@softeria/ms-365-mcp-server 0.80.0 → 0.81.0

package/README.md

@@ -273,6 +273,8 @@ Then add connection with URL `http://localhost:3000/mcp` and ID `ms-365`.
 
 ![Open WebUI MCP Connection](https://github.com/user-attachments/assets/dcab71dd-cf02-4bcb-b7db-5725d6be4064)
 
+> **Running in Docker behind a reverse proxy?** Set `--public-url https://your-domain.com` so the OAuth authorize URL handed to the user's browser is reachable from outside the container network. See [docs/deployment.md](docs/deployment.md) for the full guide.
+
 ### Local Development
 
 For local development or testing:
@@ -449,7 +451,15 @@ npx @softeria/ms-365-mcp-server --list-presets  # See all available presets
 
 Available presets: `mail`, `calendar`, `files`, `personal`, `work`, `excel`, `contacts`, `tasks`, `onenote`, `search`, `users`, `all`
 
-**Experimental:** `--discovery` starts with only 2 tools (`search-tools`, `execute-tool`) for minimal token usage.
+## Dynamic Tool Discovery
+
+Instead of loading all 90+ tools upfront, use dynamic discovery so the LLM finds and loads tools only when it needs them:
+
+```bash
+npx @softeria/ms-365-mcp-server --discovery
+```
+
+Keeps the initial context small and cuts token usage, especially useful for long sessions or cost-sensitive setups (e.g. Open WebUI running against a paid API).
 
 ## CLI Options
 
@@ -481,7 +491,8 @@ When running as an MCP server, the following options can be used:
 --preset <names>  Use preset tool categories (comma-separated). See "Tool Presets" section above
 --list-presets    List all available presets and exit
 --toon            (experimental) Enable TOON output format for 30-60% token reduction
---discovery       (experimental) Start with search-tools + execute-tool only
+--discovery       Dynamic tool discovery: loads tools on demand to reduce initial token usage (see "Dynamic Tool Discovery" above)
+--public-url <url> Public base URL for OAuth when behind a reverse proxy (see Open WebUI section and docs/deployment.md)
 ```
 
 Environment variables:

package/dist/endpoints.json

@@ -1442,5 +1442,12 @@
     "toolName": "update-place",
     "workScopes": ["Place.ReadWrite.All"],
     "llmTip": "Updates properties of a place (room, room list, building, floor, section, desk, workspace). Body can include: displayName, phone, capacity, building, floorNumber, floorLabel, tags, audioDeviceName, videoDeviceName, displayDeviceName, isWheelChairAccessible. Use get-room or get-room-list to verify current values before updating."
+  },
+  {
+    "pathPattern": "/me/insights/trending",
+    "method": "get",
+    "toolName": "list-trending-insights",
+    "workScopes": ["Sites.Read.All"],
+    "llmTip": "Lists documents trending around the current user. Each item has resourceVisualization (title, type, previewImageUrl, containerDisplayName), resourceReference (webUrl, id, type), and weight (relevance score). Use $filter=resourceVisualization/type eq 'PowerPoint' to filter by file type. Use $orderby=weight/value desc to sort by relevance."
   }
 ]

package/dist/generated/client.js

@@ -2455,6 +2455,51 @@ const decline_calendar_event_Body = z.object({
   SendResponse: z.boolean().nullable().default(false),
   Comment: z.string().nullable()
 }).partial().passthrough();
+const microsoft_graph_resourceReference = z.object({
+  id: z.string().describe("The item's unique identifier.").nullish(),
+  type: z.string().describe(
+    "A string value that can be used to classify the item, such as 'microsoft.graph.driveItem'"
+  ).nullish(),
+  webUrl: z.string().describe("A URL leading to the referenced item.").nullish()
+}).passthrough();
+const microsoft_graph_resourceVisualization = z.object({
+  containerDisplayName: z.string().describe(
+    "A string describing where the item is stored. For example, the name of a SharePoint site or the user name identifying the owner of the OneDrive storing the item."
+  ).nullish(),
+  containerType: z.string().describe(
+    "Can be used for filtering by the type of container in which the file is stored. Such as Site or OneDriveBusiness."
+  ).nullish(),
+  containerWebUrl: z.string().describe("A path leading to the folder in which the item is stored.").nullish(),
+  mediaType: z.string().describe(
+    "The item's media type. Can be used for filtering for a specific type of file based on supported IANA Media Mime Types. Not all Media Mime Types are supported."
