Use this matrix to map supported Microsoft 365 surfaces to delegated access, review questions, audit checks, and the fastest way to narrow or revoke scope during a pilot.
Last checked: 2026-04-11
The table below stays inside the permissions and service coverage Anthropic currently names in its support documentation.
| Microsoft 365 surface | What the user is trying to do | How access is granted | Admin review question | Where to verify or audit | How to revoke or limit |
|---|---|---|---|---|---|
| SharePoint | Search SharePoint documents, pages, and folders. | Sites.Read.All delegated access for tenant-wide SharePoint search and folder lookup. | Is tenant-wide SharePoint search acceptable for the pilot, or should SharePoint be excluded until the review is complete? | Review consented scopes in Entra and check Microsoft 365 audit log activity for SharePoint access. | Revoke Sites.Read.All in Microsoft Entra or disable the connector for the tenant or pilot group. |
| OneDrive | Read OneDrive files and analyze file content in Claude. | Files.Read and Files.Read.All delegated access for files the signed-in user can already reach. | Do pilot users already have the right OneDrive sharing boundaries, or will connector access surface files that need cleanup first? | Confirm consented file scopes in Entra and audit the first pilot queries against expected file access. | Revoke Files.Read and Files.Read.All, or remove the user from the assigned pilot group. |
| Outlook email | Search Outlook email and summarize email threads. | Mail.Read, Mail.ReadBasic, Mail.Read.Shared, MailboxFolder.Read, and MailboxItem.Read for the signed-in user and shared mail they already have access to. | Should the pilot include mailbox and shared-mail access, or should email stay out of scope until reviewers sign off? | Check consented mail scopes and confirm that audit logs capture the expected mail-search activity. | Revoke Mail.Read in Entra or keep email workflows out of the approved pilot instructions. |
| Calendar and availability | Search calendar events and find meeting availability. | Calendars.Read, Calendars.Read.Shared, and User.ReadBasic.All for calendar search and meeting availability lookup. | Is calendar and basic directory access acceptable for the pilot, or should meeting lookups wait until a later phase? | Review granted calendar scopes and confirm that the pilot only uses approved meeting-related questions. | Revoke calendar-related scopes or instruct users not to use availability and calendar queries. |
| Teams chat | Search Teams chats and summarize chat discussions. | Chat.Read, Chat.ReadBasic, ChatMember.Read, and ChatMessage.Read for user chat history. | Does the pilot need private Teams chat history, or should Teams access be limited to documents and email only? | Review consented chat scopes and compare pilot results with the user’s existing Teams access. | Revoke Chat.Read in Entra or keep Teams chat workflows out of the pilot. |
| Teams channels and meetings | Read Teams channel messages, meetings, transcripts, recordings, and related artifacts. | Channel.ReadBasic.All, ChannelMessage.Read.All, OnlineMeetings.Read, OnlineMeetingTranscript.Read.All, OnlineMeetingAiInsight.Read, OnlineMeetingArtifact.Read.All, and OnlineMeetingRecording.Read.All. | Do reviewers approve access to channels, meeting artifacts, and transcripts for the initial pilot, or should those surfaces be postponed? | Review meeting and Teams scopes in Entra, then confirm audit coverage and retention with the compliance owner. | Revoke the specific Teams and meeting-related scopes that are out of bounds for the pilot. |

A smaller, explicit scope is easier to approve, easier to explain, and easier to shut down if the pilot needs to change.

- Start with the fewest Microsoft 365 surfaces that still let the pilot answer a real business question.
- Treat SharePoint access as a separate approval conversation because Anthropic documents tenant-wide search rather than site-selected search for this flow.
- Use enterprise app assignment and conditional access to keep the first rollout limited to approved users, devices, and networks.
- Publish a short user guide that says which surfaces are approved and which ones should not be queried yet.

These checks keep the pilot aligned with the matrix instead of letting permissions drift beyond what reviewers approved.

- Name a Global Administrator, a Claude owner, and a security reviewer before rollout begins.
- Record where audit activity will be checked and how often during the pilot window.
- Decide in advance which permissions would be revoked first if the pilot needs to narrow scope quickly.
- Do not promise that all Microsoft 365 surfaces are approved by default just because the connector is enabled.
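
One way to check for scope drift is to compare the delegated scopes actually consented in Entra with the surfaces reviewers approved. The sketch below is an added example, not Anthropic's or Microsoft's tooling: it assumes the grants were exported as JSON with the `scope` and `consentType` fields of Microsoft Graph `oauth2PermissionGrant` objects, and `audit_grants` and the sample data are constructed for illustration.

```python
# Added example: scope-drift check against the matrix on this page.
import json

# Surface -> delegated scopes, copied from the matrix table.
MATRIX = {
    "SharePoint": ["Sites.Read.All"],
    "OneDrive": ["Files.Read", "Files.Read.All"],
    "Outlook email": ["Mail.Read", "Mail.ReadBasic", "Mail.Read.Shared",
                      "MailboxFolder.Read", "MailboxItem.Read"],
    "Calendar and availability": ["Calendars.Read", "Calendars.Read.Shared",
                                  "User.ReadBasic.All"],
    "Teams chat": ["Chat.Read", "Chat.ReadBasic", "ChatMember.Read",
                   "ChatMessage.Read"],
    "Teams channels and meetings": [
        "Channel.ReadBasic.All", "ChannelMessage.Read.All", "OnlineMeetings.Read",
        "OnlineMeetingTranscript.Read.All", "OnlineMeetingAiInsight.Read",
        "OnlineMeetingArtifact.Read.All", "OnlineMeetingRecording.Read.All"],
}
SCOPE_TO_SURFACE = {s.lower(): name for name, scopes in MATRIX.items() for s in scopes}


def audit_grants(grants, approved_surfaces):
    """Return scopes to revoke per unapproved surface, plus scopes not in the matrix."""
    approved = set(approved_surfaces)
    revoke, unmapped, tenant_wide = {}, set(), False
    for grant in grants:
        # consentType "AllPrincipals" is admin consent on behalf of every user.
        tenant_wide |= grant.get("consentType") == "AllPrincipals"
        for scope in grant.get("scope", "").split():  # space-separated string
            surface = SCOPE_TO_SURFACE.get(scope.lower())
            if surface is None:
                unmapped.add(scope)  # not in the matrix: needs manual review
            elif surface not in approved:
                revoke.setdefault(surface, set()).add(scope)
    return {"revoke": {k: sorted(v) for k, v in revoke.items()},
            "unmapped": sorted(unmapped), "tenant_wide": tenant_wide}


# Constructed sample shaped like exported oauth2PermissionGrant objects.
SAMPLE = json.loads("""[
  {"consentType": "AllPrincipals",
   "scope": "Files.Read Files.Read.All Mail.Read Sites.Read.All offline_access"},
  {"consentType": "Principal", "scope": " Chat.Read Calendars.Read"}
]""")

if __name__ == "__main__":
    report = audit_grants(SAMPLE, ["OneDrive", "Outlook email"])
    print(json.dumps(report, indent=2))
```

Scopes reported under `unmapped` are not named in the matrix and should go to the security reviewer rather than being revoked automatically.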

This page should answer scope questions. Use the linked pages below if the blocker is a different kind of rollout task.

- Use the setup guide if you still need the owner sequence, one-time consent flow, or pilot rollout checklist.
- Use the error library if a specific surface is blocked, missing, or failing during connection.
- Use the FAQ for short answers on logging, revocation, retention, delegated access, and the current plan wording mismatch.