Microsoft 365 connector security guide

What it is

The Microsoft 365 Connector is an Anthropic-hosted integration that enables Claude to securely access Microsoft 365 services (Outlook, SharePoint, OneDrive, Teams) through user-delegated permissions. Anthropic has completed Microsoft's publisher verification process, associating our verified Microsoft Partner Network account with this application to confirm our organizational identity.

The connector operates as a secure proxy, and your Microsoft 365 documents, emails, and files remain in your tenant. The connector only retrieves data on-demand during active queries and doesn’t cache file content. Credentials are encrypted and managed by Anthropic's backend infrastructure. The MCP server itself doesn’t store or manage these credentials. Microsoft's Azure SDK handles the On-Behalf-Of token exchange and caching on a per-user basis for accessing the Graph API.

Access restriction

Access can be fully restricted

The connector provides multiple layers of access control to address your security requirements. For detailed information on administration of the Microsoft 365 connector, see Set up the Microsoft 365 connector.

1. Microsoft Entra tenant requirement

All people using the connector—regardless of Claude plan—must authenticate with a Microsoft 365 account tied to a Microsoft Entra tenant. Personal Microsoft accounts (@outlook.com, @hotmail.com) can't be used. A Microsoft Entra Global Administrator must complete a one-time consent process before anyone in the tenant can connect.

2. Organization-level gating (Team and Enterprise plans)

On Team and Enterprise plans, access to the connector requires a two-step approval process. First, Owners must explicitly enable the Microsoft 365 connector in Claude organization settings by navigating to Organization settings > Connectors > Browse connectors > Add "Microsoft 365." Until this approval is granted, team members have no access.

Second, after the Owner enables the connector, a Microsoft Entra Global Administrator must complete individual authentication and grant consent on behalf of the whole organization before any team members can connect.

3. Granular permission revocation

You can selectively disable specific capabilities via Microsoft Entra Admin Center. For example:

Changes take effect immediately for all people in your organization. People can also choose to disable capabilities during a chat by selectively toggling off the connector's tools.

4. Microsoft conditional access integration

The connector fully supports your existing Entra (Azure AD) policies:

5. User-level permissions

6. Token management

Security architecture summary

Authentication flow

Data flow

Multi-tenant isolation

Available capabilities

Current features (read-only access)

The connector provides read-only access to:

Permissions list

Basic permissions

Mail permissions

Calendar permissions

User directory

Chat permissions

Channel permissions

Meeting permissions

Files permissions

Sites permissions

Current limitations

Frequently asked questions

Can we test with a small pilot group before enterprise-wide rollout?

Yes. The recommended approach is to use app assignment to restrict who can use the connector:

How do we ensure no data leakage occurs between our organization and others in the multi-tenant environment?

Multi-tenant isolation ensures complete separation:

What happens if someone tries to connect with a personal Microsoft account?

The connector requires a Microsoft Entra tenant tied to a Microsoft Business plan. Personal Microsoft accounts (@outlook.com, @hotmail.com) can't be used to authenticate. People attempting to connect with a personal account will receive an authentication error.

Do you have audit logging for compliance?

Yes. All Graph API calls made by the connector are logged in your organization's Microsoft 365 audit log, which you can access through the M365 Compliance Center. These logs show the timestamp, user, operation performed, and resource accessed, with retention periods matching your Microsoft 365 audit policy. Additionally, Anthropic logs authentication and tool execution events.
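One way to review an export of those audit records against a pilot rollout is sketched below. It is an added example, not Anthropic's or Microsoft's code. It assumes the export is one JSON record per line with the fields CreationTime, UserId, Operation, ObjectId and AppId; the application ID is a placeholder, and the pilot list and sample records are constructed.

```python
import json
from collections import Counter

# Placeholder: the page does not state the connector's application (client) ID.
CONNECTOR_APP_ID = "00000000-0000-0000-0000-000000000000"
OTHER_APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed, unrelated app
# Hypothetical pilot group (user principal names, lowercase).
PILOT_USERS = {"alice@contoso.example", "bob@contoso.example"}

def _rec(time, user, op, obj, app=CONNECTOR_APP_ID):
    """Build one constructed audit record in the assumed export shape."""
    return json.dumps({"CreationTime": time, "UserId": user, "Operation": op,
                       "ObjectId": obj, "AppId": app})

# Constructed sample export: one JSON record per line, line 5 truncated.
SAMPLE_EXPORT = "\n".join([
    _rec("2025-01-15T09:02:11", "alice@contoso.example", "FileAccessed", "sites/hr/plan.docx"),
    _rec("2025-01-15T09:05:40", "Bob@Contoso.example", "MailItemsAccessed", "mailbox/bob"),
    _rec("2025-01-15T09:07:03", "carol@contoso.example", "FileAccessed", "sites/fin/q4.xlsx"),
    _rec("2025-01-15T09:09:27", "alice@contoso.example", "FileAccessed", "sites/hr/plan.docx", OTHER_APP_ID),
    '{"CreationTime": "2025-01-15T09:10:',
    _rec("2025-01-15T09:12:55", "carol@contoso.example", "MailItemsAccessed", "mailbox/carol"),
])

def review_connector_activity(export_text, app_id=CONNECTOR_APP_ID, pilot=PILOT_USERS):
    """Return (counts by (user, operation), records outside the pilot, skipped line numbers)."""
    counts, outside, skipped = Counter(), [], []
    for line_no, line in enumerate(export_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped.append(line_no)  # report damaged lines instead of hiding them
            continue
        # Only records attributed to the connector's app ID are in scope.
        if str(rec.get("AppId", "")).lower() != app_id.lower():
            continue
        user = str(rec.get("UserId", "")).lower()  # compare UPNs case-insensitively
        counts[(user, rec.get("Operation", "unknown"))] += 1
        if user not in pilot:
            outside.append(rec)
    return counts, outside, skipped

if __name__ == "__main__":
    counts, outside, skipped = review_connector_activity(SAMPLE_EXPORT)
    for (user, op), n in sorted(counts.items()):
        print(f"{user:28} {op:20} {n}")
    for rec in outside:
        print("outside pilot:", rec["CreationTime"], rec["UserId"], rec["Operation"], rec["ObjectId"])
    print("unparseable lines:", skipped)
```

Records from users outside the pilot list are the ones to check against your app assignment settings; skipped line numbers indicate a damaged export that should be pulled again before drawing conclusions.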

Can we revoke access if we discover unauthorized usage?

There are multiple revocation methods:

What certifications does Anthropic have?

Anthropic has the following certifications:

Additional resources