+  ).nullish(),
+  previewImageUrl: z.string().describe("A URL leading to the preview image for the item.").nullish(),
+  previewText: z.string().describe("A preview text for the item.").nullish(),
+  title: z.string().describe("The item's title text.").nullish(),
+  type: z.string().describe(
+    "The item's media type. Can be used for filtering for a specific file based on a specific type. See the section Type property values for supported types."
+  ).nullish()
+}).passthrough();
+const microsoft_graph_entity = z.object({ id: z.string().describe("The unique identifier for an entity. Read-only.").optional() }).passthrough();
+const microsoft_graph_trending = z.object({
+  id: z.string().describe("The unique identifier for an entity. Read-only.").optional(),
+  lastModifiedDateTime: z.string().regex(
+    /^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$/
+  ).datetime({ offset: true }).describe(
+    "The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z"
+  ).nullish(),
+  resourceReference: microsoft_graph_resourceReference.optional(),
+  resourceVisualization: microsoft_graph_resourceVisualization.optional(),
+  weight: z.number().describe(
+    "Value indicating how much the document is currently trending. The larger the number, the more the document is currently trending around the user (the more relevant it is). Returned documents are sorted by this value. [Simplified from 3 options]"
+  ).nullish(),
+  resource: microsoft_graph_entity.optional()
+}).passthrough();
+const microsoft_graph_trendingCollectionResponse = z.object({
+  "@odata.count": z.number().int().nullable(),
+  "@odata.nextLink": z.string().nullable(),
+  value: z.array(microsoft_graph_trending)
+}).partial().passthrough();
 const microsoft_graph_giphyRatingType = z.enum(["strict", "moderate", "unknownFutureValue"]);
 const microsoft_graph_teamFunSettings = z.object({
   allowCustomMemes: z.boolean().describe("If set to true, enables users to include custom memes.").nullish(),
@@ -3918,7 +3963,6 @@ const microsoft_graph_searchAggregation = z.object({
   buckets: z.array(microsoft_graph_searchBucket).optional(),
   field: z.string().nullish()
 }).passthrough();
-const microsoft_graph_entity = z.object({ id: z.string().describe("The unique identifier for an entity. Read-only.").optional() }).passthrough();
 const microsoft_graph_searchHit = z.object({
   contentSource: z.string().describe("The name of the content source that the externalItem is part of.").nullish(),
   hitId: z.string().describe(
@@ -4504,6 +4548,11 @@ const schemas = {
   microsoft_graph_driveCollectionResponse,
   accept_calendar_event_Body,
   decline_calendar_event_Body,
+  microsoft_graph_resourceReference,
+  microsoft_graph_resourceVisualization,
+  microsoft_graph_entity,
+  microsoft_graph_trending,
+  microsoft_graph_trendingCollectionResponse,
   microsoft_graph_giphyRatingType,
   microsoft_graph_teamFunSettings,
   microsoft_graph_teamGuestSettings,
@@ -4650,7 +4699,6 @@ const schemas = {
   search_query_Body,
   microsoft_graph_searchBucket,
   microsoft_graph_searchAggregation,
-  microsoft_graph_entity,
   microsoft_graph_searchHit,
   microsoft_graph_searchHitsContainer,
   microsoft_graph_alteredQueryToken,
@@ -7347,6 +7395,56 @@ Based on this value, you can better adjust the parameters and call findMeetingTi
     ],
     response: z.void()
   },
+  {
+    method: "get",
+    path: "/me/insights/trending",
+    alias: "list-trending-insights",
+    description: `Calculated insight that includes a list of documents trending around the user.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "$top",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Show only the first n items").optional()
+      },
+      {
+        name: "$skip",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Skip the first n items").optional()
+      },
+      {
+        name: "$search",
+        type: "Query",
+        schema: z.string().describe("Search items by search phrases").optional()
+      },
+      {
+        name: "$filter",
+        type: "Query",
+        schema: z.string().describe("Filter items by property values").optional()
+      },
+      {
+        name: "$count",
+        type: "Query",
+        schema: z.boolean().describe("Include count of items").optional()
+      },
+      {
+        name: "$orderby",
+        type: "Query",
+        schema: z.array(z.string()).describe("Order items by property values").optional()
+      },
+      {
+        name: "$select",
+        type: "Query",
+        schema: z.array(z.string()).describe("Select properties to be returned").optional()
+      },
+      {
+        name: "$expand",
+        type: "Query",
+        schema: z.array(z.string()).describe("Expand related entities").optional()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/me/joinedTeams",

package/docs/deployment.md

@@ -49,6 +49,8 @@ docker run -p 3000:3000 \
 
 ## Azure Container Apps
 
+> **Turnkey Bicep example**: see [`examples/azure-container-apps/`](../examples/azure-container-apps/) for a complete Bicep template + PowerShell deploy script that provisions Log Analytics, UAMI, Key Vault (RBAC), Container Apps Environment and the Container App in one command.
