# Azure AD App Registration Guide
This guide walks you through registering an application in Azure AD (now called Microsoft Entra ID; the portal labels have changed, the steps have not) for the SharePoint MCP server. The server signs in as you with the OAuth 2.0 authorization code flow with PKCE, so the registration is a public client and needs no client secret.
## Prerequisites
- Azure AD tenant (you have one if you use Microsoft 365/SharePoint)
- Admin access or ability to register applications
- Access to the Azure Portal
## Step-by-Step Setup
### 1. Navigate to Azure Active Directory
1. Go to [Azure Portal](https://portal.azure.com)
2. Search for "Microsoft Entra ID" (formerly "Azure Active Directory") or find it in the left menu
3. Click on **App registrations** in the left sidebar
### 2. Register a New Application
1. Click **+ New registration** at the top
2. Fill in the registration form:
**Name**: `SharePoint MCP Server` (or any name you prefer)
**Supported account types**:
- Select "Accounts in this organizational directory only (Single tenant)"
- Only accounts in your own tenant's directory can sign in to this app; sign-ins from other tenants or from personal Microsoft accounts are refused before any token is issued
**Redirect URI**:
- Type: **Web**
- URI: `http://localhost:8765/callback`
- Plain `http` is accepted here only because the host is `localhost`: the authorization code is delivered to a listener on your own machine and never crosses the network. Register the URI exactly as shown; the server sends this value and Entra compares it against the registration.
3. Click **Register**
### 3. Note Your Application IDs
After registration, you'll see the **Overview** page. Copy these values:
- **Application (client) ID** - This is your `AZURE_CLIENT_ID`
- **Directory (tenant) ID** - This is your `AZURE_TENANT_ID`
You'll need these for your MCP configuration.
### 4. Add API Permissions
1. In the left sidebar, click **API permissions**
2. Click **+ Add a permission**
3. Select **Microsoft Graph**
4. Select **Delegated permissions**
5. Search for and add these permissions. All four are delegated: the server acts as the signed-in user and can never see or change more than that user could
**Sites permissions:**
- ✅ `Sites.Read.All` - Read items in all site collections
**Files permissions:**
- ✅ `Files.ReadWrite.All` - Have full access to all files the user can access
**User permissions:**
- ✅ `User.Read` - Sign in and read user profile
**Offline access:**
- ✅ `offline_access` - Maintain access to data you have given it access to
6. Click **Add permissions**
### 5. Grant Admin Consent (If Required)
Whether you need this step depends on your tenant's user consent settings. In many tenants users can consent to these delegated permissions themselves at first sign-in; in tenants that restrict user consent, an administrator must grant consent on behalf of the organization, which covers every user in the tenant at once.
1. On the **API permissions** page, look for a button that says **Grant admin consent for [Your Organization]**
2. If you see it and have admin rights, click it
3. Confirm by clicking **Yes**
4. You should see green checkmarks in the "Status" column
If you don't have admin rights, ask your IT administrator to grant consent.
### 6. Enable Public Client Flows
1. In the left sidebar, click **Authentication**
2. Scroll down to **Advanced settings** → **Allow public client flows**
3. Toggle **Enable the following mobile and desktop flows** to **Yes**
4. Click **Save** at the top
This is required for the OAuth authorization code flow with PKCE that the MCP server uses. The server is a public client: it redeems the authorization code with the PKCE `code_verifier` and no client secret. Without this setting Entra treats the Web redirect URI as belonging to a confidential client and rejects the token request with AADSTS7000218 (see Troubleshooting).
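As an added example (not code from the SharePoint MCP project), the following Python shows what the flow enabled by steps 2 to 6 looks like on the wire: a PKCE verifier/challenge pair, the `/authorize` request carrying the four scopes from step 4, validation of the loopback callback on `http://localhost:8765/callback`, and the `/token` request body that carries a `code_verifier` and no `client_secret`. The client and tenant IDs are placeholders, the callback query string is constructed, and nothing is sent to Microsoft.

```python
"""Authorization code + PKCE for a public client, as configured in steps 2 to 6.

Added example, not part of the SharePoint MCP project. Builds the /authorize
request, validates the loopback callback and builds the /token body. No network
traffic; the callback below is constructed sample data, not a real Entra response.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders, not a real registration.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "http://localhost:8765/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
# Microsoft Graph scopes for the four delegated permissions added in step 4.
SCOPES = [
    "https://graph.microsoft.com/Sites.Read.All",
    "https://graph.microsoft.com/Files.ReadWrite.All",
    "https://graph.microsoft.com/User.Read",
    "offline_access",
]


def s256_challenge(verifier):
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh random verifier (86 chars, inside the 43..128 limit) and its challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)


def build_authorize_url(challenge, state):
    """The URL the server opens in the browser (step 3 of Testing Your Setup)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(request_target, expected_state):
    """Parse the GET target the loopback listener receives, e.g. '/callback?code=...&state=...'."""
    parsed = urlparse(request_target)
    if parsed.path != urlparse(REDIRECT_URI).path:
        raise ValueError(f"unexpected path {parsed.path!r}")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    # Reject callbacks we did not initiate: stops an attacker from steering the
    # listener into redeeming a code bound to the attacker's session.
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch; discarding callback")
    return query["code"][0]


def build_token_request(code, verifier):
    """Body for POST {AUTHORITY}/oauth2/v2.0/token. No client_secret: the verifier
    proves the same client started the flow. If 'Allow public client flows' is off,
    Entra answers this body with AADSTS7000218."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }


def demo():
    """One full round trip with a constructed callback; returns (authorize_url, token_body)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(challenge, state)
    callback = f"/callback?code=0.AXsA-sample-code&state={state}&session_state=abc"  # constructed
    code = parse_callback(callback, state)
    return url, build_token_request(code, verifier)


if __name__ == "__main__":
    authorize_url, token_body = demo()
    print("Open in browser:", authorize_url)
    print("Token request body:", token_body)
```

The two things to take from this: the `state` check is what makes the loopback listener safe to leave running while the browser is open, and the token body is the concrete reason step 6 exists, since a Web redirect URI alone makes Entra expect a `client_secret` or `client_assertion` in that body.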
### 7. Verify Your Configuration
Your app registration should now have:
**Overview:**
- Application (client) ID: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
- Directory (tenant) ID: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
**Authentication:**
- Platform: Web
- Redirect URI: `http://localhost:8765/callback`
- Allow public client flows: Yes
**API permissions:**
- Microsoft Graph:
- Sites.Read.All (Delegated) ✅
- Files.ReadWrite.All (Delegated) ✅
- User.Read (Delegated) ✅
- offline_access (Delegated) ✅
## Using Your App Credentials
### For Claude Desktop
Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
```json
{
"mcpServers": {
"sharepoint": {
"command": "uvx",
"args": ["sharepoint-mcp"],
"env": {
"AZURE_CLIENT_ID": "your-application-client-id-here",
"AZURE_TENANT_ID": "your-directory-tenant-id-here"
}
}
}
}
```
### For Claude Code
Either set environment variables:
```bash
export AZURE_CLIENT_ID="your-application-client-id-here"
export AZURE_TENANT_ID="your-directory-tenant-id-here"
```
Or create a config file at `~/.config/sharepoint-mcp/config.json`:
```json
{
"client_id": "your-application-client-id-here",
"tenant_id": "your-directory-tenant-id-here"
}
```
## Testing Your Setup
1. Restart Claude Desktop
2. Ask: "List my SharePoint sites"
3. A browser window should open
4. Sign in with your work or school account (one in the tenant where you registered the app)
5. Review the permissions being requested
6. Click **Accept**
7. Return to Claude - you should see your sites!
## Troubleshooting
### "AADSTS500113: No reply address is registered for the application"
**Problem**: No redirect URI is registered on the app at all. The closely related AADSTS50011 means a redirect URI is registered but doesn't match the one the server sent. Both have the same fix.
**Solution**:
1. Go to your app registration → Authentication
2. Ensure the redirect URI is exactly: `http://localhost:8765/callback`
3. Make sure it's added as a **Web** platform, not **Single-page application**
### "AADSTS65001: The user or administrator has not consented"
**Problem**: Permissions haven't been granted.
**Solution**:
1. Check API permissions - ensure all 4 permissions are added
2. If you have admin rights, click "Grant admin consent"
3. Otherwise, ask your IT administrator to grant consent
### "AADSTS7000218: The request body must contain the following parameter: 'client_assertion'"
**Problem**: Public client flows are not enabled.
**Solution**:
1. Go to Authentication → Advanced settings
2. Enable "Allow public client flows"
3. Save the changes
### "Access denied" when trying to access SharePoint
**Problem**: Delegated permissions never exceed your own SharePoint rights, so the usual cause is that your account can't open the site; less often the app is missing a permission or consent has not been granted.
**Solution**:
1. Verify you can access the site directly in your browser
2. Check that the app has the required Graph API permissions
3. Ensure admin consent has been granted if required
## Security Best Practices
1. **Least Privilege**: The permissions requested are the minimum the server needs, and because they are delegated they are further capped by the signed-in user's own access. Don't add extra permissions, and don't add application permissions: they are not scoped to the user and they require client credentials, which a public client does not have.
2. **Single Tenant**: Keep the app as "Single tenant" to prevent external users from authenticating.
3. **Token Storage**: The MCP server stores tokens in your OS keychain, not in plain text files.
4. **Regular Review**: Periodically review app permissions in Azure AD and revoke access if the app is no longer needed.
5. **Client Secret**: This app uses public client flows (no client secret). Never add a client secret to a desktop/CLI application: anything shipped to the user's machine can be extracted, so the secret would prove nothing about the caller while letting whoever extracts it act as the app.
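Step 7 (Verify Your Configuration) and the practices above can be checked mechanically instead of by eye. The following Python, an added example and not part of the SharePoint MCP project, audits the Microsoft Graph `application` object for a registration (the JSON that `az ad app show --id <client-id>` prints) against what this guide expects: single tenant, the loopback redirect URI on the Web platform, public client flows enabled, no client secret or certificate, and exactly the four delegated Graph permissions. The permission IDs are the published Microsoft Graph delegated-permission IDs; cross-check them against the permissions reference linked at the end before relying on them in your own tooling. The two manifests in the block are constructed sample data.

```python
"""Audit an Entra app registration manifest against the settings this guide expects.

Added example, not part of the SharePoint MCP project. Input is the Microsoft Graph
`application` object (what `az ad app show --id <client-id>` prints). GOOD and BAD
below are constructed sample manifests.
"""
import copy
import json
import sys

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource
EXPECTED_REDIRECT = "http://localhost:8765/callback"
# Delegated (type "Scope") permission IDs for Microsoft Graph. Verify against the
# Graph permissions reference before relying on them.
EXPECTED_SCOPES = {
    "205e70e5-aba6-4c52-a976-6d2d46c48043": "Sites.Read.All",
    "863451e7-0667-486c-a5d6-d135439485f0": "Files.ReadWrite.All",
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
    "7427e0e9-2fba-42fe-b0c0-848c9e6a8182": "offline_access",
}


def audit(app):
    """Return a list of findings; an empty list means the registration matches the guide."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"not single tenant: signInAudience={app.get('signInAudience')!r}")
    if EXPECTED_REDIRECT not in app.get("web", {}).get("redirectUris", []):
        findings.append(f"redirect URI {EXPECTED_REDIRECT} is not registered on the Web platform")
    if app.get("isFallbackPublicClient") is not True:
        findings.append("public client flows disabled; token requests fail with AADSTS7000218")
    if app.get("passwordCredentials") or app.get("keyCredentials"):
        findings.append("client secret or certificate present on a public client; remove it")

    requested = {}  # permission id -> "Scope" (delegated) or "Role" (application)
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            findings.append(f"permissions requested on unexpected resource {resource.get('resourceAppId')}")
            continue
        for access in resource.get("resourceAccess", []):
            requested[access["id"]] = access.get("type")
    for pid, kind in requested.items():
        if kind == "Role":
            # Application permissions ignore the signed-in user's own access.
            findings.append(f"application permission {pid} requested; only delegated permissions are expected")
        elif pid not in EXPECTED_SCOPES:
            findings.append(f"extra delegated permission {pid} not needed by the guide")
    for pid, name in EXPECTED_SCOPES.items():
        if requested.get(pid) != "Scope":
            findings.append(f"missing delegated permission {name}")
    return findings


# Constructed manifest matching steps 2 to 6 (appId is a placeholder).
GOOD = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True,
    "web": {"redirectUris": [EXPECTED_REDIRECT]},
    "passwordCredentials": [],
    "keyCredentials": [],
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": pid, "type": "Scope"} for pid in EXPECTED_SCOPES],
    }],
}

# The same registration after three common mistakes: opened to all tenants, given a
# client secret, and granted an application permission (made-up permission id).
BAD = copy.deepcopy(GOOD)
BAD["signInAudience"] = "AzureADMultipleOrgs"
BAD["passwordCredentials"] = [{"displayName": "dev secret", "hint": "Xy~"}]
BAD["requiredResourceAccess"][0]["resourceAccess"].append(
    {"id": "00000000-0000-0000-0000-000000000000", "type": "Role"})

if __name__ == "__main__":
    # Usage: az ad app show --id <client-id> | python audit_app.py
    manifest = json.load(sys.stdin) if len(sys.argv) == 1 else json.load(open(sys.argv[1]))
    problems = audit(manifest)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: registration matches the guide" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it against your own registration after step 7 and again during the periodic review in practice 4; a non-empty list of findings is the drift you are looking for.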
## Advanced Configuration
### Custom Redirect Port
If port 8765 is already in use, you can change it:
1. In Azure AD, update the redirect URI to use a different port (e.g., `http://localhost:8766/callback`)
2. In your MCP configuration, add:
```json
"env": {
"AZURE_CLIENT_ID": "...",
"AZURE_TENANT_ID": "...",
"REDIRECT_URI": "http://localhost:8766/callback"
}
```
### Multi-Tenant Applications
If you want to allow users from other organizations to use your MCP server:
1. Change "Supported account types" to "Accounts in any organizational directory"
2. Update tenant_id in your config to `organizations`, which matches that account type (`common` also offers personal Microsoft accounts, which this setting does not accept)
Note: This is generally not recommended for personal MCP servers. Users in every other tenant must consent (or have their admin consent) separately, and you become the publisher of an app that other organizations trust.
## Further Reading
- [Microsoft identity platform documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/)
- [Microsoft Graph permissions reference](https://docs.microsoft.com/en-us/graph/permissions-reference)
- [OAuth 2.0 authorization code flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)