
Claude Microsoft 365 Connector: The MSP Consent Audit

Scopable Team, 8 min read

A client asking an MSP to review the Claude Microsoft 365 connector does not need an AI pep talk. They need a consent audit.

Anthropic's Microsoft 365 connector lets Claude search and analyze Outlook, SharePoint, OneDrive, and Teams through user-delegated Microsoft Graph permissions. The key phrase is not "AI". It is "permissions".

The connector is read-only, according to Anthropic's Microsoft 365 connector setup guide, and users can only access Microsoft 365 data they already have permission to view. That is useful, but it is not the same as low risk. If SharePoint permissions are messy, shared mailboxes are over-permissioned, or admin consent is granted without a rollout plan, Claude can make old access problems easier to surface.

Quick answer: before approving the Claude Microsoft 365 connector for a client, MSPs should audit the Entra enterprise applications, the granted Microsoft Graph delegated permissions, approved user groups, Conditional Access coverage, Microsoft Purview audit logging, and revocation steps. Then document which data classes are allowed before users connect Claude.

This is the same governance muscle MSPs already need for Claude Desktop rollouts, M365 Conditional Access baselines, and Entra licensing conversations. The connector is just the latest place where vague policy turns into tenant exposure.

What the connector actually does

Anthropic describes the Microsoft 365 connector as an Anthropic-hosted integration that accesses Microsoft 365 through user-delegated permissions. It uses OAuth and Microsoft Graph so Claude can retrieve data during active queries from Outlook, SharePoint, OneDrive, and Teams.

Two facts matter for MSPs.

First, a Microsoft Entra Global Administrator must grant one-time tenant consent before users in that tenant can connect. Anthropic's setup guide also notes that manual setup can create two enterprise application service principals: M365 MCP Client for Claude and M365 MCP Server for Claude.

Second, the connector uses delegated permissions, not app-only permissions. Microsoft's Graph permissions overview explains that delegated permissions let an app act on behalf of a signed-in user, and the app cannot access anything the user could not already access. That boundary is important, but it inherits every bad permission decision already sitting in the tenant.

The permission list is not tiny. Anthropic documents read scopes across mail, calendars, chat, channels, meetings, files, sites, and basic directory profile data. SharePoint search uses Sites.Read.All, and Anthropic's Microsoft 365 connector security guide says site-specific permissioning with selected scopes is not supported because the underlying search is tenant-wide.

That is the whole MSP story. The connector may be read-only, but it can read across the user's existing world.

The consent risk is mostly tenant hygiene

Most clients will ask, "Is Claude safe?" That is the wrong first question.

Ask this instead: "If a normal user signs in, what can they already read?"

If the answer is clean, connector approval is easier. If the answer is "half the company can search old client folders because nobody cleaned up SharePoint groups," the connector did not create the problem. It made the problem more usable.

Microsoft's Graph permissions overview separates delegated permissions from application permissions. Delegated access follows the signed-in user's permissions. Application permissions can access data without a user present. That distinction should go into the client explanation, because it keeps the conversation precise.

The client does not need panic. They need a checklist.

Run this tenant audit before approval

Use this before a Global Administrator clicks consent.

1. Identify the enterprise applications

In Microsoft Entra, search enterprise applications for the Claude Microsoft 365 service principals. Confirm the display names, publisher details, owners, sign-in settings, and whether assignment is required.

Microsoft's Entra application management guidance recommends managing application access, consent, permissions, Conditional Access, tokens, monitoring, and cleanup as part of the application lifecycle. Treat this connector like that, not like a one-off user request.

2. Review the Graph permissions

Open the application's permissions tab and review the granted Microsoft Graph delegated scopes. Pay special attention to:

  • Sites.Read.All for SharePoint search
  • Files.Read and Files.Read.All for OneDrive and files the user can access
  • Mail.Read and Mail.Read.Shared for user and shared mailbox access
  • Chat.Read and channel message permissions for Teams content
  • offline_access because it keeps access alive between sessions

Microsoft documents how admins can review and revoke permissions granted to enterprise applications in Entra. If the client does not need a data source, revoke that scope before rollout and test the user experience.

3. Restrict who can use it

Do not make the connector available to the whole tenant on day one.

Set assignment required to yes for both Claude enterprise applications, then assign a pilot group. Anthropic recommends restricting both components to the same set of authorized users or groups.

Start with IT, a security owner, and one business sponsor. Expand only after you see what people ask Claude to retrieve.

4. Enforce Conditional Access

Anthropic says the connector supports existing Entra policies such as MFA, compliant device requirements, IP restrictions, and group-based access.

That means the pilot should be covered by Conditional Access from the start. If the client would not allow unmanaged-device access to SharePoint, do not allow unmanaged-device access to Claude-mediated SharePoint search.

If the client has not replaced Security Defaults with a real baseline yet, start with the M365 Conditional Access baseline for MSPs before you approve new connector access.

5. Confirm audit logging and retention

Anthropic says Microsoft 365 connector Graph API calls are logged in the organization's Microsoft 365 audit log. Microsoft Purview Audit captures user and admin operations across Microsoft services, and Audit Standard retains records for 180 days for supported organizations.

Check that the client can answer three questions:

  • Who connected Claude?
  • What connector activity can we search?
  • How long do we retain the audit trail?

If nobody owns those answers, the rollout is not ready.

6. Document revocation and offboarding

Write the rollback before approval.

The client should know how to disable the connector in Claude organization settings, revoke permissions in Entra, remove user or group assignments, and disconnect individual users. Microsoft's Entra permission guidance is blunt: revoking current granted permissions does not automatically stop users from re-consenting if the app can ask again, so user consent policy matters too.

For departed employees, offboarding should include both Microsoft account disablement and any connector cleanup needed in Claude.
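One way to collect the evidence for steps 1 to 3 in a single pass, as an added example that is not from Anthropic's or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds a role that can read enterprise applications, and the service principal display names match the ones named above (a manual setup may differ, so confirm them in the tenant).

```powershell
# Added example: enumerate the Claude Microsoft 365 service principals, their
# delegated Graph grants, and who is assigned. Assumes Microsoft.Graph SDK and
# the display names from Anthropic's setup guide; adjust if the tenant differs.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

$claudeApps = @('M365 MCP Client for Claude', 'M365 MCP Server for Claude')
# Scopes the page singles out for extra scrutiny
$reviewScopes = @('Sites.Read.All', 'Files.Read.All', 'Mail.Read.Shared', 'offline_access')

foreach ($name in $claudeApps) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { Write-Warning "Enterprise application not found: $name"; continue }

    # Step 1: identity, publisher, and whether assignment is required
    [pscustomobject]@{
        DisplayName        = $sp.DisplayName
        AppId              = $sp.AppId
        Publisher          = $sp.PublisherName
        AssignmentRequired = $sp.AppRoleAssignmentRequired
    } | Format-List

    # Step 2: delegated scopes. ConsentType 'AllPrincipals' is tenant-wide admin
    # consent; 'Principal' is a grant scoped to one user (PrincipalId).
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    foreach ($g in $grants) {
        $scopes  = $g.Scope -split ' ' | Where-Object { $_ }
        $flagged = $scopes | Where-Object { $reviewScopes -contains $_ }
        '{0} grant: {1} scope(s); needs review: {2}' -f $g.ConsentType, $scopes.Count, ($flagged -join ', ')
    }

    # Step 3: assigned users/groups. An empty list with AssignmentRequired = False
    # means every user in the tenant can connect.
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Select-Object PrincipalDisplayName, PrincipalType
}
```

Run it once before consent is granted (expect nothing found) and again after, and keep both outputs with the rollout note as the consent record.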

Client policy questions MSPs should force

Technical approval is not enough. The client also needs a plain-language connector policy.

Use these questions in the rollout note:

  • Which tenants are approved for Claude Microsoft 365 connector use?
  • Which roles or groups can use it?
  • Which data classes are allowed in Claude workflows?
  • Are regulated data, client secrets, credentials, contracts, HR files, and financial records prohibited?
  • Who can request new connector permissions?
  • Who reviews audit logs after rollout?
  • Are personal Claude accounts allowed, or only approved business accounts?

Anthropic says personal Microsoft accounts cannot be used for the connector because it requires an Entra tenant. That does not answer the whole account question. Clients still need rules for personal Claude plans, business Claude plans, exports, copied answers, and what happens when sensitive source material appears in a saved chat.

The broader MCP direction points the same way. The Model Context Protocol project says Enterprise-Managed Authorization became stable in June 2026 so organizations can manage MCP server access centrally through their identity provider. That does not remove the need for a tenant audit. It reinforces the principle: connector access should be approved centrally, scoped to groups, and visible in an audit trail.

This is where the MSP has to be useful. Not dramatic. Useful.

The QBR conversation

The best way to package this is as a small governance assessment, not a giant AI project.

Bring the client a one-page summary:

Audit area: What to show the client
Entra consent: Which Claude apps exist, who approved them, and when
Graph scopes: Which data types Claude can request through user-delegated access
User groups: Who is allowed to connect today and who is excluded
Conditional Access: Whether MFA, device compliance, and location policy apply
Logging: Where audit records live and how long they are retained
Revocation: How the client turns access off during an incident or offboarding

That summary belongs in the QBR because it ties AI adoption to client risk, roadmap work, and budget.

If the audit finds overbroad SharePoint access, that becomes a permissions cleanup project. If Conditional Access is thin, that becomes an identity baseline project. If audit retention is weak, that becomes a compliance discussion. If nobody owns policy, that becomes an executive decision.

Scopable fits here because the deliverable is not "buy AI." It is the gap analysis, client-readable roadmap, budget conversation, and quote-ready follow-up. If this kind of finding still dies in a note or spreadsheet, join Scopable early access.

Bottom line

Do not approve the Claude Microsoft 365 connector from vibes.

Approve it from evidence: Entra consent, Graph permissions, user assignment, Conditional Access, audit logging, revocation, and a client policy that says what data belongs in Claude and what does not.

The connector can be reasonable in a well-managed tenant. In a messy tenant, it becomes a mirror. MSPs should look in the mirror before the client does.
