaking
existing systems.
Benefit: This
supports scalable,
future-proof
development
Solution

MCP is an open protocol that enables seamless integration between LLM
applications and your tools & data sources.
6
What is the Model Context Protocol (MCP)?
APIs
Standardize how web applications
interact with the backend:
● Servers
● Databases
● Services
MCP
Standardizes how AI applications interact
with external systems:
● Prompts
● Tools
● Resources

Key participants
 Python SDK:
https://github.com/modelcontextp
rotocol/python-sdk
 TypeScript SDK:
rotocol/typescript-sdk
 Java SDK:
rotocol/java-sdk
 C#/.NET SDK:
rotocol/csharp-sdk
• MCP Host: The AI application that
coordinates and manages one or
multiple MCP clients
• MCP Client: A component that
maintains a connection to an MCP
server and obtains context from an
MCP server for the MCP host to use
• MCP Server: A program that provides
context to MCP clients

MCP Architecture
https://modelcontextprotocol.io/docs/learn/architecture

MCP Server
Exposes Resources
Exposes Tools
Exposes Prompt Templates
9
MCP Client
Queries for Resources
Invokes Tools
Interpolates Prompts
How does it work?
Tools
Functions and tools that
can be invoked by the client
Prompts
User-invoked prompts to
interact with the model
Retrieve / search
Send a message
Update DB records
Document Q&A
Transcript Summary
Output as JSON
Resources
Data or content exposed
by the server
Files
Database Records
API Responses
Server Capabilities
Resource provider Prompt Template
Tool Executor Authentication
Client Capabilities
Resource Discovery Tool invocation
Prompt Management Secure Communication

Data layer: JSON-RPC 2.0
 Lifecycle management: Handles connection initialization, capability
negotiation, and connection termination between clients and servers
 Server features: Enables servers to provide core functionality including tools
for AI actions, resources for context data, and prompts for interaction
templates from and to the client
 Client features: Enables servers to ask the client to sample from the host
LLM, elicit input from the user, and log messages to the client
 Utility features: Supports additional capabilities like notifications for real-
time updates and progress tracking for long-running operations

Transport layer
STDIO Transport:
 Uses standard input/output streams for direct process communication
 Optimal for local processes on the same machine with no network overhead
 Commonly used for local MCP server implementations
Streamable HTTP Transport: (ex-HTTP+SSE)
 Uses HTTP POST for client-to-server messages
 Optional Server-Sent Events (SSE) for server-to-client streaming
 Enables remote server communication across networks
 Supports standard HTTP authentication (bearer tokens, API keys, custom
headers)
 MCP recommends OAuth for secure token-based authentication

Tools
Tools in MCP allow servers to expose executable
functions that can be invoked by clients and used
by LLMs to perform actions.
• Discovery: Clients can list available tools
through the tools/list endpoint
• Invocation: Tools are called using
the tools/call endpoint, where servers
perform the requested operation and return
results
• Flexibility: Tools can range from simple
calculations to complex API interactions
https://modelcontextprotocol.io/docs/learn/server-concepts

Resources
Resources represent any kind of data that an MCP
server wants to make available to clients. This can
include:
• File contents
• Database records
• API responses
• Live system data
• Screenshots and images
• Log files
• And more
resources/list
resources/read

Prompts
Prompts enable servers to define reusable prompt
templates and workflows that clients can easily surface
to users and LLMs. They provide a powerful way to
standardize and share common LLM interactions.
prompts/list
prompts/get

Sampling
Sampling allows servers to request language model completions through the client, enabling agentic
behaviors while maintaining security and user control.
Elicitation
Elicitation enables servers to request specific information from users during interactions, creating more
dynamic and responsive workflows.
https://modelcontextprotocol.io/docs/learn/client-concepts

Is it safe?
“S stands for Security in MCP abbreviation” (famous joke)

• Access to private data:
The AI system has access to sensitive or confidential
information within its environment.
• Exposure to untrusted content:
The AI model can be exposed to malicious or
manipulated content, such as through prompt injection
attacks, which tricks the AI into performing unintended
actions.
• Ability to communicate externally:
The attacker can get the compromised data out of the
system.
• Models read everything — even what
is hidden.
• If there is an instruction, the model
follows it. Regardless of where it comes
from.
• They don't evaluate, they obey.
Model behaviour AI Agents’ “lethal trifecta”
https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
1. LLM01:2025 Prompt Injection
2. LLM02:2025 Sensitive Information
Disclosure
3. LLM03:2025 Supply Chain
4. LLM04: Data and Model Poisoning
5. LLM05:2025 Improper Output Handling
6. LLM06:2025 Excessive Agency
7. LLM07:2025 System Prompt Leakage
8. LLM08:2025 Vector and Embedding
Weaknesses
9. LLM09:2025 Misinformation
10.LLM10:2025 Unbounded Consumption

MCP Vulnerabilities - Attacks on tools and infrastructure
Category Typical Attack Method Consequence
Prompt injection
Hidden instructions in user input, issues,
messages, or README.
Leads to data leaks, or the agent
following malicious orders.
Tool Poisoning Hidden instructions in the tool description. Leads to data leaks, hidden compromise.
Shadowing A malicious tool overrides other tools.
Leads to overriding across servers,
account takeover.
Privilege abuse Too many permissions for tools/agents.
Leads to unauthorized access, deletion of
sensitive data.
Supply chain Poisoned or "typosquatted" tools.
Leads to backdoors, "rug pull," delayed
attacks.

MCP Vulnerabilities - Data, Access, and System Impact
Category Typical Attack Method Consequence
Auth weakness
Weak/incorrect authentication, leaking of
tokens
Leads to unauthorized access, lateral
movement.
Data leakage Exposure of logs, conversation context.
Leads to sensitive data being
compromised.
RCE/Injection Code/command or SQL injection.
Leads to full system compromise,
exfiltration.
Audit gap Blind spots (model sees more than the user).
Leads to attacks remaining hidden from
the user/admin.
Denial of Service Overloading, flooding, API misuse. Leads to downtime, financial loss.

Prompt injection via GitHub issue
PRESENTATION TITLE 08.08.2025
24
• An attacker opens a seemingly helpful
GitHub Issue in an open repository.
• Text instructs the model to find,
collect, and publish private
information.
• The model has access to both public
and private repositories via the MCP
server.
• The agent follows the instruction,
creates a Pull Request with private
info – and publishes it openly.
• No need for vulnerable code or a
compromised server – the whole
thing is triggered by one clever text.

Tool poisoning – hidden instructions in the tool description
PRESENTATION TITLE 08.08.2025
25
• The user only sees the
function name and short
descriptions, but the
model follows
EVERYTHING in the
description.
• An MCP tool looks like a
regular API (e.g., "add
numbers," "order pizza").
• A hidden instruction in
the description field tells
the agent to perform
unwanted actions (e.g.,
leak an SSH key, send
chat logs to the
attacker).

WhatsApp + "Fun Fact": shadowing in practice
26

How to Build a Secure MCP
1.Show ALL text the model sees – not just in the UI.
2.Use version pinning and known, reliable tools.
3.Minimize rights ("least privilege") for tools and agents.
4.Log and regularly audit all prompts and manifests.
5.Use strong authentication, never share tokens across systems.
6.Never blindly trust "hype tools" – check and monitor.
7.Prompt Shields:
1.Filters malicious input before it reaches the model.
2.Uses delimiters and data marking to separate reliable/external input.
3.Gives the agent better context and protects against hidden instructions.

