npm - @softeria/ms-365-mcp-server - Versions diffs - 0.80.0 → 0.82.0 - Mend

@softeria/ms-365-mcp-server 0.80.0 → 0.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +13 -2
package/dist/endpoints.json +49 -0
package/dist/generated/client.js +294 -2
package/docs/deployment.md +2 -0
package/examples/azure-container-apps/README.md +188 -0
package/examples/azure-container-apps/deploy.ps1 +170 -0
package/examples/azure-container-apps/main.bicep +252 -0
package/package.json +1 -1
package/src/endpoints.json +49 -0

package/README.md CHANGED Viewed

@@ -273,6 +273,8 @@ Then add connection with URL `http://localhost:3000/mcp` and ID `ms-365`.
 ![Open WebUI MCP Connection](https://github.com/user-attachments/assets/dcab71dd-cf02-4bcb-b7db-5725d6be4064)
+> **Running in Docker behind a reverse proxy?** Set `--public-url https://your-domain.com` so the OAuth authorize URL handed to the user's browser is reachable from outside the container network. See [docs/deployment.md](docs/deployment.md) for the full guide.
 ### Local Development
 For local development or testing:
@@ -449,7 +451,15 @@ npx @softeria/ms-365-mcp-server --list-presets  # See all available presets
 Available presets: `mail`, `calendar`, `files`, `personal`, `work`, `excel`, `contacts`, `tasks`, `onenote`, `search`, `users`, `all`
-**Experimental:** `--discovery` starts with only 2 tools (`search-tools`, `execute-tool`) for minimal token usage.
+## Dynamic Tool Discovery
+Instead of loading all 90+ tools upfront, use dynamic discovery so the LLM finds and loads tools only when it needs them:
+```bash
+npx @softeria/ms-365-mcp-server --discovery
+```
+Keeps the initial context small and cuts token usage, especially useful for long sessions or cost-sensitive setups (e.g. Open WebUI running against a paid API).
 ## CLI Options
@@ -481,7 +491,8 @@ When running as an MCP server, the following options can be used:
 --preset <names>  Use preset tool categories (comma-separated). See "Tool Presets" section above
 --list-presets    List all available presets and exit
 --toon            (experimental) Enable TOON output format for 30-60% token reduction
---discovery       (experimental) Start with search-tools + execute-tool only
+--discovery       Dynamic tool discovery: loads tools on demand to reduce initial token usage (see "Dynamic Tool Discovery" above)
+--public-url <url> Public base URL for OAuth when behind a reverse proxy (see Open WebUI section and docs/deployment.md)
 ```
 Environment variables:

package/dist/endpoints.json CHANGED Viewed

@@ -1442,5 +1442,54 @@
     "toolName": "update-place",
     "workScopes": ["Place.ReadWrite.All"],
     "llmTip": "Updates properties of a place (room, room list, building, floor, section, desk, workspace). Body can include: displayName, phone, capacity, building, floorNumber, floorLabel, tags, audioDeviceName, videoDeviceName, displayDeviceName, isWheelChairAccessible. Use get-room or get-room-list to verify current values before updating."
+  },
+  {
+    "pathPattern": "/me/insights/trending",
+    "method": "get",
+    "toolName": "list-trending-insights",
+    "workScopes": ["Sites.Read.All"],
+    "llmTip": "Lists documents trending around the current user. Each item has resourceVisualization (title, type, previewImageUrl, containerDisplayName), resourceReference (webUrl, id, type), and weight (relevance score). Use $filter=resourceVisualization/type eq 'PowerPoint' to filter by file type. Use $orderby=weight/value desc to sort by relevance."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/cancel",
+    "method": "post",
+    "toolName": "cancel-calendar-event",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Cancels a meeting (organizer only) and sends a cancellation message to all attendees. Body: { Comment (optional string, custom message) }. Use this instead of delete-calendar-event when you want attendees to see 'Canceled' in their calendar. Attendees calling this get HTTP 400 — they should use decline-calendar-event instead."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/forward",
+    "method": "post",
+    "toolName": "forward-calendar-event",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Forwards a meeting invitation to additional recipients. Body: { ToRecipients: [{ emailAddress: { address, name } }], Comment (optional) }. If the forwarder is an attendee (not organizer), the organizer is also notified and the new recipient is added to the organizer's attendee list."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/snoozeReminder",
+    "method": "post",
+    "toolName": "snooze-calendar-event-reminder",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Postpones a triggered event reminder. Body: { NewReminderTime: { dateTime (ISO 8601), timeZone (IANA or Windows, e.g. 'Pacific Standard Time') } }. The reminder will re-fire at the new time."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/dismissReminder",
+    "method": "post",
+    "toolName": "dismiss-calendar-event-reminder",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Dismisses a triggered event reminder so it won't re-fire. No request body required. Pair with list-calendar-events or get-schedule to find active reminders."
+  },
+  {
+    "pathPattern": "/me/events/delta()",
+    "method": "get",
+    "toolName": "list-calendar-events-delta",
+    "scopes": ["Calendars.Read"],
+    "llmTip": "Incremental sync of events across the default calendar. First call returns all events plus @odata.deltaLink. Subsequent calls with that link return only additions/updates/removals. Use $select to limit fields. Deltas expire after ~30 days — start over if the server returns 410 Gone. For a time-bounded view with delta semantics, use list-calendar-view-delta instead."
+  },
+  {
+    "pathPattern": "/me/calendarView/delta()",
+    "method": "get",
+    "toolName": "list-calendar-view-delta",
+    "scopes": ["Calendars.Read"],
+    "llmTip": "Incremental sync of events within a time window. Required query params on first call: startDateTime, endDateTime (ISO 8601). Returns events in the window plus @odata.deltaLink; subsequent calls with that link return only changes. Expands recurring events to individual occurrences (unlike list-calendar-events-delta which returns the series master). Use this for calendar UIs showing a week/month view."
   }
 ]

package/dist/generated/client.js CHANGED Viewed

@@ -2455,6 +2455,53 @@ const decline_calendar_event_Body = z.object({
   SendResponse: z.boolean().nullable().default(false),
   Comment: z.string().nullable()
 }).partial().passthrough();
+const forward_calendar_event_Body = z.object({ ToRecipients: z.array(microsoft_graph_recipient), Comment: z.string().nullable() }).partial().passthrough();
+const snooze_calendar_event_reminder_Body = z.object({ NewReminderTime: microsoft_graph_dateTimeTimeZone }).partial().passthrough();
+const microsoft_graph_resourceReference = z.object({
+  id: z.string().describe("The item's unique identifier.").nullish(),
+  type: z.string().describe(
+    "A string value that can be used to classify the item, such as 'microsoft.graph.driveItem'"
+  ).nullish(),
+  webUrl: z.string().describe("A URL leading to the referenced item.").nullish()
+}).passthrough();
+const microsoft_graph_resourceVisualization = z.object({
+  containerDisplayName: z.string().describe(
+    "A string describing where the item is stored. For example, the name of a SharePoint site or the user name identifying the owner of the OneDrive storing the item."
+  ).nullish(),
+  containerType: z.string().describe(
+    "Can be used for filtering by the type of container in which the file is stored. Such as Site or OneDriveBusiness."
+  ).nullish(),
+  containerWebUrl: z.string().describe("A path leading to the folder in which the item is stored.").nullish(),
+  mediaType: z.string().describe(
+    "The item's media type. Can be used for filtering for a specific type of file based on supported IANA Media Mime Types. Not all Media Mime Types are supported."
+  ).nullish(),
+  previewImageUrl: z.string().describe("A URL leading to the preview image for the item.").nullish(),
+  previewText: z.string().describe("A preview text for the item.").nullish(),
+  title: z.string().describe("The item's title text.").nullish(),
+  type: z.string().describe(
+    "The item's media type. Can be used for filtering for a specific file based on a specific type. See the section Type property values for supported types."
+  ).nullish()
+}).passthrough();
+const microsoft_graph_entity = z.object({ id: z.string().describe("The unique identifier for an entity. Read-only.").optional() }).passthrough();
+const microsoft_graph_trending = z.object({
+  id: z.string().describe("The unique identifier for an entity. Read-only.").optional(),
+  lastModifiedDateTime: z.string().regex(
+    /^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$/
+  ).datetime({ offset: true }).describe(
+    "The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z"
+  ).nullish(),
+  resourceReference: microsoft_graph_resourceReference.optional(),
+  resourceVisualization: microsoft_graph_resourceVisualization.optional(),
+  weight: z.number().describe(
+    "Value indicating how much the document is currently trending. The larger the number, the more the document is currently trending around the user (the more relevant it is). Returned documents are sorted by this value. [Simplified from 3 options]"
+  ).nullish(),
+  resource: microsoft_graph_entity.optional()
+}).passthrough();
+const microsoft_graph_trendingCollectionResponse = z.object({
+  "@odata.count": z.number().int().nullable(),
+  "@odata.nextLink": z.string().nullable(),
+  value: z.array(microsoft_graph_trending)
+}).partial().passthrough();
 const microsoft_graph_giphyRatingType = z.enum(["strict", "moderate", "unknownFutureValue"]);
 const microsoft_graph_teamFunSettings = z.object({
   allowCustomMemes: z.boolean().describe("If set to true, enables users to include custom memes.").nullish(),
@@ -3918,7 +3965,6 @@ const microsoft_graph_searchAggregation = z.object({
   buckets: z.array(microsoft_graph_searchBucket).optional(),
   field: z.string().nullish()
 }).passthrough();
-const microsoft_graph_entity = z.object({ id: z.string().describe("The unique identifier for an entity. Read-only.").optional() }).passthrough();
 const microsoft_graph_searchHit = z.object({
   contentSource: z.string().describe("The name of the content source that the externalItem is part of.").nullish(),
   hitId: z.string().describe(
@@ -4504,6 +4550,13 @@ const schemas = {
   microsoft_graph_driveCollectionResponse,
   accept_calendar_event_Body,
   decline_calendar_event_Body,
+  forward_calendar_event_Body,
+  snooze_calendar_event_reminder_Body,
+  microsoft_graph_resourceReference,
+  microsoft_graph_resourceVisualization,
+  microsoft_graph_entity,
+  microsoft_graph_trending,
+  microsoft_graph_trendingCollectionResponse,
   microsoft_graph_giphyRatingType,
   microsoft_graph_teamFunSettings,
   microsoft_graph_teamGuestSettings,
@@ -4650,7 +4703,6 @@ const schemas = {
   search_query_Body,
   microsoft_graph_searchBucket,
   microsoft_graph_searchAggregation,
-  microsoft_graph_entity,
   microsoft_graph_searchHit,
   microsoft_graph_searchHitsContainer,
   microsoft_graph_alteredQueryToken,
@@ -6692,6 +6744,70 @@ or from some other calendar of the user.`,
     ],
     response: z.void()
   },
+  {
+    method: "get",
+    path: "/me/calendarView/delta()",
+    alias: "list-calendar-view-delta",
+    description: `Get a set of event resources that have been added, deleted, or updated in a calendarView (a range of events defined by start and end dates) of the user's primary calendar. Typically, synchronizing events in a calendarView in a local store entails a round of multiple delta function calls. The initial call is a full synchronization, and every subsequent delta call in the same round gets the incremental changes (additions, deletions, or updates). This allows you to maintain and synchronize a local store of events in the specified calendarView, without having to fetch all the events of that calendar from the server every time.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "startDateTime",
+        type: "Query",
+        schema: z.string().describe(
+          "The start date and time of the time range in the function, represented in ISO 8601 format. For example, 2019-11-08T20:00:00-08:00"
+        )
+      },
+      {
+        name: "endDateTime",
+        type: "Query",
+        schema: z.string().describe(
+          "The end date and time of the time range in the function, represented in ISO 8601 format. For example, 2019-11-08T20:00:00-08:00"
+        )
+      },
+      {
+        name: "$top",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Show only the first n items").optional()
+      },
+      {
+        name: "$skip",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Skip the first n items").optional()
+      },
+      {
+        name: "$search",
+        type: "Query",
+        schema: z.string().describe("Search items by search phrases").optional()
+      },
+      {
+        name: "$filter",
+        type: "Query",
+        schema: z.string().describe("Filter items by property values").optional()
+      },
+      {
+        name: "$count",
+        type: "Query",
+        schema: z.boolean().describe("Include count of items").optional()
+      },
+      {
+        name: "$select",
+        type: "Query",
+        schema: z.array(z.string()).describe("Select properties to be returned").optional()
+      },
+      {
+        name: "$orderby",
+        type: "Query",
+        schema: z.array(z.string()).describe("Order items by property values").optional()
+      },
+      {
+        name: "$expand",
+        type: "Query",
+        schema: z.array(z.string()).describe("Expand related entities").optional()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/me/chats",
@@ -7298,6 +7414,25 @@ open extensions or extended properties, and how to specify extended properties.`
     ],
     response: z.void()
   },
+  {
+    method: "post",
+    path: "/me/events/:eventId/cancel",
+    alias: "cancel-calendar-event",
+    description: `This action allows the organizer of a meeting to send a cancellation message and cancel the event.  The action moves the event to the Deleted Items folder. The organizer can also cancel an occurrence of a recurring meeting
+by providing the occurrence event ID. An attendee calling this action gets an error (HTTP 400 Bad Request), with the following
+error message: 'Your request can't be completed. You need to be an organizer to cancel a meeting.' This action differs from Delete in that Cancel is available to only the organizer, and lets
+the organizer send a custom message to the attendees about the cancellation.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: z.object({ Comment: z.string().nullable() }).partial().passthrough()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "post",
     path: "/me/events/:eventId/decline",
@@ -7314,6 +7449,49 @@ open extensions or extended properties, and how to specify extended properties.`
     ],
     response: z.void()
   },
+  {
+    method: "post",
+    path: "/me/events/:eventId/dismissReminder",
+    alias: "dismiss-calendar-event-reminder",
+    description: `Dismiss a reminder that has been triggered for an event in a user calendar.`,
+    requestFormat: "json",
+    response: z.void()
+  },
+  {
+    method: "post",
+    path: "/me/events/:eventId/forward",
+    alias: "forward-calendar-event",
+    description: `This action allows the organizer or attendee of a meeting event to forward the
+meeting request to a new recipient. If the meeting event is forwarded from an attendee's Microsoft 365 mailbox to another recipient, this action
+also sends a message to notify the organizer of the forwarding, and adds the recipient to the organizer's
+copy of the meeting event. This convenience is not available when forwarding from an Outlook.com account.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: forward_calendar_event_Body
+      }
+    ],
+    response: z.void()
+  },
+  {
+    method: "post",
+    path: "/me/events/:eventId/snoozeReminder",
+    alias: "snooze-calendar-event-reminder",
+    description: `Postpone a reminder for an event in a user calendar until a new time.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: snooze_calendar_event_reminder_Body
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "post",
     path: "/me/events/:eventId/tentativelyAccept",
@@ -7330,6 +7508,70 @@ open extensions or extended properties, and how to specify extended properties.`
     ],
     response: z.void()
   },
+  {
+    method: "get",
+    path: "/me/events/delta()",
+    alias: "list-calendar-events-delta",
+    description: `Get a set of event resources that have been added, deleted, or updated in a calendarView (a range of events defined by start and end dates) of the user's primary calendar. Typically, synchronizing events in a calendarView in a local store entails a round of multiple delta function calls. The initial call is a full synchronization, and every subsequent delta call in the same round gets the incremental changes (additions, deletions, or updates). This allows you to maintain and synchronize a local store of events in the specified calendarView, without having to fetch all the events of that calendar from the server every time.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "startDateTime",
+        type: "Query",
+        schema: z.string().describe(
+          "The start date and time of the time range in the function, represented in ISO 8601 format. For example, 2019-11-08T20:00:00-08:00"
+        )
+      },
+      {
+        name: "endDateTime",
+        type: "Query",
+        schema: z.string().describe(
+          "The end date and time of the time range in the function, represented in ISO 8601 format. For example, 2019-11-08T20:00:00-08:00"
+        )
+      },
+      {
+        name: "$top",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Show only the first n items").optional()
+      },
+      {
+        name: "$skip",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Skip the first n items").optional()
+      },
+      {
+        name: "$search",
+        type: "Query",
+        schema: z.string().describe("Search items by search phrases").optional()
+      },
+      {
+        name: "$filter",
+        type: "Query",
+        schema: z.string().describe("Filter items by property values").optional()
+      },
+      {
+        name: "$count",
+        type: "Query",
+        schema: z.boolean().describe("Include count of items").optional()
+      },
+      {
+        name: "$select",
+        type: "Query",
+        schema: z.array(z.string()).describe("Select properties to be returned").optional()
+      },
+      {
+        name: "$orderby",
+        type: "Query",
+        schema: z.array(z.string()).describe("Order items by property values").optional()
+      },
+      {
+        name: "$expand",
+        type: "Query",
+        schema: z.array(z.string()).describe("Expand related entities").optional()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "post",
     path: "/me/findMeetingTimes",
@@ -7347,6 +7589,56 @@ Based on this value, you can better adjust the parameters and call findMeetingTi
     ],
     response: z.void()
   },
+  {
+    method: "get",
+    path: "/me/insights/trending",
+    alias: "list-trending-insights",
+    description: `Calculated insight that includes a list of documents trending around the user.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "$top",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Show only the first n items").optional()
+      },
+      {
+        name: "$skip",
+        type: "Query",
+        schema: z.number().int().gte(0).describe("Skip the first n items").optional()
+      },
+      {
+        name: "$search",
+        type: "Query",
+        schema: z.string().describe("Search items by search phrases").optional()
+      },
+      {
+        name: "$filter",
+        type: "Query",
+        schema: z.string().describe("Filter items by property values").optional()
+      },
+      {
+        name: "$count",
+        type: "Query",
+        schema: z.boolean().describe("Include count of items").optional()
+      },
+      {
+        name: "$orderby",
+        type: "Query",
+        schema: z.array(z.string()).describe("Order items by property values").optional()
+      },
+      {
+        name: "$select",
+        type: "Query",
+        schema: z.array(z.string()).describe("Select properties to be returned").optional()
+      },
+      {
+        name: "$expand",
+        type: "Query",
+        schema: z.array(z.string()).describe("Expand related entities").optional()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/me/joinedTeams",

package/docs/deployment.md CHANGED Viewed

@@ -49,6 +49,8 @@ docker run -p 3000:3000 \
 ## Azure Container Apps
+> **Turnkey Bicep example**: see [`examples/azure-container-apps/`](../examples/azure-container-apps/) for a complete Bicep template + PowerShell deploy script that provisions Log Analytics, UAMI, Key Vault (RBAC), Container Apps Environment and the Container App in one command.
 1. **Push the image** to Azure Container Registry:
    ```bash

package/examples/azure-container-apps/README.md ADDED Viewed

@@ -0,0 +1,188 @@
+# Azure Container Apps deployment example
+> **Community-contributed example.** This is a turnkey starter — adapt it to your tenant, naming conventions, and security policies before running it in production. See [`docs/deployment.md`](../../docs/deployment.md) for the baseline deployment guide.
+Deploys `ms-365-mcp-server` to Azure Container Apps in **Streamable HTTP** mode, with secrets stored in Azure Key Vault and fetched at startup by a user-assigned managed identity (UAMI). No credentials are written to environment variables.
+## Contents
+- `main.bicep` — full infrastructure: Log Analytics, UAMI, Key Vault (RBAC), Container Apps Environment, Container App
+- `deploy.ps1` — PowerShell 7 orchestrator (login, Resource Group, deployment, outputs)
+## Architecture
+```
+MCP client (Claude Desktop / claude.ai / ...)
+         │ HTTPS + OAuth 2.0 (Dynamic Client Registration)
+         ▼
+   Container App  (<baseName>-app)
+     - args: --http 3000 [--org-mode] [--read-only]
+     - scale 0-3 on concurrent HTTP requests
+         │ DefaultAzureCredential (UAMI)
+         ▼
+   Key Vault  (<baseName>kv<suffix>)
+     - ms365-mcp-client-id
+     - ms365-mcp-tenant-id
+     - ms365-mcp-cloud-type
+     - ms365-mcp-client-secret  (optional — confidential client)
+         │
+         ▼
+   Microsoft Graph API  (per-user delegated token)
+```
+## Prerequisites
+### 1. Azure
+- Subscription with **Contributor** + **User Access Administrator** roles on the target Resource Group (User Access Administrator is required for the UAMI → Key Vault RBAC assignment).
+- [Azure CLI 2.60+](https://learn.microsoft.com/cli/azure/install-azure-cli).
+- [PowerShell 7+](https://learn.microsoft.com/powershell/scripting/install/installing-powershell).
+### 2. Entra ID app registration
+Create an app registration in your tenant:
+- **Supported account types**: single tenant
+- **Redirect URIs** (initial): `http://localhost:3000/oauth/callback` — update after the first deploy once you know the Container App FQDN
+- **API permissions**: delegated scopes matching your run mode. Print the exact list with:
+  ```bash
+  npx @softeria/ms-365-mcp-server --list-permissions [--org-mode] [--read-only]
+  ```
+  Grant admin consent in Entra ID for all `*.All` scopes.
+- **Authentication → Allow public client flows**: Yes (if you will not use a client secret)
+- **Certificates & secrets** (optional): create a client secret for confidential-client mode
+Collect `tenantId`, `clientId`, and (optionally) `clientSecret`.
+### 3. Container image
+Default: `ghcr.io/softeria/ms-365-mcp-server:latest`.
+Pin a version with `ghcr.io/softeria/ms-365-mcp-server:<tag>`, or push to your own Azure Container Registry and pass the reference via `-ContainerImage`.
+## Initial deployment
+```powershell
+cd examples/azure-container-apps
+# Your own object ID, so you can rotate Key Vault secrets later
+$myOid = az ad signed-in-user show --query id -o tsv
+./deploy.ps1 `
+  -ResourceGroup 'rg-ms365mcp' `
+  -Location 'eastus' `
+  -BaseName 'ms365mcp' `
+  -TenantId '<TENANT_GUID>' `
+  -McpClientId '<APP_CLIENT_ID>' `
+  -KvAdminObjectIds @($myOid) `
+  -OrgMode $true
+```
+The script prompts for the client secret (leave empty for a public client).
+### Dry-run
+```powershell
+./deploy.ps1 ... -WhatIf
+```
+## Post-deployment
+### 1. Update the redirect URI in Entra ID
+The first deployment produces an FQDN such as `ms365mcp-app.<suffix>.<region>.azurecontainerapps.io`. Add `https://<fqdn>/oauth/callback` to your app registration → Authentication → Redirect URIs.
