MCP servers blocked by policy on GHE — unable to find "MCP servers in Copilot" policy setting #25626

@apenab

Description

When running an Agentic Workflow on GitHub Enterprise, Copilot CLI blocks both MCP servers at startup:

! 2 MCP servers were blocked by policy: 'github', 'safeoutputs'

This prevents the agent from using any GitHub MCP tools or safe outputs. The agent executes successfully (32 turns, 683K
tokens) but cannot access repos, issues, or PRs because the MCP tools are unavailable.

Environment

  • GHE instance: ...
  • gh-aw version: v0.67.1
  • Engine: Copilot CLI (latest)
  • MCP Gateway: v0.2.14
  • AWF version: v0.25.13
  • Run IDs: 69122712, 69149652, 69158042 (all reproduce the same issue)

What we've verified

  • Copilot Business is enabled at the enterprise level for the org
  • COPILOT_GITHUB_TOKEN is a valid fine-grained PAT with Copilot Requests: Read-only
  • GH_AW_GITHUB_MCP_SERVER_TOKEN tested with both fine-grained PAT and classic PAT (repo + read:org scopes) — same result
  • The MCP Gateway starts correctly and loads both servers:
    ✓ github: connected
    ✓ safeoutputs: connected
    ✓ All checks passed (2 succeeded, 0 skipped)
  • The blockage happens after the gateway is ready, when Copilot CLI itself refuses to connect due to policy

Key observation

The MCP Gateway health checks pass — both servers are reachable and responding. Copilot CLI blocks the connection before even
attempting to authenticate. This is a policy enforcement issue, not a token or network issue.

Org Copilot settings

Under the org's Copilot settings (/organization/l....), only "Access" and "Cloud agent" sections are visible in the sidebar.
There is no "Policies" tab where we could enable "MCP servers in Copilot".

Relevant logs

agent-stdio.log:
! 2 MCP servers were blocked by policy: 'github', 'safeoutputs'

github.log:
[INFO] Configuring HTTP MCP backend: github, url=https://api.githubcopilot.com/mcp/
[ERROR] Failed to create HTTP connection: github, error=status=401, body=unauthorized:
AuthenticateToken authentication failed

start-gateway.log:
✓ github: connected
✓ safeoutputs: connected
✓ All checks passed (2 succeeded, 0 skipped)

Questions

  1. How do we enable the "MCP servers in Copilot" policy on GHE when the Policies section is not visible at the org level?
  2. Is this policy managed exclusively at the enterprise level? If so, where exactly can an enterprise admin find and enable
    it?
  3. Is there a GHE version requirement for this policy to be available?
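
An added triage example, not part of the original issue and not gh-aw or Copilot CLI code: it separates, per server, the three signals present in the logs quoted above (the CLI's policy block, the gateway health check, and the backend HTTP status). The patterns are derived only from the lines quoted in the issue; `triage` and `SAMPLE_LOGS` are hypothetical names.

```python
import re

# Sample input: the log excerpts quoted in the issue, keyed by file name
# (the wrapped [ERROR] line is rejoined into one line).
SAMPLE_LOGS = {
    "agent-stdio.log": "! 2 MCP servers were blocked by policy: 'github', 'safeoutputs'\n",
    "github.log": (
        "[INFO] Configuring HTTP MCP backend: github, url=https://api.githubcopilot.com/mcp/\n"
        "[ERROR] Failed to create HTTP connection: github, error=status=401, "
        "body=unauthorized: AuthenticateToken authentication failed\n"
    ),
    "start-gateway.log": "✓ github: connected\n✓ safeoutputs: connected\n",
}

# Patterns match only the message shapes seen in the issue (assumption:
# other versions of the tools may word these lines differently).
POLICY_RE = re.compile(r"blocked by policy: (.+)")
GATEWAY_RE = re.compile(r"✓ (\S+): connected")
BACKEND_RE = re.compile(r"\[ERROR\] Failed to create HTTP connection: (\S+), error=status=(\d+)")


def triage(logs):
    """Return {server: {"gateway_ok": bool, "signals": [str, ...]}}."""
    report = {}

    def entry(name):
        return report.setdefault(name, {"gateway_ok": False, "signals": []})

    for text in logs.values():
        for line in text.splitlines():
            if m := POLICY_RE.search(line):
                # Reported by the CLI itself; one line can name several servers.
                for name in re.findall(r"'([^']+)'", m.group(1)):
                    entry(name)["signals"].append("policy_block")
            elif m := GATEWAY_RE.search(line):
                # Gateway health check reached this server.
                entry(m.group(1))["gateway_ok"] = True
            elif m := BACKEND_RE.search(line):
                # HTTP status returned by the backend, tracked separately.
                entry(m.group(1))["signals"].append(f"backend_http_{m.group(2)}")
    return report


if __name__ == "__main__":
    for server, info in sorted(triage(SAMPLE_LOGS).items()):
        print(server, f"gateway_ok={info['gateway_ok']}", ",".join(info["signals"]) or "none")
```

On the quoted logs, both servers come back with `gateway_ok` set and a `policy_block` signal, and `github` additionally carries the `backend_http_401` recorded in github.log.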