Host a remote MCP server
protected by Entra ID
1️⃣ Entra ID handles the full auth flow
2️⃣ API Management validates & caches tokens
3️⃣ Azure Functions performs the On-Behalf-Of
flow
4️⃣ Microsoft Graph returns user data
5️⃣ And the client only sees a session ID
No client secrets. No token leaks.
Just clean, server-side security at scale.
Full code and walkthrough:
https://den.dev/blog/remote-mcp-server/

Key resources
29
MCP Official Website
https://modelcontextprotocol.io/
MCP for Beginners
https://aka.ms/MCP-for-Beginners (guides, videos, exercises)
Reference and 3rd party MCP servers
https://github.com/modelcontextprotocol/servers
Microsoft MCP servers
https://github.com/microsoft/mcp
Remote MCP servers
 https://learn.microsoft.com/api/mcp
 https://api.githubcopilot.com/mcp/
MCP Dev Days
https://developer.microsoft.com/en-us/reactor/series/s-1563/

MCP vs A2A
Both are protocols
Both are related to agents
Both have clients and servers
Both use JSON-RPC

Why do we
need Multi
Agent
architectures?
 Agent’s work best when they focus on a specific goal /
problem.
 Asking an AI Agent to consider too much can overwhelm it
leading to poor outcomes.
 Overloading an Agent with MCP tools will lead to poor
outcomes.
 Multi Agent architectures handle complex goals using
specialized agents, each with access to contextually relevant
MCP tools
 The agents you’re talking to may not even be in your
organization. Consider a Travel Agent’s Agent
 Book flights
 Book hotels
 Organize excursions

Can’t we use MCP for Agent to Agent comms?
Prompt
An Agent will use prompts to
reach its goals, but it’s more than
a Prompt. It needs memory and
tools and potentially other agents.
Tools
An agent could be invoked as an
MCP tool. But agents tend to be
more conversational. Natural
language in.
Resource
Agents are less static than a file or
database row. Although MCP
resources are a good way to
discover agents.

MCP A2A
MCP is about Agent -> Tool interactions
A2A is about Agent -> Agent interactions

A2A
Agent to Agent
The A2A Protocol is an open standard for
enabling AI assistants to communicate
and collaborate effectively.
A2A provides a common language for
agent interactions
It’s not an SDK for building agents.
Microsoft are on the working group
inputting to the protocol

Introduction to MCP and A2A Protocols: Enabling Agent Communication

Finding Agents.
The A2A Agent Card

The Agent Card
{
"name": "TravelBookingAgent",
"description": "helps a user book a luxury travel
experience",
"url": "http://localhost:7197/messages",
"provider": null,
"version": "1.0.0",
"documentationUrl": null,
"capabilities": {
“streaming”: true,
"pushNotifications": false,
"stateTransitionHistory": false
},
"securitySchemes": {
"api-key": {
"type": "apiKey",
"name": "x-functions-key",
"in": "header"
}
},
"security": [
{
"api-key": []
}
],
"defaultInputModes": [
"text/plain"
],
"defaultOutputModes": [
"skills": [
{
"id": "BookLuxuryHoliday",
"name": "BooksLuxuryHolidays",
"description": "Organises a luxury holiday experience
including flights, hotels, and restaurants from Perth and
Sydney, to Hawaii. Nowhere else!",
"examples": [
"Book me an amazing holiday to Hawaii from Perth",
"I'm turning 50 this year. I want to eat like royalty
in Maui. Can you help?"
],
"inputModes": [
"text/plain"
],
"outputModes": [
"text/plain"
],
"tags": []
}
],
"supportsAuthenticatedCard": false
}
Recommended location: https://{server_domain}/.well-known/agent-card.json

Talking to Agents.
The A2A protocol.
• JSON-RPC 2.0
• gRPC
• HTTP+JSON/REST

A2A’s JSON
RPC Protocol  JSON RPC protocol methods (0.2.1)
 message/stream send a message to an agent and
receive events back
 message/send send a message and wait for a ‘final’
response or receive a webhook callback
 tasks/cancel
 tasks/resubscribe listen to notifications from a
task
 https://google-a2a.github.io/A2A/specification/

A2A tasks  Asks of an Agent are represented by a
Task
 They can last seconds, months, years, it
doesn’t matter
“I have sent a reservation request for El Celler de Can Roca.
I’ll get back to you when I hear from them, or will cancel the
flights if I don’t hear back in 3 months”
 Agents can broadcast live task updates via
SSE or call you back with a Webhook.
 It’ s up to the Agent to define this in its Agent Card.