+### 2. Redeploy with `publicBaseUrl`
+So the server advertises the correct public URL in OAuth metadata:
+```powershell
+./deploy.ps1 ... -PublicBaseUrl 'https://<fqdn>'
+```
+### 3. Smoke test
+```bash
+# OAuth metadata (should return 200 with JSON)
+curl https://<fqdn>/.well-known/oauth-authorization-server
+# MCP endpoint (should return 401 without Authorization header)
+curl -i https://<fqdn>/mcp
+```
+### 4. Connect an MCP client
+See the [Client Configuration section](../../docs/deployment.md#client-configuration) in the main deployment guide.
+## Operations
+### Stream logs
+```bash
+az containerapp logs show -n <baseName>-app -g <rg> --follow
+```
+### Force a new revision
+```bash
+az containerapp update -n <baseName>-app -g <rg> --revision-suffix "manual$(date +%s)"
+```
+### Update the image
+```bash
+az containerapp update -n <baseName>-app -g <rg> \
+  --image ghcr.io/softeria/ms-365-mcp-server:<new-tag>
+```
+### Rotate the client secret
+```bash
+# 1. Create a new secret in Entra ID (Certificates & secrets)
+# 2. Update Key Vault
+az keyvault secret set --vault-name <kv-name> --name ms365-mcp-client-secret --value "<new-secret>"
+# 3. Restart to pick up the new value
+az containerapp update -n <baseName>-app -g <rg> --revision-suffix "rotate$(date +%s)"
+```
+### Pin minimum replicas (eliminate cold start)
+```bash
+az containerapp update -n <baseName>-app -g <rg> --min-replicas 1 --max-replicas 5
+```
+## Cost (order of magnitude)
+| Resource      | Config                 | Monthly (idle)                             |
+| ------------- | ---------------------- | ------------------------------------------ |
+| Container App | Consumption, scale 0-3 | ~$0 with scale-to-zero, ~$15-25 with min=1 |
+| Log Analytics | 30-day retention       | ~$2-5 depending on log volume              |
+| Key Vault     | Standard, low ops      | <$1                                        |
+| UAMI          | —                      | free                                       |
+Regional pricing varies — consult the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) for your region. Scale-to-zero introduces a ~2–5 s cold start on the first request after idle.
+## Security notes
+- **Secrets**: never in environment variables — always via Key Vault + UAMI
+- **Ingress**: external HTTPS only. To restrict by IP, add `ipSecurityRestrictions` under `configuration.ingress`
+- **RBAC**: UAMI receives only `Key Vault Secrets User` (read). Rotation is done by the admin principals listed in `-KvAdminObjectIds`
+- **Purge protection** is enabled on Key Vault (90-day soft-delete) — accidental deletions are recoverable
+- **CORS**: defaults to `http://localhost:3000`. Set `-CorsOrigin 'https://claude.ai'` (or your client URL) for hosted clients
+## Cleanup
+```bash
+az group delete -n <rg> --yes --no-wait
+# Key Vault remains in soft-delete for 30 days. To purge immediately:
+az keyvault purge --name <kv-name>
+```
+## Troubleshooting
+| Symptom                                  | Likely cause                              | Fix                                                                                                   |
+| ---------------------------------------- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------- |
+| Container restarts in a loop             | UAMI can't read Key Vault secrets         | Wait ~5 min for role propagation, then check `az role assignment list --assignee <uami-principal-id>` |
+| 401 on `/mcp` even with a valid token    | Wrong `tenantId`/`clientId` in Key Vault  | `az keyvault secret show --vault-name <kv> --name ms365-mcp-client-id`                                |
+| OAuth fails with `redirect_uri mismatch` | Redirect URI in Entra ID not updated      | Add `https://<fqdn>/oauth/callback` in the app registration                                           |
+| Graph returns 403                        | Missing scope / admin consent not granted | Re-run `--list-permissions` and grant admin consent                                                   |
+| Cold start > 10 s                        | Heavy startup work in custom image        | Verify the image does not run `npm install` in its ENTRYPOINT                                         |

package/examples/azure-container-apps/deploy.ps1 ADDED Viewed

@@ -0,0 +1,170 @@
+#Requires -Version 7.0
+<#
+.SYNOPSIS
+Deploys ms-365-mcp-server to Azure Container Apps using the colocated Bicep template.
+.DESCRIPTION
+Creates (or updates) the target Resource Group and runs the Bicep deployment.
+The Entra ID client secret is prompted interactively and stored in Key Vault.
+.EXAMPLE
+./deploy.ps1 -ResourceGroup rg-ms365mcp -BaseName ms365mcp `
+  -TenantId "<tenant-guid>" -McpClientId "<app-guid>" `
+  -KvAdminObjectIds @("<your-object-id>")
+.NOTES
+Requirements:
+  - Azure CLI 2.60+ (az)
+  - PowerShell 7+
+  - Azure subscription with Contributor + User Access Administrator roles
+    (User Access Administrator is needed for the UAMI -> Key Vault RBAC assignment)
+  - Entra ID app registration created beforehand, with a redirect URI matching
+    the Container App FQDN (update it after the first deployment).
