Microsoft 365 MCP Server
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to match its Microsoft 365 purpose, but it requests very broad tenant-wide admin permissions that let an agent read and change mail, files, chats, calendars, and tasks.
Install only if you are comfortable giving a trusted MCP agent broad Microsoft 365 access. Prefer least-privilege Graph permissions, require confirmations for send/write actions, use a dedicated Azure app secret, and test in a limited tenant or with constrained users before production use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with these permissions, the connected agent may be able to access or modify Microsoft 365 data across the organization, not only the installer's mailbox or files.
Application permissions with admin consent are app-wide tenant permissions, not just per-user delegated access, and the requested set includes multiple read/write and send capabilities.
Add these **Application permissions** for Microsoft Graph: `Mail.Read, Mail.Send, Mail.ReadWrite ... Files.ReadWrite.All ... Tasks.ReadWrite.All ... Chat.ReadWrite.All ... User.Read.All` ... **Important:** Click "Grant admin consent"
Use a dedicated Azure app with the smallest possible Graph permissions, restrict it to specific users/resources where possible, and have an administrator review the consent before enabling the skill.
Users may underestimate that they are configuring an application credential capable of broad Microsoft Graph access.
The runtime requires a high-value Azure client secret, while the registry metadata declares no required environment variables or primary credential.
const TENANT_ID = process.env.TENANT_ID!;
const CLIENT_ID = process.env.CLIENT_ID!;
const CLIENT_SECRET = process.env.CLIENT_SECRET!;
Declare the required environment variables and credential type in metadata, store the client secret securely, rotate it regularly, and revoke it if the skill is removed.
A mistaken or over-autonomous agent action could send email or Teams messages, create calendar events, or modify task data using the configured Microsoft 365 authority.
The skill exposes direct MCP tools for outward-facing or account-mutating actions, but the artifacts do not define approval requirements, recipient restrictions, or other guardrails.
`m365_mail_send` | Send email ... `m365_calendar_create` | Create event ... `m365_tasks_create` | Create task ... `m365_teams_send` | Send message
Require explicit user confirmation for send/create/write operations and consider disabling or removing write-capable Graph permissions unless they are truly needed.
Sensitive organizational content returned by the tools can enter the agent conversation or downstream logs depending on the client environment.
The MCP server is intentionally a bridge from Microsoft 365 into an agent/client context, including sensitive mail, files, and Teams chats.
Full Microsoft 365 integration via Model Context Protocol (MCP) ... Read file content ... Read and send messages
Use only with trusted MCP clients and model providers, avoid exposing highly sensitive tenants, and review client logging/data-retention settings.
Dependency changes could alter the runtime behavior of the MCP server after installation.
The package uses npm version ranges and the manifest does not include a lockfile, so a future install may resolve different dependency versions.
"dependencies": {
  "@modelcontextprotocol/sdk": "^1.0.0",
  "dotenv": "^16.3.1"
}
Install from a trusted source, review or generate a lockfile, and pin dependency versions for production use.
