@softeria/ms-365-mcp-server 0.12.3 → 0.13.0

package/README.md

@@ -21,15 +21,17 @@ API.
 
 ## Supported Services & Tools
 
+### Personal Account Tools (Available by default)
+
 **Email (Outlook)**  
 <sub>list-mail-messages, list-mail-folders, list-mail-folder-messages, get-mail-message, send-mail,
-delete-mail-message</sub>
+delete-mail-message, create-draft-email, move-mail-message</sub>
 
 **Calendar**  
 <sub>list-calendars, list-calendar-events, get-calendar-event, get-calendar-view, create-calendar-event,
 update-calendar-event, delete-calendar-event</sub>
 
-**OneDrive & SharePoint Files**  
+**OneDrive Files**  
 <sub>list-drives, get-drive-root-item, list-folder-files, download-onedrive-file-content, upload-file-content,
 upload-new-file, delete-onedrive-file</sub>
 
@@ -50,21 +52,25 @@ create-onenote-page</sub>
 <sub>list-outlook-contacts, get-outlook-contact, create-outlook-contact, update-outlook-contact,
 delete-outlook-contact</sub>
 
-**Teams & Chats** (Work/School accounts only)  
+**User Profile**  
+<sub>get-current-user</sub>
+
+### Organization Account Tools (Requires --org-mode flag)
+
+**Teams & Chats**  
 <sub>list-chats, get-chat, list-chat-messages, get-chat-message, send-chat-message, list-chat-message-replies,
 reply-to-chat-message, list-joined-teams, get-team, list-team-channels, get-team-channel, list-channel-messages,
 get-channel-message, send-channel-message, list-team-members</sub>
 
-**SharePoint Sites** (Work/School accounts only)  
+**SharePoint Sites**  
 <sub>search-sharepoint-sites, get-sharepoint-site, get-sharepoint-site-by-path, list-sharepoint-site-drives,
 get-sharepoint-site-drive-by-id, list-sharepoint-site-items, get-sharepoint-site-item, list-sharepoint-site-lists,
 get-sharepoint-site-list, list-sharepoint-site-list-items, get-sharepoint-site-list-item,
 get-sharepoint-sites-delta</sub>
 
-### Work Scopes Issues
+## Organization/Work Mode
 
-If you're having issues accessing work/school features (Teams, SharePoint, etc.), you should pass the
-`--force-work-scopes` flag!
+To access work/school features (Teams, SharePoint, etc.), enable organization mode using any of these flags:
 
 ```json
 {
@@ -74,18 +80,15 @@ If you're having issues accessing work/school features (Teams, SharePoint, etc.)
       "args": [
         "-y",
         "@softeria/ms-365-mcp-server",
-        "--force-work-scopes"
+        "--org-mode"
       ]
     }
   }
 }
 ```
 
-While the server should attempt to force a re-login when work scopes are needed, passing the flag explicitly is safer
-and ensures proper scope permissions from the start.
-
-**User Profile**  
-<sub>get-current-user</sub>
+Organization mode must be enabled from the start to access work account features. Without this flag, only personal
+account features (email, calendar, OneDrive, etc.) are available.
 
 ## Quick Start Example
 
@@ -226,7 +229,9 @@ The following options can be used when running ms-365-mcp-server directly from t
 --login           Login using device code flow
 --logout          Log out and clear saved credentials
 --verify-login    Verify login without starting the server
---force-work-scopes Force inclusion of work account scopes during login (includes Teams, SharePoint, etc.)
+--org-mode        Enable organization/work mode from start (includes Teams, SharePoint, etc.)
+--work-mode       Alias for --org-mode
+--force-work-scopes Backwards compatibility alias for --org-mode (deprecated)
 ```
 
 ### Server Options
@@ -246,7 +251,8 @@ Environment variables:
 
 - `READ_ONLY=true|1`: Alternative to --read-only flag
 - `ENABLED_TOOLS`: Filter tools using regex pattern (alternative to --enabled-tools flag)
-- `MS365_MCP_FORCE_WORK_SCOPES=true|1`: Force inclusion of work account scopes (alternative to --force-work-scopes flag)
+- `MS365_MCP_ORG_MODE=true|1`: Enable organization/work mode (alternative to --org-mode flag)
+- `MS365_MCP_FORCE_WORK_SCOPES=true|1`: Backwards compatibility for MS365_MCP_ORG_MODE
 - `LOG_LEVEL`: Set logging level (default: 'info')
 - `SILENT=true|1`: Disable console output
 - `MS365_MCP_CLIENT_ID`: Custom Azure app client ID (defaults to built-in app)

package/dist/auth.js

@@ -49,9 +49,6 @@ function buildScopesFromEndpoints(includeWorkAccountScopes = false) {
   });
   return Array.from(scopesSet);
 }
-function buildAllScopes() {
-  return buildScopesFromEndpoints(true);
-}
 class AuthManager {
   constructor(config = DEFAULT_CONFIG, scopes = buildScopesFromEndpoints()) {
     logger.info(`And scopes are ${scopes.join(", ")}`, scopes);
@@ -324,45 +321,6 @@ class AuthManager {
       return false;
     }
   }
-  async expandToWorkAccountScopes(hack) {
-    try {
-      logger.info("Expanding to work account scopes...");
-      const allScopes = buildAllScopes();
-      const deviceCodeRequest = {
-        scopes: allScopes,
-        deviceCodeCallback: (response2) => {
-          const text = [
-            "\n",
-            "\u{1F504} This feature requires additional permissions (work account scopes)",
-            "\n",
-            response2.message,
-            "\n"
-          ].join("");
-          if (hack) {
-            hack(text + 'After login run the "verify login" command');
-          } else {
-            console.log(text);
-          }
-          logger.info("Work account scope expansion initiated");
-        }
-      };
-      const response = await this.msalApp.acquireTokenByDeviceCode(deviceCodeRequest);
-      logger.info("Work account scope expansion successful");
-      this.accessToken = response?.accessToken || null;
-      this.tokenExpiry = response?.expiresOn ? new Date(response.expiresOn).getTime() : null;
-      this.scopes = allScopes;
-      if (response?.account) {
-        this.selectedAccountId = response.account.homeAccountId;
-        await this.saveSelectedAccount();
-        logger.info(`Updated selected account after scope expansion: ${response.account.username}`);
-      }
-      await this.saveTokenCache();
-      return true;
-    } catch (error) {
-      logger.error(`Error expanding to work account scopes: ${error.message}`);
-      return false;
-    }
-  }
   // Multi-account support methods
   async listAccounts() {
     return await this.msalApp.getTokenCache().getAllAccounts();
@@ -431,7 +389,6 @@ class AuthManager {
 }
 var auth_default = AuthManager;
 export {
-  buildAllScopes,
   buildScopesFromEndpoints,
   auth_default as default
 };

package/dist/cli.js

@@ -17,9 +17,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
   "--enabled-tools <pattern>",
   'Filter tools using regex pattern (e.g., "excel|contact" to enable Excel and Contact tools)'
 ).option(
-  "--force-work-scopes",
-  "Force inclusion of work account scopes during login (includes Teams, SharePoint, etc.)"
-);
+  "--org-mode",
+  "Enable organization/work mode from start (includes Teams, SharePoint, etc.)"
+).option("--work-mode", "Alias for --org-mode").option("--force-work-scopes", "Backwards compatibility alias for --org-mode (deprecated)");
 function parseArgs() {
   program.parse();
   const options = program.opts();
@@ -29,9 +29,15 @@ function parseArgs() {
   if (process.env.ENABLED_TOOLS) {
     options.enabledTools = process.env.ENABLED_TOOLS;
   }
+  if (process.env.MS365_MCP_ORG_MODE === "true" || process.env.MS365_MCP_ORG_MODE === "1") {
+    options.orgMode = true;
+  }
   if (process.env.MS365_MCP_FORCE_WORK_SCOPES === "true" || process.env.MS365_MCP_FORCE_WORK_SCOPES === "1") {
     options.forceWorkScopes = true;
   }
+  if (options.workMode || options.forceWorkScopes) {
+    options.orgMode = true;
+  }
   return options;
 }
 export {

package/dist/graph-client.js

@@ -90,21 +90,12 @@ class GraphClient {
       if (response.status === 403) {
         const errorText = await response.text();
