How does Claude access SharePoint files?

Claude accesses SharePoint files through a Model Context Protocol (MCP) server. The MCP server translates Claude's JSON-RPC tool calls into secure Microsoft Graph API requests, handling pagination and authentication.

Does Truto automatically handle Microsoft Graph rate limits?

No. When the Graph API returns a 429 Too Many Requests error, Truto passes the error directly to the client while normalizing the rate limit data into standard ratelimit-limit, ratelimit-remaining, and ratelimit-reset headers. The calling agent must handle the retry and backoff logic.

Can I restrict Claude to read-only access in SharePoint?

Yes. When generating the MCP server in Truto, you can apply method filters like `["read"]` to ensure the server only exposes GET and LIST operations, preventing the LLM from creating or modifying files.

Do I have to write custom JSON schemas for SharePoint endpoints?

No. Truto dynamically generates the MCP tool definitions, including all required JSON schemas for query parameters and request bodies, directly from the underlying integration documentation.

Connect SharePoint to Claude: Navigate Organizational Sites and Drives

If you need to connect SharePoint to Claude to navigate organizational sites, audit document drives, or automate intranet workflows, you need a Model Context Protocol (MCP) server. This server acts as the critical translation layer between Claude's function-calling capabilities and the Microsoft Graph API. You can choose to build and maintain this infrastructure entirely in-house, or you can use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses ChatGPT, check out our guide on connecting SharePoint to ChatGPT or explore our broader architectural overview on connecting SharePoint to AI Agents.

Giving a Large Language Model (LLM) programmatic access to a sprawling enterprise ecosystem like SharePoint is an engineering challenge. Microsoft Graph is immensely powerful, but its data models are deeply nested, its pagination is complex, and its authorization layers require continuous lifecycle management. Every time an API endpoint evolves, your server code must adapt. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for SharePoint, connect it natively to Claude Desktop, and execute complex site and drive workflows using natural language.

The Engineering Reality of the SharePoint API

A custom MCP server is essentially a self-hosted integration layer. While the open MCP standard provides a predictable, JSON-RPC based mechanism for models to discover and execute tools, the reality of implementing it against Microsoft Graph's SharePoint endpoints is painful. You are not just integrating a simple REST API - you are navigating an enterprise entity graph.

If you decide to build a custom MCP server for SharePoint, you own the entire API lifecycle. Here are the specific challenges you will face:

Deeply Nested Resource Hierarchies SharePoint data is highly relational. To retrieve a single file, an API client must often sequence multiple calls: find the Site ID, find the Drive ID within that site, and finally locate the Item ID within that drive (e.g., /sites/{site-id}/drives/{drive-id}/items/{item-id}). If you expose raw Microsoft Graph endpoints directly to Claude, the model frequently hallucinates IDs or attempts to skip required structural steps. An effective MCP server must provide atomic tools that enforce this hierarchy step-by-step.

OData Pagination and Response Formatting Microsoft Graph relies heavily on OData conventions. Pagination is handled via @odata.nextLink or $skipToken parameters, and field selection requires precise $select and $expand queries. Exposing these raw OData constructs to an LLM usually results in malformed requests. Truto normalizes SharePoint's pagination into a standardized limit and next_cursor schema, explicitly instructing Claude to pass cursor values back unchanged without attempting to decode or modify them.

Strict API Throttling and Rate Limits Microsoft Graph enforces aggressive throttling, returning HTTP 429 errors when limits are exceeded. If an AI agent attempts to recursively crawl a large SharePoint document library, it will inevitably hit these limits. Truto does not silently absorb or retry these errors. Instead, when SharePoint returns a 429, Truto passes the error back to the caller while normalizing the upstream rate limit information into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). This design ensures your agent orchestration layer maintains full control over its retry and exponential backoff logic.

Rather than engineering these abstraction layers from scratch, you can use Truto. Truto normalizes authentication and pagination, exposing SharePoint's deeply nested architecture as flat, callable MCP tools.

How to Generate a SharePoint MCP Server with Truto

Truto dynamically generates MCP tools based on the resources and documentation defined within an integration. When you connect a SharePoint instance, Truto automatically maps the available endpoints into standardized tools, complete with JSON Schemas for both query parameters and request bodies.

Because tool generation is documentation-driven, endpoints only appear as MCP tools if they have corresponding documentation records. This acts as a quality gate, ensuring Claude only sees well-described, context-rich operations.

