Connect to Microsoft MCP integrations
Most Microsoft MCP integrations use the same connection pattern:
- Create an app registration in Microsoft Entra ID.
- Create a client secret.
- Create the integration in Nango and add the client ID and client secret.
- Copy the OAuth callback URL from Nango and add it to the app registration as a Web redirect URI under Authentication.
- Add the Microsoft API permissions required by the integration.
- Complete the Microsoft authorization flow.
This page covers the common setup. Each Microsoft integration still has its own permission list. Use the permission list provided by Kindo for the integration you are connecting.
Applies to
Use this guide for Microsoft integrations that authenticate through Microsoft Entra ID, including:
- Microsoft Defender
- Microsoft eDiscovery
- Microsoft Entra ID
- Microsoft Entra ID Governance
- Microsoft Excel Online
- Microsoft Fabric
- Microsoft Graph Security
- Microsoft Intune
- Microsoft Outlook
- Microsoft Outlook Calendar
- Microsoft Purview Compliance
- Microsoft Purview Data Governance
- Microsoft Teams
- SharePoint Online
Some integrations need extra tenant, endpoint, subscription, or target-user values. If Kindo gives you additional fields for a specific integration, enter them in the Kindo integration form after you complete the common Entra setup.
Prerequisites
- A Microsoft Entra ID tenant.
- Permission to create or update app registrations in that tenant.
- Permission to grant admin consent if the requested Microsoft API permissions require it.
- Access to the Nango dashboard for your Kindo deployment.
- The permission list for the Microsoft integration you are connecting.
Step 1: Create the Entra app registration
1. Open the Microsoft Entra admin center.
2. Go to Entra ID > App registrations.
3. Click New registration.
4. Enter a clear name, such as Kindo Microsoft MCP or Kindo - <Integration Name>.
5. Choose the supported account type for your tenant. For most enterprise setups, choose Accounts in this organizational directory only.
6. Leave Redirect URI empty for now. You will add the OAuth callback URL from Nango in a later step.
7. Click Register.
Step 2: Copy the client ID
1. Open the app registration you just created.
2. Go to Overview.
3. Copy Application (client) ID.
4. If the Kindo integration asks for it, also copy Directory (tenant) ID.
Step 3: Create a client secret
1. In the app registration, go to Certificates & secrets.
2. Open the Client secrets tab.
3. Click New client secret.
4. Add a description, such as Kindo integration.
5. Choose an expiration period that matches your organization’s policy.
6. Click Add.
7. Copy the secret Value immediately. It is shown only once; if you leave the page without copying it, create a new secret.
Step 4: Create the integration in Nango
1. Open the Nango dashboard for your Kindo deployment.
2. Create a new integration for the Microsoft MCP you are connecting.
3. Enter the values from your Entra app registration:

   | Field | Where to find it |
   |---|---|
   | Client ID | App registration > Overview > Application (client) ID |
   | Client Secret | App registration > Certificates & secrets > Client secrets > Value |
   | Tenant ID | App registration > Overview > Directory (tenant) ID, if requested |

4. Add any integration-specific fields that are requested, such as a Purview endpoint URL, Azure subscription ID, or target user ID.
5. Save the integration.
6. Copy the OAuth callback URL shown in the Nango integration setup. You need it in the next step.
The callback URL usually ends with:
/oauth/callback
Step 5: Add the Nango callback URL to the app registration
1. In the Microsoft Entra admin center, go back to your app registration.
2. Go to Authentication.
3. Under Platform configurations, click Add a platform and select Web.
4. Paste the OAuth callback URL you copied from Nango as the Redirect URI.
5. Save the configuration.
Step 6: Add Microsoft API permissions
1. In the app registration, go to API permissions.
2. Click Add a permission.
3. Select the Microsoft API required by your integration. Most Microsoft 365 integrations use Microsoft Graph.
4. Choose Delegated permissions. Kindo integrations use delegated permissions only.
5. Add the permissions from the integration-specific permission list.
6. If required, click Grant admin consent.
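After Steps 1 to 6, the registration can be checked from the command line instead of clicking through each blade. This is an added example, not Kindo's or Nango's code; it uses the Microsoft Graph PowerShell module, and the app name, Nango callback URL and expected permission list are placeholders you replace with your own values.

```powershell
# Added example: verify a Kindo app registration against the setup above.
# Assumptions: Microsoft.Graph module installed; you can read app registrations.
param(
    [string]$AppDisplayName   = 'Kindo - Microsoft Teams',                    # placeholder
    [string]$NangoCallbackUrl = 'https://nango.example.com/oauth/callback',   # placeholder
    [string[]]$ExpectedGraphScopes = @('Channel.ReadBasic.All', 'Team.ReadBasic.All', 'User.Read')
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$AppDisplayName'" }

$findings = @()

# Step 1: single-tenant account type.
if ($app.SignInAudience -ne 'AzureADMyOrg') {
    $findings += "SignInAudience is $($app.SignInAudience); expected AzureADMyOrg"
}

# Step 5: the Web redirect URI must match the Nango callback exactly (case-sensitive compare).
if ($app.Web.RedirectUris -cnotcontains $NangoCallbackUrl) {
    $findings += "Web redirect URIs [$($app.Web.RedirectUris -join ', ')] do not contain $NangoCallbackUrl"
}

# Step 6: delegated only. In the manifest, Type 'Scope' is delegated and 'Role' is application.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scopeNames = @{}
foreach ($s in $graphSp.Oauth2PermissionScopes) { $scopeNames[$s.Id] = $s.Value }

$configured = @()
foreach ($rra in $app.RequiredResourceAccess) {
    foreach ($access in $rra.ResourceAccess) {
        if ($access.Type -eq 'Role') {
            $findings += "Application permission $($access.Id) on $($rra.ResourceAppId) is configured; Kindo uses delegated only"
        } elseif ($rra.ResourceAppId -eq $graphAppId) {
            $configured += $scopeNames[$access.Id]
        }
    }
}
$missing = $ExpectedGraphScopes | Where-Object { $configured -notcontains $_ }
$extra   = $configured | Where-Object { $ExpectedGraphScopes -notcontains $_ }
if ($missing) { $findings += "Missing Graph delegated permissions: $($missing -join ', ')" }
if ($extra)   { $findings += "Graph delegated permissions beyond the integration list: $($extra -join ', ')" }

# Step 3: flag secrets that are expired or expire within 30 days.
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt (Get-Date).AddDays(30)) {
        $findings += "Secret '$($cred.DisplayName)' ($($cred.KeyId)) expires $($cred.EndDateTime)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "App '$AppDisplayName' matches the checklist." }
```

Run it again after Step 7 if the consent screen shows unexpected permissions; the "extra" and "Role" findings are the usual cause.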
How delegated permissions work
Delegated permissions act as the signed-in user. The integration’s effective access is the intersection of two grants:
- the permissions granted to the application, and
- the permissions the signed-in user already has in the tenant.
The integration can never reach data the signed-in user cannot access themselves, and the user’s access through the integration is limited to what the registered application’s permissions allow. For example, if the app holds Sites.ReadWrite.All but the signed-in user only has read access to a SharePoint site, the integration cannot write to that site.
Integration-specific permissions
Microsoft Defender
This integration uses permissions from three APIs: Microsoft Graph, Microsoft Threat Protection, and WindowsDefenderATP. All of them are Delegated permissions. Find Microsoft Threat Protection and WindowsDefenderATP under the APIs my organization uses tab when adding a permission.
Add the following Microsoft Graph permissions:
| Permission | Description | Admin consent required |
|---|---|---|
| SecurityActions.Read.All | Read your organization’s security actions | Yes |
| SecurityActions.ReadWrite.All | Read and update your organization’s security actions | Yes |
| SecurityEvents.Read.All | Read your organization’s security events | Yes |
| SecurityEvents.ReadWrite.All | Read and update your organization’s security events | Yes |
| User.Read | Sign in and read user profile | No |
Add the following Microsoft Threat Protection permissions:
| Permission | Description | Admin consent required |
|---|---|---|
| AdvancedHunting.Read | Run advanced hunting queries | Yes |
| Incident.Read | Read incidents | Yes |
Add the following WindowsDefenderATP permissions:
| Permission | Description | Admin consent required |
|---|---|---|
| AdvancedQuery.Read | Run advanced queries | Yes |
| Alert.Read | Read alerts | Yes |
| Alert.ReadWrite | Read and write alerts | Yes |
| File.Read.All | Read file profiles | Yes |
| IntegrationConfiguration.ReadWrite | Read and write integration settings | Yes |
| Ip.Read.All | Read IP address profiles | Yes |
| Library.Manage | Manage live response library files | Yes |
| Machine.CollectForensics | Collect forensics | Yes |
| Machine.Isolate | Isolate machine | Yes |
| Machine.LiveResponse | Run live response on a specific machine | Yes |
| Machine.Offboard | Offboard machine | Yes |
| Machine.Read | Read machine information | Yes |
| Machine.ReadWrite | Read and write machine information | Yes |
| Machine.RestrictExecution | Restrict code execution | Yes |
| Machine.Scan | Scan machine | Yes |
| Machine.StopAndQuarantine | Stop and quarantine file | Yes |
| RemediationTasks.Read | Read remediation tasks | Yes |
| Score.Read | Read Threat and Vulnerability Management score | Yes |
| SecurityBaselinesAssessment.Read | Read security baselines assessment information | Yes |
| SecurityConfiguration.Read | Read security configurations | Yes |
| SecurityConfiguration.ReadWrite | Read and write security configurations | Yes |
| SecurityRecommendation.Read | Read Threat and Vulnerability Management security recommendations | Yes |
| Software.Read | Read Threat and Vulnerability Management software information | Yes |
| Ti.ReadWrite | Read and write IOCs | Yes |
| Url.Read.All | Read URL profiles | Yes |
| User.Read.All | Read user profiles | Yes |
| Vulnerability.Read | Read Threat and Vulnerability Management vulnerability information | Yes |
Microsoft eDiscovery
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| eDiscovery.Read.All | Read all eDiscovery objects | Yes |
| eDiscovery.ReadWrite.All | Read and write all eDiscovery objects | Yes |
| User.Read | Sign in and read user profile | No |
| User.Read.All | Read all users’ full profiles | Yes |
Microsoft Entra ID
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| Application.Read.All | Read applications | Yes |
| Application.ReadUpdate.All | Read and update all apps | Yes |
| Application.ReadWrite.All | Read and write all applications | Yes |
| AuditLog.Read.All | Read audit log data | Yes |
| AuditLogsQuery-Entra.Read.All | Read audit logs data from Entra (Azure AD) workload | Yes |
| Directory.Read.All | Read directory data | Yes |
| Directory.ReadWrite.All | Read and write directory data | Yes |
| Group.Read.All | Read all groups | Yes |
| Group.ReadWrite.All | Read and write all groups | Yes |
| IdentityRiskEvent.Read.All | Read identity risk event information | Yes |
| IdentityRiskEvent.ReadWrite.All | Read and write risk event information | Yes |
| IdentityRiskyUser.Read.All | Read identity risky user information | Yes |
| IdentityRiskyUser.ReadWrite.All | Read and write risky user information | Yes |
| offline_access | Maintain access to data you have given it access to | No |
| Policy.Read.All | Read your organization’s policies | Yes |
| Policy.Read.AuthenticationMethod | Read authentication method policies | Yes |
| Policy.Read.ConditionalAccess | Read your organization’s conditional access policies | No |
| Policy.Read.DeviceConfiguration | Read your organization’s device configuration policies | Yes |
| Policy.Read.IdentityProtection | Read your organization’s identity protection policy | Yes |
| Policy.Read.PermissionGrant | Read consent and permission grant policies | Yes |
| Policy.ReadWrite.ConditionalAccess | Read and write your organization’s conditional access policies | Yes |
| PrivilegedAccess.Read.AzureAD | Read privileged access to Azure AD | Yes |
| PrivilegedAccess.Read.AzureADGroup | Read privileged access to Azure AD groups | Yes |
| RoleManagement.Read.All | Read role management data for all RBAC providers | Yes |
| RoleManagement.Read.Directory | Read directory RBAC settings | Yes |
| RoleManagementAlert.Read.Directory | Read all alert data for your company’s directory | Yes |
| RoleManagementPolicy.Read.AzureADGroup | Read all policies in PIM for Groups | Yes |
| RoleManagementPolicy.Read.Directory | Read all policies for privileged role assignments of your company’s directory | Yes |
| SecurityIdentitiesUserActions.Read.All | Read identity security available user actions | Yes |
| SecurityIncident.Read.All | Read incidents | Yes |
| User.Read | Sign in and read user profile | No |
| User.Read.All | Read all users’ full profiles | Yes |
| User.ReadBasic.All | Read all users’ basic profiles | No |
| User.ReadWrite.All | Read and write all users’ full profiles | Yes |
| UserAuthenticationMethod.Read | Read user authentication methods | Yes |
| UserAuthenticationMethod.Read.All | Read all users’ authentication methods | Yes |
Microsoft Entra ID Governance
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| AccessReview.Read.All | Read all access reviews that user can access | Yes |
| AccessReview.ReadWrite.All | Manage all access reviews that user can access | Yes |
| Directory.Read.All | Read directory data | Yes |
| Directory.ReadWrite.All | Read and write directory data | Yes |
| EntitlementManagement.Read.All | Read all entitlement management resources | Yes |
| LifecycleWorkflows-Reports.Read.All | Read all Lifecycle workflows reports | Yes |
| LifecycleWorkflows-Workflow.Activate | Run workflows on demand in Lifecycle workflows | Yes |
| LifecycleWorkflows-Workflow.Read.All | Read all workflows in Lifecycle workflows | Yes |
| LifecycleWorkflows-Workflow.ReadBasic.All | List all workflows in Lifecycle workflows | Yes |
| PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups | Yes |
| PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups | Yes |
| RoleAssignmentSchedule.ReadWrite.Directory | Read, update, and delete all active role assignments for your company’s directory | Yes |
| RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments for your company’s directory | Yes |
| RoleManagement.Read.Directory | Read directory RBAC settings | Yes |
| User.Read | Sign in and read user profile | No |
Microsoft Excel Online
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| Files.ReadWrite | Have full access to user files | No |
| Files.ReadWrite.All | Have full access to all files user can access | No |
| Sites.ReadWrite.All | Edit or delete items in all site collections | No |
| User.Read | Sign in and read user profile | No |
Microsoft Fabric
This integration authenticates as the app itself (a service principal using client credentials) instead of as a signed-in user, so its setup differs from the other integrations on this page:
- No additional API permissions are required. The default User.Read permission that Entra adds to every new app registration is enough, and it does not need admin consent.
- No redirect URI or user sign-in flow is needed. Skip Step 5, the Callback URL substep of Step 4, and the sign-in portion of Step 7. Use the Fabric connection form below instead of the Step 4 credentials table.
- Access is controlled inside Microsoft Fabric, not in Entra. Queries run with the service principal’s permissions, so grant it only the read access you intend to expose.
Configure the service principal in Microsoft Fabric:
1. In the Fabric admin portal, enable the Service principals can use Fabric APIs tenant setting.
2. Open the target Fabric workspace and select Manage access.
3. Add the app registration by name.
4. Assign the least-privileged role that can reach the target Lakehouse or Warehouse — typically a Viewer role or explicit SELECT rights.
When linking the Microsoft Fabric account, the connection form asks for the following values:
| Field | Description |
|---|---|
| Tenant ID | App registration > Overview > Directory (tenant) ID |
| SQL Endpoint Host | Host and port of the Fabric Lakehouse SQL endpoint in host,port form (comma-separated, as in a SQL Server connection string), for example foo.datawarehouse.fabric.microsoft.com,1433 |
| Lakehouse Database | Database/lakehouse name |
| Client ID | App registration > Overview > Application (client) ID |
| Client Secret | App registration > Certificates & secrets > Client secrets > Value |
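Because Fabric skips the user sign-in flow, the read test from Step 7 has to be done with the service principal itself. The script below is an added example, not Kindo's or Microsoft's code; it obtains a token with the client credentials grant and runs one read-only query through the SqlServer PowerShell module. The tenant, client, endpoint and database values are placeholders for the five fields in the form above, and the token scope for the SQL endpoint is an assumption.

```powershell
# Added example: confirm the Fabric service principal can read from the Lakehouse SQL endpoint.
# Assumptions: SqlServer module installed (Invoke-Sqlcmd with -AccessToken); all values below are
# placeholders to be replaced with the ones entered in the Fabric connection form.
$TenantId     = '00000000-0000-0000-0000-000000000000'             # Directory (tenant) ID
$ClientId     = '11111111-1111-1111-1111-111111111111'             # Application (client) ID
$ClientSecret = Read-Host -Prompt 'Client secret' -AsSecureString   # Certificates & secrets > Value
$SqlEndpoint  = 'foo.datawarehouse.fabric.microsoft.com,1433'       # SQL Endpoint Host (host,port)
$Database     = 'MyLakehouse'                                       # Lakehouse Database

# Client credentials grant: the app authenticates as itself. No user, no redirect URI, no consent prompt.
$plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token = Invoke-RestMethod -Method Post -Uri $tokenUri -Body @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $plainSecret
    scope         = 'https://database.windows.net/.default'   # assumed audience of the Fabric SQL endpoint
}
$plainSecret = $null

# Low-risk read, as Step 7 recommends: lists only the tables the principal's workspace role exposes.
# If this returns rows but the integration's own queries fail, the workspace role is the thing to check.
$query = 'SELECT TOP (10) TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES ORDER BY TABLE_NAME'
$tables = Invoke-Sqlcmd -ServerInstance $SqlEndpoint -Database $Database `
                        -AccessToken $token.access_token -Query $query
$tables | Format-Table -AutoSize
```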
Microsoft Graph Security
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| IdentityRiskyUser.Read.All | Read identity risky user information | Yes |
| IdentityRiskyUser.ReadWrite.All | Read and write risky user information | Yes |
| SecurityAlert.Read.All | Read all security alerts | Yes |
| SecurityAlert.ReadWrite.All | Read and write to all security alerts | Yes |
| SecurityEvents.Read.All | Read your organization’s security events | Yes |
| SecurityIncident.Read.All | Read incidents | Yes |
| SecurityIncident.ReadWrite.All | Read and write to incidents | Yes |
| ThreatHunting.Read.All | Run hunting queries | Yes |
| User.Read | Sign in and read user profile | No |
Microsoft Intune
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| DeviceManagementApps.Read.All | Read Microsoft Intune apps | Yes |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | Yes |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Yes |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Yes |
| User.Read | Sign in and read user profile | No |
Microsoft Outlook
Add the following Microsoft Graph permissions. All of them are Delegated permissions. This integration sends mail as the signed-in user — it does not need mail-reading permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| Contacts.Read | Read user contacts | No |
| Mail.Send | Send mail as a user | No |
| People.Read | Read users’ relevant people lists | No |
| User.Read | Sign in and read user profile | No |
Microsoft Outlook Calendar
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| Calendars.Read | Read user calendars | No |
| Calendars.Read.Shared | Read user and shared calendars | No |
| Calendars.ReadBasic | Read basic details of user calendars | No |
| Calendars.ReadWrite | Have full access to user calendars | No |
| Calendars.ReadWrite.Shared | Read and write user and shared calendars | No |
| Contacts.Read | Read user contacts | No |
| People.Read | Read users’ relevant people lists | No |
| User.Read | Sign in and read user profile | No |
Microsoft Purview Compliance
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| AuditLogsQuery.Read.All | Read audit logs data from all services | Yes |
| Content.Process.User | Process content for data security, governance and compliance | Yes |
| Files.ReadWrite.All | Have full access to all files user can access | No |
| InformationProtectionPolicy.Read | Read user sensitivity labels and label policies | No |
| ProtectionScopes.Compute.User | Compute Purview policies for an individual user | Yes |
| SecurityAlert.ReadWrite.All | Read and write to all security alerts | Yes |
| SecurityIncident.ReadWrite.All | Read and write to incidents | Yes |
| ThreatHunting.Read.All | Run hunting queries | Yes |
| User.Read | Sign in and read user profile | No |
| User.Read.All | Read all users’ full profiles | Yes |
Microsoft Purview Data Governance
This integration uses permissions from two APIs: Microsoft Graph and Microsoft Purview. All of them are Delegated permissions. Find Microsoft Purview under the APIs my organization uses tab when adding a permission.
Add the following Microsoft Graph permission:
| Permission | Description | Admin consent required |
|---|---|---|
| User.Read | Sign in and read user profile | No |
Add the following Microsoft Purview permission:
| Permission | Description | Admin consent required |
|---|---|---|
| Purview.DelegatedAccess | Purview Delegated API Access | No |
Microsoft Teams
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| Channel.ReadBasic.All | Read the names and descriptions of channels | No |
| ChannelMessage.Read.All | Read user channel messages | Yes |
| ChannelMessage.ReadWrite | Read and write user channel messages | Yes |
| ChannelMessage.Send | Send channel messages | No |
| Chat.ReadWrite | Read and write user chat messages | No |
| offline_access | Maintain access to data you have given it access to | No |
| Team.ReadBasic.All | Read the names and descriptions of teams | No |
| User.Read | Sign in and read user profile | No |
SharePoint Online
Add the following Microsoft Graph permissions. All of them are Delegated permissions.
| Permission | Description | Admin consent required |
|---|---|---|
| offline_access | Maintain access to data you have given it access to | No |
| Sites.Read.All | Read items in all site collections | No |
| Sites.ReadWrite.All | Edit or delete items in all site collections | No |
| User.Read | Sign in and read user profile | No |
Step 7: Authorize and test
1. Start the connection flow from Kindo.
2. Sign in with the Microsoft account that should authorize the integration.
3. Review the requested permissions.
4. Approve the connection.
5. In Kindo, run a low-risk read action first, such as listing calendars, searching a site, or listing available records.
6. After read access works, test any write actions in a safe test location before using the integration on production data.
Notes on service principals
If you look for an integration’s app under App registrations and only find it under Enterprise applications, you are looking at its service principal.
- An app registration is the blueprint — the global definition of an application. It lives only in the tenant where the app was created.
- An enterprise application (service principal) is an instance of that blueprint inside each tenant that uses the app. It is the app’s actual account in your directory.
What you see in your tenant depends on how you use Kindo:
- Kindo SaaS: the app registration lives in Kindo’s tenant. The first time you authorize an integration, Entra ID creates a service principal in your tenant under Enterprise applications, and that is what you authenticate against on every subsequent connection. You will not see an app registration in your tenant.
- Self-managed Kindo: you create the app registration in your own tenant by following the steps on this page. When the app is first authorized, Entra ID still creates a matching service principal under Enterprise applications.
In both cases, the service principal is what Microsoft Entra ID uses to let the app operate in your tenant:
- It holds the permission grants. When a user or admin consents, the grant is recorded against the service principal. It is the ledger of what the app is allowed to access in your tenant.
- It is the identity that tokens are issued to. When Entra ID issues the app an access token for your tenant, the service principal is the actor that token represents.
- It is your admin’s control point. Your admin manages the app under Enterprise applications: assign or restrict users, apply Conditional Access policies, disable the app, or revoke its access — all without touching the underlying registration.
- It is where sign-in and audit activity lands. Sign-in logs and consent events for the app in your tenant attach to the service principal.
Troubleshooting
| Problem | What to check |
|---|---|
| Microsoft says the redirect URI is invalid | Make sure the redirect URI in Entra exactly matches the callback URL shown in Nango, including https:// and /oauth/callback. |
| The consent screen does not show the expected permissions | Confirm the permissions were added to the same app registration whose client ID you entered in Nango. Reconnect after changing permissions. |
| Kindo reports Unauthorized or cannot refresh the connection | Recreate the connection and confirm the integration includes offline_access when delegated refresh is required. |
| Kindo reports Forbidden | The signed-in user may not have access to the Microsoft resource, admin consent may be missing, or the app may not have the required permission. |
| A write action fails but read actions work | The app may have read-only permissions. Add only the specific write permission required by the integration. |
Security guidance
- Use least-privilege permissions for every Microsoft integration.
- Rotate client secrets according to your organization’s policy.
- Remove unused app registrations and old client secrets.
- Keep a record of which Kindo integration uses each Entra app registration.
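Rotating a secret without an outage is a two-phase change: add the new secret, update Nango, then remove the old one. The script below is an added example, not Kindo's tooling; it uses the Microsoft Graph PowerShell module, and the app name and 180-day lifetime are placeholders for your own naming and secret-lifetime policy.

```powershell
# Added example: two-phase client secret rotation for one Kindo app registration.
# Assumptions: Microsoft.Graph module installed; the caller can be granted Application.ReadWrite.All.
# Phase 1 (default): add a new secret and show its value once, for entry into the Nango integration.
# Phase 2 (-RemoveOld): after Nango is updated and reconnected, delete every other secret.
param(
    [string]$AppDisplayName = 'Kindo - SharePoint Online',   # placeholder
    [int]$LifetimeDays = 180,                                # placeholder; follow your policy
    [switch]$RemoveOld
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$AppDisplayName'" }

if (-not $RemoveOld) {
    # Phase 1: the description records when the secret was issued, which makes later cleanup unambiguous.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "Kindo integration (rotated $stamp)"
        EndDateTime = (Get-Date).AddDays($LifetimeDays)
    }
    # SecretText is returned exactly once, like the Value column in the portal.
    Write-Host "New secret KeyId $($cred.KeyId), expires $($cred.EndDateTime)"
    Write-Host "Enter this value in the Nango integration now (it cannot be retrieved later):"
    Write-Host $cred.SecretText
    Write-Host "Then reconnect from Kindo and rerun this script with -RemoveOld."
} else {
    # Phase 2: keep only the secret with the latest expiry (the one just issued) and remove the rest.
    $newest = $app.PasswordCredentials | Sort-Object EndDateTime -Descending | Select-Object -First 1
    foreach ($old in ($app.PasswordCredentials | Where-Object { $_.KeyId -ne $newest.KeyId })) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $old.KeyId
        Write-Host "Removed old secret '$($old.DisplayName)' ($($old.KeyId))"
    }
}
```

Keep the KeyId printed in phase 1 with your record of which Kindo integration uses the registration; it is the value the sign-in logs show when a connection fails after rotation.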