+#>
+[CmdletBinding()]
+param(
+  [Parameter(Mandatory)][string]$ResourceGroup,
+  [Parameter(Mandatory)]
+  [ValidatePattern('^[a-z0-9]{3,20}$')]
+  [string]$BaseName,
+  [Parameter(Mandatory)][string]$TenantId,
+  [Parameter(Mandatory)][string]$McpClientId,
+  [string]$Location = 'eastus',
+  [string]$ContainerImage = 'ghcr.io/softeria/ms-365-mcp-server:latest',
+  [ValidateSet('global', 'gcc-high', 'dod', 'china')]
+  [string]$CloudType = 'global',
+  [string]$CorsOrigin = 'http://localhost:3000',
+  [string]$PublicBaseUrl = '',
+  [string[]]$KvAdminObjectIds = @(),
+  [bool]$OrgMode = $true,
+  [bool]$ReadOnly = $false,
+  [int]$MinReplicas = 0,
+  [int]$MaxReplicas = 3,
+  [switch]$SkipLogin,
+  [switch]$WhatIf
+)
+$ErrorActionPreference = 'Stop'
+$bicepFile = Join-Path $PSScriptRoot 'main.bicep'
+if (-not (Test-Path $bicepFile)) {
+  throw "Bicep file not found: $bicepFile"
+}
+# --- Prerequisites ---
+if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
+  throw 'Azure CLI not found. Install via: https://learn.microsoft.com/cli/azure/install-azure-cli'
+}
+Write-Host 'Checking/installing Bicep CLI...' -ForegroundColor DarkGray
+az bicep install 2>$null | Out-Null
+az bicep upgrade 2>$null | Out-Null
+# --- Authentication ---
+if (-not $SkipLogin) {
+  $acct = az account show --only-show-errors 2>$null | ConvertFrom-Json
+  if (-not $acct) {
+    Write-Host 'No active Azure session — launching az login...' -ForegroundColor Yellow
+    az login --tenant $TenantId --only-show-errors | Out-Null
+    $acct = az account show | ConvertFrom-Json
+  }
+  Write-Host "Active subscription : $($acct.name) ($($acct.id))" -ForegroundColor Green
+  Write-Host "Tenant              : $($acct.tenantId)" -ForegroundColor Green
+  if ($acct.tenantId -ne $TenantId) {
+    Write-Warning "Active tenant ($($acct.tenantId)) does not match target tenant ($TenantId)."
+    $confirm = Read-Host 'Continue anyway? [y/N]'
+    if ($confirm -ne 'y') { throw 'Cancelled by user.' }
+  }
+}
+# --- Client secret (interactive, SecureString) ---
+$secretSecure = Read-Host 'Entra ID client secret (leave empty for public client)' -AsSecureString
+$secretPlain = ''
+if ($secretSecure.Length -gt 0) {
+  $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secretSecure)
+  try {
+    $secretPlain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
+  } finally {
+    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
+  }
+}
+# --- Resource Group ---
+$rg = az group show -n $ResourceGroup --only-show-errors 2>$null | ConvertFrom-Json
+if (-not $rg) {
+  Write-Host "Creating Resource Group '$ResourceGroup' in '$Location'..." -ForegroundColor Cyan
+  az group create -n $ResourceGroup -l $Location --tags project=ms-365-mcp-server managedBy=bicep -o none
+} else {
+  Write-Host "Resource Group '$ResourceGroup' exists ($($rg.location))" -ForegroundColor Green
+}
+# --- Deployment parameters ---
+$deployName = "ms365mcp-$(Get-Date -Format 'yyyyMMddHHmmss')"
+$params = @{
+  baseName       = @{ value = $BaseName }
+  tenantId       = @{ value = $TenantId }
+  mcpClientId    = @{ value = $McpClientId }
+  mcpClientSecret = @{ value = $secretPlain }
+  cloudType      = @{ value = $CloudType }
+  containerImage = @{ value = $ContainerImage }
+  corsOrigin     = @{ value = $CorsOrigin }
+  publicBaseUrl  = @{ value = $PublicBaseUrl }
+  orgMode        = @{ value = $OrgMode }
+  readOnly       = @{ value = $ReadOnly }
+  minReplicas    = @{ value = $MinReplicas }
+  maxReplicas    = @{ value = $MaxReplicas }
+  kvAdminObjectIds = @{ value = $KvAdminObjectIds }
+}
+$paramsFile = New-TemporaryFile
+try {
+  @{
+    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+    contentVersion = '1.0.0.0'
+    parameters     = $params
+  } | ConvertTo-Json -Depth 10 | Set-Content -Path $paramsFile.FullName
+  # --- Validation (what-if) ---
+  if ($WhatIf) {
+    Write-Host '--- what-if ---' -ForegroundColor Magenta
+    az deployment group what-if `
+      -g $ResourceGroup `
+      -n $deployName `
+      -f $bicepFile `
+      -p "@$($paramsFile.FullName)"
+    return
+  }
+  # --- Deployment ---
+  Write-Host "Starting deployment '$deployName'..." -ForegroundColor Cyan
+  $outputs = az deployment group create `
+    -g $ResourceGroup `
+    -n $deployName `
+    -f $bicepFile `
+    -p "@$($paramsFile.FullName)" `
+    --query properties.outputs `
+    -o json | ConvertFrom-Json
+  # --- Summary ---
+  Write-Host ''
+  Write-Host 'Deployment succeeded.' -ForegroundColor Green
+  Write-Host "  Public URL          : $($outputs.appUrl.value)" -ForegroundColor Yellow
+  Write-Host "  Key Vault URI       : $($outputs.keyVaultUri.value)"
+  Write-Host "  Key Vault name      : $($outputs.keyVaultName.value)"
+  Write-Host "  Managed identity    : $($outputs.uamiName.value)"
+  Write-Host "  UAMI clientId       : $($outputs.uamiClientId.value)"
+  Write-Host "  Log Analytics       : $($outputs.logAnalyticsName.value)"
+  Write-Host ''
+  Write-Host 'Next steps:' -ForegroundColor Cyan
+  Write-Host "  1. Add '$($outputs.appUrl.value)/oauth/callback' as a redirect URI in your Entra ID app."
+  Write-Host "  2. Re-run with -PublicBaseUrl '$($outputs.appUrl.value)' so OAuth metadata returns the public URL."
