If you've been trying to connect Claude by Anthropic to your Microsoft 365 environment and keep running into permission errors, blank responses, or a connector that simply refuses to authenticate, you're not alone. The M365 Connector for Claude is one of the most powerful productivity integrations available today, but it comes with a surprisingly unforgiving setup process. One misconfigured admin consent policy or a missing API scope can silently break the entire pipeline without giving you a useful error message. In this guide, I'll walk you through exactly how the connector works, what commonly goes wrong, and how to fix every scenario I've encountered in production M365 tenants.

What Is the M365 Connector for Claude by Anthropic?

The Microsoft 365 Connector for Claude by Anthropic is an integration layer that brings Anthropic's Claude large language model directly into your Microsoft 365 ecosystem. It allows Claude to read, summarize, draft, and reason over content from SharePoint, Teams, Outlook, OneDrive, and other M365 services, all through a secure, tenant-scoped connection governed by your Azure Active Directory (now called Microsoft Entra ID) policies.

At its core, the connector works through the Microsoft Graph API. Claude is granted delegated or application-level permissions to query your Microsoft 365 data on behalf of users or the tenant as a whole. Anthropic's backend communicates with your tenant via OAuth 2.0 tokens, and your organization's data never leaves the Microsoft security perimeter without explicit authorization. Think of it less like a plug-in and more like a trusted enterprise application that's been registered in your Azure tenant.

This differs significantly from simply using Claude.ai in a browser tab. When properly configured, the M365 Connector means Claude can be invoked from within Microsoft Teams, embedded in SharePoint pages, triggered by Power Automate flows, or surfaced through Microsoft 365 Copilot extensibility as a plugin, depending on how your administrator has provisioned it.

The connector is particularly popular in organizations that want Claude's reasoning and writing capabilities applied to internal knowledge bases, email drafting pipelines, IT helpdesk ticket summarization, or legal document review, all with the governance controls that enterprise IT teams require.

Before You Begin: Prerequisites and Required Roles

Before you touch a single setting, make sure the following are in place. Skipping any one of these is the single most common reason the connector fails on first setup.

  • Microsoft Entra ID (Azure AD) Global Administrator or Application Administrator role: You need one of these to register the app and grant admin consent for tenant-wide API permissions.
  • An active Microsoft 365 Business or Enterprise license: The connector requires M365 E3, E5, Business Premium, or an equivalent plan. It does not work with personal Microsoft accounts or M365 Family subscriptions.
  • An Anthropic account with API access enabled: You'll need an Anthropic API key. Free-tier Claude.ai accounts do not provide the API credentials required for the connector. You need a paid API plan from console.anthropic.com.
  • Access to the Microsoft 365 Admin Center and Azure Portal: Both portals are involved. Make sure you can access admin.microsoft.com and portal.azure.com with the same admin credentials.
  • Outbound HTTPS connectivity on port 443: If your organization uses a web proxy or firewall, make sure api.anthropic.com is on the allowlist.

Warning: Do not attempt to install the connector as a non-admin user and then ask an admin to "approve it later." Partial installations that are missing admin consent create orphaned app registrations in Entra ID that can block future clean installations. If you're not the admin, coordinate with your IT team before starting.

Step-by-Step: Setting Up the M365 Connector for Claude

Step 1
Register the Application in Microsoft Entra ID

Sign in to the Azure Portal at portal.azure.com with your Global Administrator account. Navigate to Microsoft Entra ID in the left sidebar, then select App registrations, and click New registration.

Give the application a recognizable name like Claude-M365-Connector. Under Supported account types, select Accounts in this organizational directory only (Single tenant); this is critical for data governance. Do not choose multi-tenant unless your legal team has explicitly approved cross-tenant data sharing.

For the Redirect URI, enter https://api.anthropic.com/oauth/callback and set the type to Web. Click Register. You'll land on the app's overview page. Copy the Application (client) ID and the Directory (tenant) ID and save them somewhere safe. You'll need both in a moment.

Step 2
Create a Client Secret

In your new app registration, go to Certificates & secrets in the left menu, then click New client secret. Give it a description like Claude Connector Secret, set an expiration of 12 or 24 months (avoid "Never expires" for security hygiene), and click Add.

Immediately copy the Value field, not the Secret ID. This value is only shown once. If you navigate away before copying it, you'll have to delete the secret and create a new one. Store this securely in a password manager or your organization's secrets vault.

Tip: Set a calendar reminder 30 days before your client secret expires. When the secret rotates, the connector will stop working silently: no alerts, just broken queries. Many IT teams discover the connector is broken only when users start complaining.

Step 3
Configure API Permissions

Still in your app registration, click API permissions in the left menu, then click Add a permission. Select Microsoft Graph, then choose Application permissions (not Delegated, unless your deployment requires user-context permissions).

Add the following permissions based on which M365 services you want Claude to access:

  • Files.Read.All: Read all files in OneDrive and SharePoint
  • Mail.Read: Read email from Exchange Online (if enabling email summarization)
  • Sites.Read.All: Read SharePoint sites and document libraries
  • User.Read.All: Read basic user profiles for context
  • Team.ReadBasic.All: Read Teams membership and structure
  • ChannelMessage.Read.All: Read Teams channel messages (requires Teams license)

Only add what you actually need. Over-permissioning is both a security risk and a compliance problem; your security team will thank you for keeping the scope minimal.

Once you've added the permissions, click Grant admin consent for [Your Organization] at the top of the API permissions page. Confirm the dialog. You should see green checkmarks appear next to each permission. If you see a spinner that never resolves, your account may lack the required role; check that you're logged in as a Global Administrator or Application Administrator.

Step 4
Configure the Connector in the Anthropic Console

Log in to console.anthropic.com with your Anthropic API account. Navigate to Integrations or Connectors (the exact label may vary depending on when you're reading this; Anthropic's console UI is actively evolving). Look for the Microsoft 365 connector option.

You'll be prompted to enter the following values from the Azure app registration you just created:

  • Tenant ID: The Directory (tenant) ID you copied in Step 1
  • Client ID: The Application (client) ID from Step 1
  • Client Secret: The secret value you copied in Step 2
  • Anthropic API Key: Your API key from the same Anthropic account

After entering these values, click Test Connection. A successful test will return a green confirmation and a basic ping response from the Microsoft Graph API. If you see an error here, jump to the troubleshooting section below.

Step 5
Deploy and Assign User Access

With the connection verified, you now need to decide who in your organization can use it. Back in the Azure Portal, go to your app registration and click Enterprise applications in the breadcrumb (or navigate there directly via Entra ID > Enterprise applications > find your app).

Under Properties, set Assignment required to Yes. This ensures only explicitly assigned users or groups can authenticate with the connector, a critical security control in any enterprise deployment.

Then go to Users and groups and click Add user/group. Assign the specific users, security groups, or M365 groups who should have access. In a pilot rollout, start with a small test group before opening it to the entire organization.

Tip: Create a dedicated Entra ID security group called something like Claude-Connector-Users and manage access through that group. Adding individuals directly makes it harder to audit and revoke access at scale later.

Step 6
Verify End-to-End Functionality

Log in as a test user who was assigned in the previous step. If you're using the connector through Teams, check that the Claude app or bot is visible in the Teams app catalog under your organization's apps. If you're using it via the Anthropic Console or a custom integration, run a simple query that reads a known SharePoint document and verify the response is accurate.

A useful first test: ask Claude to summarize a specific SharePoint page you created for testing purposes. If it can accurately describe the content, the connector is working end-to-end. If it returns a generic response or says it can't access the document, there's a permission or token issue to debug.

Advanced Troubleshooting: When the Connector Won't Work

Error: AADSTS700016, Application Not Found in Directory

This error means the Tenant ID you entered in the Anthropic Console doesn't match the tenant where the app was registered. This happens most often when you have access to multiple tenants (for example, a home tenant and a client tenant) and accidentally registered the app in the wrong one. Double-check the Directory ID in your Azure app registration against what you entered in the Anthropic Console. They must be identical, not just similar-looking GUIDs.

Error: AADSTS650052, App Needs Access to a Resource

This cryptic error usually means admin consent was not fully granted. Even if you clicked "Grant admin consent" and saw green checkmarks, consent sometimes doesn't propagate immediately, especially in large tenants with many service principals. Wait 10–15 minutes and try the Test Connection again. If it still fails, go back to API permissions, revoke the existing consent, wait two minutes, and re-grant it. This forces a fresh consent token.

Connector Authenticates But Returns No Data

If the Test Connection passes but actual queries return empty results, the most likely cause is that the service account or application identity doesn't have access to the specific SharePoint sites or mailboxes you're querying. Microsoft Graph application permissions are tenant-wide at the permission level, but SharePoint has its own site-level access controls that layer on top. Make sure the sites you want Claude to access haven't been set to restricted access in SharePoint admin. Go to the SharePoint Admin Center and check the site permissions for the affected libraries.
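To separate a token problem from a SharePoint site-level restriction, the added example below (not part of the original guide, and not Anthropic's or Microsoft's code) decodes an app-only access token and compares its `tid`, `roles`, and `exp` claims with the setup from Steps 1 and 3. It assumes you have requested a token for the same app registration yourself; the tenant GUID, the `EXPECTED_ROLES` set, and the sample token are constructed for illustration.

```python
import base64
import json
import time

# Application permissions this deployment intends to grant (names from
# Step 3; trim to what your rollout actually uses).
EXPECTED_ROLES = {"Sites.Read.All", "Files.Read.All"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return a JWT payload WITHOUT verifying the signature.

    Diagnostic use only: never authorize anything on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token, expected_tenant, now=None):
    """Compare app-only token claims with what the connector setup expects."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    if str(claims.get("tid", "")).lower() != expected_tenant.lower():
        findings.append("tenant-mismatch")
    roles = set(claims.get("roles", []))
    findings += [f"missing-role:{r}" for r in sorted(EXPECTED_ROLES - roles)]
    findings += [f"unexpected-role:{r}" for r in sorted(roles - EXPECTED_ROLES)]
    if claims.get("exp", 0) <= now:
        findings.append("expired")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}.sig"


# Constructed sample: placeholder tenant GUID and a fixed clock.
TENANT = "00000000-0000-0000-0000-000000000001"
NOW = 1_700_000_000
SAMPLE = make_sample_token(
    {"tid": TENANT, "roles": ["Sites.Read.All", "Mail.Read"], "exp": NOW + 3600}
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, TENANT, now=NOW):
        print(finding)
```

An empty result means the token itself carries the expected tenant and permissions, which points at the SharePoint site permissions described above.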

Teams App Shows as Unavailable or Greyed Out

If you've deployed the Claude Teams app but users see it as unavailable, check your Teams App Setup Policies in the Teams Admin Center. Navigate to Teams apps > Setup policies and verify that the Claude app is either in the global (Org-wide default) policy or a custom policy assigned to your pilot group. Also check under Teams apps > Manage apps that the app status is Allowed and not Blocked at the org level.

Intermittent 401 Errors After Initial Success

Intermittent 401 Unauthorized errors after the connector was working fine almost always mean a token refresh failure. The OAuth 2.0 access tokens issued by Microsoft Entra ID have a one-hour expiry. If the connector's token refresh mechanism fails (due to a network timeout, a brief Azure AD outage, or a service restart on Anthropic's side), subsequent API calls will fail until a new token is obtained. If this happens consistently at or around the one-hour mark, it points to an issue with refresh token persistence. Check whether your Anthropic API key has been rotated recently, as a changed API key will invalidate the stored token context.

Conditional Access Policies Blocking Authentication

Many enterprise tenants have Conditional Access policies that require compliant devices, MFA, or specific network locations for app authentication. Application-level service principals are often excluded from these policies, but if your security team has applied a blanket Conditional Access policy to all applications, it may be blocking the connector. Ask your Entra ID administrator to check the Conditional Access sign-in logs for the Claude-M365-Connector service principal. They can add a specific exclusion if needed without loosening the policy for human users.

Data Compliance and DLP Policy Conflicts

If your organization uses Microsoft Purview Data Loss Prevention (formerly Microsoft 365 DLP), certain queries that trigger sensitive information type detections may be silently blocked or redacted. For example, if you ask Claude to summarize an email thread that contains credit card numbers, Purview DLP may intercept the Graph API response before it reaches the connector. Check the Purview compliance portal for DLP policy match events tied to the Claude connector application ID. You may need to create a policy exception or adjust the sensitivity label thresholds for AI assistant use cases.

Warning: Never disable tenant-wide DLP policies to work around connector issues. Instead, work with your compliance team to create scoped exceptions for the specific application. Disabling DLP affects your entire organization and creates audit findings.

Prevention: Keeping the Connector Healthy Long-Term

Rotate Client Secrets Before They Expire

Set up a recurring task (in your IT service management system, as a Power Automate flow, or even just a calendar reminder) to rotate the client secret at least 30 days before its expiration date. When you create the new secret, update it in the Anthropic Console before deleting the old one to avoid any downtime. Microsoft Entra ID allows multiple active secrets simultaneously, which makes zero-downtime rotation possible.
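The expiry check can be automated. This added example (not from the original guide) reads the `passwordCredentials` list of a Microsoft Graph application object, flags secrets inside the 30-day window, and confirms that a replacement secret exists before the old one is deleted. The sample object and its `keyId` values are constructed; fetching the real object from Graph is left out.

```python
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # lead time recommended in this guide


def parse_graph_time(value):
    # Graph returns UTC ISO 8601 timestamps; drop the "Z" and any fractional
    # seconds so every supported Python version parses them.
    base = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)


def secret_status(app, now):
    """Return (keyId, state, days_left) for each client secret."""
    report = []
    for cred in app.get("passwordCredentials", []):
        left = parse_graph_time(cred["endDateTime"]) - now
        if left <= timedelta(0):
            state = "expired"
        elif left <= WARN_WINDOW:
            state = "rotate-now"
        else:
            state = "ok"
        report.append((cred["keyId"], state, left.days))
    return report


def safe_to_delete(app, key_id, now):
    """True if another secret stays valid beyond the warning window.

    This only checks the Entra ID side; the new value must already be
    saved in the Anthropic Console before the old secret is removed.
    """
    return any(
        state == "ok" and kid != key_id
        for kid, state, _ in secret_status(app, now)
    )


# Constructed sample shaped like a Graph application object; keyId values
# are placeholders, not real identifiers.
SAMPLE_APP = {
    "displayName": "Claude-M365-Connector",
    "passwordCredentials": [
        {"keyId": "placeholder-key-1", "displayName": "Claude Connector Secret",
         "endDateTime": "2025-03-20T00:00:00Z"},
        {"keyId": "placeholder-key-2", "displayName": "Claude Connector Secret (new)",
         "endDateTime": "2026-03-01T00:00:00Z"},
    ],
}
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_id, state, days in secret_status(SAMPLE_APP, NOW):
        print(f"{key_id}: {state} ({days} days left)")
    print("old secret removable:", safe_to_delete(SAMPLE_APP, "placeholder-key-1", NOW))
```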

Monitor the App Registration for Unauthorized Changes

Enable audit logging in Microsoft Entra ID for your app registration. Navigate to Entra ID > Audit logs and filter by the application's object ID. Set up an alert (via Azure Monitor or Microsoft Sentinel if your org uses it) for any changes to the app's API permissions, redirect URIs, or credentials. An unauthorized change here could expose your tenant to data exfiltration, so it's worth monitoring.
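As an added illustration of that alert logic (not the original guide's code and not a Sentinel rule), the following filters exported directory audit records for changes to the connector's API permissions, redirect URIs, or credentials, and raises the severity when the actor is not on an approved list. The property names in `WATCHED_PROPERTIES` are assumptions to verify against your tenant's logs; the object ID, actors, and events are constructed.

```python
# Audit "modifiedProperties" names mapped to the change classes named above.
# These names are assumptions based on commonly seen Entra audit exports;
# confirm them against your own tenant's log before alerting on them.
WATCHED_PROPERTIES = {
    "AppAddress": "redirect-uri",
    "KeyDescription": "credential",
    "RequiredResourceAccess": "api-permission",
}


def actor_of(event):
    """Return the UPN or app name that initiated an audit event."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect(events, watched_ids, approved_actors):
    """Return one alert per sensitive change to a watched object."""
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for ev in events:
        actor = actor_of(ev)
        severity = "review" if actor.lower() in approved else "high"
        for target in ev.get("targetResources", []):
            if target.get("id") not in watched_ids:
                continue
            kinds = {
                WATCHED_PROPERTIES[p.get("displayName")]
                for p in target.get("modifiedProperties", [])
                if p.get("displayName") in WATCHED_PROPERTIES
            }
            for kind in sorted(kinds):
                alerts.append({"time": ev.get("activityDateTime"), "kind": kind,
                               "actor": actor, "severity": severity})
    return alerts


APP_OBJECT_ID = "placeholder-app-object-id"  # constructed, not a real ID


def make_event(time, actor, target_id, prop):
    """Build a constructed record shaped like a directory audit entry."""
    return {
        "activityDateTime": time,
        "activityDisplayName": "Update application",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"id": target_id, "modifiedProperties": [{"displayName": prop}]}],
    }


# Constructed sample events; none of these come from a real tenant.
SAMPLE_EVENTS = [
    make_event("2025-03-01T09:00:00Z", "admin@contoso.example", APP_OBJECT_ID, "KeyDescription"),
    make_event("2025-03-02T02:14:00Z", "temp.user@contoso.example", APP_OBJECT_ID, "AppAddress"),
    make_event("2025-03-02T02:20:00Z", "temp.user@contoso.example", "other-app", "AppAddress"),
    make_event("2025-03-03T10:00:00Z", "admin@contoso.example", APP_OBJECT_ID, "DisplayName"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {APP_OBJECT_ID}, {"admin@contoso.example"}):
        print(alert)
```

Pass both the application object ID and the service principal object ID in `watched_ids`, since changes can be logged against either object.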

Review Assigned Permissions Quarterly

Quarterly access reviews are a compliance best practice and a genuinely useful maintenance activity for connectors like this. People leave organizations, teams restructure, and use cases change. Schedule a recurring review of the Claude-Connector-Users security group to prune access for people who no longer need it. This keeps your blast radius small if a user account is ever compromised.

Keep Anthropic's Connector Documentation Bookmarked

Anthropic actively updates the connector's capabilities and configuration requirements. What's true today may change in three months: new permission scopes may be required, deprecated endpoints may be removed, or new configuration options may appear. Bookmark the official Anthropic documentation and check it when you're about to make any changes to the integration.

Test the Connector After Every Major M365 Update

Microsoft 365 receives significant updates on a monthly cadence. Major Graph API changes, Teams platform updates, or SharePoint structural changes can occasionally break connector behavior in subtle ways. After each monthly update cycle completes in your tenant, run your baseline test query (the SharePoint page summarization test from Step 6) to confirm everything is still working as expected.

Frequently Asked Questions

Does the M365 Connector for Claude send my organization's data to Anthropic's training datasets?
No. When you use Claude through the API (which is what the connector uses), your data is not used to train Anthropic's models by default. This is governed by Anthropic's API data usage policy, which is separate from the consumer Claude.ai product. For enterprise customers, Anthropic also offers data processing agreements (DPAs) that provide additional contractual protections. If your organization has compliance requirements around AI data handling, request a DPA from your Anthropic account representative and ensure it's in place before going live.

Can I use the connector with a Microsoft 365 Government (GCC or GCC High) tenant?
This is a common question for public sector organizations. The connector's compatibility with GCC and GCC High tenants depends on which Microsoft Graph API endpoints Anthropic's backend communicates with. Standard commercial Graph API endpoints (graph.microsoft.com) do not have access to GCC High tenant data; those environments use separate endpoint URLs. As of the current connector version, GCC High support is limited and should be verified directly with Anthropic's enterprise team before attempting deployment in a regulated government environment. GCC (standard) tenants generally work with the commercial connector, but test thoroughly before rolling out to any impact-level data.

How do I revoke the connector's access if we decide to stop using it?
Revoking access is a clean two-step process. First, in the Anthropic Console, delete or disable the M365 connector configuration; this stops Anthropic's backend from attempting to use the stored credentials. Second, in the Azure Portal, go to Microsoft Entra ID > App registrations, find your Claude-M365-Connector app, and delete it. This immediately invalidates all tokens issued to that application and removes its Graph API permissions. For extra assurance, also check Entra ID > Enterprise applications and confirm the service principal is removed. Deleting the app registration is the authoritative revocation action; the Anthropic Console step alone does not revoke the Azure-side access.

Why does the connector work for some users in my organization but not others?
This is almost always an assignment or Conditional Access issue. First, verify that the affected users are members of the security group assigned to the Enterprise application (the step where you set "Assignment required" to Yes). If they're assigned but still failing, check whether they're subject to a Conditional Access policy that the connector's service principal doesn't satisfy, for example, a policy requiring a compliant Intune-managed device or a specific named location. Check the Entra ID sign-in logs filtering by the affected user's UPN and look for failed authentication attempts associated with your Claude connector app. The failure reason in the sign-in logs will tell you exactly which policy is blocking them.

Can I connect multiple Microsoft 365 tenants to a single Anthropic account?
Yes, technically: you create a separate app registration in each Azure tenant and configure each one as a distinct connector in the Anthropic Console. However, keep in mind that each tenant's data is logically isolated from the others; Claude won't synthesize information across tenants in a single query. This is by design for security reasons. MSPs and multi-tenant management scenarios are supported this way, but make sure your Anthropic API plan's rate limits and context window size are sufficient to handle the combined query volume across all tenants you're connecting.

The Test Connection button succeeds but Claude says it "doesn't have access to that document" when I try a real query. Why?
The Test Connection check performs a lightweight authentication handshake: it verifies that the credentials are valid and can obtain a token, but it does not check whether the token's permissions actually cover the specific resource you're querying. The most common cause of this disconnect is SharePoint site-level permissions. Even with Sites.Read.All granted at the Entra ID level, SharePoint has its own access control layer. If the site you're targeting has "Restricted Site Access" enabled or is a private channel SharePoint site connected to a private Teams channel, the application may not automatically have read access. In the SharePoint Admin Center, check the site's permissions and explicitly add the app's service principal as a site collection administrator or reader for the affected site.

How do I see what data Claude has accessed through the connector for auditing purposes?
Microsoft Graph API access is logged in two places. The primary audit trail is in Microsoft Purview (formerly the Microsoft 365 Compliance Center) under Audit > Audit search. Filter by the application ID of your Claude connector app to see every Graph API call it has made, including which files were accessed, which mailboxes were read, and when. For real-time monitoring, you can stream these logs to Microsoft Sentinel or a third-party SIEM using the Office 365 Management Activity API. On the Anthropic side, the API console provides query logs showing what prompts were sent and when, though it doesn't log the content of the M365 data returned by the connector; that raw data stays within the Microsoft security boundary.