A2A
Authentication
and
Authorization
 A2A treats agents as standard enterprise applications,
relying on established web security practices
 Agents authenticate using standard API auth
mechanisms, e.g. Bearer tokens, API keys, etc.
 Identity information is not transmitted within A2A
JSON-RPC payloads; it is handled at the HTTP transport
layer.
 If an agent needs additional auth it should ask so in a
message to the user:
 This is called In-Task Authentication (Secondary
Credentials) and should be sent from client to server in
a message, or out-of-band
Message:
Text Part: We need additional auth for this
Data Part: idp: id.facebook.com, scope: friends.read,
Message:
Data Part: Bearer ey043e498……==

Task 1 (context-A)
Status: Completed
Message: Flights will cost …
History
User Message: Find flights from
Perth to Hawaii
Asst Message: Looking for
flights
Asst Message: Found options…
Task 123 (context-A)
Status: Input-Required
Message: Sure – shout to book it…
History
User Message: 1 adult 17 July
flights
Client Agent Flight Company Agent
A2A
lication
App
Task 1 (context-A)
Status: Completed
Message: Hotel options…
History
User Message: What hotels are
there?
hotels
Hotel Company Agent
A2A

Azure AI Foundry supports open protocols
Import external agents
Assistants API
Responses API*
Activity protocol*
A2A*
Agent protocol✧
MCP*
Azure AI Foundry
Expose your agent
externally
Assistants API
Responses API✧
Activity protocol✧
A2A
Agent protocol✧
MCP*
* Available with Semantic Kernel ✧ Coming soon

A2A in AI
Foundry Agent
Service
 Open A2A API Head: Allows third-party
orchestrators to invoke agents from
Foundry Agent Service, facilitating task
delegation and context-aware processing.
 Multi-Turn Interactions: Enables agents to
handle multi-step conversations and pass
context fluidly between agents, ensuring
consistent responses.
 Cross-Platform Flexibility: Designed to
work with a wide range of open-source
agent frameworks, including AutoGen,
LangChain, and Semantic Kernel, providing
maximum flexibility for developers.
https://aka.ms/a2a

MCP and A2A
in Semantic
Kernel
 MCP Support: Enables developers to define
and consume OpenAPI-based tools within their
agent workflows, providing a standardized way
to connect with third-party services and APIs.
 A2A Orchestration: Supports dynamic,
context-aware agent composition, allowing
developers to create complex, multi-agent
workflows with fine-grained control over task
delegation and message passing.
 Unified API Surface: Provides a single,
consistent API for integrating external tools,
services, and agents, making it easier to build
modular, interoperable agent systems at scale.
https://aka.ms/mcp

Resources
 https://a2a-protocol.org/ - Official website of Agent2Agent (A2A) Protocol
 https://aka.ms/a2a - Microsoft intro blog post
https://techcommunity.microsoft.com/blog/azure-ai-services-blog/building-a-digital-
workforce-with-multi-agents-in-azure-ai-foundry-agent-service/4414671 - A2A in AI Foundry
https://devblogs.microsoft.com/foundry/semantic-kernel-a2a-integration/ - A2A in Semantic
Kernel

Thank you!
Let’s connect and chat:
 Maxim Salnikov on LinkedIn

Introduction to MCP and A2A Protocols: Enabling Agent Communication

More Related Content

Similar to Introduction to MCP and A2A Protocols: Enabling Agent Communication (20)

More from Maxim Salnikov (20)

Recently uploaded (20)

Introduction to MCP and A2A Protocols: Enabling Agent Communication