Skip to main content
Runlayer Deploy Required: All Microsoft 365 servers require Runlayer Deploy to be enabled.
Connect your AI assistant to Microsoft 365 services. All Microsoft 365 servers share the same Entra app registration setup process.
ServerDescription
Microsoft OutlookRead, search, send emails, and manage drafts
Microsoft OneDriveBrowse, search, and manage files and folders
Microsoft SharePointAccess sites, document libraries, lists, and list items

Available Tools

Microsoft Outlook

ToolDescription
outlook_list_messagesList messages in a folder (inbox, sentitems, drafts, …), newest first
outlook_list_foldersList top-level mail folders with counts
outlook_get_messageFetch one message by id (headers + body, text or html)
outlook_search_messagesFull-text search via Graph $search (supports KQL-style operators)
outlook_create_draftSave a new draft (all fields optional)
outlook_send_messageSend a new message immediately, optional save-to-sent
outlook_send_draftSend a previously-saved draft by id
outlook_reply_messageReply / reply-all to an existing message

Microsoft OneDrive

ToolDescription
onedrive_list_itemsList the immediate children of a folder (defaults to drive root)
onedrive_get_itemFetch metadata for a single file or folder by id
onedrive_search_itemsFull-text search across the caller’s OneDrive
onedrive_list_shared_with_meList items shared with the caller by other users
onedrive_read_fileDownload and return the text content of a file (≤ 5 MB)
onedrive_create_folderCreate a new folder
onedrive_upload_fileCreate or overwrite a text file with provided content (≤ 5 MB)
onedrive_rename_itemRename a file or folder
onedrive_move_itemMove a file or folder to a different folder
onedrive_delete_itemMove a file or folder to the Recycle Bin
onedrive_create_share_linkGenerate a shareable view/edit/embed link for an item

Microsoft SharePoint

ToolDescription
sharepoint_list_sitesList SharePoint sites the caller follows
sharepoint_search_sitesTenant-wide search for sites by name or description
sharepoint_get_siteFetch metadata for a single site by id or hostname/path
sharepoint_list_drivesList document libraries (drives) in a site
sharepoint_list_folder_itemsBrowse files and folders inside a document library
sharepoint_read_fileDownload and return the text content of a file in a document library (≤ 5 MB)
sharepoint_list_listsList SharePoint lists in a site
sharepoint_list_list_itemsList items in a SharePoint list, with optional field expansion
sharepoint_get_list_itemFetch a single list item by id, including all field values
sharepoint_create_list_itemCreate a new item in a SharePoint list
sharepoint_update_list_itemUpdate fields on an existing list item
sharepoint_delete_list_itemDelete an item from a SharePoint list

Setup

1

Register a single-tenant Entra application

  1. Sign in to https://entra.microsoft.com as a user who can create app registrations
  2. Go to App registrations → New registration
  3. Name it (e.g. “Runlayer Microsoft 365 MCP”)
  4. Set Supported account types to Single tenant only
  5. Under Redirect URI, select Web and enter https://<your-tenant>.runlayer.com/oauth/callback
  6. Click Register
  7. Copy the Application (client) ID and Directory (tenant) ID — you’ll need both below
2

Set requestedAccessTokenVersion to 2

  1. In your app registration, open Manifest
  2. Find "requestedAccessTokenVersion" and set it to 2
  3. Click Save
3

Grant Microsoft Graph permissions

  1. Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions
  2. Add the scopes for each server you want to use (see OAuth Scopes below)
  3. Click Grant admin consent for <your tenant> — requires a tenant admin; without this, users see a “Need admin approval” error at first sign-in
4

Create a client secret

  1. Go to Certificates & secrets → New client secret
  2. Add a description and expiry, then click Add
  3. Copy the Value immediately — it won’t be shown again
5

Add connectors in Runlayer

For each Microsoft 365 server you want to use:
  1. In Runlayer, go to My connectors and click + Add connector
  2. Search for the server (e.g. Microsoft Outlook) and click its card
  3. Click + Create New
  4. Enter:
    • MICROSOFT_OAUTH_CLIENT_ID — the Application (client) ID from Entra
    • MICROSOFT_OAUTH_CLIENT_SECRET — the client secret value you copied
    • MICROSOFT_OAUTH_TENANT — the Directory (tenant) ID from Entra
  5. Click Deploy Server and wait for deployment to complete (typically a few minutes)
  6. When the button changes to Go to Connector, click it
6

Authorize

  1. Click Connect on the connector page
  2. Sign in with a Microsoft account that exists in your Entra tenant and grant permissions

OAuth Scopes

Add these scopes when configuring delegated permissions on your Entra app registration. Only add the scopes for the servers you intend to deploy — and only go as far down the read/write split as your use case requires.
ServerScopeRequired for
AllopenidSign-in
AllprofileUser profile
Alloffline_accessRefresh tokens for persistent access
AllUser.ReadIdentity resolution via Graph /me
OutlookMail.ReadWriteReading messages, listing folders, searching, and creating drafts (Mail.ReadWrite is a superset of Mail.Read)
OutlookMail.SendSending messages and sending saved drafts
OneDrive (read)Files.Read.AllListing items, getting metadata, searching, reading file content, listing shared-with-me
OneDrive (write)Files.ReadWrite.AllCreating folders, uploading files, renaming, moving, deleting, creating share links (superset of Files.Read.All)
SharePoint (read)Sites.Read.AllListing and searching sites, browsing document libraries, reading list items and file content
SharePoint (write)Sites.ReadWrite.AllCreating, updating, and deleting list items (superset of Sites.Read.All)

Troubleshooting

Enterprise Entra tenants typically disable user consent. A tenant admin must click Grant admin consent for <tenant> on the app registration’s API permissions page before users can authorize.
The redirect URI in the authorization request doesn’t match any registered URI. Confirm https://<your-tenant>.runlayer.com/oauth/callback is listed under Authentication → Redirect URIs in your app registration.
Token was issued before a required permission was added. In Runlayer, go to the connector’s Settings, revoke access, then Connect again to re-consent.
Tokens may have expired. Disconnect and reconnect the server in Runlayer.
sharepoint_list_sites returns sites the user explicitly follows in SharePoint. If the list is empty, use sharepoint_search_sites to discover sites by name, or navigate to a site in the browser and follow it first.