Question 4
Domain 4: Assembling and Deploying ApplicationsHow does Databricks securely connect an agent to a third-party MCP server hosted outside Databricks?
Correct answer: B
Explanation
Databricks supports integrating external MCP servers by “providing its connection details” and storing the API key in Databricks Secrets, which keeps credentials secure. For Databricks-hosted services, the exam objective says to “Integrate managed, external, and custom MCP servers,” so managed MCP proxies plus Unity Catalog connections are the secure pattern for connecting an agent to a third-party server outside Databricks.
Why each option is right or wrong
A. By copying the provider's PAT into the system prompt
Credentials belong in Databricks Secrets or connection config, not in prompts.
B. Through managed MCP proxies and Unity Catalog connections
Databricks’ MCP integration objective distinguishes managed and external servers: a managed server is referenced by its Databricks server identifier in the agent’s MCP configuration, while an external server is connected by supplying its endpoint details and storing the API key in Databricks Secrets. That combination is the secure production pattern because the credential is not embedded in code, and the agent can reach a third-party server outside Databricks through the configured MCP connection rather than a custom wrapper or ad hoc access path.
C. By mounting the provider API into DBFS
DBFS is storage, not a secure integration path for third-party MCP authentication.
D. By requiring every agent to run as a workspace admin
Agent access is controlled through configuration and governance, not by making every agent workspace admin.