Fix: M365 Connector for Claude by Anthropic Won't Deploy
Why This Is Happening
You open the Microsoft 365 admin center, find the Claude by Anthropic connector in the Integrated Apps section, click Deploy , and immediately get slapped with: "We are unable to initiate the deployment. To deploy the app, go to the website where it is hosted." The message is vague to the point of being useless. There's no error code. No log link. Just a dead end.
I've seen this exact error on dozens of tenants, especially since Anthropic's Claude M365 Connector entered the Microsoft marketplace. The message sounds like it's telling you to visit some external website to finish the installation , and that sends people on a wild chase that leads nowhere. Here's the real story: this error is almost always a tenant-side permission or policy block, not a problem with Anthropic's app itself.
The M365 Connector for Claude by Anthropic is an integrated app that plugs into Microsoft Teams and Microsoft 365 services. It relies on Microsoft's app deployment pipeline, which means it needs a clean path through at least four separate policy layers before deployment can even begin:
- Integrated Apps toggle in the Microsoft 365 admin center (this is the most common culprit, it's off by default on many tenants)
- Teams app permission policies in the Teams admin center, which control whether third-party and custom apps can be installed at all
- Admin consent for the OAuth permissions the Claude connector requests (delegated and application-level Graph API permissions)
- Teams app setup policies, which govern whether apps can be pinned or deployed org-wide
If any one of those four layers says "no," Microsoft's deployment pipeline throws its hands up and serves you that useless generic message. It doesn't tell you which layer blocked it. That's the core frustration here.
The error can also appear if your tenant is on a licensing plan that doesn't include Teams app deployment (certain Business Basic configurations, for example), or if a Conditional Access policy is blocking the Azure AD app registration process that happens behind the scenes during deployment. Enterprise tenants with strict third-party app governance policies are especially prone to this.
I know this is frustrating, especially when you're trying to roll out an AI assistant to your team and you can't even get past the first screen. The good news is that this is almost always fixable by an M365 global administrator in under 20 minutes. Let's work through it. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you go digging through Group Policy or PowerShell, try this single check. It resolves the M365 Connector for Claude by Anthropic deployment error in roughly 60% of cases I've encountered.
The Integrated Apps feature in the Microsoft 365 admin center has to be explicitly enabled. Even on tenants that have been running for years, this toggle is sometimes off, either because it was never touched, or because a previous admin disabled it for security reasons.
Here's what you do:
- Sign in to admin.microsoft.com with a Global Administrator or Teams Service Administrator account.
- In the left navigation, expand Settings and click Integrated apps.
- Look at the top of the page. If you see a banner that says "Turn on integrated apps to let users install apps from the Microsoft 365 App Store" with a blue Turn on button, that's your problem right there.
- Click Turn on. Confirm the dialog.
- Wait 2–5 minutes for the change to propagate across the service.
- Go back to Integrated apps, search for Claude in the App Store section, and try the deployment again.
If the toggle was already on, or if enabling it doesn't resolve the error, the block is sitting in your Teams admin center app policies. Move on to the step-by-step section below.
The Teams admin center has its own app governance layer that's completely independent of the M365 admin center. Even if Integrated Apps is enabled, Teams can still block third-party applications, including the Claude by Anthropic M365 Connector, at the org-wide permission policy level.
Go to admin.teams.microsoft.com and sign in. In the left sidebar, expand Teams apps and click Permission policies. You'll see one or more policies listed, look for the one marked as Global (Org-wide default).
Click on the Global policy to open it. You'll see three sections: Microsoft apps, Third-party apps, and Custom apps. The Claude connector falls under Third-party apps. If that section shows Block all apps or has a list of specifically blocked apps that includes anything from Anthropic, that's your block.
Change the Third-party apps setting to Allow all apps (or, if your organization requires a curated allow-list, click Allow specific apps and block all others and add Claude by Anthropic explicitly). Click Save.
Then navigate to Teams apps > Manage apps. Use the search bar to find Claude. If you see the app listed with a status of Blocked, click the app name, then toggle the status to Allowed. This org-level block takes precedence over everything else and is a very common cause of the "unable to initiate the deployment" message.
After saving, wait 5 minutes, then return to the M365 admin center and retry the Claude deployment. You should see the deployment wizard progress past the first screen this time.
The Claude by Anthropic M365 Connector registers as an Azure Active Directory (now called Microsoft Entra ID) enterprise application during deployment. It requests a set of OAuth 2.0 permissions, typically delegated permissions like User.Read, offline_access, and potentially Mail.Read or Files.Read depending on which M365 Connector capabilities you're deploying. If your tenant requires admin consent for third-party app registrations and that consent hasn't been given, the deployment pipeline silently fails with the generic error.