         if (errorText.includes("scope") || errorText.includes("permission")) {
-          const hasWorkPermissions = await this.authManager.hasWorkAccountPermissions();
-          if (!hasWorkPermissions) {
-            logger.info("403 scope error detected, attempting to expand to work account scopes...");
-            const expanded = await this.authManager.expandToWorkAccountScopes();
-            if (expanded) {
-              const newToken = await this.authManager.getToken();
-              if (newToken) {
-                logger.info("Retrying request with expanded scopes...");
-                return this.performRequest(endpoint, newToken, options);
-              }
-            }
-          }
+          throw new Error(
+            `Microsoft Graph API scope error: ${response.status} ${response.statusText} - ${errorText}. This tool requires organization mode. Please restart with --org-mode flag.`
+          );
         }
         throw new Error(
-          `Microsoft Graph API scope error: ${response.status} ${response.statusText} - ${errorText}`
+          `Microsoft Graph API error: ${response.status} ${response.statusText} - ${errorText}`
         );
       }
       if (!response.ok) {

package/dist/graph-tools.js

@@ -1,7 +1,15 @@
 import logger from "./logger.js";
 import { api } from "./generated/client.js";
 import { z } from "zod";
-function registerGraphTools(server, graphClient, readOnly = false, enabledToolsPattern) {
+import { readFileSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const endpointsData = JSON.parse(
+  readFileSync(path.join(__dirname, "endpoints.json"), "utf8")
+);
+function registerGraphTools(server, graphClient, readOnly = false, enabledToolsPattern, orgMode = false) {
   let enabledToolsRegex;
   if (enabledToolsPattern) {
     try {
@@ -12,6 +20,11 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
     }
   }
   for (const tool of api.endpoints) {
+    const endpointConfig = endpointsData.find((e) => e.toolName === tool.alias);
+    if (endpointConfig?.requiresWorkAccount && !orgMode) {
+      logger.info(`Skipping work account tool ${tool.alias} - not in org mode`);
+      continue;
+    }
     if (readOnly && tool.method.toUpperCase() !== "GET") {
       logger.info(`Skipping write operation ${tool.alias} in read-only mode`);
       continue;
@@ -46,7 +59,7 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
         try {
           logger.info(`params: ${JSON.stringify(params)}`);
           const parameterDefinitions = tool.parameters || [];
-          let path = tool.path;
+          let path2 = tool.path;
           const queryParams = {};
           const headers = {};
           let body = null;
@@ -70,7 +83,7 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
             if (paramDef) {
               switch (paramDef.type) {
                 case "Path":
-                  path = path.replace(`{${paramName}}`, encodeURIComponent(paramValue)).replace(`:${paramName}`, encodeURIComponent(paramValue));
+                  path2 = path2.replace(`{${paramName}}`, encodeURIComponent(paramValue)).replace(`:${paramName}`, encodeURIComponent(paramValue));
                   break;
                 case "Query":
                   queryParams[fixedParamName] = `${paramValue}`;
@@ -105,7 +118,7 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
           }
           if (Object.keys(queryParams).length > 0) {
             const queryString = Object.entries(queryParams).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&");
-            path = `${path}${path.includes("?") ? "&" : "?"}${queryString}`;
+            path2 = `${path2}${path2.includes("?") ? "&" : "?"}${queryString}`;
           }
           const options = {
             method: tool.method.toUpperCase(),
@@ -114,12 +127,12 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
           if (options.method !== "GET" && body) {
             options.body = typeof body === "string" ? body : JSON.stringify(body);
           }
-          const isProbablyMediaContent = tool.errors?.some((error) => error.description === "Retrieved media content") || path.endsWith("/content");
+          const isProbablyMediaContent = tool.errors?.some((error) => error.description === "Retrieved media content") || path2.endsWith("/content");
           if (isProbablyMediaContent) {
             options.rawResponse = true;
           }
-          logger.info(`Making graph request to ${path} with options: ${JSON.stringify(options)}`);
-          let response = await graphClient.graphRequest(path, options);
+          logger.info(`Making graph request to ${path2} with options: ${JSON.stringify(options)}`);
+          let response = await graphClient.graphRequest(path2, options);
           const fetchAllPages = params.fetchAllPages === true;
           if (fetchAllPages && response && response.content && response.content.length > 0) {
             try {

package/dist/index.js

@@ -2,22 +2,15 @@
 import "dotenv/config";