+  Write-Host "  3. Test : curl $($outputs.appUrl.value)/.well-known/oauth-authorization-server"
+  Write-Host "  4. Logs : az containerapp logs show -n '$BaseName-app' -g '$ResourceGroup' --follow"
+}
+finally {
+  Remove-Item $paramsFile.FullName -ErrorAction SilentlyContinue
+  $secretPlain = $null
+  [GC]::Collect()
+}

package/examples/azure-container-apps/main.bicep ADDED Viewed

@@ -0,0 +1,252 @@
+// ms-365-mcp-server — Azure Container Apps deployment (community example)
+//
+// Deploys a turnkey stack:
+//   - Log Analytics workspace
+//   - User-Assigned Managed Identity (UAMI)
+//   - Key Vault (RBAC) with MCP secrets
+//   - Container Apps Environment (Consumption)
+//   - Container App running the server in Streamable HTTP mode
+//
+// The container uses DefaultAzureCredential (via the UAMI) to read secrets
+// from Key Vault at startup — credentials never appear in environment variables.
+@description('Base name prefix for all resources (lowercase, 3-20 chars, e.g. ms365mcpprod)')
+@minLength(3)
+@maxLength(20)
+param baseName string
+@description('Azure region. Defaults to the resource group location.')
+param location string = resourceGroup().location
+@description('Container image reference (public image by default).')
+param containerImage string = 'ghcr.io/softeria/ms-365-mcp-server:latest'
+@description('Entra ID tenant ID (GUID).')
+param tenantId string
+@description('Entra ID app registration clientId used by the MCP server.')
+param mcpClientId string
+@secure()
+@description('Client secret for the MCP app registration. Leave empty for a public client.')
+param mcpClientSecret string = ''
+@description('Microsoft cloud type: global, gcc-high, dod, china. Defaults to global.')
+@allowed([
+  'global'
+  'gcc-high'
+  'dod'
+  'china'
+])
+param cloudType string = 'global'
+@description('CORS origin for the MCP HTTP endpoint. Set to your client URL (e.g. https://claude.ai).')
+param corsOrigin string = 'http://localhost:3000'
+@description('Public base URL advertised in OAuth metadata. Derived from ingress FQDN after first deploy — leave empty initially, then redeploy with the assigned URL.')
+param publicBaseUrl string = ''
+@description('Object IDs of users/groups granted Key Vault Administrator role (for rotating secrets).')
+param kvAdminObjectIds array = []
+@description('Enable --org-mode (Teams, SharePoint, Groups, etc.). Defaults to true.')
+param orgMode bool = true
+@description('Enable --read-only flag (disables write operations).')
+param readOnly bool = false
+@description('Min replicas for autoscale. Set to 0 for scale-to-zero (cold start ~2-5s).')
+param minReplicas int = 0
+@description('Max replicas for autoscale.')
+param maxReplicas int = 3
+@description('Tags applied to all resources.')
+param tags object = {
+  project: 'ms-365-mcp-server'
+  managedBy: 'bicep'
+}
+// ---------- Derived ----------
+var suffix = toLower(substring(uniqueString(resourceGroup().id), 0, 5))
+var logName = '${baseName}-log-${suffix}'
+var uamiName = '${baseName}-uami'
+var kvName = take('${baseName}kv${suffix}', 24)
+var caeName = '${baseName}-cae'
+var appName = '${baseName}-app'
+// Built-in role definition IDs
+var roleKvSecretsUser = '4633458b-17de-408a-b874-0445c86b69e6'
+var roleKvAdministrator = '00482a5a-887f-4fb3-b363-3b7fe8e74483'
+// ---------- Log Analytics ----------
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+  name: logName
+  location: location
+  tags: tags
+  properties: {
+    sku: { name: 'PerGB2018' }
+    retentionInDays: 30
+    features: { enableLogAccessUsingOnlyResourcePermissions: true }
+  }
+}
+// ---------- User-Assigned Managed Identity ----------
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+  name: uamiName
+  location: location
+  tags: tags
+}
+// ---------- Key Vault (RBAC) ----------
+resource kv 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
+  name: kvName
+  location: location
+  tags: tags
+  properties: {
+    sku: { family: 'A', name: 'standard' }
+    tenantId: tenantId
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 30
+    enablePurgeProtection: true
+    publicNetworkAccess: 'Enabled'
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Allow'
+    }
+  }
+}
+resource secretClientId 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-client-id'
+  properties: { value: mcpClientId }
+}
+resource secretTenantId 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-tenant-id'
+  properties: { value: tenantId }
+}
+resource secretCloudType 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: kv
+  name: 'ms365-mcp-cloud-type'
+  properties: { value: cloudType }
+}
+resource secretClientSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = if (!empty(mcpClientSecret)) {
+  parent: kv
+  name: 'ms365-mcp-client-secret'
+  properties: { value: mcpClientSecret }
+}
+// Grant UAMI the Key Vault Secrets User role on the vault
+resource roleUami 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: kv
+  name: guid(kv.id, uami.id, roleKvSecretsUser)
+  properties: {
+    principalId: uami.properties.principalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleKvSecretsUser)
+  }
+}
+// Grant human admins the Key Vault Administrator role (to rotate secrets)
+resource roleAdmins 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for oid in kvAdminObjectIds: {
+  scope: kv
+  name: guid(kv.id, oid, roleKvAdministrator)
+  properties: {
+    principalId: oid
+    principalType: 'User'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleKvAdministrator)
+  }
+}]
+// ---------- Container Apps Environment ----------
+resource cae 'Microsoft.App/managedEnvironments@2024-03-01' = {
+  name: caeName
+  location: location
+  tags: tags
+  properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalytics.properties.customerId
+        sharedKey: logAnalytics.listKeys().primarySharedKey
+      }
+    }
+    workloadProfiles: [
+      { name: 'Consumption', workloadProfileType: 'Consumption' }
+    ]
+  }
+}
+// ---------- Container App ----------