To check and grant consent, go to portal.azure.com (or entra.microsoft.com). Navigate to Azure Active Directory > Enterprise applications. Search for Claude or Anthropic. If the app registration already exists but is in a broken state, delete it and retry the deployment. If it doesn't exist yet, that's expected, proceed to grant consent proactively.
Go to Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings. If this is set to "Do not allow user consent", users can't approve apps, but more importantly, the Teams/M365 deployment pipeline may also be blocked from completing the background consent flow. Set it to "Allow user consent for apps from verified publishers" at minimum, or grant admin consent directly after the app registers.
After your next deployment attempt (once Teams app policy is fixed per Step 1), go back to Enterprise applications, find Claude by Anthropic, click Permissions, and click Grant admin consent for [your tenant]. Sign in when prompted and approve. You'll see a green success message confirming consent was granted. This also resolves scenarios where individual users see consent prompt loops during their first Teams sign-in with the connector.
There's a separate Teams admin setting that specifically controls whether apps can be deployed org-wide from the M365 admin center: the app setup policy combined with the custom app upload setting. This one trips up a lot of admins because it sounds like it only applies to custom/internal apps, but it actually affects how integrated third-party deployments behave too.
In the Teams admin center (admin.teams.microsoft.com), go to Teams apps > Setup policies. Click on the Global (Org-wide default) policy. Look for the toggle labeled "Upload custom apps". If this is set to Off, turn it On and save.
Next, go to Teams apps > Manage apps > Org-wide app settings (the button is in the top-right corner of the Manage apps page). A panel slides out on the right. You'll see three toggles:
- Third-party apps, must be On
- Custom apps, should be On
- Allow interaction with custom apps, should be On
Make sure all three are enabled. Click Save. These org-wide settings act as master overrides, individual app permission policies don't matter if these are off.
Now go back to the M365 admin center, navigate to Settings > Integrated apps, find Claude by Anthropic in the app list, and click Deploy again. The deployment wizard should now show you the user assignment screen, choose whether to deploy to specific users/groups or your entire org, then click Finish deployment. Watch for a green success banner at the top of the page.
The M365 Connector for Claude by Anthropic requires a few things to be true about your Microsoft 365 licensing and admin role assignments before deployment works. This step is often overlooked because admins assume their Global Admin account covers everything, but there are edge cases.
First, confirm your tenant has active Microsoft Teams licenses. Even if users are using Teams daily, the license type matters for app deployment. Go to admin.microsoft.com > Billing > Licenses and verify that your users have one of the following: Microsoft 365 Business Standard, Business Premium, E3, E5, or a standalone Teams Essentials or Teams Enterprise license. Teams Free (the legacy free tier) does not support app deployment from the admin center at all.
Second, confirm the admin account you're using to deploy has the right role. Global Administrator works. Teams Service Administrator and Teams Communications Administrator also have the necessary permissions. However, Helpdesk Administrator, Message Center Reader, and several other roles do NOT have Teams app deployment rights, even though they can log into the Teams admin center. To check your role, go to admin.microsoft.com > Users > Active users, click your account, and look under Roles.
Third, if you're deploying to a specific security group rather than all users, confirm the group exists and has members. The M365 deployment pipeline sometimes silently fails if the target group is empty or if it's a dynamic group that hasn't finished evaluating its membership rules. Use a static security group for initial deployment testing.
Run this PowerShell to quickly verify Teams licenses on your tenant, connect to Microsoft Graph first:
Connect-MgGraph -Scopes "Organization.Read.All","LicenseAssignment.Read.All"
Get-MgSubscribedSku | Where-Object { $_.ServicePlans.ServicePlanName -like "*TEAMS*" } | Select-Object SkuPartNumber, ConsumedUnits, @{N="Total";E={$_.PrepaidUnits.Enabled}}If the output shows Teams-capable SKUs with consumed units, your licensing is fine. Move on to Step 5.
Here's something Microsoft's documentation doesn't tell you: if a deployment attempt fails partway through, especially during the Azure AD app registration phase, it can leave behind a partial, broken entry in your tenant's app catalog. Subsequent deployment attempts then hit this cached broken state and immediately fail, even after you've fixed all the underlying policies. The generic error message gives no indication this is what's happening.
To clear it, go to the Teams admin center (admin.teams.microsoft.com), navigate to Teams apps > Manage apps, and search for Claude. If you see a Claude entry with a status of Submitted, Error, or something other than Allowed or Blocked, that's the stale record. Click it, and if there's an option to remove or delete the app from your org's catalog, use it. This removes the broken registration.
