Microsoft
The Microsoft auth provider enables tools and agents to call the Microsoft Graph API on behalf of a user. It supports Arcade’s MCP servers for Outlook Calendar, Outlook Mail, Microsoft Teams, and SharePoint, as well as your own custom tools and app code.
On this page
- Configure Microsoft auth — three options depending on your security posture
- Production readiness — custom verifier, admin consent, conditional access
- MCP server scopes reference — which permissions each server requires
- Use Microsoft auth in app code — get a token for Graph API calls
- Use Microsoft auth in custom tools — build tools that call Graph APIs
Configure Microsoft auth
Arcade supports three ways to connect Microsoft auth. Choose based on your team’s security requirements and how much control you need over the Azure app registration.
| | Option 1: Included provider | Option 2: Multi-tenant app | Option 3: Tenant-specific app |
|---|---|---|---|
| Azure setup | None — Arcade provisions the app | You register in Azure Portal | You register in Azure Portal |
| Tenant scope | Any organization | Any organization | Single tenant only |
| Permission control | Scopes fixed per approval cycle | Full control | Full control |
| Branding | Arcade branding on consent screen | Your app’s branding | Your app’s branding |
| Best for | Getting started, prototyping | Production with cross-org access | Production with strict tenant isolation |
Option 1: Use Arcade’s included provider
The fastest path. Arcade provides a pre-configured Microsoft OAuth app — no Azure app registration required. Your IT or security team approves the app in Microsoft Entra ID, and you’re ready to go.
Trade-off: The granted scopes are tied to the specific agent use case. If you add MCP servers or tools that require additional permissions, your security team will need to approve the updated scope set.
Go to the Arcade Dashboard
Navigate to the Arcade Dashboard. If you are self-hosting, the dashboard is available at http://localhost:9099/dashboard by default.
Add the included Microsoft provider
- Under Connections, click Connected Apps
- Click + Add OAuth Provider
- Select the Included Providers tab
- In the Provider dropdown, select Microsoft
Configure the provider
- Choose a unique ID for your provider (e.g., my-microsoft-provider)
- Optionally enter a Description
- Click Create
IT / security approval
Share the app details with your IT or security team. They will need to:
- Locate the Arcade app in Enterprise Applications in the Azure Portal
- Review the requested permissions
- Grant admin consent for your organization
Once approved, users in your organization can authorize through the standard OAuth flow.
Option 2: Register a multi-tenant Azure app
Register your own app in Azure to get full control over branding, permissions, and token policies. This configuration allows users from any Azure AD tenant to authenticate.
Create app registration
- Go to Azure Portal
- Search for App Registrations
- Click + New Registration
- Configure:
  - Name: Your preferred name (e.g., “Acme OAuth App”)
  - Supported account types: “Accounts in any organizational directory (Multitenant)”
  - Redirect URI:
    - Type: Web
    - URL: https://cloud.arcade.dev/api/v1/oauth/XXXXX/callback (copy from your Arcade Dashboard)
- Click Register
Create client secret
- In your app registration, go to Certificates & secrets
- Click + New client secret
- Add a description (e.g., “Acme Arcade Integration”)
- Set the expiry period (recommended: 24 months)
- Click Add
Copy and save the secret value immediately. It won’t be shown again.
Configure API permissions
- Go to API permissions in your app registration
- Click + Add a permission
- Select Microsoft Graph
- Select Delegated permissions
- Add the required scopes based on which servers you’re using (see MCP server scopes reference or the detailed per-tool breakdown)
- Click Add permissions
- If any permissions require admin consent, click Grant admin consent for [Your Organization]
Configure in Arcade
- Go to the Arcade Dashboard
- Under Connections, click Connected Apps
- Click + Add OAuth Provider
- Select Microsoft from the included providers list
- Configure:
  - Provider ID: Your preferred identifier (e.g., acme-microsoft)
  - Client ID: Copy from Azure App Registration “Application (client) ID”
  - Client Secret: The secret value you saved earlier
- Click Create
Option 3: Register a tenant-specific Azure app
Restrict authentication to a single Microsoft Entra ID tenant. Use this when your organization’s security policy requires tenant isolation.
Get your tenant ID
- Go to Azure Portal
- Search for Microsoft Entra ID (formerly Azure Active Directory)
- On the Overview page, find your tenant ID (a GUID like 12345678-1234-1234-1234-123456789abc)
- Copy and save this ID
Create app registration
Follow the same steps as Option 2, but for Supported account types, select:
- “Accounts in this organizational directory only (Single tenant)”
Configure API permissions
Follow the same steps as Option 2.
Configure in Arcade (custom provider)
Tenant-specific endpoints require the Custom Provider option in Arcade:
- Go to the Arcade Dashboard
- Under Connections, click Connected Apps
- Click + Add OAuth Provider
- Select Custom Provider
- Configure:
  - Provider ID: Your preferred identifier (e.g., acme-microsoft-tenant)
  - Client ID: Copy from Azure App Registration
  - Client Secret: The secret value you saved
  - Authorization Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
  - Token Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
  - Scopes: https://graph.microsoft.com/.default offline_access

  Replace {tenant-id} with your actual tenant ID.
- Click Create
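
Added example (not part of Arcade's documentation): a small lint for the Option 3 custom-provider values. It catches the mistakes that quietly undo tenant isolation, such as a multi-tenant alias (common, organizations, consumers) or the unreplaced {tenant-id} placeholder left in an endpoint. The function names and dict keys are hypothetical and are not Arcade field names.

```python
import re
from urllib.parse import urlsplit

# Aliases Microsoft accepts in place of a tenant ID; each admits many tenants.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HOST = "login.microsoftonline.com"

def check_endpoint(url, suffix):
    """Return (tenant_segment_or_None, problems) for one endpoint URL."""
    problems, parts = [], urlsplit(url)
    if parts.scheme != "https" or parts.hostname != HOST:
        problems.append(f"{url}: expected https://{HOST}")
    m = re.fullmatch(rf"/([^/]+)/oauth2/v2\.0/{suffix}", parts.path)
    if not m:
        problems.append(f"{url}: path is not /<tenant>/oauth2/v2.0/{suffix}")
        return None, problems
    tenant = m.group(1)
    if tenant.lower() in MULTI_TENANT_ALIASES:
        problems.append(f"{url}: '{tenant}' is not tenant-specific")
    elif "{" in tenant:
        problems.append(f"{url}: placeholder was never replaced")
    elif not GUID_RE.match(tenant):
        # Microsoft also accepts a verified domain here; this lint insists on the GUID.
        problems.append(f"{url}: tenant segment is not a GUID")
    return tenant, problems

def lint_provider(cfg, expected_tenant):
    problems = []
    for key, suffix in (("authorization_endpoint", "authorize"),
                        ("token_endpoint", "token")):
        tenant, found = check_endpoint(cfg[key], suffix)
        problems += found
        if tenant and GUID_RE.match(tenant) and tenant.lower() != expected_tenant.lower():
            problems.append(f"{key}: tenant differs from the expected tenant")
    for scope in ("https://graph.microsoft.com/.default", "offline_access"):
        if scope not in cfg["scopes"].split():
            problems.append(f"scopes: missing {scope}")
    return problems

# Constructed sample configs (hypothetical keys); the GUID is the page's example value.
TENANT = "12345678-1234-1234-1234-123456789abc"
GOOD = {"authorization_endpoint": f"https://{HOST}/{TENANT}/oauth2/v2.0/authorize",
        "token_endpoint": f"https://{HOST}/{TENANT}/oauth2/v2.0/token",
        "scopes": "https://graph.microsoft.com/.default offline_access"}
BAD = {"authorization_endpoint": f"https://{HOST}/common/oauth2/v2.0/authorize",
       "token_endpoint": f"https://{HOST}/{{tenant-id}}/oauth2/v2.0/token",
       "scopes": "https://graph.microsoft.com/.default"}

if __name__ == "__main__": print(*lint_provider(BAD, TENANT), sep="\n")
```
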
Production readiness
Custom user verifier
For Options 2 and 3, where you bring your own Azure app credentials, you must configure a custom user verifier before deploying to production.
Without a custom verifier, your end-users would need an Arcade.dev account to complete the OAuth flow, which is not what you want in a production environment. The custom verifier lets your application handle identity, so the auth flow stays within your own UX.
Production deployments with custom app credentials will not work without a custom verifier. Set this up before going live.
Enterprise environment configuration
For organizations that require additional security controls beyond the app registration:
- Admin consent and conditional access:
  - Go to Enterprise Applications in Azure Portal
  - Find your application
  - Configure conditional access policies as required by your security team
  - Set up assignment requirements to control which users can authorize
  - Grant tenant-wide admin consent if needed
- Security team coordination:
  - Review the required permissions per MCP server with your security team before granting consent
  - Ensure conditional access policies don’t block Microsoft Graph API access
  - Configure token lifetime policies that align with your organization’s session management standards
If you have multiple Microsoft providers configured in Arcade, see using multiple auth providers of the same type.
MCP server scopes reference
Each Arcade Microsoft MCP server requires a specific set of Microsoft Graph API delegated permissions. The table below summarizes the scopes per server. For a detailed breakdown of scopes per tool, including API endpoints, see permissions and scopes.
| MCP Server | Required Permissions |
|---|---|
| Outlook Calendar | User.Read, Calendars.ReadBasic, Calendars.ReadWrite, MailboxSettings.Read |
| Outlook Mail | Mail.Read, Mail.ReadWrite, Mail.Send |
| Microsoft Teams | User.Read, Team.ReadBasic.All, TeamMember.Read.All, Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.Send, Chat.Read, Chat.Create, ChatMessage.Read, ChatMessage.Send, People.Read |
| SharePoint | User.Read, Sites.Read.All |
All Microsoft servers use the default scope https://graph.microsoft.com/.default. When running locally or with custom deployments, you can update the base URL to point to your custom Microsoft Graph endpoint. API endpoints remain consistent across deployments.
Use Microsoft auth in app code
Use the Microsoft auth provider in your agents and AI apps to get a token for Microsoft Graph APIs. See authorizing agents with Arcade to understand how this works.
Use client.auth.start() to get a token for Microsoft Graph APIs:
```python
from arcadepy import Arcade

client = Arcade()  # Automatically finds the `ARCADE_API_KEY` env variable

user_id = "{arcade_user_id}"

# Start the authorization process
auth_response = client.auth.start(
    user_id=user_id,
    provider="microsoft",
    scopes=["User.Read", "Files.Read"],
)

if auth_response.status != "completed":
    print("Please complete the authorization challenge in your browser:")
    print(auth_response.url)

# Wait for the authorization to complete
auth_response = client.auth.wait_for_completion(auth_response)

token = auth_response.context.token
# TODO: Do something interesting with the token...
```

Use Microsoft auth in custom tools
You can build your own custom tools that interact with Microsoft Graph APIs.
Use the Microsoft() auth class to specify that a tool requires authorization with Microsoft. The context.authorization.token field is automatically populated with the user’s Microsoft token:
```python
from typing import Annotated

import httpx
from arcade_tdk import ToolContext, tool
from arcade_tdk.auth import Microsoft


@tool(
    requires_auth=Microsoft(
        scopes=["User.Read", "Files.Read"],
    )
)
async def get_file_contents(
    context: ToolContext,
    file_id: Annotated[str, "The ID of the file to get the contents of"],
) -> Annotated[str, "The contents of the file"]:
    """Get the contents of a file from Microsoft Graph."""
    # /content returns the file body; the bare item URL returns only metadata.
    url = f"https://graph.microsoft.com/v1.0/me/drive/items/{file_id}/content"
    headers = {"Authorization": f"Bearer {context.authorization.token}"}

    # Graph answers /content with a 302 to a download URL, so follow redirects.
    async with httpx.AsyncClient(follow_redirects=True) as client:
        response = await client.get(
            url=url,
            headers=headers,
        )
        response.raise_for_status()
        # Return text so the value matches the declared str return type.
        return response.text
```