+
 1. **Push the image** to Azure Container Registry:
 
    ```bash

package/examples/azure-container-apps/README.md

@@ -0,0 +1,188 @@
+# Azure Container Apps deployment example
+
+> **Community-contributed example.** This is a turnkey starter — adapt it to your tenant, naming conventions, and security policies before running it in production. See [`docs/deployment.md`](../../docs/deployment.md) for the baseline deployment guide.
+
+Deploys `ms-365-mcp-server` to Azure Container Apps in **Streamable HTTP** mode, with secrets stored in Azure Key Vault and fetched at startup by a user-assigned managed identity (UAMI). No credentials are written to environment variables.
+
+## Contents
+
+- `main.bicep` — full infrastructure: Log Analytics, UAMI, Key Vault (RBAC), Container Apps Environment, Container App
+- `deploy.ps1` — PowerShell 7 orchestrator (login, Resource Group, deployment, outputs)
+
+## Architecture
+
+```
+MCP client (Claude Desktop / claude.ai / ...)
+         │ HTTPS + OAuth 2.0 (Dynamic Client Registration)
+         ▼
+   Container App  (<baseName>-app)
+     - args: --http 3000 [--org-mode] [--read-only]
+     - scale 0-3 on concurrent HTTP requests
+         │ DefaultAzureCredential (UAMI)
+         ▼
+   Key Vault  (<baseName>kv<suffix>)
+     - ms365-mcp-client-id
+     - ms365-mcp-tenant-id
+     - ms365-mcp-cloud-type
+     - ms365-mcp-client-secret  (optional — confidential client)
+         │
+         ▼
+   Microsoft Graph API  (per-user delegated token)
+```
+
+## Prerequisites
+
+### 1. Azure
+
+- Subscription with **Contributor** + **User Access Administrator** roles on the target Resource Group (User Access Administrator is required for the UAMI → Key Vault RBAC assignment).
+- [Azure CLI 2.60+](https://learn.microsoft.com/cli/azure/install-azure-cli).
+- [PowerShell 7+](https://learn.microsoft.com/powershell/scripting/install/installing-powershell).
+
+### 2. Entra ID app registration
+
+Create an app registration in your tenant:
+
+- **Supported account types**: single tenant
+- **Redirect URIs** (initial): `http://localhost:3000/oauth/callback` — update after the first deploy once you know the Container App FQDN
+- **API permissions**: delegated scopes matching your run mode. Print the exact list with:
+  ```bash
+  npx @softeria/ms-365-mcp-server --list-permissions [--org-mode] [--read-only]
+  ```
+  Grant admin consent in Entra ID for all `*.All` scopes.
+- **Authentication → Allow public client flows**: Yes (if you will not use a client secret)
+- **Certificates & secrets** (optional): create a client secret for confidential-client mode
+
+Collect `tenantId`, `clientId`, and (optionally) `clientSecret`.
+
+### 3. Container image
+
+Default: `ghcr.io/softeria/ms-365-mcp-server:latest`.
+Pin a version with `ghcr.io/softeria/ms-365-mcp-server:<tag>`, or push to your own Azure Container Registry and pass the reference via `-ContainerImage`.
+
+## Initial deployment
+
+```powershell
+cd examples/azure-container-apps
+
+# Your own object ID, so you can rotate Key Vault secrets later
+$myOid = az ad signed-in-user show --query id -o tsv
+
+./deploy.ps1 `
+  -ResourceGroup 'rg-ms365mcp' `
+  -Location 'eastus' `
+  -BaseName 'ms365mcp' `
+  -TenantId '<TENANT_GUID>' `
+  -McpClientId '<APP_CLIENT_ID>' `
+  -KvAdminObjectIds @($myOid) `
+  -OrgMode $true
+```
+
+The script prompts for the client secret (leave empty for a public client).
