MCP SharePoint in Agent Builder Does Not Function With Application-Only Sites.Selected Access

Hi everyone,
I’m running into a permissions-related limitation when integrating MCP SharePoint into an Agent Builder flow, and I want to confirm whether this is expected behavior or if there’s a recommended workaround.

Context

I have an Azure AD–registered application with:

1. Delegated permissions:

  • User.Read
    This is tied to my personal Microsoft Graph session.

2. Application permissions:

  • Sites.Selected
    The app is granted explicit access to a specific SharePoint site created for this project.
    Due to organizational policy, we cannot enable Sites.Read.All or any broad “all sites” permissions.

Both permission sets are valid and have been confirmed by our technical support team.
I can successfully perform Graph API operations with the app-only token in Postman.


What Works

When I connect MCP SharePoint inside Agent Builder using my personal delegated token, everything works:

  • Listing files

  • Retrieving content

  • Searching

  • General flow execution

However, I do not want to rely on delegated/personal tokens in production because:

  • They expire (after 1 hour) and cannot be extended due to policy

  • They rely on my personal identity, not an application identity

  • They do not scale for a production workflow


What Fails

When I switch to the application-level token (App ID + Secret + Certificates) with Sites.Selected:

  • The MCP connector fails to browse or index the SharePoint site

  • Agent Builder cannot execute file listing or search

  • The flow effectively breaks, even though the app token works in Postman

After testing and troubleshooting, it looks like Agent Builder currently requires broad site access (e.g., Sites.Read.All) to perform its internal operations such as:

  • Search

  • Autocomplete

  • Recursive browsing

  • Directory walking

The issue is that app-only access with Sites.Selected does not permit global search operations in SharePoint Online, and therefore Agent Builder can’t resolve queries or list content.


What I Cannot Change

Due to enterprise security policy:

  • I cannot request Sites.Read.All or Files.Read.All for the application

  • I cannot expand delegated permissions

  • I cannot rely on a personal Graph token for production


Possible Workaround (But Imperfect)

I could use the File Search connector with a separate file-sync job and deploy via the Agent SDK — but this adds:

  • Additional maintenance

  • A separate syncing script

  • Responsibility for keeping file lists current

This defeats the purpose of using a managed connector.


My Questions

1. Is it expected that MCP SharePoint currently works only with delegated tokens or global app permissions, and not with Sites.Selected app-only scopes?

2. Is there a planned update for MCP SharePoint to support:

  • Least-privilege app-only access,

  • Per-site permissions,

  • Or Sites.Selected for restricted enterprise environments?

3. Is there any current way to make MCP SharePoint work in Agent Builder with app-only, site-scoped access without changing our tenant’s security policies?

4. If support for restricted scopes is on the roadmap, is there an approximate timeline?


Desired Outcome

I want to connect Agent Builder to a SharePoint site exclusively using an application-level Sites.Selected token, without:

  • escalating permissions globally,

  • relying on delegated personal tokens, or

  • maintaining a custom sync pipeline.


Any insights from the OpenAI team or the community would be incredibly helpful.
Thank you!
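An added diagnostic, not part of the post and not Agent Builder's or Microsoft's code: a small Python probe that runs the three Graph calls the post's symptoms hinge on (resolving the site by path, listing its default document library, and a tenant-wide search) with an already-acquired app-only token, and reports which ones the grant actually permits. The site path, the injectable `request` callable and the canned responses in the test are assumptions; the token is assumed to come from a client-credentials flow run separately.

```python
"""Probe which Microsoft Graph calls an app-only token can perform against
one SharePoint site. Constructed example for verifying a Sites.Selected grant."""
import json
import urllib.request
from urllib.error import HTTPError

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_request(method, path, token, body=None):
    """Send one Graph call and return (HTTP status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except HTTPError as err:
        return err.code, None


def probe_site_scoped_access(site_path, token, request=graph_request):
    """Report which operations succeed under the token's grant.

    site_path uses Graph's path form, e.g. "contoso.sharepoint.com:/sites/Proj"
    (assumed value). `request` is injectable so the probe runs offline in tests.
    """
    results = {}
    # 1. Resolve the site by path: site-scoped, so a Sites.Selected grant
    #    on this site is enough.
    status, site = request("GET", f"/sites/{site_path}", token)
    results["resolve_site"] = status == 200 and site is not None
    if not results["resolve_site"]:
        results.update(list_root=False, search=False)
        return results
    site_id = site["id"]
    # 2. Enumerate the default document library root: also site-scoped.
    status, _ = request("GET", f"/sites/{site_id}/drive/root/children", token)
    results["list_root"] = status == 200
    # 3. Tenant-wide search: not scoped to one site, which is the call the
    #    post reports failing under app-only Sites.Selected.
    body = {"requests": [{"entityTypes": ["driveItem"],
                          "query": {"queryString": "*"}}]}
    status, _ = request("POST", "/search/query", token, body)
    results["search"] = status == 200
    return results
```

A result of `resolve_site` and `list_root` true but `search` false is the least-privilege grant working as intended; the gap is in tooling that needs tenant-wide search, not in the grant.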