 import { parseArgs } from "./cli.js";
 import logger from "./logger.js";
-import AuthManager from "./auth.js";
+import AuthManager, { buildScopesFromEndpoints } from "./auth.js";
 import MicrosoftGraphServer from "./server.js";
 import { version } from "./version.js";
-import { buildScopesFromEndpoints } from "./auth.js";
 async function main() {
   try {
     const args = parseArgs();
-    let includeWorkScopes = args.forceWorkScopes;
-    if (!includeWorkScopes) {
-      const tempAuthManager = new AuthManager(void 0, buildScopesFromEndpoints(false));
-      await tempAuthManager.loadTokenCache();
-      const hasWorkPermissions = await tempAuthManager.hasWorkAccountPermissions();
-      if (hasWorkPermissions) {
-        includeWorkScopes = true;
-        logger.info("Detected existing work account permissions, including work scopes");
-      }
+    const includeWorkScopes = args.orgMode || false;
+    if (includeWorkScopes) {
+      logger.info("Organization mode enabled - including work account scopes");
     }
     const scopes = buildScopesFromEndpoints(includeWorkScopes);
     const authManager = new AuthManager(void 0, scopes);

package/dist/server.js

@@ -9,7 +9,11 @@ import { registerAuthTools } from "./auth-tools.js";
 import { registerGraphTools } from "./graph-tools.js";
 import GraphClient from "./graph-client.js";
 import { MicrosoftOAuthProvider } from "./oauth-provider.js";
-import { microsoftBearerTokenAuthMiddleware, exchangeCodeForToken, refreshAccessToken } from "./lib/microsoft-auth.js";
+import {
+  exchangeCodeForToken,
+  microsoftBearerTokenAuthMiddleware,
+  refreshAccessToken
+} from "./lib/microsoft-auth.js";
 const registeredClients = /* @__PURE__ */ new Map();
 class MicrosoftGraphServer {
   constructor(authManager, options = {}) {
@@ -31,7 +35,8 @@ class MicrosoftGraphServer {
       this.server,
       this.graphClient,
       this.options.readOnly,
-      this.options.enabledTools
+      this.options.enabledTools,
+      this.options.orgMode
     );
   }
   async start() {
@@ -56,7 +61,10 @@ class MicrosoftGraphServer {
       app.use((req, res, next) => {
         res.header("Access-Control-Allow-Origin", "*");
         res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-        res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization, mcp-protocol-version");
+        res.header(
+          "Access-Control-Allow-Headers",
+          "Origin, X-Requested-With, Content-Type, Accept, Authorization, mcp-protocol-version"
+        );
         if (req.method === "OPTIONS") {
           res.sendStatus(200);
           return;
@@ -76,11 +84,7 @@ class MicrosoftGraphServer {
           grant_types_supported: ["authorization_code", "refresh_token"],
           token_endpoint_auth_methods_supported: ["none"],
           code_challenge_methods_supported: ["S256"],
-          scopes_supported: [
-            "User.Read",
-            "Files.Read",
-            "Mail.Read"
-          ]
+          scopes_supported: ["User.Read", "Files.Read", "Mail.Read"]
         });
       });
       app.get("/.well-known/oauth-protected-resource", async (req, res) => {
@@ -88,11 +92,7 @@ class MicrosoftGraphServer {
         res.json({
           resource: `${url.origin}/mcp`,
           authorization_servers: [url.origin],
-          scopes_supported: [
-            "User.Read",
-            "Files.Read",
-            "Mail.Read"
-          ],
+          scopes_supported: ["User.Read", "Files.Read", "Mail.Read"],
           bearer_methods_supported: ["header"],
           resource_documentation: `${url.origin}`
         });
@@ -124,7 +124,9 @@ class MicrosoftGraphServer {
         const url = new URL(req.url, `${req.protocol}://${req.get("host")}`);
         const tenantId = process.env.MS365_MCP_TENANT_ID || "common";
         const clientId = process.env.MS365_MCP_CLIENT_ID || "084a3e9f-a9f4-43f7-89f9-d229cf97853e";
-        const microsoftAuthUrl = new URL(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`);
+        const microsoftAuthUrl = new URL(
+          `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`
+        );
         const allowedParams = [
           "response_type",
           "redirect_uri",
@@ -275,7 +277,9 @@ class MicrosoftGraphServer {
         logger.info(`Server listening on HTTP port ${port}`);
         logger.info(`  - MCP endpoint: http://localhost:${port}/mcp`);
         logger.info(`  - OAuth endpoints: http://localhost:${port}/auth/*`);
-        logger.info(`  - OAuth discovery: http://localhost:${port}/.well-known/oauth-authorization-server`);
+        logger.info(
+          `  - OAuth discovery: http://localhost:${port}/.well-known/oauth-authorization-server`
+        );
       });
     } else {
       const transport = new StdioServerTransport();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.12.3",
+  "version": "0.13.0",
   "description": "Microsoft 365 MCP Server",
   "type": "module",
   "main": "dist/index.js",