You can generate an MCP server for a connected SharePoint account via the Truto UI or programmatically via the API.

Method 1: Via the Truto UI

Navigate to the Integrated Accounts page in your Truto dashboard.
Select your connected SharePoint instance.
Click the MCP Servers tab.
Click Create MCP Server.
Configure your access rules (e.g., setting method filters to ["read"] or defining an expiration date).
Copy the generated MCP server URL. This URL contains a secure, hashed cryptographic token.

Method 2: Via the Truto API

For teams managing AI agent infrastructure as code, you can provision MCP servers programmatically. Send a POST request to /integrated-account/:id/mcp. Truto will validate the requested filters, generate a secure token in Cloudflare KV, and return the server URL.

curl -X POST "https://api.truto.one/integrated-account/<INTEGRATED_ACCOUNT_ID>/mcp" \
  -H "Authorization: Bearer <YOUR_TRUTO_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SharePoint IT Operations MCP",
    "config": {
      "methods": ["read"],
      "tags": ["directory", "files"]
    },
    "expires_at": "2026-12-31T23:59:59Z"
  }'

The API responds with the active configuration and the endpoint URL:

{
  "id": "mcp-shp-12345",
  "name": "SharePoint IT Operations MCP",
  "config": { "methods": ["read"], "tags": ["directory", "files"] },
  "expires_at": "2026-12-31T23:59:59Z",
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890..."
}

How to Connect the MCP Server to Claude

Because Truto's MCP servers are fully self-contained, the generated URL securely encodes the tenant context, the integrated account mapping, and the tool definitions. You do not need to manage local environment variables or pass OAuth tokens directly to the client.

There are two primary ways to connect this URL to Claude.

Method A: Via the Claude UI (Desktop/Web)

If you are using the Claude Desktop application or a web interface that supports external tool connections:

Open Claude and navigate to Settings.
Locate the Integrations or Connectors panel (depending on your tier).
Click Add MCP Server or Add custom connector.
Paste the Truto MCP URL (e.g., https://api.truto.one/mcp/a1b2c3d4e...).
Click Save.

Claude will immediately execute the JSON-RPC initialize handshake, request tools/list, and populate its context window with the available SharePoint operations.

Method B: Via Manual Config File

For advanced users running Claude Desktop, you can configure the MCP server by modifying the claude_desktop_config.json file. Because the Truto endpoint communicates over HTTP using standard JSON-RPC, you can utilize the official SSE (Server-Sent Events) transport wrapper provided by the MCP SDK.

Update your configuration file (typically located at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "sharepoint-truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/a1b2c3d4e5f67890..."
      ]
    }
  }
}

Restart Claude Desktop. The application will spawn the SSE transport process, connect to Truto, and pull down the SharePoint schemas.

SharePoint Hero Tools for Claude

Truto flattens the Microsoft Graph hierarchy into descriptive, snake_case tool names that clearly indicate their function to the LLM. When Claude executes a tool, the input is validated against the dynamic JSON Schema before being proxied to the underlying Microsoft Graph endpoints.

Below are the most critical operations for navigating SharePoint.

list_all_share_point_sites

This tool retrieves all SharePoint sites available to the authenticated account. Because SharePoint is inherently distributed, this is almost always the first tool Claude must call. It returns the id of each site, which is a required parameter for downstream file and list operations.

"I need to find the HR department's intranet. Please list all the SharePoint sites we have access to and find the one that looks like it belongs to Human Resources. Return its ID."

list_all_share_point_drives

A SharePoint "drive" is a document library. Once Claude identifies a site, it must use this tool to discover the document libraries within that specific site. It requires a site_id.

"Now that we have the HR Site ID, list all the document drives located on this site. I am looking for the drive that stores employee policy documents."

list_all_share_point_drive_items

This tool enumerates the files and folders (items) within a specific drive. It handles SharePoint's pagination natively via the limit and next_cursor parameters. Claude uses this to browse the contents of a directory. It requires a site_id and a drive_id.

"List the items in the 'Policies 2026' drive. If there are more than 50 files, use the cursor to fetch the next page. Show me all the file names and their corresponding item IDs."

get_single_share_point_drive_item_by_id

This tool retrieves the full metadata and properties of a specific file or folder. It requires the site_id, drive_id, and item_id. Claude uses this to inspect file types, creation dates, and Web URLs before deciding to process or download content.