+
+### Dry-run
+
+```powershell
+./deploy.ps1 ... -WhatIf
+```
+
+## Post-deployment
+
+### 1. Update the redirect URI in Entra ID
+
+The first deployment produces an FQDN such as `ms365mcp-app.<suffix>.<region>.azurecontainerapps.io`. Add `https://<fqdn>/oauth/callback` to your app registration → Authentication → Redirect URIs.
+
+### 2. Redeploy with `publicBaseUrl`
+
+So the server advertises the correct public URL in OAuth metadata:
+
+```powershell
+./deploy.ps1 ... -PublicBaseUrl 'https://<fqdn>'
+```
+
+### 3. Smoke test
+
+```bash
+# OAuth metadata (should return 200 with JSON)
+curl https://<fqdn>/.well-known/oauth-authorization-server
+
+# MCP endpoint (should return 401 without Authorization header)
+curl -i https://<fqdn>/mcp
+```
+
+### 4. Connect an MCP client
+
+See the [Client Configuration section](../../docs/deployment.md#client-configuration) in the main deployment guide.
+
+## Operations
+
+### Stream logs
+
+```bash
+az containerapp logs show -n <baseName>-app -g <rg> --follow
+```
+
+### Force a new revision
+
+```bash
+az containerapp update -n <baseName>-app -g <rg> --revision-suffix "manual$(date +%s)"
+```
+
+### Update the image
+
+```bash
+az containerapp update -n <baseName>-app -g <rg> \
+  --image ghcr.io/softeria/ms-365-mcp-server:<new-tag>
+```
+
+### Rotate the client secret
+
+```bash
+# 1. Create a new secret in Entra ID (Certificates & secrets)
+# 2. Update Key Vault
+az keyvault secret set --vault-name <kv-name> --name ms365-mcp-client-secret --value "<new-secret>"
+# 3. Restart to pick up the new value
+az containerapp update -n <baseName>-app -g <rg> --revision-suffix "rotate$(date +%s)"
+```
+
+### Pin minimum replicas (eliminate cold start)
+
+```bash
+az containerapp update -n <baseName>-app -g <rg> --min-replicas 1 --max-replicas 5
+```
+
+## Cost (order of magnitude)
+
+| Resource      | Config                 | Monthly (idle)                             |
+| ------------- | ---------------------- | ------------------------------------------ |
+| Container App | Consumption, scale 0-3 | ~$0 with scale-to-zero, ~$15-25 with min=1 |
+| Log Analytics | 30-day retention       | ~$2-5 depending on log volume              |
+| Key Vault     | Standard, low ops      | <$1                                        |
+| UAMI          | —                      | free                                       |
+
+Regional pricing varies — consult the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) for your region. Scale-to-zero introduces a ~2–5 s cold start on the first request after idle.
+
+## Security notes
+
+- **Secrets**: never in environment variables — always via Key Vault + UAMI
+- **Ingress**: external HTTPS only. To restrict by IP, add `ipSecurityRestrictions` under `configuration.ingress`
+- **RBAC**: UAMI receives only `Key Vault Secrets User` (read). Rotation is done by the admin principals listed in `-KvAdminObjectIds`
+- **Purge protection** is enabled on Key Vault (90-day soft-delete) — accidental deletions are recoverable
+- **CORS**: defaults to `http://localhost:3000`. Set `-CorsOrigin 'https://claude.ai'` (or your client URL) for hosted clients
+
+## Cleanup
+
+```bash
+az group delete -n <rg> --yes --no-wait
+# Key Vault remains in soft-delete for 30 days. To purge immediately:
+az keyvault purge --name <kv-name>
+```
+
+## Troubleshooting
+
+| Symptom                                  | Likely cause                              | Fix                                                                                                   |
+| ---------------------------------------- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------- |
+| Container restarts in a loop             | UAMI can't read Key Vault secrets         | Wait ~5 min for role propagation, then check `az role assignment list --assignee <uami-principal-id>` |
+| 401 on `/mcp` even with a valid token    | Wrong `tenantId`/`clientId` in Key Vault  | `az keyvault secret show --vault-name <kv> --name ms365-mcp-client-id`                                |
+| OAuth fails with `redirect_uri mismatch` | Redirect URI in Entra ID not updated      | Add `https://<fqdn>/oauth/callback` in the app registration                                           |
+| Graph returns 403                        | Missing scope / admin consent not granted | Re-run `--list-permissions` and grant admin consent                                                   |
+| Cold start > 10 s                        | Heavy startup work in custom image        | Verify the image does not run `npm install` in its ENTRYPOINT                                         |

package/examples/azure-container-apps/deploy.ps1

@@ -0,0 +1,170 @@
+#Requires -Version 7.0
+<#
+.SYNOPSIS
+Deploys ms-365-mcp-server to Azure Container Apps using the colocated Bicep template.
