M365

Headless OAuth flow for Microsoft 365 integrations.

Default State

• Bundled with KafClaw
• Disabled by default

What It Does

• Supports headless OAuth enrollment for Microsoft 365/Graph APIs.
• Stores token state securely for runtime use by the local agent.
• Enables policy-gated Outlook/Calendar/Drive/Teams operations.

For key backend options and storage/security posture, see Skills.

Install / Enable

No external install needed (bundled skill). Enable it:

kafclaw skills enable-skill m365

Start

kafclaw skills auth start m365 \
  --client-id '<client-id>' \
  --client-secret '<client-secret>' \
  --redirect-uri 'http://localhost:53682/callback' \
  --tenant-id '<tenant-or-common>' \
  --access 'mail,calendar,files'

Complete

kafclaw skills auth complete m365 \
  --callback-url 'http://localhost:53682/callback?code=...&state=...'

Usage

• Start flow, sign in, approve scopes, then paste callback URL to complete enrollment.
• Prefer tenant-specific app registration and least-privilege scopes.
• OAuth flow start/complete events are recorded in chained security audit logs (see Skills).
• Agent read-only tool:
  • m365_read with operation=mail_list_messages|calendar_list_events|onedrive_list_children
  • include Mail.Read / Calendars.Read / Files.Read scopes during auth start for the operation you need.
• Configure capability defaults (used by skills auth start when --scopes is omitted):
  • kafclaw configure --m365-read mail,files

Troubleshooting

• If token exchange fails, verify tenant ID, redirect URI, and Graph app permissions.
• If callback parsing fails, pass the full URL including query string.
• If you rotate app credentials, re-enroll token state with a new start/complete flow.