Set up the Microsoft 365 connector (original) (raw)

This article walks admins through enabling the Microsoft 365 connector for their organization in Claude—including granting Microsoft Entra consent, restricting access, and managing permissions. Once setup is complete, people in your tenant can connect Microsoft 365 to their own Claude accounts and search across SharePoint, OneDrive, Outlook, and Teams from Claude.

Setup overview

Two things need to happen before anyone in your organization can connect Microsoft 365:

Once both are done, members can connect Microsoft 365 to their own Claude accounts following the steps in Connect Claude to Microsoft 365.

Enable the connector for your organization

This step applies to Team and Enterprise plans only. On Free, Pro, and Max plans, skip to the next section.

Grant Microsoft Entra admin consent

A Microsoft Entra Global Administrator in your tenant needs to authorize the integration before anyone can connect. There are two ways to do this.

Option 1: Consent through Claude

If your Microsoft Entra Global Administrator has a Claude account, they can grant consent during the standard connection flow:

After this, other people in the same Entra tenant can connect by following the standard end-user steps. They won't see the consent prompt—they'll just authenticate and start using the integration.

Option 2: Manual setup in Microsoft Entra ID

Use this path if your Microsoft Entra Global Administrator doesn't have a Claude account, or if you need to troubleshoot the app install and permissions setup. You can add the connector apps and grant admin consent directly in Microsoft Entra ID.

This process adds two service principals to your tenant. Each principal establishes a service-level identity for one of the two M365 MCP for Claude app registrations, allowing them to access and interact with your organization's data and resources via the Microsoft Graph API.

1. Add the service principals

Using Microsoft Graph Explorer, add both required service principals:

M365 MCP Client for Claude:

M365 MCP Server for Claude:

2. Grant admin consent

Construct and visit the following URLs in your browser, replacing {your-tenant-id} with your organization's tenant ID.

M365 MCP Client for Claude:

M365 MCP Server for Claude:

When you visit each URL, you'll be prompted to consent to the delegated permissions required by the integration on behalf of your organization.

3. Finish setup

Restrict who can use the connector

To limit which people in your tenant can authenticate to Microsoft 365 through Claude:

Both components need to be restricted to the same set of authorized people.

Restrict which permissions the connector can use

To limit which types of resources the integration can access, selectively revoke permissions from the default set of authorized scopes. This requires Microsoft Entra admin access.

Once revoked, attempts to access a resource with that permission will return a "Failed to call tool" error.

Members can also individually turn off specific tools in their own Microsoft 365 settings to prevent Claude from trying to access a tool for which the permission has been revoked.

To restore a revoked permission, follow the steps to grant admin consent described in Option 2: Manual setup in Microsoft Entra ID. This will revert the permissions to the default state.

Permissions reference

The Microsoft 365 connector uses delegated permissions, meaning Claude acts on behalf of each individual user and can only access data that user already has permission to view in Microsoft 365. Permissions are read-only—Claude can't modify, delete, or create content in your tenant.

During authentication, the integration requests the following permissions:

Basic access

Email (Outlook)

Calendar

Teams chat

Teams channels

Meetings

Files (OneDrive and SharePoint)

User directory

The Microsoft 365 connector searches SharePoint across the entire tenant using the permissions of the user. Site-specific search restriction isn't supported.

Privacy and security

Troubleshooting

A member can't authenticate

Members are seeing "Failed to call tool" errors

A permission may have been selectively revoked in Microsoft Entra. Members can turn off the corresponding tool in their Microsoft 365 settings to suppress the error, or you can restore the permission by repeating the admin consent steps in Option 2: Manual setup in Microsoft Entra ID.

Frequently asked questions

What happens if a member tries to connect before consent is granted?

They'll see an error message indicating that an administrator must grant app permissions before they can use the integration. The connection will fail until a Microsoft Entra Global Administrator approves the necessary permissions.

Can the Microsoft 365 connector be used with enterprise search?

Yes. When enterprise search is enabled, it can query Microsoft 365 alongside other connected services for unified search across Slack, Google Workspace, Microsoft 365, and more.

Can the integration modify Microsoft 365 data?

No. All permissions are read-only. Claude can search and analyze Microsoft 365 data but can't create, edit, or delete documents; send emails or calendar invites; modify SharePoint sites or OneDrive files; or change Teams settings or permissions.

Related Articles

Use connectors to extend Claude's capabilitiesMicrosoft 365 connector security guideUse Claude for Microsoft 365 with third-party platformsMCP connectorsConnect to Microsoft 365