+
+.DESCRIPTION
+Creates (or updates) the target Resource Group and runs the Bicep deployment.
+The Entra ID client secret is prompted interactively and stored in Key Vault.
+
+.EXAMPLE
+./deploy.ps1 -ResourceGroup rg-ms365mcp -BaseName ms365mcp `
+  -TenantId "<tenant-guid>" -McpClientId "<app-guid>" `
+  -KvAdminObjectIds @("<your-object-id>")
+
+.NOTES
+Requirements:
+  - Azure CLI 2.60+ (az)
+  - PowerShell 7+
+  - Azure subscription with Contributor + User Access Administrator roles
+    (User Access Administrator is needed for the UAMI -> Key Vault RBAC assignment)
+  - Entra ID app registration created beforehand, with a redirect URI matching
+    the Container App FQDN (update it after the first deployment).
+#>
+[CmdletBinding()]
+param(
+  [Parameter(Mandatory)][string]$ResourceGroup,
+
+  [Parameter(Mandatory)]
+  [ValidatePattern('^[a-z0-9]{3,20}$')]
+  [string]$BaseName,
+
+  [Parameter(Mandatory)][string]$TenantId,
+  [Parameter(Mandatory)][string]$McpClientId,
+
+  [string]$Location = 'eastus',
+  [string]$ContainerImage = 'ghcr.io/softeria/ms-365-mcp-server:latest',
+  [ValidateSet('global', 'gcc-high', 'dod', 'china')]
+  [string]$CloudType = 'global',
+  [string]$CorsOrigin = 'http://localhost:3000',
+  [string]$PublicBaseUrl = '',
+  [string[]]$KvAdminObjectIds = @(),
+  [bool]$OrgMode = $true,
+  [bool]$ReadOnly = $false,
+  [int]$MinReplicas = 0,
+  [int]$MaxReplicas = 3,
+  [switch]$SkipLogin,
+  [switch]$WhatIf
+)
+
+$ErrorActionPreference = 'Stop'
+$bicepFile = Join-Path $PSScriptRoot 'main.bicep'
+
+if (-not (Test-Path $bicepFile)) {
+  throw "Bicep file not found: $bicepFile"
+}
+
+# --- Prerequisites ---
+if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
+  throw 'Azure CLI not found. Install via: https://learn.microsoft.com/cli/azure/install-azure-cli'
+}
+
+Write-Host 'Checking/installing Bicep CLI...' -ForegroundColor DarkGray
+az bicep install 2>$null | Out-Null
+az bicep upgrade 2>$null | Out-Null
+
+# --- Authentication ---
+if (-not $SkipLogin) {
+  $acct = az account show --only-show-errors 2>$null | ConvertFrom-Json
+  if (-not $acct) {
+    Write-Host 'No active Azure session — launching az login...' -ForegroundColor Yellow
+    az login --tenant $TenantId --only-show-errors | Out-Null
+    $acct = az account show | ConvertFrom-Json
+  }
+  Write-Host "Active subscription : $($acct.name) ($($acct.id))" -ForegroundColor Green
+  Write-Host "Tenant              : $($acct.tenantId)" -ForegroundColor Green
+  if ($acct.tenantId -ne $TenantId) {
+    Write-Warning "Active tenant ($($acct.tenantId)) does not match target tenant ($TenantId)."
