From microsoft-graph
Use this skill when connecting the Microsoft Graph MCP Server for Enterprise to the Wyre MCP Gateway — registering the BYOC multi-tenant Entra app, supplying tenantId/clientId/clientSecret, and (the part everyone misses) granting per-tenant admin consent for the MCP.* delegated permissions out of band. Also covers the preview status and the 100 calls/min/user rate limit.
How this skill is triggered — by the user, by Claude, or both
Slash command
/microsoft-graph:connectionWhen to use
When setting up, troubleshooting, or explaining the microsoft-graph connection — Entra app registration, redirect URI, client secret, admin consent failures, or 'why is the tenant returning no data'. Use when: connect microsoft graph, microsoft graph mcp, graph enterprise mcp, entra app registration, admin consent, byoc entra, microsoft graph setup, graph mcp no data, tenant consent, or microsoft graph rate limit.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The Microsoft Graph MCP Server for Enterprise is a Microsoft-hosted MCP server (public **preview**) at `https://mcp.svc.cloud.microsoft/enterprise`. It is reached through the Wyre MCP Gateway as the `microsoft-graph` vendor. Getting it working is a three-part job: register an Entra app, connect it through the gateway, and — the step that breaks most onboardings — grant per-tenant admin consent ...
The Microsoft Graph MCP Server for Enterprise is a Microsoft-hosted MCP server (public preview) at https://mcp.svc.cloud.microsoft/enterprise. It is reached through the Wyre MCP Gateway as the microsoft-graph vendor. Getting it working is a three-part job: register an Entra app, connect it through the gateway, and — the step that breaks most onboardings — grant per-tenant admin consent out of band.
Read this whole skill before connecting. The admin-consent requirement is non-obvious and the failure mode (a connection that authenticates fine but returns nothing) looks like a different bug.
microsoft-graph vendor that proxies to https://mcp.svc.cloud.microsoft/enterprise.tenantId, clientId, and clientSecret in the gateway connection UI.organizations (the multi-tenant work/school endpoint).api://e8c77dc2-69b3-43f4-bc51-3213c9d915b4/.default — the resource identifier of the Graph Enterprise MCP service.In the customer-facing/partner tenant you control, register a multi-tenant app:
organizations, and you need the app to be consentable in each customer tenant.microsoft-graph connection UI (the gateway's OAuth callback). A Web platform is required because this is a confidential client doing an authorization-code flow.invalid_client on reconnect.MCP.* permissions the Graph Enterprise MCP server requires (the permission set is shown when you add the Graph Enterprise MCP / api://e8c77dc2-... API as a permission target). These are delegated permissions, not application permissions.microsoft-graph vendor.tenantId, clientId, clientSecret.organizations authority and stores the resulting delegated token.At this point the connection exists — but it will still return no data until Step 3 is done for each customer tenant.
This is the single most common reason a Graph MCP connection "works" but returns nothing.
The MCP.* delegated permissions are admin-restricted. The OAuth connect flow in Step 2 authenticates the user and mints a token, but it does not by itself grant the tenant-wide consent those permissions need. A Global Administrator in each customer tenant must grant admin consent out of band — once per customer tenant, before the connection can read that tenant's directory.
Have the customer's Global Admin open the admin-consent URL and approve:
https://login.microsoftonline.com/{customer-tenant-id}/adminconsent?client_id={your-client-id}
{customer-tenant-id} — the customer's Entra tenant ID (or their primary domain).{your-client-id} — the Application (client) ID of the BYOC app from Step 1.After the admin approves, the app gets a service principal in the customer tenant with the MCP.* delegated permissions consented tenant-wide. Calls for that tenant will now return data.
If you skip this: microsoft_graph_get and microsoft_graph_suggest_queries calls will fail or return empty for that tenant even though the gateway connection shows healthy and the token mints fine. Symptom is consent/permission errors (AADSTS65001 or similar) or a successful auth that yields no directory data.
Repeat Step 3 for every customer tenant you want to query. Steps 1 and 2 are one-time per MSP; Step 3 is per customer tenant.
GET requests to Microsoft Graph. There is no write path — by design.suggest_queries → get workflow is deliberately call-efficient; lean on it rather than fanning out many speculative get calls.| Symptom | Likely cause |
|---|---|
| Connection authenticates but every query returns empty/permission error | Per-tenant admin consent (Step 3) not granted for that customer tenant |
invalid_client on connect or reconnect | Client secret expired or the secret ID was pasted instead of the secret value |
| Redirect URI mismatch error during sign-in | The Web platform redirect URI in the app registration doesn't match the gateway's callback URL |
| Works for one tenant, not another | Admin consent granted for the first tenant only — run Step 3 again per tenant |
| PIM / privileged-role data missing | Tenant or caller lacks Microsoft Entra ID P2 |
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin microsoft-graphCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.