"Get the details for the file with ID '01ABCD1234'. I need to know when it was last modified and what its web URL is so I can link it to the user."

list_all_share_point_lists

Beyond files, SharePoint relies heavily on Lists for structured data (issue trackers, asset registries, contact rosters). This tool retrieves all custom Lists within a specific site, providing the list IDs needed to query actual list items.

"Check the IT Operations site and list all the SharePoint Lists available. I am looking for the Hardware Asset Registry list."

search_share_point_sites

Instead of manually traversing the hierarchy, this tool allows Claude to execute a Graph Search across the tenant to locate sites, lists, or drives based on keyword matching.

"Search across all SharePoint sites for the keyword 'Q3 Marketing Roadmap' and return the top 5 results."

For the complete inventory of available SharePoint operations, including custom list item creation and advanced drive metadata manipulation, refer to the SharePoint integration page.

Workflows in Action

By chaining these atomic tools together, Claude can execute complex, multi-step reasoning tasks across your organization's intranet without requiring any hardcoded scripts.

Scenario 1: Employee Onboarding Policy Discovery

User Prompt:

"Find the 2026 Remote Work Policy document. It should be somewhere in the Human Resources site. Once you find it, give me the direct web link and tell me who last modified it."

Step-by-step Execution:

Claude calls list_all_share_point_sites to retrieve the directory of sites.
It identifies the site named "Human Resources" and extracts its id.
Claude calls list_all_share_point_drives using the HR site_id.
It identifies a drive named "Corporate Policies" and extracts its id.
Claude calls list_all_share_point_drive_items using both IDs. It inspects the filenames in the response.
It locates "2026_Remote_Work_Policy.pdf" and extracts its item_id.
Claude calls get_single_share_point_drive_item_by_id to retrieve the exact web URL and the lastModifiedBy metadata.

Result: Claude responds conversationally with the direct link to the policy and notes that it was last updated by the HR Director, successfully navigating a deeply nested Microsoft Graph hierarchy autonomously.

Scenario 2: Cross-Site IT Asset Audit

User Prompt:

"We need to audit our hardware. Go into the IT Admin site, find the 'Hardware Assets' list, and summarize how many laptops are currently marked as 'In Repair'."

Step-by-step Execution:

Claude calls search_share_point_sites using the query "IT Admin" to quickly locate the target site without manually listing everything.
It extracts the site_id from the search results.
Claude calls list_all_share_point_lists with the site_id to retrieve available structured lists.
It identifies the "Hardware Assets" list and extracts its id.
(Assuming the standard list_all_share_point_list_items tool is available in the full inventory), Claude calls it using the site_id and list_id to retrieve the rows of data.
Claude processes the returned JSON array, filters the items where the status column equals "In Repair", and counts the total.

Result: Claude provides an accurate count of laptops currently under repair, pulling structured data out of a specific SharePoint List without requiring the user to know any Graph API endpoints.

Security and Access Control

Giving an AI agent unconstrained access to a corporate SharePoint tenant is a massive security risk. Truto's managed MCP server architecture enforces strict governance at the server generation level, allowing you to limit what the LLM can actually do.

Method Filtering: By defining config.methods: ["read"] during server creation, Truto filters out all create, update, and delete operations. Even if Claude attempts to hallucinate a tool call to delete a file, the MCP server will reject it because the tool simply does not exist in the defined schema.
Tag Filtering: Integration resources can be tagged by domain (e.g., "files", "lists"). Using config.tags, you can restrict an MCP server to only expose tools related to specific subsets of the API.
Secondary Authentication (require_api_token_auth): By default, possessing the MCP URL grants access. By setting require_api_token_auth: true, Truto forces the connecting client to also pass a valid Truto API token in the Authorization header, preventing unauthorized lateral movement if the URL is leaked.
Time-Limited Access (expires_at): You can assign a strict expiration datetime to the MCP server. Truto uses distributed alarms and Cloudflare KV expiration to automatically destroy the server and its hashed token at the exact microsecond the TTL expires. This is ideal for granting temporary, session-based agent access to sensitive SharePoint data.

Moving Forward with Agentic SharePoint Workflows

Connecting Claude to SharePoint via a custom-built integration layer means taking on the perpetual burden of maintaining Microsoft Graph abstractions. By utilizing a managed MCP server, you offload authentication state, pagination normalization, and schema generation to Truto.

Your engineers can focus on prompt engineering, orchestration logic, and ensuring the AI handles 429 rate limit backoffs gracefully, while Truto handles the unpredictable reality of enterprise APIs.