[DOCS] MCP policy docs do not explain `deniedMcpServers` blocks Claude.ai connectors

Open 💬 4 comments Opened Mar 27, 2026 by coygeek

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/mcp

Section/Topic

Managed MCP configurationOption 2: Policy-based control with allowlists and denylists, plus Use MCP servers from Claude.ai

Current Documentation

The MCP docs currently say:

If you've logged into Claude Code with a Claude.ai account, MCP servers you've added in Claude.ai are automatically available in Claude Code: Claude.ai servers appear in the list with indicators showing they come from Claude.ai.

Later on the same page, the managed-policy section says:

#### Denylist behavior (deniedMcpServers) undefined (default): No servers are blocked Empty array []: No servers are blocked * List of entries: Specified servers are explicitly blocked across all scopes

The settings reference also says:

| deniedMcpServers | When set in managed-settings.json, denylist of MCP servers that are explicitly blocked. Applies to all scopes including managed servers. Denylist takes precedence over allowlist. |

None of these sections explicitly says whether Claude.ai-provided MCP servers are filtered by deniedMcpServers.

What's Wrong or Missing?

Changelog v2.1.85 says:

Fixed deniedMcpServers setting not blocking claude.ai MCP servers

The docs define deniedMcpServers in terms of “all scopes” and separately explain that Claude.ai MCP servers are automatically available, but they never connect those two behaviors.

That leaves an important policy interaction undocumented: admins cannot tell from the docs that a managed deniedMcpServers rule is supposed to block Claude.ai-provided MCP servers too.

This is especially confusing because the MCP docs describe Claude.ai as a connector source, not as one of the named local/project/user scopes. As written, users can reasonably wonder whether Claude.ai servers bypass the denylist.

Suggested Improvement

Add an explicit note in the MCP page that Claude.ai-provided MCP servers are still evaluated against managed MCP policy, including deniedMcpServers.

For example, the docs could say:

Claude.ai MCP servers remain subject to managed MCP policy. If a Claude.ai-provided server matches a deniedMcpServers rule, Claude Code blocks it and it will not appear as an available MCP server.

Also update the deniedMcpServers row in https://code.claude.com/docs/en/settings to clarify that this includes servers coming from Claude.ai connectors, not just local/project/user/managed file-based configurations.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/mcp | Primary page for both Claude.ai MCP server availability and managed MCP policy; should explicitly describe denylist enforcement for Claude.ai-provided servers |
| https://code.claude.com/docs/en/settings | Authoritative settings reference for deniedMcpServers; should clarify that Claude.ai connector servers are included |

Total scope: 2 pages affected

Source: Changelog v2.1.85

Changelog entry: Fixed deniedMcpServers setting not blocking claude.ai MCP servers

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