import { Tabs, Callout, Steps } from "nextra/components";
# Microsoft
At this time, Arcade does not offer a default Microsoft Auth Provider. To use
Microsoft auth, you must create a custom Auth Provider with your own Microsoft
OAuth 2.0 credentials as described below.
The Microsoft auth provider enables tools and agents to call the Microsoft Graph API on behalf of a user.
### What's documented here
This page describes how to use and configure Microsoft auth with Arcade.
This auth provider is used by:
- Your [app code](#using-microsoft-auth-in-app-code) that needs to call Microsoft Graph APIs
- Or, your [custom tools](#using-microsoft-auth-in-custom-tools) that need to call Microsoft Graph APIs
## Configuring Microsoft auth
When using your own app credentials, make sure you configure your project to
use a [custom user
verifier](/guides/user-facing-agents/secure-auth-production#build-a-custom-user-verifier).
Without this, your end-users will not be able to use your app or agent in
production.
In a production environment, you will most likely want to use your own Microsoft app credentials. This way, your users will see your application's name requesting permission.
Before showing how to configure your Microsoft app credentials, let's go through the steps to create a Microsoft app.
### Create a Microsoft app
- Follow Microsoft's guide to [registering an app with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
- Choose the permissions (scopes) you need for your app. Refer to the [section below](#arcade-microsoft-MCP Servers-scopes) for a list of scopes needed by the Arcade Microsoft MCP Servers, in case you intend to use them.
- Set the redirect URL to the redirect URL generated by Arcade (see below)
- Copy the client ID and client secret to use below
Next, add the Microsoft app to Arcade.
### Arcade Microsoft MCP Servers Scopes
Below is the list of scopes required by the Arcade Microsoft MCP Servers:
| MCP Server | Required Permissions |
| -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Outlook Calendar](/resources/integrations/productivity/outlook-calendar) | `Calendars.ReadBasic`
`Calendars.ReadWrite`
`MailboxSettings.Read` |
| [Outlook Mail](/resources/integrations/productivity/outlook-mail) | `Mail.Read`
`Mail.ReadWrite`
`Mail.Send` |
| [Teams](/resources/integrations/social-communication/microsoft-teams) | `Channel.ReadBasic.All`
`ChannelMessage.Read.All`
`ChannelMessage.Send`
`Chat.Create`
`Chat.Read`
`ChatMessage.Read`
`ChatMessage.Send`
`People.Read`
`Team.ReadBasic.All`
`TeamMember.Read.All`
`User.Read` |
| [SharePoint](/resources/integrations/productivity/sharepoint) | `Sites.Read.All` |
## Configuring your own Microsoft Auth Provider in Arcade
### Configure Microsoft Auth Using the Arcade Dashboard GUI
#### Access the Arcade Dashboard
To access the Arcade Cloud dashboard, go to [api.arcade.dev/dashboard](https://api.arcade.dev/dashboard). If you are self-hosting, by default the dashboard will be available at http://localhost:9099/dashboard. Adjust the host and port number to match your environment.
#### Navigate to the OAuth Providers page
- Under the **Connections** section of the Arcade Dashboard left-side menu, click **Connected Apps**.
- Click **Add OAuth Provider** in the top right corner.
- Select the **Included Providers** tab at the top.
- In the **Provider** dropdown, select **Microsoft**.
#### Enter the provider details
- Choose a unique **ID** for your provider (e.g. "my-microsoft-provider").
- Optionally enter a **Description**.
- Enter the **Client ID** and **Client Secret** from your Microsoft app.
- Note the **Redirect URL** generated by Arcade. This must be set as your Microsoft app's redirect URL.
#### Create the provider
Hit the **Create** button and the provider will be ready to be used.
When you use tools that require Microsoft auth using your Arcade account credentials, Arcade will automatically use this Microsoft OAuth provider. If you have multiple Microsoft providers, see [using multiple auth providers of the same type](/references/auth-providers#using-multiple-providers-of-the-same-type) for more information.
## Using Microsoft auth in app code
Use the Microsoft auth provider in your own agents and AI apps to get a user token for Microsoft Graph APIs. See [authorizing agents with Arcade](/get-started/about-arcade) to understand how this works.
Use `client.auth.start()` to get a user token for Microsoft Graph APIs:
```python {8-12}
from arcadepy import Arcade
client = Arcade() # Automatically finds the `ARCADE_API_KEY` env variable
user_id = "{arcade_user_id}"
# Start the authorization process
auth_response = client.auth.start(
user_id=user_id,
provider="microsoft",
scopes=["User.Read", "Files.Read"],
)
if auth_response.status != "completed":
print("Please complete the authorization challenge in your browser:")
print(auth_response.url)
# Wait for the authorization to complete
auth_response = client.auth.wait_for_completion(auth_response)
token = auth_response.context.token
# TODO: Do something interesting with the token...
```
```javascript {8-10}
import { Arcade } from "@arcadeai/arcadejs";
const client = new Arcade();
const userId = "{arcade_user_id}";
// Start the authorization process
let authResponse = await client.auth.start(userId, "microsoft", {
scopes: ["User.Read", "Files.Read"],
});
if (authResponse.status !== "completed") {
console.log("Please complete the authorization challenge in your browser:");
console.log(authResponse.url);
}
// Wait for the authorization to complete
authResponse = await client.auth.waitForCompletion(authResponse);
const token = authResponse.context.token;
// TODO: Do something interesting with the token...
```
## Using Microsoft auth in custom tools
You can author your own [custom tools](/guides/create-tools/tool-basics/build-mcp-server) that interact with Microsoft Graph APIs.
Use the `Microsoft()` auth class to specify that a tool requires authorization with Microsoft. The `context.authorization.token` field will be automatically populated with the user's Microsoft token:
```python {5-6,9-13,20}
from typing import Annotated
import httpx
from arcade_tdk import ToolContext, tool
from arcade_tdk.auth import Microsoft
@tool(
requires_auth=Microsoft(
scopes=["User.Read", "Files.Read"],
)
)
async def get_file_contents(
context: ToolContext,
file_id: Annotated[str, "The ID of the file to get the contents of"],
) -> Annotated[str, "The contents of the file"]:
"""Get the contents of a file from Microsoft Graph."""
url = f"https://graph.microsoft.com/v1.0/me/drive/items/{file_id}"
headers = {"Authorization": f"Bearer {context.authorization.token}"}
async with httpx.AsyncClient() as client:
response = await client.get(
url=url,
headers=headers,
)
response.raise_for_status()
return response.json()
```