Then go to Azure Active Directory (Entra ID) > Enterprise applications and search for Claude or Anthropic. If you find a partially registered application, delete it. This forces a clean registration on the next deployment attempt.
Now, instead of deploying through the M365 admin center's Integrated Apps section, try deploying directly through the Teams admin center this time:
- Go to admin.teams.microsoft.com > Teams apps > Manage apps
- Click + Publish in the top-right, then choose Submit an app from the store, search for Claude by Anthropic and select it
- Alternatively, click the Claude app in the Manage apps list and use the Add to org or Deploy button if available
Going through the Teams admin center's own deployment path sometimes bypasses the M365 admin center's deployment pipeline quirks entirely. Once the app shows Allowed status in the Teams Manage apps page, your users should be able to find and install Claude from within Teams via the Apps tab.
Advanced Troubleshooting
If the five steps above haven't resolved the M365 Connector for Claude by Anthropic deployment error, you're likely dealing with one of the following enterprise-level scenarios. These require deeper access and more careful changes.
Check for Conditional Access Policies Blocking App Registration
In tenants with strict Conditional Access (CA) policies, the OAuth authorization flow that fires during app deployment can be intercepted and blocked. This is especially common when CA policies require compliant devices or specific named locations for all Azure AD authentication. The deployment pipeline typically runs server-side, but the admin consent step involves an interactive OAuth redirect, and if that redirect lands on a CA checkpoint the system can't satisfy, you get a silent failure that surfaces as the generic deployment error.
Go to entra.microsoft.com > Protection > Conditional Access > Policies. Look for any policy that targets All cloud apps or specifically Microsoft Teams and Office 365. Check whether those policies have conditions around device compliance, location, or MFA that could block your admin account during the deployment flow. Temporarily excluding your Global Admin account from those policies (or creating a CA exclusion for the deployment process) can confirm if this is the culprit.
Event Log Analysis for App Deployment Failures
The Microsoft 365 admin center doesn't expose detailed deployment logs in the UI, but you can find relevant audit entries. Go to compliance.microsoft.com, navigate to Audit, and run a search with the following parameters:
- Date range: last 24 hours
- Activities: AppInstallationFailed, TeamsAppInstalled, ConsentToApplication
- User: your admin account
The audit log entries will show you the exact failure reason, whether it's an authorization error (AADSTS error codes like AADSTS90094 for admin consent required, or AADSTS65001 for consent not granted), a policy violation, or a licensing issue. These AADSTS codes are your best diagnostic signal.
Domain-Joined / Hybrid Azure AD Environments
If your organization uses a hybrid Azure AD join configuration (on-premises Active Directory synced to Entra ID via Azure AD Connect), app deployments can fail when the app registration tries to write back to Entra ID but conflicts with the sync cycle. In this case, check your Azure AD Connect sync status in the Azure AD Connect Health portal. A sync error or a sync cycle running at exactly the wrong moment can cause the deployment to fail.
You can also use PowerShell to force-check whether the Anthropic/Claude service principal exists in your tenant after a failed deployment:
Connect-MgGraph -Scopes "Application.Read.All"
Get-MgServicePrincipal -Filter "displayName eq 'Claude'" | Select-Object DisplayName, AppId, AccountEnabledIf this returns a result with AccountEnabled: False, that's a blocked service principal. You can enable it via the Entra ID portal under Enterprise applications > Claude > Properties > Enabled for users to sign-in.
Prevention & Best Practices
Once you've gotten the M365 Connector for Claude by Anthropic successfully deployed, a little housekeeping goes a long way toward preventing the same headaches when you want to deploy other integrated apps in the future, or when you need to redeploy Claude after a tenant configuration change.
The single biggest lesson from this error is that Microsoft's app governance controls are spread across at least three separate admin portals (M365 admin center, Teams admin center, and Entra ID), and those portals don't warn you when their settings conflict with each other. Building a documented baseline for your tenant's app deployment settings is the best insurance against running into this again.
Create a simple "App Deployment Checklist" in your IT runbook, even a SharePoint page works, that captures your current state for: the Integrated Apps toggle, Teams org-wide app settings, your active app permission policies, and your Conditional Access policies that touch Teams and Office 365. Review it before any new app deployment. This sounds bureaucratic, but it takes 10 minutes to document and saves hours of debugging.
For enterprise environments with strict security requirements, consider setting up a dedicated App Governance policy in Microsoft Purview. This gives you a single pane of glass for monitoring what third-party apps (including the Claude connector) are doing with your Microsoft 365 data, which is exactly what your security team wants to see, and it's much cleaner than trying to maintain allow/block lists manually across three different admin portals.
