title: "MCP for Enterprise .NET: Connecting Agents to Your ERP Without the Glue Code"
date: 2026-06-12
readingTime: 6 min read
tags: ["MCP", ".NET", "AI Agents", "Enterprise", "Security"]
Every team that builds AI features eventually hits the same wall: the model is only as useful as the systems it can reach. In an ERP world that means payroll, accounting, inventory, document stores, and a dozen internal APIs. The old answer was bespoke integration code for each model and each tool. The Model Context Protocol (MCP) replaces that with a single client-server standard.
MCP was created by Anthropic and introduced in late 2024. By 2026 it is no longer a single-vendor idea: it was donated to the Agentic AI Foundation under the Linux Foundation, and the major AI labs — Anthropic, OpenAI, Google, Microsoft — support it natively. For a .NET team, that maturity is the signal that it is safe to build on.
MCP is JSON-RPC under the hood, with three participants:
A server offers three kinds of things:
get_payroll_exceptions, post_journal_entry).The win is decoupling. You write one MCP server that wraps your payroll service, and any MCP-aware host can use it — your own agent today, a Copilot surface tomorrow — with no per-client integration.
The spec now defines two transports, and the distinction matters for deployment:
The older two-endpoint HTTP+SSE transport is deprecated. Do not build new systems on it.
There is an official C# SDK — package ModelContextProtocol, maintained as a Microsoft and Anthropic collaboration — with companion packages for the lightweight core and for ASP.NET Core hosting. A minimal stdio server looks like this:
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.DependencyInjection;
using ModelContextProtocol.Server;
using System.ComponentModel;
var builder = Host.CreateApplicationBuilder(args);
builder.Services
.AddMcpServer()
.WithStdioServerTransport()
.WithToolsFromAssembly();
await builder.Build().RunAsync();
[McpServerToolType]
public static class PayrollTools
{
[McpServerTool, Description("Gets open payroll exceptions for a company and period.")]
public static Task<string> GetPayrollExceptions(
[Description("The company code.")] string companyCode,
[Description("The period in yyyy-MM format.")] string period)
=> PayrollService.GetExceptionsJsonAsync(companyCode, period);
}
The [McpServerTool] attribute and its [Description] define the contract the model sees. For an HTTP deployment you swap the stdio transport for the ASP.NET Core hosting package. Check NuGet for the current version — the SDK moved out of preview during 2026, so pin a version deliberately rather than guessing.
Here is where the .NET AI stack lines up cleanly. Microsoft.Extensions.AI is the foundational abstraction; Semantic Kernel and the Microsoft Agent Framework build on top of it; and both use the MCP C# SDK rather than reinventing it. MCP tools surface as AIFunction objects, which means:
AsKernelFunction() and add it as a plugin.Microsoft.Extensions.AI abstractions, and the agent runtime drives the tool-call loop for you.A rule of thumb on when MCP is worth the ceremony: for one or two tools, direct function calling is simpler. MCP pays off once you have roughly five or more tools, or when the same tools need to serve more than one application.
This is the part I will not let a team skip. An MCP server aggregates credentials for many backend systems, which makes it a far higher-value target than any single API. The 2025–2026 track record is full of real incidents, so treat the following as requirements, not suggestions:
There were real CVEs here — command injection in a popular remote-bridge tool, unauthenticated command execution in a debugging utility — and frameworks like the OWASP MCP Top 10 now exist precisely because this surface is being actively attacked.
MCP solves a real problem: it turns N models times M tools into one protocol. For enterprise .NET it slots neatly under Microsoft.Extensions.AI, Semantic Kernel, and Agent Framework, so adopting it is mostly additive. Just remember that a tool server sitting in front of payroll and accounting is now part of your attack surface. Design the auth, the least-privilege boundaries, and the audit logging before you expose the first tool.
References: