98
/ 100
5 days ago
npm
Softeria/ms-365-mcp-server
A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API
Is this your MCP?
Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.
Install from
M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.
// key findings
✅
9 tools verified — handlers match their declared behaviour
3 read-only tools verified — handlers contain no write/delete/exec
✅
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
✅
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 2 credentials: MS365_MCP_CLIENT_SECRET, MS365_MCP_OAUTH_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from
process.env. You'll be asked to provide them before it can run.config
ENABLED_TOOLS— Filter tools using a regex pattern (alternative to --enabled-tools flag)config
LOG_LEVEL— Set logging level (default: 'info')config
MS365_MCP_ALLOWED_REDIRECT_URISconfig
MS365_MCP_ALLOWED_SCOPESconfig
MS365_MCP_AUDIT_LOGconfig
MS365_MCP_AUTH_CACHE_COMMAND— External executable wrapper for provider-neutral auth-cache storage (see Token Storage below)config
MS365_MCP_BASE_URLconfig
MS365_MCP_BODY_FORMAT— html: Return email bodies as HTML instead of plain text (default: text)config
MS365_MCP_CLIENT_ID— your-azure-ad-app-client-id-here🔐 secret
MS365_MCP_CLIENT_SECRET— your-secret-here # Optional for public appsconfig
MS365_MCP_CLOUD_TYPE— globalchina: Microsoft cloud environment (alternative to --cloud flag)config
MS365_MCP_CORS_ORIGINconfig
MS365_MCP_EXPECTED_HOME_ACCOUNT_ID— CLI values (--expected-username, --expected-home-account-id) take precedence over MS365_MCP_EXPECTED_USERNAME and .config
MS365_MCP_EXPECTED_USERNAME— work@company.com npx @softeria/ms-365-mcp-server --loginconfig
MS365_MCP_FORCE_WORK_SCOPES— true1: Backwards compatibility for MS365_MCP_ORG_MODEconfig
MS365_MCP_GRAPH_CIRCUIT_DISABLEDconfig
MS365_MCP_GRAPH_MAX_RETRIESconfig
MS365_MCP_GRAPH_TIMEOUT_MSconfig
MS365_MCP_KEYVAULT_URL— Azure Key Vault URL for secrets management (see Azure Key Vault section)config
MS365_MCP_LOG_DIRconfig
MS365_MCP_MAX_TOP— n>: Hard cap for Graph $top / top on list requests (positive integer). When the model passes a larger value, the server clamps it to n so responses stay smaller. Example: MS365_MCP_MAX_TOP=15🔐 secret
MS365_MCP_OAUTH_TOKEN— your_oauth_token npx @softeria/ms-365-mcp-serverconfig
MS365_MCP_OBOconfig
MS365_MCP_ORG_MODE— true1: Enable organization/work mode (alternative to --org-mode flag)config
MS365_MCP_OUTPUT_FORMAT— toon npx @softeria/ms-365-mcp-serverconfig
MS365_MCP_PUBLIC_URLconfig
MS365_MCP_SELECTED_ACCOUNT_PATH— Custom file path for selected account metadata (see Token Storage below)config
MS365_MCP_TENANT_ID— Custom tenant ID (defaults to 'common' for multi-tenant)config
MS365_MCP_TOKEN_CACHE_PATH— Custom file path for MSAL token cache (see Token Storage below)config
MS365_MCP_TRUST_PROXY_AUTHconfig
READ_ONLY— true1: Alternative to --read-only flagconfig
SILENT— true1: Disable console outputconfig
VITEST// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[](https://m8ven.ai/mcp/softeria-ms-365-mcp-server-1m9te5)commit: 26806573ea91079566eceb7b1d15cc93f38a7e57
code hash: 3f9efff529ab49e45ba1cf3e4e8789f3959e8735a6a212e2817e9f3427d03a14
verified: 5/29/2026, 12:01:44 PM