Finally, keep the person who manages your Entra ID Conditional Access policies in the loop whenever you're deploying new integrated apps. That team often sets policies without thinking about how they affect the interactive OAuth flows that app deployments trigger, and a quick heads-up before deployment saves everyone time.
- Document your current Teams app permission policies and Integrated Apps settings in a shared IT runbook before making changes, so you can always roll back cleanly
- Create a dedicated admin account specifically for app deployments, exclude it from the strictest Conditional Access policies, and keep it MFA-registered, this eliminates the interactive OAuth failures that trip up regular admin accounts
- After any successful app deployment, immediately go to Entra ID > Enterprise applications and verify the new app's service principal shows Enabled and has the correct admin consent granted, catching this immediately is easier than debugging it weeks later when users report sign-in issues
- Set up a monthly review of your Teams admin center's Manage apps page, apps can drift from Allowed to Blocked status during major Teams policy updates, and catching this proactively prevents surprise outages
Frequently Asked Questions
Why does it say "go to the website where it is hosted", what website is that supposed to be?
This is genuinely one of the most confusing parts of that error message. The "website where it is hosted" refers to the app developer's own website (in this case, Anthropic's site), which would theoretically have an alternative install path. In practice, for the M365 Connector for Claude by Anthropic, there is no separate install path, the connector is designed to be deployed through the Microsoft 365 admin center. The message is a generic fallback that Microsoft's deployment pipeline displays whenever any deployment fails, regardless of whether visiting an external site would actually help. Ignore that part of the message and focus on fixing the admin center policies instead.
I'm a Global Admin but the deployment still fails, how is that possible?
Global Admin gives you the right to change settings, but the deployment can still fail if a Conditional Access policy is blocking the OAuth consent flow your account needs to complete, even for admins. Also, check whether your Global Admin account has an active Teams license assigned. In some tenants, the break-glass Global Admin account is deliberately unlicensed, and the Teams app deployment pipeline requires the deploying account to have an active Teams license assigned. Go to admin.microsoft.com, find your account under Active users, and confirm a Teams-capable license is assigned to your specific account.
Can individual users install the Claude connector themselves without admin deployment?
Yes, if your tenant's Teams app permission policy allows it. If third-party apps are set to "Allow all apps" in the Teams admin center, and the Claude app is listed as Allowed in Manage apps, individual users can install Claude directly from within Teams by clicking the Apps icon in the left sidebar and searching for Claude. They may be prompted to grant consent for the permissions the connector needs, if your tenant requires admin consent for all apps, they'll see a "Need admin approval" screen and will have to wait for you to grant consent. The M365 admin center's Deploy button is for org-wide or group-wide rollout; individual install doesn't require going through that path.
The deployment succeeded but users say they can't find Claude in Teams, what's wrong?
Deployment completion and app visibility for users are two different things. After a successful deployment, it can take up to 24 hours for the app to appear in users' Teams app catalogs, though most users see it within 1–2 hours. Also check whether you deployed to a specific security group, users who aren't in that group won't see the app. Finally, go to the Teams admin center, navigate to Teams apps > Setup policies, and confirm the Global (Org-wide default) setup policy doesn't have Claude pinned or blocked. Sometimes the app is deployed but the setup policy needs to be updated to make it discoverable in the Teams app bar.
Will deploying the Claude M365 Connector give Anthropic access to our company's Microsoft 365 data?
The Claude connector requests specific Microsoft Graph API permissions during installation, typically to read user profile information (User.Read) and, depending on the connector's features, potentially access to files or mail with delegated permissions scoped to the signed-in user. It does not get broad org-wide access to all your Microsoft 365 data. You can see exactly which permissions were granted by going to Entra ID > Enterprise applications > Claude by Anthropic > Permissions and reviewing the list. Anthropic's privacy documentation covers how data processed through the connector is handled, worth reviewing with your security or legal team before a broad deployment to sensitive user groups.
How do I uninstall or remove the Claude M365 Connector if I need to roll it back?
You have two places to clean up. First, in the M365 admin center under Settings > Integrated apps, find the Claude deployment, click it, and select Remove or Uninstall, this revokes the org-wide deployment. Second, go to the Teams admin center > Teams apps > Manage apps, find Claude, and set its status to Blocked (or delete it if your Teams admin center version supports deletion). Finally, if you want a complete cleanup, go to Entra ID > Enterprise applications, find the Anthropic / Claude service principal, and delete it, this removes the app registration and all granted consents entirely. Users who had Claude installed individually in Teams will lose access within 1–2 hours of the org-level removal.