@mindstone/mcp-server-microsoft-files

Microsoft 365 OneDrive Files MCP server — list, search, get, download, upload, delete, move, copy, share files, and read text contents via the Microsoft Graph API.

Cohort-style Microsoft 365 OneDrive MCP. Reuses the OAuth surface owned by @mindstone/mcp-server-microsoft-mail, so the host signs in once and gets files plus mail plus calendar plus Teams plus SharePoint from the same credentials.

Status

• Version: 0.1.1 · npm
• Auth: OAuth (host-orchestrated, shared with mcp-server-microsoft-mail) (MS_CLIENT_ID)
• Tools: 13 (files, folders, sharing)
• Surface: cloud-api
• Hosts tested: Mindstone Rebel
• Machine-readable: STATUS.json
• Shared library: @mindstone/mcp-server-microsoft-shared

Why this exists

When we ported this in May 2026, Microsoft's own Graph MCP lineup did not yet ship a stand-alone OneDrive server, and the community options at the time treated OneDrive as its own login surface — every connector ran a separate OAuth dance and stored its own copy of the refresh token. We pulled the bundled connector out of MindstoneRebel as a 1:1 port so that the same five-connector Microsoft 365 cohort (mail, calendar, files, teams, SharePoint) shares a single set of credentials, a single shared-library package for token persistence and request timeouts, and the structured auth_required envelope the host already knows how to recover from. Files reuses @mindstone/mcp-server-microsoft-mail's authenticate_microsoft_account tool rather than declaring its own.

Example interaction

"Find the latest version of Q3-plan.docx in my OneDrive and give me a sharing link my team can read."

Tools the host calls:

1. search_files — name:Q3-plan.docx, returns the most recent matching item.
2. share_file — creates a read-only sharing link for that item.

Response (trimmed):

{
  "match": {
    "id": "01H7...",
    "name": "Q3-plan.docx",
    "lastModifiedDateTime": "2026-05-18T17:42:00Z"
  },
  "share": {
    "type": "view",
    "scope": "organization",
    "webUrl": "https://example-my.sharepoint.com/:w:/g/personal/.../EZk..."
  }
}

Requirements

• Node.js 20+
• npm
• A host application that performs the Microsoft OAuth flow and writes per-account token files into ${MS_CONFIG_DIR}/credentials/${sanitised-email}.token.json and an ${MS_CONFIG_DIR}/accounts.json index. This server reads those files; it does not initiate OAuth itself.

Quick Start

Install & build

cd <path-to-repo>/connectors/microsoft-files
npm install
npm run build

npx (once published)

npx -y @mindstone/mcp-server-microsoft-files

Local

node dist/index.js

Configuration

This server runs alongside a host application that owns the Microsoft 365 OAuth flow. The host writes credentials to disk; this server reads them.

Required environment variables

| Name | Description | | ---- | ----------- | | MS_CLIENT_ID | Microsoft Entra (Azure AD) application client ID. | | MS_CONFIG_DIR | Path to the per-user Microsoft config directory (credentials/, accounts.json). |

Optional environment variables

| Name | Description | Default | | ---- | ----------- | ------- | | MS_ACCOUNT_EMAIL | Account email when running in multi-account per-instance mode. | First account in accounts.json. | | MS_MCP_PACKAGE_ID | Logical package ID surfaced in error responses. | Microsoft365Files | | MICROSOFT_REQUEST_TIMEOUT_MS | Override the upstream Microsoft Graph request timeout (max 300000 ms). | 60000 | | MICROSOFT_DISABLE_REFRESH | Set to 1 to disable token refresh on this surface. Tools fail closed with the structured auth_required response so the host can drive reauth. Cloud surfaces set this to 1. | unset |

Host configuration examples

Claude Desktop / Cursor

{
  "mcpServers": {
    "Microsoft365Files": {
      "command": "npx",
      "args": ["-y", "@mindstone/mcp-server-microsoft-files"],
      "env": {
        "MS_CLIENT_ID": "your-entra-application-client-id",
        "MS_CONFIG_DIR": "/absolute/path/to/microsoft-config"
      }
    }
  }
}

Sign in via @mindstone/mcp-server-microsoft-mail's authenticate_microsoft_account first; the files tools then reuse the credentials it writes to ${MS_CONFIG_DIR}/.

Local development (no npm publish needed)

{
  "mcpServers": {
    "Microsoft365Files": {
      "command": "node",
      "args": ["<path-to-repo>/connectors/microsoft-files/dist/index.js"],
      "env": {
        "MS_CLIENT_ID": "your-entra-application-client-id",
        "MS_CONFIG_DIR": "/absolute/path/to/microsoft-config"
      }
    }
  }
}

Tools (13)

| Tool | Description | | ---- | ----------- | | list_files | List files and folders in OneDrive (root by default). | | get_file | Get metadata for a specific file or folder. | | download_file | Get a short-lived download URL for a file. | | search_files | Search for files in OneDrive by name or content. | | upload_file | Upload a text file to OneDrive (max 4 MB). | | create_folder | Create a new folder in OneDrive. | | delete_file | Delete a file or folder. | | move_file | Move a file or folder to a new location. | | copy_file | Copy a file or folder to a new location. | | get_recent | List recently accessed files. | | get_shared | List files shared with you by others. | | share_file | Create a sharing link for a file or folder. | | read_text_file | Read the contents of a text file. |

Security notes

• No authentication tool of its own; sign-in is delegated to @mindstone/mcp-server-microsoft-mail so the cohort has a single OAuth surface.
• Token-provider refresh failures map to the structured auth_required response so the host can drive reauth without crashing.
• upload_file enforces empty-content validation in line with the bundled connector to reject zero-byte uploads as a misuse.
• Per-tool Graph calls run under a composed caller + cohort timeout signal.

Licence

FSL-1.1-MIT — Functional Source License, Version 1.1, with MIT future licence. Free for non-competing use; relicenses to MIT on the converter date in LICENSE.