Connect SharePoint to ChatGPT: Explore Sites & Drives

Learn how to connect SharePoint to ChatGPT using a managed MCP server. Discover how AI agents can navigate sites, list drives, and securely access documents.

Uday Gajavalli · 10 min read

If you need to connect SharePoint to ChatGPT to automate document discovery, audit site permissions, or retrieve enterprise knowledge, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between ChatGPT's tool calls and Microsoft's underlying Graph APIs. You can either spend months building and maintaining this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses Claude, check out our guide on connecting SharePoint to Claude and connecting SharePoint to AI Agents.

Giving a Large Language Model (LLM) read and write access to a sprawling enterprise ecosystem like SharePoint is an engineering challenge. You have to handle OAuth 2.0 token lifecycles, map massive JSON schemas to MCP tool definitions, and deal with the specific complexities of the Microsoft Graph API. Every time Microsoft updates an endpoint or deprecates a field, you have to update your server code, redeploy, and test the integration.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for SharePoint, connect it natively to ChatGPT, and execute complex workflows using natural language.

The Engineering Reality of the SharePoint API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against Microsoft's APIs is painful. You aren't just integrating "SharePoint" - you are integrating the Microsoft Graph API, which carries specific design patterns, error formats, and legacy quirks.

If you decide to build a custom MCP server for SharePoint, you own the entire API lifecycle. Here are the specific integration challenges that break standard CRUD assumptions when working with SharePoint:

The Composite ID Architecture

In most REST APIs, a resource is identified by a single alphanumeric string. In SharePoint, via the Microsoft Graph API, a Site is rarely just a simple string. The siteId is often a composite identifier composed of three parts: the hostname, the site collection GUID, and the site GUID (e.g., contoso.sharepoint.com,a1b2c3d4-e5f6-...,g7h8i9j0-...). When building custom tools, you have to ensure the LLM perfectly extracts, preserves, and passes these composite IDs between separate tool calls (like listing sites, then listing drives within a site). If your custom server fails to validate these formats, the API throws malformed request errors.
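
One way to validate the composite form before a tool call is forwarded, as an added example (not Truto's or Microsoft's code). It checks only the three-part form described above; the function name, the SiteId type and the sample GUIDs are constructed for illustration.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote

# Dot-separated hostname labels of letters, digits and hyphens.
_HOST = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
# Canonical 8-4-4-4-12 GUID; anything shorter has been truncated.
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


class SiteId(NamedTuple):
    hostname: str
    site_collection_id: str
    site_id: str

    def __str__(self) -> str:
        # Re-serialize in the same comma-separated form the API handed out.
        return f"{self.hostname},{self.site_collection_id},{self.site_id}"


def parse_site_id(raw: str) -> SiteId:
    """Parse 'hostname,collection-guid,site-guid' or raise ValueError."""
    # Models sometimes URL-encode the commas or pad the value with spaces.
    parts = [p.strip() for p in unquote(raw).strip().split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 comma-separated parts, got {len(parts)}")
    host, collection, site = parts
    if not _HOST.match(host):
        raise ValueError(f"not a hostname: {host!r}")
    for label, value in (("site collection", collection), ("site", site)):
        # Rejects elided values such as "a1b2c3d4-e5f6-..." and non-hex text.
        if not _GUID.match(value):
            raise ValueError(f"{label} GUID is truncated or malformed: {value!r}")
    return SiteId(host, collection, site)


# Constructed sample value, not a real tenant.
SAMPLE = (
    "contoso.sharepoint.com,"
    "2c712604-1370-44e7-a1f5-426573fda0a4,"
    "2d2244c3-251a-49ea-93c8-39a9a8f1ea3a"
)
```

Rejecting a malformed ID locally gives the model a precise error to correct, instead of a malformed request error from the upstream API.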

Drives vs. Document Libraries

SharePoint users think in terms of "Document Libraries." The Microsoft Graph API thinks in terms of "Drives." To access a file, an LLM cannot just search the SharePoint site. It must first list the drives associated with a siteId, identify the correct drive, and then query the DriveItems inside it. The hierarchical nesting (Sites -> Drives -> DriveItems) requires multiple sequential API calls. Your MCP server must expose discrete, well-documented tools for each step of this hierarchy, or the LLM will hallucinate shortcuts that do not exist in the Graph API.

Rate Limits and 429 Errors

Microsoft enforces strict rate limits across the Graph API, utilizing both client-specific and tenant-wide throttling. When these thresholds are crossed, the API returns a 429 Too Many Requests error.

A factual note on rate limits: Truto does not retry, throttle, or apply backoff on rate limit errors. When an upstream API returns an HTTP 429, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF specification. The caller (in this case, your AI agent framework or custom ChatGPT script) is strictly responsible for interpreting these headers and executing its own exponential backoff and retry logic. Do not expect the integration layer to absorb Microsoft's rate limit rejections.
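
A sketch of the caller-side retry logic this note calls for, as an added example (not Truto's code). It assumes ratelimit-reset carries the number of seconds until the window resets; the send callable, the 60-second cap and the scripted responses are constructed for illustration.

```python
import math
import random
import time

MAX_DELAY = 60.0  # assumption: cap on any single wait, in seconds


def retry_delay(headers, attempt, base=1.0, rng=random.random):
    """Seconds to wait after a 429: server hint or backoff, whichever is longer."""
    backoff = min(MAX_DELAY, base * (2 ** attempt))
    try:
        # Assumption: ratelimit-reset is seconds until the window resets.
        hinted = float(headers.get("ratelimit-reset", 0))
    except (TypeError, ValueError):
        hinted = 0.0  # malformed header: fall back to plain backoff
    if not math.isfinite(hinted):
        hinted = 0.0
    hinted = min(max(hinted, 0.0), MAX_DELAY)
    # Jitter keeps parallel agents from retrying in lockstep.
    return max(hinted, backoff) + rng() * base


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send() -> (status, headers, body) until it is not a 429."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            lowered = {k.lower(): v for k, v in headers.items()}
            sleep(retry_delay(lowered, attempt, rng=rng))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


def scripted_sender(responses):
    """Constructed stand-in for the HTTP call: replays canned responses."""
    it = iter(responses)
    return lambda: next(it)


def demo():
    """Two throttled responses, then success; returns (result, waits)."""
    waits = []
    send = scripted_sender([
        (429, {"RateLimit-Reset": "3", "ratelimit-remaining": "0"}, None),
        (429, {}, None),
        (200, {}, {"result": "ok"}),
    ])
    result = call_with_backoff(send, sleep=waits.append, rng=lambda: 0.0)
    return result, waits
```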

When an LLM requests a list of sites or files, it cannot ingest 10,000 records at once. Microsoft Graph uses OData pagination, often returning an @odata.nextLink containing an opaque $skiptoken. You have to write the logic to handle these pagination cursors. You must explicitly instruct the LLM to pass cursor values back unchanged to fetch the next set of records. If your MCP server does not inject strict cursor-handling instructions into the tool schema, the LLM will attempt to guess the next page number, resulting in a failed request.
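
Prompt instructions alone do not stop a model from inventing a cursor, so the agent loop can enforce the rule itself. The guard below is an added example (not Truto's code): it forwards only cursors the server actually issued and caps the number of pages per tool. The next_cursor argument name, the response shape and the page data are assumptions constructed for illustration.

```python
class CursorGuard:
    """Wraps a tool-calling function; rejects cursors the server never issued."""

    def __init__(self, call_tool, max_pages=20):
        self._call_tool = call_tool
        self._issued = set()   # (tool, cursor) pairs returned so far
        self._pages = {}       # pages fetched per tool
        self._max_pages = max_pages

    def call(self, tool, args):
        cursor = args.get("next_cursor")
        if cursor is not None and (tool, cursor) not in self._issued:
            # A guessed value such as "2" never reaches the upstream API.
            raise ValueError(f"{tool}: cursor {cursor!r} was not issued by the server")
        self._pages[tool] = self._pages.get(tool, 0) + 1
        if self._pages[tool] > self._max_pages:
            raise RuntimeError(f"{tool}: page budget of {self._max_pages} exhausted")
        result = self._call_tool(tool, args)
        nxt = result.get("next_cursor")
        if nxt:
            self._issued.add((tool, nxt))  # stored as-is, never parsed
        return result


# Constructed backend: three pages of sites linked by opaque tokens.
_PAGES = {
    None: {"result": ["site-a", "site-b"], "next_cursor": "b3BhcXVlLTE"},
    "b3BhcXVlLTE": {"result": ["site-c"], "next_cursor": "b3BhcXVlLTI"},
    "b3BhcXVlLTI": {"result": ["site-d"], "next_cursor": None},
}


def fake_call_tool(tool, args):
    """Constructed stand-in for the MCP tool call."""
    return _PAGES[args.get("next_cursor")]


def list_everything(guard, tool):
    """Drain a listing by echoing each cursor back unchanged."""
    items, args = [], {}
    while True:
        page = guard.call(tool, args)
        items.extend(page["result"])
        if not page.get("next_cursor"):
            return items
        args = {"next_cursor": page["next_cursor"]}
```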

Deploying the SharePoint MCP Server

Instead of forcing your engineering team to build custom API wrappers, handle OAuth flows, and manually write JSON-RPC handlers, you can use Truto to generate a production-ready MCP server for SharePoint.

Truto's MCP servers derive tool definitions dynamically from the integration's documented API endpoints. A tool only appears in the MCP server if it has a corresponding documentation entry - acting as a quality gate to ensure only well-defined endpoints are exposed to the LLM.

Each MCP server is scoped to a single connected SharePoint instance and is authenticated via a secure, cryptographic token embedded in the URL.

There are two ways to create this MCP server in Truto:

Method 1: Via the Truto UI

  1. Log into your Truto dashboard and navigate to the integrated account page for your connected SharePoint instance.
  2. Click the MCP Servers tab.
  3. Click Create MCP Server.
  4. Select your desired configuration (such as assigning a name, or applying method filters to restrict access to read-only operations).
  5. Copy the generated MCP server URL. This URL contains the cryptographic token required for access.

Method 2: Via the Truto API

You can programmatically generate MCP servers for your end-users by making an API call to Truto. The API validates the integration, generates a secure token, and returns a ready-to-use URL.

curl -X POST https://api.truto.one/integrated-accounts/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SharePoint Discovery Server",
    "config": {
      "methods": ["read"]
    }
  }'

The response will include the unique url for the newly created MCP server, formatted as https://api.truto.one/mcp/<token>.

Connecting the MCP Server to ChatGPT

Once you have your Truto MCP Server URL, you must connect it to your LLM client. All communication happens over HTTP POST with JSON-RPC 2.0 messages.

There are two ways to connect this server to ChatGPT or other compatible clients:

Method A: Via the ChatGPT UI

If you are using the ChatGPT desktop application or web interface (with Developer Mode enabled for custom connectors):

  1. Copy the MCP server URL generated by Truto.
  2. In ChatGPT, navigate to Settings -> Connectors -> Add custom connector.
  3. Paste the URL into the server configuration field and click Add. (Note: If you are configuring Claude Desktop instead, the path is Settings -> Integrations -> Add MCP Server). ChatGPT will instantly ping the server, execute the MCP handshake (initialize), and call tools/list to discover all available SharePoint operations.

Method B: Via Manual Config File

If you are running a local agent, Cursor, or a custom script that utilizes standard MCP configuration files, you can connect to Truto's remote server using Server-Sent Events (SSE).

Create or update your mcp_config.json file to utilize the @modelcontextprotocol/server-sse transport wrapper:

{
  "mcpServers": {
    "sharepoint_truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/YOUR_SECURE_TOKEN_HERE"
      ]
    }
  }
}

When your client boots, it will route all JSON-RPC requests through the SSE transport natively to Truto's edge routers.

SharePoint Hero Tools

Once connected, the MCP server translates SharePoint's API endpoints into distinct, schema-validated tools. Truto dynamically derives the query and body schemas from internal documentation, mapping flat LLM inputs into the required Graph API structures.

Here are the highest-leverage hero tools your AI agent can immediately use to navigate SharePoint.

list_all_share_point_sites

This tool queries the tenant for all accessible SharePoint sites. It handles pagination automatically via the next_cursor logic injected into the tool description. It is the necessary starting point for any workflow, as agents need the siteId to dive deeper.

"Find the SharePoint site associated with our 'Q3 Marketing Launch' and extract its exact site ID."

list_all_share_point_drives

SharePoint stores documents inside drives (Document Libraries) attached to specific sites. This tool requires a site_id as input. The LLM passes the composite ID it discovered in the previous step to retrieve a list of all document libraries associated with that site.

"Using the site ID you just found, list all the document drives available in the Q3 Marketing Launch site. I need the ID for the 'Public Assets' drive."

list_all_share_point_drive_items

Once the LLM has a drive_id, it uses this tool to list the contents of the drive. It returns files and folders, providing metadata such as file names, creation dates, and MIME types.

"List the items inside the 'Public Assets' drive. Look for any PDF documents uploaded in the last week and return their item IDs."

get_single_share_point_drive_item_by_id

Retrieves the detailed metadata for a specific file or folder using its item_id. This is crucial for verifying file ownership, checking web URLs, or auditing last-modified timestamps before taking action.

"Get the details for the file with ID '01ABCDEF123456'. Tell me who the original author was and when it was last modified."

download_share_point_file

A custom method derived from the Graph API's /content endpoint. It allows the LLM to retrieve the actual raw contents of a file (or obtain the temporary, short-lived microsoft.graph.downloadUrl) so the agent can ingest and summarize the text.

"Download the contents of the Q3 Marketing Launch budget spreadsheet and summarize the total allocated spend for digital ads."

search_share_point_sites

A custom search operation utilizing Microsoft Search APIs. Instead of forcing the LLM to manually paginate through hundreds of sites, it can use this tool to pass a specific search query and locate sites by keyword or description.

"Search our SharePoint tenant for any sites containing the keyword 'Compliance Audit 2025' and return their IDs."

(Note: This is just a selection of hero operations. Truto exposes the full surface area of the integration. For the complete tool inventory, required parameters, and schema definitions, visit the SharePoint integration page.)

Workflows in Action

When you give an LLM the ability to navigate SharePoint programmatically, it can execute multi-step discovery workflows that would normally take a human dozens of clicks.

Scenario 1: Automated Policy Retrieval

An employee asks an internal HR bot to find the latest Remote Work Policy.

"Locate the 2026 Remote Work Policy document in the HR SharePoint site, download it, and tell me the section regarding home office stipends."

  1. Search: The agent calls search_share_point_sites with the query "HR" to locate the human resources site ID.
  2. List Drives: The agent calls list_all_share_point_drives using the HR site ID to find the "Company Policies" document library.
  3. Browse Items: The agent calls list_all_share_point_drive_items on that drive, locating the specific file named "2026_Remote_Work_Policy.pdf" and securing its item ID.
  4. Download & Summarize: The agent calls download_share_point_file with the item ID, reads the contents into its context window, and returns the exact stipend policy to the user.

Scenario 2: Project Asset Audit

An IT administrator needs to audit a deprecated project site to see what data remains.

"Audit the 'Project Alpha 2023' SharePoint site. Tell me how many document libraries it has, and list the five most recently modified files across all of them."

  1. Identify Site: The agent calls list_all_share_point_sites, filtering or searching until it finds the composite ID for Project Alpha.
  2. Map Infrastructure: The agent calls list_all_share_point_drives to map out every document library inside the site.
  3. Audit Contents: For each drive ID returned, the agent sequentially calls list_all_share_point_drive_items, checking the lastModifiedDateTime fields.
  4. Compile Report: The agent aggregates the data across all tool calls and presents a synthesized report of the newest files, saving the admin from manually clicking through multiple deeply-nested UI folders.

Security and Access Control

Exposing Microsoft Graph endpoints to an autonomous agent carries inherent risks. A hallucinating model should not be able to delete an enterprise document library. Truto provides multiple layers of security at the MCP token level to strictly bound LLM behavior.

  • Method Filtering: When generating the server, you can pass methods: ["read"]. This drops all create, update, and delete tools from the MCP server entirely. If the LLM tries to delete a site, it physically cannot; the tool simply does not exist in its context.
  • Tag Filtering: You can restrict the server to specific operational domains using tags. If you only want the agent interacting with files, you can filter tools using tags: ["drive_items"], hiding site-level administrative operations.
  • Require API Token Auth: By default, the MCP token URL is sufficient for access. For higher security scenarios, you can enable require_api_token_auth. This forces the client to also pass a standard Truto API Bearer token in the Authorization header. This ensures that even if the MCP URL is leaked in a log file, the server remains secure.
  • Automatic Expiration: If you are providing temporary SharePoint access to an external contractor's AI agent, you can set the expires_at field. Cloudflare KV expiration and automated durable object alarms will automatically terminate the token and clean up all access at the precise timestamp.
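
To confirm that method filtering took effect, compare what the server advertises in its tools/list response against an allowlist before handing the URL to an agent. The check below is an added example (not Truto's code). The allowlist holds the tool names listed on this page; the write-verb prefixes and the sample response, including its delete tool name, are constructed for illustration.

```python
import json

# Tools this page names; all of them are read operations.
EXPECTED_READ_TOOLS = {
    "list_all_share_point_sites",
    "list_all_share_point_drives",
    "list_all_share_point_drive_items",
    "get_single_share_point_drive_item_by_id",
    "download_share_point_file",
    "search_share_point_sites",
}
# Assumption: name prefixes that suggest a tool changes state.
WRITE_VERBS = ("create_", "update_", "delete_", "upload_", "move_", "copy_")


def audit_tools(tools_list_response, allowed=EXPECTED_READ_TOOLS):
    """Compare a JSON-RPC tools/list response against an allowlist."""
    msg = json.loads(tools_list_response)
    if "error" in msg:
        raise RuntimeError(f"tools/list failed: {msg['error']}")
    exposed = {t["name"] for t in msg["result"]["tools"]}
    unexpected = exposed - set(allowed)
    return {
        "unexpected": sorted(unexpected),
        "write_like": sorted(n for n in unexpected if n.startswith(WRITE_VERBS)),
        "missing": sorted(set(allowed) - exposed),
        "ok": not unexpected,
    }


# Constructed response; "delete_a_share_point_drive_item_by_id" is a
# hypothetical name standing in for a write tool that slipped through.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "list_all_share_point_sites", "inputSchema": {"type": "object"}},
        {"name": "list_all_share_point_drives", "inputSchema": {"type": "object"}},
        {"name": "delete_a_share_point_drive_item_by_id",
         "inputSchema": {"type": "object"}},
    ]},
})
```

Running the audit whenever a server is created or reconfigured catches a filter that was dropped or mistyped before the agent ever sees the tool.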

Escape the Integration Trap

Connecting SharePoint to ChatGPT shouldn't require your team to become experts in Microsoft Graph API composite IDs, OData pagination cursors, or OAuth refresh flows. By deploying a managed MCP server via Truto, you offload the entire infrastructure burden.

You provide the integrated account; Truto handles the dynamic tool generation, the JSON-RPC routing, the schema normalization, and the token management. Your AI agents get immediate, secure access to the enterprise data they need to function.

FAQ

How does ChatGPT access SharePoint files?
ChatGPT accesses SharePoint files through a Model Context Protocol (MCP) server. The MCP server translates the LLM's natural language tool calls into structured REST API requests against the Microsoft Graph API, handling authentication, pagination, and data schemas automatically.

Does Truto automatically handle SharePoint rate limits?
No. Truto does not retry, throttle, or absorb rate limit errors. When the Microsoft Graph API returns an HTTP 429 error, Truto passes that error directly to the caller (ChatGPT) while normalizing the rate limit information into standardized IETF headers. The AI agent or client framework must implement its own exponential backoff logic.

Can I restrict ChatGPT to read-only access in SharePoint?
Yes. When generating the MCP server in Truto, you can apply method filtering (e.g., setting the allowed methods to ['read']). This ensures the generated MCP server only exposes safe operations like 'list' and 'get', completely preventing the LLM from creating, updating, or deleting SharePoint resources.
