DreamFactory 7.4.0: MCP Server Integration, Azure AD Group Mapping, and Critical Security Enhancements


DreamFactory announces the general availability of version 7.4.0, a significant release that positions the platform at the forefront of AI-ready enterprise API infrastructure. This release introduces native Model Context Protocol (MCP) server capabilities, enabling seamless integration between AI applications and enterprise data sources. Additionally, v7.4.0 delivers substantial improvements to Azure AD/Entra ID authentication, critical security patches, and enhanced database connector functionality.

Executive Summary

DreamFactory 7.4.0 addresses three strategic priorities for enterprise API teams: AI readiness, identity management simplification, and security hardening. The new MCP Server package enables organizations to expose their existing DreamFactory APIs to AI agents and large language models without additional development. Enhanced Azure AD integration automates role assignment based on Entra ID group membership, reducing administrative overhead. Multiple security vulnerabilities have been patched, including SQL injection and XSS attack vectors, ensuring DreamFactory deployments meet stringent enterprise security requirements.

New Feature: MCP Server Integration for AI Applications

The most significant addition in DreamFactory 7.4.0 is the new df-mcp-server package (v1.0.0), which implements the Model Context Protocol specification. MCP has emerged as a standard interface for connecting AI applications—including large language models, AI agents, and copilot systems—to external data sources and tools.

What This Means for Enterprise Teams

Organizations running DreamFactory can now expose their existing REST APIs to AI applications without writing custom integration code. This capability enables several high-value use cases:

  • Conversational data access: Allow AI assistants to query databases, retrieve records, and perform CRUD operations through natural language interfaces
  • AI-powered automation: Enable AI agents to interact with enterprise systems through DreamFactory's unified API layer
  • Custom AI tooling: Build internal AI applications that leverage existing database connections and business logic
  • Secure AI integration: Maintain DreamFactory's role-based access controls when AI systems interact with sensitive data

The MCP Server integration includes support for custom login pages, allowing organizations to maintain consistent authentication experiences across human and AI-driven access patterns.

Azure AD / Entra ID Group-to-Role Mapping

DreamFactory 7.4.0 introduces automatic mapping between Microsoft Entra ID (formerly Azure Active Directory) groups and DreamFactory roles. This feature significantly reduces the administrative burden of managing API access permissions in Azure-centric environments.

Key Capabilities

  • Automatic role assignment: When users authenticate via Azure AD, DreamFactory automatically assigns roles based on their Entra ID group membership
  • Permission synchronization on login: Group membership changes are detected and applied each time a user logs in, ensuring permissions stay current without manual intervention
  • Enhanced configuration UI: The service creation and edit screens now display role-per-app settings, providing better visibility into permission configurations

Benefits for Enterprise Identity Management

Organizations using Microsoft Entra ID as their identity provider can now manage DreamFactory API permissions entirely through their existing Azure AD group structure. This eliminates the need for duplicate permission management across systems and ensures that employee role changes propagate automatically to API access controls.

Critical Security Fixes

DreamFactory 7.4.0 includes multiple security patches addressing vulnerabilities identified through internal security reviews and responsible disclosure processes.

Patched Vulnerabilities

| Vulnerability | Severity | Description |
|---|---|---|
| PTT-2025-032 | Critical | Security vulnerability patched across df-core and df-system packages |
| SQL Injection (RBAC) | High | Replaced string concatenation with parameterized queries in role-based service filtering; added input validation for service IDs |
| XSS Prevention | Medium | Server-side input validation for service labels (max 80 characters) and descriptions (max 255 characters); HTML tag stripping implemented |
| Private Key Validation | Medium | Added validation checks for private key files to prevent security misconfigurations |

Recommendation: All DreamFactory users should upgrade to version 7.4.0 to receive these security patches. Organizations running DreamFactory in production environments should prioritize this update.
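
The SQL injection and XSS fixes listed above, shown as an added Python/sqlite3 example that is not DreamFactory's own code: a role-based service filter built by string concatenation beside its parameterized form with service ID validation, plus label and description checks using the stated 80 and 255 character limits. The table names, column names, function names and the regex tag stripper are assumptions made for illustration.

```python
import re
import sqlite3

_TAG = re.compile(r"<[^>]*>")  # simplified tag stripper for this example
_JOIN = "SELECT s.id FROM service s JOIN role_service_access a ON a.service_id = s.id "

def make_db():
    # Constructed schema and rows; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE service (id INTEGER PRIMARY KEY, label TEXT);
        CREATE TABLE role_service_access (role_id INTEGER, service_id INTEGER);
        INSERT INTO service VALUES (1, 'orders'), (2, 'hr'), (3, 'files');
        INSERT INTO role_service_access VALUES (10, 1), (10, 3), (20, 2);
    """)
    return db

def services_for_role_unsafe(db, role_id, service_ids):
    # "Before" pattern: request values become part of the SQL text, so a value
    # that contains SQL syntax rewrites the WHERE clause and the role filter.
    sql = (_JOIN + "WHERE a.role_id = " + str(role_id)
           + " AND s.id IN (" + ",".join(service_ids) + ")")
    return sorted(row[0] for row in db.execute(sql))

def validate_service_ids(service_ids):
    # Input validation: accept only short runs of ASCII digits.
    ids = []
    for raw in service_ids:
        if not re.fullmatch(r"[0-9]{1,10}", str(raw)):
            raise ValueError(f"invalid service id: {raw!r}")
        ids.append(int(raw))
    return ids

def services_for_role(db, role_id, service_ids):
    # "After" pattern: validated IDs are bound as parameters, never concatenated.
    ids = validate_service_ids(service_ids)
    if not ids:
        return []
    marks = ",".join("?" * len(ids))
    sql = _JOIN + f"WHERE a.role_id = ? AND s.id IN ({marks})"
    return sorted(row[0] for row in db.execute(sql, [int(role_id), *ids]))

def clean_service_fields(label, description):
    # Strip tags first, then enforce the limits the release notes state.
    label = _TAG.sub("", label).strip()
    description = _TAG.sub("", description).strip()
    if len(label) > 80:
        raise ValueError("label must be at most 80 characters")
    if len(description) > 255:
        raise ValueError("description must be at most 255 characters")
    return label, description
```

Server-side stripping and length limits reduce what can be stored; encoding values when they are rendered is still needed wherever labels and descriptions are displayed.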

OAuth and Authentication Enhancements

Beyond Azure AD group mapping, DreamFactory 7.4.0 includes several authentication improvements that expand integration options for enterprise identity scenarios.

Active Directory / Entra Client Credentials Flow

Full support for the OAuth 2.0 Client Credentials grant type with Microsoft Entra ID enables machine-to-machine authentication scenarios. This is essential for:

  • Backend services that need to access DreamFactory APIs without user context
  • Scheduled jobs and automation workflows
  • Service account authentication patterns
  • Microservices architectures where services authenticate to each other

Session Token Support

Client credentials authentication now supports session tokens, providing more flexible token management for service accounts and automated systems.

User Creation Control

A new toggle in OAuth configuration allows administrators to control whether new user accounts are automatically created during SSO login. This provides finer control over user provisioning workflows and prevents unauthorized account creation in environments with strict user management policies.

PostgreSQL System Database Compatibility

Improved handling of NOT NULL constraints ensures reliable operation when using PostgreSQL as the DreamFactory system database, expanding deployment options for organizations standardized on PostgreSQL.

Database Connector Improvements

Oracle Database: Decimal Type Handling

A new toggle in Oracle database service configuration allows full decimal type support for null or unassigned integer types. This aligns DreamFactory's behavior with Oracle's native defaults, improving compatibility for applications that depend on Oracle's specific numeric handling.

AWS: Virtual Relationships

The AWS connector (covering DynamoDB and S3) now supports virtual relationships. This feature enables developers to define cross-table relationships without requiring foreign keys in the underlying data store—particularly valuable for NoSQL databases where traditional relational constraints don't exist.

Schema Management Fix

Resolved an issue where the virtual foreign key slider in the schema tab was not functioning correctly when creating new virtual fields. This fix ensures consistent behavior in the database schema management interface.

API Documentation and Developer Experience

Role-Based API Docs Filtering

The API documentation interface now filters visible services based on the authenticated user's roles and permissions. Users see only the APIs they have access to, reducing confusion and improving the developer experience in multi-tenant or role-restricted environments.

IIS Compatibility

Fixed parameter handling in IIS deployments where the parameters key was incorrectly interpreted as an HTTP verb. This resolves issues for organizations running DreamFactory on Windows Server with Internet Information Services.

Infrastructure and Logging

HTTP/RWS Connector Improvements

The HTTP and Remote Web Service connectors have been refactored with improved curl support, providing better error handling and connection management for external API integrations.

GelfLogger Modernization

The GelfLogger class has been refactored to support PHP's Stringable interface, ensuring compatibility with modern PHP logging patterns and frameworks.

Package Version Summary

| Package | Previous Version | New Version |
|---|---|---|
| df-admin-interface | 1.5.x | 1.6.0 |
| df-apidoc | 0.8.0 | 0.8.3 |
| df-aws | 0.19.x | 0.20.0 |
| df-core | 1.0.9 | 1.0.12 |
| df-mcp-server | | 1.0.0 (new) |
| df-oauth | 0.18.x | 0.19.0 |
| df-rws | 0.18.1 | 0.18.2 |
| df-system | 0.6.2 | 0.6.3 |

Upgrade Path

DreamFactory 7.4.0 is a non-breaking upgrade from previous 7.x versions. Standard upgrade procedures apply:

  1. Back up your existing DreamFactory system database
  2. Update to the latest version using your preferred deployment method (Docker, installer, or Composer)
  3. Run database migrations if prompted
  4. Clear application caches

Organizations using Azure AD authentication should review the new group-to-role mapping feature to determine if it can simplify their current permission management workflows.

Why DreamFactory for Enterprise API Management

DreamFactory 7.4.0 reinforces the platform's position as an enterprise-grade API generation and management solution. Key differentiators include:

  • Automatic API generation: Connect databases and instantly generate secure REST APIs with full CRUD operations, eliminating weeks of manual API development
  • AI-ready infrastructure: The new MCP Server integration positions DreamFactory as a bridge between enterprise data and the rapidly evolving AI application ecosystem
  • Enterprise identity integration: Deep integration with Azure AD/Entra ID, LDAP, SAML, and OAuth providers ensures DreamFactory fits into existing enterprise identity architectures
  • Security-first design: Role-based access controls, API rate limiting, and continuous security updates protect sensitive enterprise data
  • Multi-database support: Connect to MySQL, PostgreSQL, SQL Server, Oracle, MongoDB, DynamoDB, Snowflake, and dozens of other data sources through a unified API layer