+var containerArgs = concat(['--http', '3000'], orgMode ? ['--org-mode'] : [], readOnly ? ['--read-only'] : [])
+resource app 'Microsoft.App/containerApps@2024-03-01' = {
+  name: appName
+  location: location
+  tags: tags
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${uami.id}': {}
+    }
+  }
+  properties: {
+    managedEnvironmentId: cae.id
+    configuration: {
+      activeRevisionsMode: 'Single'
+      ingress: {
+        external: true
+        targetPort: 3000
+        transport: 'auto'
+        allowInsecure: false
+        traffic: [ { latestRevision: true, weight: 100 } ]
+      }
+    }
+    template: {
+      containers: [
+        {
+          name: 'mcp'
+          image: containerImage
+          args: containerArgs
+          resources: {
+            cpu: json('0.5')
+            memory: '1.0Gi'
+          }
+          env: [
+            { name: 'MS365_MCP_KEYVAULT_URL', value: kv.properties.vaultUri }
+            { name: 'MS365_MCP_CORS_ORIGIN', value: corsOrigin }
+            { name: 'MS365_MCP_BASE_URL', value: empty(publicBaseUrl) ? '' : publicBaseUrl }
+            { name: 'AZURE_CLIENT_ID', value: uami.properties.clientId }
+            { name: 'NODE_ENV', value: 'production' }
+          ]
+        }
+      ]
+      scale: {
+        minReplicas: minReplicas
+        maxReplicas: maxReplicas
+        rules: [
+          {
+            name: 'http-scale'
+            http: { metadata: { concurrentRequests: '10' } }
+          }
+        ]
+      }
+    }
+  }
+  dependsOn: [ roleUami, secretClientId, secretTenantId, secretCloudType ]
+}
+// ---------- Outputs ----------
+output appFqdn string = app.properties.configuration.ingress.fqdn
+output appUrl string = 'https://${app.properties.configuration.ingress.fqdn}'
+output keyVaultUri string = kv.properties.vaultUri
+output keyVaultName string = kv.name
+output uamiName string = uami.name
+output uamiClientId string = uami.properties.clientId
+output logAnalyticsName string = logAnalytics.name

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.80.0",
+  "version": "0.82.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",

package/src/endpoints.json CHANGED Viewed

@@ -1442,5 +1442,54 @@
     "toolName": "update-place",
     "workScopes": ["Place.ReadWrite.All"],
     "llmTip": "Updates properties of a place (room, room list, building, floor, section, desk, workspace). Body can include: displayName, phone, capacity, building, floorNumber, floorLabel, tags, audioDeviceName, videoDeviceName, displayDeviceName, isWheelChairAccessible. Use get-room or get-room-list to verify current values before updating."
+  },
+  {
+    "pathPattern": "/me/insights/trending",
+    "method": "get",
+    "toolName": "list-trending-insights",
+    "workScopes": ["Sites.Read.All"],
+    "llmTip": "Lists documents trending around the current user. Each item has resourceVisualization (title, type, previewImageUrl, containerDisplayName), resourceReference (webUrl, id, type), and weight (relevance score). Use $filter=resourceVisualization/type eq 'PowerPoint' to filter by file type. Use $orderby=weight/value desc to sort by relevance."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/cancel",
+    "method": "post",
+    "toolName": "cancel-calendar-event",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Cancels a meeting (organizer only) and sends a cancellation message to all attendees. Body: { Comment (optional string, custom message) }. Use this instead of delete-calendar-event when you want attendees to see 'Canceled' in their calendar. Attendees calling this get HTTP 400 — they should use decline-calendar-event instead."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/forward",
+    "method": "post",
+    "toolName": "forward-calendar-event",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Forwards a meeting invitation to additional recipients. Body: { ToRecipients: [{ emailAddress: { address, name } }], Comment (optional) }. If the forwarder is an attendee (not organizer), the organizer is also notified and the new recipient is added to the organizer's attendee list."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/snoozeReminder",
+    "method": "post",
+    "toolName": "snooze-calendar-event-reminder",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Postpones a triggered event reminder. Body: { NewReminderTime: { dateTime (ISO 8601), timeZone (IANA or Windows, e.g. 'Pacific Standard Time') } }. The reminder will re-fire at the new time."
+  },
+  {
+    "pathPattern": "/me/events/{event-id}/dismissReminder",
+    "method": "post",
+    "toolName": "dismiss-calendar-event-reminder",
+    "scopes": ["Calendars.ReadWrite"],
+    "llmTip": "Dismisses a triggered event reminder so it won't re-fire. No request body required. Pair with list-calendar-events or get-schedule to find active reminders."
+  },
+  {
+    "pathPattern": "/me/events/delta()",
+    "method": "get",
+    "toolName": "list-calendar-events-delta",
+    "scopes": ["Calendars.Read"],
+    "llmTip": "Incremental sync of events across the default calendar. First call returns all events plus @odata.deltaLink. Subsequent calls with that link return only additions/updates/removals. Use $select to limit fields. Deltas expire after ~30 days — start over if the server returns 410 Gone. For a time-bounded view with delta semantics, use list-calendar-view-delta instead."
+  },
+  {
+    "pathPattern": "/me/calendarView/delta()",
+    "method": "get",
+    "toolName": "list-calendar-view-delta",
+    "scopes": ["Calendars.Read"],
+    "llmTip": "Incremental sync of events within a time window. Required query params on first call: startDateTime, endDateTime (ISO 8601). Returns events in the window plus @odata.deltaLink; subsequent calls with that link return only changes. Expands recurring events to individual occurrences (unlike list-calendar-events-delta which returns the series master). Use this for calendar UIs showing a week/month view."
   }
 ]