
Microsoft 365 MCP Server
Access Microsoft 365 and Office services (Outlook, Calendar, OneDrive, Excel, Teams, SharePoint) via the Graph API.
Add to your client
Copy the config for your MCP client and paste it into its config file.
claude mcp add ms365 -- npx -y @softeria/ms-365-mcp-server
Paste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "microsoft-365-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@softeria/ms-365-mcp-server"
      ]
    }
  }
}
Before you start
- Node.js >= 20 (recommended; Node.js 14+ may work with dependency warnings)
- A Microsoft 365 personal or work/school account
- Microsoft authentication via device code flow, OAuth, or a pre-existing OAuth token (BYOT)
- Optional: a custom Azure AD app registration (MS365_MCP_CLIENT_ID / MS365_MCP_CLIENT_SECRET) for production/OAuth deployments and extra scopes
About Microsoft 365 MCP Server
Microsoft 365 MCP Server connects MCP clients (Claude Desktop, Claude Code, Cursor, Open WebUI, etc.) to the Microsoft Graph API, exposing 200+ tools defined declaratively in src/endpoints.json. Personal account tools (email, calendar, OneDrive, Excel, OneNote, To Do, Planner, contacts, profile, search) are available by default; organization tools (Teams, chats, meetings, transcripts, SharePoint, shared mailboxes, user management, presence, virtual events) require the --org-mode flag. It supports stdio and Streamable HTTP transports, MSAL-based auth (device code, OAuth 2.1 auth code, BYOT), multiple clouds (Global, China/21Vianet), read-only mode, regex tool filtering, presets, dynamic tool discovery, and multi-account support.
Tools & capabilities (11)
- login: Authenticate via Microsoft device code flow; auto-checks for an existing cached token.
- verify-login: Confirm/verify the current login state.
- list-mail-messages: List email messages from Outlook (mapped to a Microsoft Graph endpoint).
- get-mail-message: Retrieve a single Outlook email message.
- list-shared-mailbox-messages: List messages from a shared mailbox (org-mode; pass the shared mailbox email as user-id).
- list-drives: List OneDrive drives.
- get-drive-item: Get an item from a OneDrive drive.
- download-bytes: Download file bytes from OneDrive/Graph.
- list-users: Discover available users and shared mailboxes in the organization (org-mode).
- list-accounts: List the Microsoft accounts configured for the server instance (account IDs hidden).
- graph-batch: Drive arbitrary Microsoft Graph endpoints via batch requests (can be combined with --extra-scopes).
When to use it
- Read, search and triage Outlook email and calendar events from an AI assistant
- Browse, download and manage OneDrive files and edit Excel workbooks
- Manage To Do tasks, Planner boards, OneNote notes and contacts
- Work with Teams chats, online meetings, transcripts/recordings, attendance reports and presence (org-mode)
- Read and update SharePoint sites and lists, and access shared mailboxes/calendars (org-mode)
- Deploy a single multi-account, read-only or scope-limited Graph gateway for enterprise/headless environments
Security notes
Requires Microsoft authentication before tools can be used. Tokens are cached in the OS credential store (keytar) when available, falling back to file-based storage (0600 permissions) on headless systems. Default file fallback paths are inside the package directory and can be lost on reinstall; set MS365_MCP_TOKEN_CACHE_PATH and MS365_MCP_SELECTED_ACCOUNT_PATH to persist tokens. HTTP mode requires OAuth (Authorization: Bearer token) for all MCP requests and enables per-IP rate limiting by default. Use --read-only mode and --allowed-scopes / presets to limit the exposed tool surface and requested Graph permissions. MS365_MCP_REDACT_PII can scrub JWTs and email addresses from logs.
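A lint for the client config shown earlier, checking it against the options these security notes name. This is an added example, not code from the server project; the function name, the finding ids, the sample entries, the placeholder paths and the MS365_MCP_REDACT_PII value "true" are assumptions made for illustration.

```javascript
const PKG = "@softeria/ms-365-mcp-server";

// Returns findings for every mcpServers entry that launches the package.
// Finding ids and the policy itself are this example's choices, not the project's.
function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    const args = server.args ?? [];
    const env = server.env ?? {};
    if (!args.some((a) => a === PKG || a.startsWith(PKG + "@"))) continue;
    // Accept both "--flag value" and "--flag=value" spellings.
    const has = (flag) => args.some((a) => a === flag || a.startsWith(flag + "="));
    const add = (id, msg) => findings.push({ server: name, id, msg });

    if (!has("--read-only")) add("no-read-only", "write tools are exposed");
    if (!["--allowed-scopes", "--preset", "--enabled-tools"].some(has))
      add("full-tool-surface", "no scope, preset or tool filter is set");
    if (has("--org-mode") || has("--work-mode") || env.MS365_MCP_ORG_MODE === "true")
      add("org-mode", "organization tools are enabled; confirm they are needed");
    if (has("--extra-scopes")) add("extra-scopes", "extra Graph scopes requested; review them");
    if (!env.MS365_MCP_TOKEN_CACHE_PATH || !env.MS365_MCP_SELECTED_ACCOUNT_PATH)
      add("token-cache-path", "file fallback would use the package directory");
    if (!("MS365_MCP_REDACT_PII" in env)) add("no-pii-redaction", "log redaction is not configured");
    if (env.MS365_MCP_OAUTH_TOKEN || env.MS365_MCP_CLIENT_SECRET)
      add("secret-in-config", "token or client secret sits in a plaintext config file");
  }
  return findings;
}

// Constructed samples: the page's default entry and a restricted variant.
const defaultConfig = {
  mcpServers: { "microsoft-365-mcp-server": { command: "npx", args: ["-y", PKG] } },
};
const restrictedConfig = {
  mcpServers: {
    "microsoft-365-mcp-server": {
      command: "npx",
      args: ["-y", PKG, "--read-only", "--preset", "mail"],
      env: {
        MS365_MCP_TOKEN_CACHE_PATH: "/path/to/token-cache.json", // placeholder path
        MS365_MCP_SELECTED_ACCOUNT_PATH: "/path/to/selected-account.json", // placeholder path
        MS365_MCP_REDACT_PII: "true", // value format is an assumption
      },
    },
  },
};

console.log(auditMcpConfig(defaultConfig).map((f) => f.id));
console.log(auditMcpConfig(restrictedConfig).map((f) => f.id));
```

The findings are advisory: where the OS credential store is available, token-cache-path only matters if the server ever falls back to file storage.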
Microsoft 365 MCP Server FAQ
How do I access Teams, SharePoint and other work/school features?
Enable organization mode with the --org-mode flag (or --work-mode / MS365_MCP_ORG_MODE=true). It must be enabled from the start; without it only personal account features (email, calendar, OneDrive, etc.) are available.
Do I need my own Azure app registration?
No for basic use — a built-in Softeria Azure app is used by default. For production/OAuth, custom scopes via --extra-scopes, or admin-consented enterprise deployments, configure MS365_MCP_CLIENT_ID / MS365_MCP_CLIENT_SECRET / MS365_MCP_TENANT_ID against an app you control.
Which authentication methods are supported?
Three: device code flow (default, interactive via the login tool or --login), OAuth 2.1 authorization code flow (required in --http mode), and bring-your-own-token via MS365_MCP_OAUTH_TOKEN (no token refresh handled).
How can I reduce token usage and limit the exposed tools?
Use --preset (e.g. mail, calendar, teams), --enabled-tools regex filtering, --read-only mode, --allowed-scopes to narrow Graph permissions, --discovery for on-demand tool loading, or --toon for a 30-60% more token-efficient output format.
Does it support multiple Microsoft accounts?
Yes. A single instance can serve multiple accounts; when more than one is logged in, an 'account' parameter (email or MSAL homeAccountId) is injected into every tool. Single-account setups auto-select and remain fully backward compatible.