🇺🇸English

Microsoft Graph Agent Skill

Search, look up, and call any of the 27,700+ Microsoft Graph APIs — all locally, no network calls needed. Use the three search commands to find the right endpoint, check permissions and parameters, then optionally execute calls directly or hand off to a Graph MCP server.

What's Included

The Microsoft Graph API has 27,700+ endpoints updated weekly — well past LLM training cutoffs. This skill bundles the complete API surface as local indexes that you search instantly with no network calls.

How to Run

The msgraph CLI is bundled with this skill. Run all commands through the launcher script in this skill's directory:

• macOS / Linux : bash <path-to-this-skill>/scripts/run.sh <command> [args...]
• Windows : powershell <path-to-this-skill>/scripts/run.ps1 <command> [args...]

For example, to search for mail-related APIs on macOS:

bash /home/user/.opencode/skills/msgraph/scripts/run.sh openapi-search --query "send mail"

In all examples below, msgraph is shorthand for the full launcher invocation.

Finding the Right API

This is the primary purpose of the skill. Follow this progressive lookup strategy — each level adds detail:

1. Your own knowledge — try first for well-known endpoints (/me, /users, /groups).
2. sample-search — curated, hand-verified samples. Highest quality. Use for common tasks and multi-step workflows.
3. api-docs-search — per-endpoint permissions, supported query parameters, required headers, default vs $select-only properties, and resource property details with filter operators.
4. openapi-search — full catalog of 27,700 Graph APIs. Use when you cannot find the endpoint any other way.
5. Reference files — concept docs on query parameters, advanced queries, paging, batching, throttling, errors, and best practices. Read only when you need specific guidance.

This order is guidance — adapt based on the task. For example, jump straight to api-docs-search if you already know the endpoint but need its permissions.

sample-search

Search curated community samples that map natural-language tasks to exact Microsoft Graph API queries:

msgraph sample-search --query "conditional access policies"
msgraph sample-search --product entra
msgraph sample-search --query "managed devices" --product intune

At least one of --query or --product is required. Results include multi-step workflows.

api-docs-search

Look up detailed documentation for a specific endpoint or resource type:

msgraph api-docs-search --endpoint /users --method GET
msgraph api-docs-search --resource user
msgraph api-docs-search --query "ConsistencyLevel"

At least one of --endpoint, --resource, or --query is required.

Endpoint results include: required permissions (delegated work/school, delegated personal, application), supported OData query parameters, required headers, default properties, and endpoint-specific notes.

Resource results include: all properties with types, supported $filter operators (eq, ne, startsWith, etc.), and whether each property is returned by default or requires $select.

openapi-search

Search the full OpenAPI catalog of 27,700 Microsoft Graph APIs:

msgraph openapi-search --query "send mail"
msgraph openapi-search --resource messages --method GET

At least one of --query, --resource, or --method is required.

Using with MCP Servers

If the agent has access to a Microsoft Graph MCP server (such as lokka.dev or any other Microsoft Graph MCP server), use the search tools above to find the right endpoint, permissions, and request syntax, then use the information with the MCP server for execution.

In this mode, no authentication through this skill is needed. The skill acts purely as a knowledge layer — the MCP server handles authentication and API execution.

Direct Microsoft Graph API Execution

When no Graph MCP server is available, this skill can authenticate to Microsoft 365 and execute Microsoft Graph API calls directly.

Authentication

The tool supports delegated (user) and app-only (application) authentication, auto-detected from environment variables.

Quick start:

msgraph auth status          # check if signed in
msgraph auth signin          # sign in (opens browser) - recommended
msgraph auth signin --device-code  # sign in via device code (headless)
msgraph auth signout         # clear the session

• Delegated auth (default): Interactive browser sign-in, with device code fallback for headless environments. Supports incremental consent — on 403, the tool re-authenticates with required scopes and retries automatically.
• App-only auth : Auto-detected when MSGRAPH_CLIENT_SECRET, MSGRAPH_CLIENT_CERTIFICATE_PATH, MSGRAPH_FEDERATED_TOKEN_FILE, or MSGRAPH_AUTH_METHOD=managed-identity is set. Requires MSGRAPH_TENANT_ID.

For detailed authentication configuration including certificates, managed identity, workload identity federation, and all environment variables, see references/docs/authentication.md.

Making Graph API Calls

IMPORTANT : Run msgraph auth status before the first graph-call in a session to verify authentication.

msgraph graph-call <METHOD> <URL> [flags]

Read Operations

msgraph graph-call GET /me
msgraph graph-call GET /users --select "displayName,mail" --top 10
msgraph graph-call GET /me/messages --filter "isRead eq false" --top 5 --select "subject,from,receivedDateTime"
msgraph graph-call GET /users --filter "startsWith(displayName,'John')"

Write Operations

IMPORTANT : YOU MUST ask the user for confirmation before any write operation. Write operations require the --allow-writes flag.

msgraph graph-call POST /me/sendMail --body '{"message":{"subject":"Hello","body":{"content":"Hi"},"toRecipients":[{"emailAddress":{"address":"user@example.com"}}]}}' --allow-writes
msgraph graph-call PATCH /me --body '{"jobTitle":"Engineer"}' --allow-writes

DELETE is always blocked regardless of flags.

graph-call Flags

Critical Rules

Always (search and knowledge)

1. Never guess or fabricate Microsoft Graph endpoints — always verify via search before calling. This skill exists because agents hallucinate endpoints; use it.
2. Use the progressive lookup strategy — start with what you know, then sample-search, api-docs-search, openapi-search as needed.
3. Use--select to reduce response size — only request fields you need.
4. Use--top to limit results — avoid fetching thousands of records.
5. ConsistencyLevel header is required for $count and $search on directory objects (users, groups, etc.). Use --headers "ConsistencyLevel:eventual".
6. Default API version is beta — use --api-version v1.0 for production-stable endpoints.

When using direct execution (graph-call)

1. Check auth status before the first graph-call in a session.
2. GET is the default — no special flags needed.
3. Write operations require--allow-writes — YOU MUST confirm with the user first.
4. DELETE is always blocked — inform the user this is not supported.
5. 403 triggers automatic re-auth — the tool requests additional scopes and retries (delegated auth only).
6. All output is JSON — parse statusCode and body fields from the response.

Error Handling

Environment Variables

For the full list of authentication environment variables, see references/docs/authentication.md.

Compatibility

Search tools run fully offline with no network access required. Direct API execution requires network access to login.microsoftonline.com and graph.microsoft.com. A system browser is used for interactive auth; falls back to device code flow in headless environments.

Reference Files

Load these on demand when you need specific guidance. Do NOT load them preemptively.

Weekly Installs

151

Repository

merill/msgraph

GitHub Stars

37

First Seen

Mar 2, 2026

Security Audits

Gen Agent Trust HubPassSocketPassSnykPass

Installed on

codex149

gemini-cli149

kimi-cli149

cursor149

opencode149

github-copilot149