+    $confirm = Read-Host 'Continue anyway? [y/N]'
+    if ($confirm -ne 'y') { throw 'Cancelled by user.' }
+  }
+}
+
+# --- Client secret (interactive, SecureString) ---
+$secretSecure = Read-Host 'Entra ID client secret (leave empty for public client)' -AsSecureString
+$secretPlain = ''
+if ($secretSecure.Length -gt 0) {
+  $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secretSecure)
+  try {
+    $secretPlain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
+  } finally {
+    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
+  }
+}
+
+# --- Resource Group ---
+$rg = az group show -n $ResourceGroup --only-show-errors 2>$null | ConvertFrom-Json
+if (-not $rg) {
+  Write-Host "Creating Resource Group '$ResourceGroup' in '$Location'..." -ForegroundColor Cyan
+  az group create -n $ResourceGroup -l $Location --tags project=ms-365-mcp-server managedBy=bicep -o none
+} else {
+  Write-Host "Resource Group '$ResourceGroup' exists ($($rg.location))" -ForegroundColor Green
+}
+
+# --- Deployment parameters ---
+$deployName = "ms365mcp-$(Get-Date -Format 'yyyyMMddHHmmss')"
+$params = @{
+  baseName       = @{ value = $BaseName }
+  tenantId       = @{ value = $TenantId }
+  mcpClientId    = @{ value = $McpClientId }
+  mcpClientSecret = @{ value = $secretPlain }
+  cloudType      = @{ value = $CloudType }
+  containerImage = @{ value = $ContainerImage }
+  corsOrigin     = @{ value = $CorsOrigin }
+  publicBaseUrl  = @{ value = $PublicBaseUrl }
+  orgMode        = @{ value = $OrgMode }
+  readOnly       = @{ value = $ReadOnly }
+  minReplicas    = @{ value = $MinReplicas }
+  maxReplicas    = @{ value = $MaxReplicas }
+  kvAdminObjectIds = @{ value = $KvAdminObjectIds }
+}
+$paramsFile = New-TemporaryFile
+try {
+  @{
+    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+    contentVersion = '1.0.0.0'
+    parameters     = $params
+  } | ConvertTo-Json -Depth 10 | Set-Content -Path $paramsFile.FullName
+
+  # --- Validation (what-if) ---
+  if ($WhatIf) {
+    Write-Host '--- what-if ---' -ForegroundColor Magenta
+    az deployment group what-if `
+      -g $ResourceGroup `
+      -n $deployName `
+      -f $bicepFile `
+      -p "@$($paramsFile.FullName)"
+    return
+  }
+
+  # --- Deployment ---
+  Write-Host "Starting deployment '$deployName'..." -ForegroundColor Cyan
+  $outputs = az deployment group create `
+    -g $ResourceGroup `
+    -n $deployName `
+    -f $bicepFile `
+    -p "@$($paramsFile.FullName)" `
+    --query properties.outputs `
+    -o json | ConvertFrom-Json
+
+  # --- Summary ---
+  Write-Host ''
+  Write-Host 'Deployment succeeded.' -ForegroundColor Green
+  Write-Host "  Public URL          : $($outputs.appUrl.value)" -ForegroundColor Yellow
+  Write-Host "  Key Vault URI       : $($outputs.keyVaultUri.value)"
+  Write-Host "  Key Vault name      : $($outputs.keyVaultName.value)"
+  Write-Host "  Managed identity    : $($outputs.uamiName.value)"
+  Write-Host "  UAMI clientId       : $($outputs.uamiClientId.value)"
+  Write-Host "  Log Analytics       : $($outputs.logAnalyticsName.value)"
+  Write-Host ''
+  Write-Host 'Next steps:' -ForegroundColor Cyan
+  Write-Host "  1. Add '$($outputs.appUrl.value)/oauth/callback' as a redirect URI in your Entra ID app."
+  Write-Host "  2. Re-run with -PublicBaseUrl '$($outputs.appUrl.value)' so OAuth metadata returns the public URL."
+  Write-Host "  3. Test : curl $($outputs.appUrl.value)/.well-known/oauth-authorization-server"
+  Write-Host "  4. Logs : az containerapp logs show -n '$BaseName-app' -g '$ResourceGroup' --follow"
+}
+finally {
+  Remove-Item $paramsFile.FullName -ErrorAction SilentlyContinue
+  $secretPlain = $null
+  [GC]::Collect()
+}

package/examples/azure-container-apps/main.bicep

@@ -0,0 +1,252 @@
+// ms-365-mcp-server — Azure Container Apps deployment (community example)
+//
+// Deploys a turnkey stack:
+//   - Log Analytics workspace
+//   - User-Assigned Managed Identity (UAMI)
+//   - Key Vault (RBAC) with MCP secrets
+//   - Container Apps Environment (Consumption)
+//   - Container App running the server in Streamable HTTP mode
+//
+// The container uses DefaultAzureCredential (via the UAMI) to read secrets
+// from Key Vault at startup — credentials never appear in environment variables.
