
Set up the SharePoint MCP server

The SharePoint MCP server gives AI agents access to files and content in a specific SharePoint site. This guide covers registering an Azure app, granting it site-restricted access through Microsoft Graph, and deploying it to MintMCP as a Hosted Connector with per-user OAuth.

Prerequisites

  • A MintMCP admin account
  • An Azure account with permission to register apps in Azure Active Directory
  • A Global Admin account for your Microsoft 365 tenant (for the Graph Explorer consent step)

Register an Azure app

  1. Go to portal.azure.com.

  2. Navigate to Azure Active Directory > App registrations.

  3. Click New registration.

  4. Enter a name — for example, MintMCP SharePoint.

  5. Under Redirect URI, select Web and enter:

    https://app.mintmcp.com/oauth/callback

  6. Click Register.

  7. Go to API permissions > Add a permission > Microsoft Graph > Delegated permissions.

  8. Search for and add each of the following permissions:

    Permission       Purpose
    Sites.Selected   Access only sites explicitly granted to this app
    email            Read user email
    offline_access   Maintain access with refresh tokens
    openid           Sign in users
    profile          Read user profile
    User.Read        Read the signed-in user's profile

  9. Click Add permissions.

Create a client secret

  1. Go to Certificates & secrets > New client secret.
  2. Enter a description and select an expiry period.
  3. Click Add.
  4. Copy the Value immediately — it won't be shown again.

Copy the client ID and tenant ID

  1. Go to Overview.
  2. Copy the Application (client) ID — this is your Client ID.
  3. Copy the Directory (tenant) ID — you'll need it for the OAuth URLs.

Grant the app access to a specific SharePoint site

This step uses Microsoft Graph Explorer to give the registered app read and write access to a single SharePoint site. Log in as a Global Admin.

  1. Go to developer.microsoft.com/en-us/graph/graph-explorer and sign in.

  2. Click Modify permissions to open the permissions panel.

  3. Find Sites.FullControl.All, grant it, and consent on behalf of your organization.

  4. In the request builder, send this POST request:

    URL:

    POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions

    Body:

    {
      "roles": ["write", "read"],
      "grantedToIdentities": [
        {
          "application": {
            "id": "<your-client-app-id>",
            "displayName": "MintMCP SiteRestricted Sharepoint"
          }
        }
      ]
    }

    Replace {site_id} with your SharePoint site ID and <your-client-app-id> with the Application (client) ID from the previous step.

The site ID is a three-part string in the format hostname,siteGuid,webGuid — for example, contoso.sharepoint.com,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy. To find it, run GET https://graph.microsoft.com/v1.0/sites/{hostname}:/sites/{site-name} in Graph Explorer and copy the id field from the response.
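
The following Python pre-flight check is an added example, not part of MintMCP's documentation or code. It validates the three-part site ID and the client ID before building the POST request shown above, then confirms that a returned permission object names only that app with only the read and write roles. The function names, the sample GUIDs, and the assumption that the returned permission object carries the same roles and grantedToIdentities fields as the request body are assumptions of this example.

```python
import re

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
HOST = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ALLOWED_ROLES = {"read", "write"}  # the only roles this guide grants

# Constructed sample values, not real identifiers.
SAMPLE_SITE = ("contoso.sharepoint.com,11111111-2222-3333-4444-555555555555,"
               "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_APP = "99999999-8888-7777-6666-555555555555"


def parse_site_id(site_id):
    """Split hostname,siteGuid,webGuid and reject anything else."""
    parts = site_id.split(",")
    if len(parts) != 3:
        raise ValueError("expected hostname,siteGuid,webGuid")
    host, site_guid, web_guid = parts
    if not HOST.fullmatch(host):
        raise ValueError(f"not a hostname: {host!r}")
    for guid in (site_guid, web_guid):
        if not GUID.fullmatch(guid):
            raise ValueError(f"not a GUID: {guid!r}")
    return host, site_guid, web_guid


def build_grant_request(site_id, client_id, roles=("write", "read")):
    """Return (url, body) for the POST, refusing malformed or broader input."""
    parse_site_id(site_id)
    if not GUID.fullmatch(client_id):
        raise ValueError("client ID must be the Application (client) ID GUID")
    if not roles or set(roles) - ALLOWED_ROLES:
        raise ValueError(f"roles must be drawn from {sorted(ALLOWED_ROLES)}")
    body = {"roles": list(roles), "grantedToIdentities": [{"application": {
        "id": client_id, "displayName": "MintMCP SiteRestricted Sharepoint"}}]}
    return f"{GRAPH}/sites/{site_id}/permissions", body


def grant_matches(permission, client_id, roles=("write", "read")):
    """True only if a permission object names exactly this app and these roles."""
    apps = [entry.get("application", {}).get("id", "").lower()
            for entry in permission.get("grantedToIdentities", [])]
    return (apps == [client_id.lower()]
            and set(permission.get("roles", [])) == set(roles))


if __name__ == "__main__":
    url, body = build_grant_request(SAMPLE_SITE, SAMPLE_APP)
    print(url)
    print(grant_matches({"id": "1", **body}, SAMPLE_APP))  # constructed response
```

The same validated site ID string is the value to paste into SHAREPOINT_SCOPED_SITE_ID, so the Graph grant and the connector's scope refer to one site.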

Add SharePoint to MintMCP

  1. In MintMCP, go to MCP store > Manage store.

  2. Click + Add an MCP to your registry (Host an open source or custom MCP).

  3. Click the Hosted Server tab, then select Advanced from the dropdown.

  4. Set Container Image to:

    docker.io/mintmcp/sharepoint-mcp:0.1.0

  5. Set Transport to http.

  6. Add this environment variable and set its scope to Global:

    Variable                   Value
    SHAREPOINT_SCOPED_SITE_ID  Your SharePoint site ID (the hostname,siteGuid,webGuid string)

  7. Click Create.

Configure OAuth

After the connector is created:

  1. In MintMCP, open the connector settings and go to Hosted Connector > Advanced.

  2. Configure the OAuth fields:

    Field              Value
    Authorization URL  https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/authorize
    Token URL          https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/token
    Client ID          Your Application (client) ID
    Client Secret      Your client secret value
    Scopes             Sites.Selected email offline_access openid profile User.Read
    Token field        access_token
    Header name        Authorization
    Prefix             Bearer

    Replace <your-tenant-id> with your Directory (tenant) ID.

  3. Click Connect.

Security considerations

  • Sites.Selected limits this app to only the site you explicitly granted — it cannot access other SharePoint sites in your tenant.
  • Each user authenticates through their own Microsoft account, so access reflects their existing permissions on the site.
  • Keep the client secret secure — anyone with it can authenticate as your Azure app.
  • SHAREPOINT_SCOPED_SITE_ID is set globally so all users are restricted to the same site.