+
+@description('Base name prefix for all resources (lowercase, 3-20 chars, e.g. ms365mcpprod)')
+@minLength(3)
+@maxLength(20)
+param baseName string
+
+@description('Azure region. Defaults to the resource group location.')
+param location string = resourceGroup().location
+
+@description('Container image reference (public image by default).')
+param containerImage string = 'ghcr.io/softeria/ms-365-mcp-server:latest'
+
+@description('Entra ID tenant ID (GUID).')
+param tenantId string
+
+@description('Entra ID app registration clientId used by the MCP server.')
+param mcpClientId string
+
+@secure()
+@description('Client secret for the MCP app registration. Leave empty for a public client.')
+param mcpClientSecret string = ''
+
+@description('Microsoft cloud type: global, gcc-high, dod, china. Defaults to global.')
+@allowed([
+  'global'
+  'gcc-high'
+  'dod'
+  'china'
+])
+param cloudType string = 'global'
+
+@description('CORS origin for the MCP HTTP endpoint. Set to your client URL (e.g. https://claude.ai).')
+param corsOrigin string = 'http://localhost:3000'
+
+@description('Public base URL advertised in OAuth metadata. Derived from ingress FQDN after first deploy — leave empty initially, then redeploy with the assigned URL.')
+param publicBaseUrl string = ''
+
+@description('Object IDs of users/groups granted Key Vault Administrator role (for rotating secrets).')
+param kvAdminObjectIds array = []
+
+@description('Enable --org-mode (Teams, SharePoint, Groups, etc.). Defaults to true.')
+param orgMode bool = true
+
+@description('Enable --read-only flag (disables write operations).')
+param readOnly bool = false
+
+@description('Min replicas for autoscale. Set to 0 for scale-to-zero (cold start ~2-5s).')
+param minReplicas int = 0
+
+@description('Max replicas for autoscale.')
+param maxReplicas int = 3
+
+@description('Tags applied to all resources.')
+param tags object = {
+  project: 'ms-365-mcp-server'
+  managedBy: 'bicep'
+}
+
+// ---------- Derived ----------
+var suffix = toLower(substring(uniqueString(resourceGroup().id), 0, 5))
+var logName = '${baseName}-log-${suffix}'
+var uamiName = '${baseName}-uami'
+var kvName = take('${baseName}kv${suffix}', 24)
+var caeName = '${baseName}-cae'
+var appName = '${baseName}-app'
+
+// Built-in role definition IDs
+var roleKvSecretsUser = '4633458b-17de-408a-b874-0445c86b69e6'
+var roleKvAdministrator = '00482a5a-887f-4fb3-b363-3b7fe8e74483'
+
+// ---------- Log Analytics ----------
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+  name: logName
+  location: location
+  tags: tags
+  properties: {
+    sku: { name: 'PerGB2018' }
+    retentionInDays: 30
+    features: { enableLogAccessUsingOnlyResourcePermissions: true }
+  }
+}
+
+// ---------- User-Assigned Managed Identity ----------
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+  name: uamiName
+  location: location
+  tags: tags
+}
+
+// ---------- Key Vault (RBAC) ----------
+resource kv 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
+  name: kvName
+  location: location
+  tags: tags
+  properties: {
+    sku: { family: 'A', name: 'standard' }
+    tenantId: tenantId
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 30
+    enablePurgeProtection: true
+    publicNetworkAccess: 'Enabled'
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Allow'
+    }
+  }
+}
+
+resource secretClientId 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-client-id'
+  properties: { value: mcpClientId }
+}
+
+resource secretTenantId 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-tenant-id'
+  properties: { value: tenantId }
+}
+
+resource secretCloudType 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-cloud-type'
+  properties: { value: cloudType }
+}
+
+resource secretClientSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = if (!empty(mcpClientSecret)) {
+  parent: kv
+  name: 'ms365-mcp-client-secret'
+  properties: { value: mcpClientSecret }
+}
+
+// Grant UAMI the Key Vault Secrets User role on the vault
+resource roleUami 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: kv
+  name: guid(kv.id, uami.id, roleKvSecretsUser)
+  properties: {
+    principalId: uami.properties.principalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleKvSecretsUser)
+  }
+}
+
+// Grant human admins the Key Vault Administrator role (to rotate secrets)
+resource roleAdmins 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for oid in kvAdminObjectIds: {
+  scope: kv
+  name: guid(kv.id, oid, roleKvAdministrator)
+  properties: {
+    principalId: oid
+    principalType: 'User'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleKvAdministrator)
+  }
+}]
+
+// ---------- Container Apps Environment ----------
+resource cae 'Microsoft.App/managedEnvironments@2024-03-01' = {
+  name: caeName
+  location: location
+  tags: tags
+  properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalytics.properties.customerId
+        sharedKey: logAnalytics.listKeys().primarySharedKey
+      }
+    }
+    workloadProfiles: [
+      { name: 'Consumption', workloadProfileType: 'Consumption' }
+    ]
+  }
+}
+
+// ---------- Container App ----------
+var containerArgs = concat(['--http', '3000'], orgMode ? ['--org-mode'] : [], readOnly ? ['--read-only'] : [])
+
+resource app 'Microsoft.App/containerApps@2024-03-01' = {
+  name: appName
+  location: location
+  tags: tags
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${uami.id}': {}
+    }
+  }
+  properties: {
+    managedEnvironmentId: cae.id
+    configuration: {
+      activeRevisionsMode: 'Single'
+      ingress: {
+        external: true
+        targetPort: 3000
+        transport: 'auto'
+        allowInsecure: false
+        traffic: [ { latestRevision: true, weight: 100 } ]
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'mcp'
+          image: containerImage
+          args: containerArgs
+          resources: {
+            cpu: json('0.5')
+            memory: '1.0Gi'
+          }
+          env: [
+            { name: 'MS365_MCP_KEYVAULT_URL', value: kv.properties.vaultUri }
+            { name: 'MS365_MCP_CORS_ORIGIN', value: corsOrigin }
+            { name: 'MS365_MCP_BASE_URL', value: empty(publicBaseUrl) ? '' : publicBaseUrl }
+            { name: 'AZURE_CLIENT_ID', value: uami.properties.clientId }
+            { name: 'NODE_ENV', value: 'production' }
+          ]
+        }
+      ]
+      scale: {
+        minReplicas: minReplicas
+        maxReplicas: maxReplicas
+        rules: [
+          {
+            name: 'http-scale'
+            http: { metadata: { concurrentRequests: '10' } }
+          }
+        ]
+      }
+    }
+  }
+  dependsOn: [ roleUami, secretClientId, secretTenantId, secretCloudType ]
+}
+
+// ---------- Outputs ----------
+output appFqdn string = app.properties.configuration.ingress.fqdn
+output appUrl string = 'https://${app.properties.configuration.ingress.fqdn}'
+output keyVaultUri string = kv.properties.vaultUri
+output keyVaultName string = kv.name
+output uamiName string = uami.name
+output uamiClientId string = uami.properties.clientId
+output logAnalyticsName string = logAnalytics.name

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.80.0",
+  "version": "0.81.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",

package/src/endpoints.json

@@ -1442,5 +1442,12 @@
     "toolName": "update-place",
     "workScopes": ["Place.ReadWrite.All"],
     "llmTip": "Updates properties of a place (room, room list, building, floor, section, desk, workspace). Body can include: displayName, phone, capacity, building, floorNumber, floorLabel, tags, audioDeviceName, videoDeviceName, displayDeviceName, isWheelChairAccessible. Use get-room or get-room-list to verify current values before updating."
+  },
+  {
+    "pathPattern": "/me/insights/trending",
+    "method": "get",
+    "toolName": "list-trending-insights",
+    "workScopes": ["Sites.Read.All"],
+    "llmTip": "Lists documents trending around the current user. Each item has resourceVisualization (title, type, previewImageUrl, containerDisplayName), resourceReference (webUrl, id, type), and weight (relevance score). Use $filter=resourceVisualization/type eq 'PowerPoint' to filter by file type. Use $orderby=weight/value desc to sort by relevance."
   }
 ]