Improved microsoft auth provider

app/en/references/auth-providers/microsoft/_meta.tsx

@@ -0,0 +1,12 @@
+import type { MetaRecord } from "nextra";
+
+const meta: MetaRecord = {
+  index: {
+    title: "Overview",
+  },
+  "permissions-and-scopes": {
+    title: "Permissions and scopes",
+  },
+};
+
+export default meta;

app/en/references/auth-providers/microsoft/page.mdx

@@ -2,98 +2,219 @@ import { Tabs, Callout, Steps } from "nextra/components";
 
 # Microsoft
 
-<Callout type="info">
-  At this time, Arcade does not offer a default Microsoft Auth Provider. To use
-  Microsoft auth, you must create a custom Auth Provider with your own Microsoft
-  OAuth 2.0 credentials as described below.
-</Callout>
+The Microsoft auth provider enables tools and agents to call the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/overview) on behalf of a user. It supports Arcade's MCP servers for [Outlook Calendar](/resources/integrations/productivity/outlook-calendar), [Outlook Mail](/resources/integrations/productivity/outlook-mail), [Microsoft Teams](/resources/integrations/social/microsoft-teams), and [SharePoint](/resources/integrations/productivity/sharepoint), as well as your own custom tools and app code.
 
-The Microsoft auth provider enables tools and agents to call the Microsoft Graph API on behalf of a user.
+## On this page
 
-### What's documented here
+- [Configure Microsoft auth](#configure-microsoft-auth) — three options depending on your security posture
+- [Production readiness](#production-readiness) — custom user verifier, admin consent, conditional access
+- [MCP server scopes reference](#mcp-server-scopes-reference) — which permissions each MCP server requires
+- [Use Microsoft auth in app code](#use-microsoft-auth-in-app-code) — get a user token for Graph API calls
+- [Use Microsoft auth in custom tools](#use-microsoft-auth-in-custom-tools) — build tools that call Graph APIs
 
-This page describes how to use and configure Microsoft auth with Arcade.
+## Configure Microsoft auth
 
-This auth provider is used by:
+Arcade supports three ways to connect Microsoft auth. Choose based on your team's security requirements and how much control you need over the Azure app registration.
 
-- Your [app code](#using-microsoft-auth-in-app-code) that needs to call Microsoft Graph APIs
-- Or, your [custom tools](#using-microsoft-auth-in-custom-tools) that need to call Microsoft Graph APIs
+| | Option 1: Included provider | Option 2: Multi-tenant app | Option 3: Tenant-specific app |
+| --- | --- | --- | --- |
+| **Azure setup** | None — Arcade provisions the app | You register in Azure Portal | You register in Azure Portal |
+| **Tenant scope** | Any organization | Any organization | Single tenant only |
+| **Permission control** | Scopes fixed per approval cycle | Full control | Full control |
+| **Branding** | Arcade branding on consent screen | Your app's branding | Your app's branding |
+| **Best for** | Getting started, prototyping | Production with cross-org access | Production with strict tenant isolation |
 
-## Configuring Microsoft auth
+### Option 1: Use Arcade's included provider
 
-<Callout type="info">
-  When using your own app credentials, make sure you configure your project to
-  use a [custom user
-  verifier](/guides/user-facing-agents/secure-auth-production#build-a-custom-user-verifier).
-  Without this, your end-users will not be able to use your app or agent in
-  production.
-</Callout>
+The fastest path. Arcade provides a pre-configured Microsoft OAuth app — no Azure app registration required. Your IT or security team approves the app in Microsoft Entra ID, and you're ready to go.
+
+**Trade-off:** The granted scopes are tied to the specific agent use case. If you add MCP servers or tools that require additional permissions, your security team will need to approve the updated scope set.
 
-In a production environment, you will most likely want to use your own Microsoft app credentials. This way, your users will see your application's name requesting permission.
+<Steps>
 
+#### Go to the Arcade Dashboard
 
-Before showing how to configure your Microsoft app credentials, let's go through the steps to create a Microsoft app.
+Navigate to the [Arcade Dashboard](https://api.arcade.dev/dashboard). If you are self-hosting, the dashboard is available at `http://localhost:9099/dashboard` by default.
 
-### Create a Microsoft app
+#### Add the included Microsoft provider
 
-- Follow Microsoft's guide to [registering an app with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
-- Choose the permissions (scopes) you need for your app. Refer to the [section below](#arcade-microsoft-MCP Servers-scopes) for a list of scopes needed by the Arcade Microsoft MCP Servers, in case you intend to use them.
-- Set the redirect URL to the redirect URL generated by Arcade (see below)
-- Copy the client ID and client secret to use below
+1. Under **Connections**, click **Connected Apps**
+2. Click **+ Add OAuth Provider**
+3. Select the **Included Providers** tab
+4. In the **Provider** dropdown, select **Microsoft**
 
-Next, add the Microsoft app to Arcade.
-### Arcade Microsoft MCP Servers Scopes
+#### Configure the provider
 
+1. Choose a unique **ID** for your provider (e.g., `my-microsoft-provider`)
+2. Optionally enter a **Description**
+3. Click **Create**
 Below is the list of scopes required by the Arcade Microsoft MCP servers that have integration documentation:
 
 | MCP Server                                                     | Required Permissions                                                                                                                                                                                                                                 |
 | -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [Teams](/resources/integrations/social/microsoft-teams)             | `Channel.ReadBasic.All`<br/>`ChannelMessage.Read.All`<br/>`ChannelMessage.Send`<br/>`Chat.Create`<br/>`Chat.Read`<br/>`ChatMessage.Read`<br/>`ChatMessage.Send`<br/>`People.Read`<br/>`Team.ReadBasic.All`<br/>`TeamMember.Read.All`<br/>`User.Read` |
 | [SharePoint](/resources/integrations/productivity/microsoft-sharepoint)             | `Sites.Read.All`                                                                                                                                                                                                                                     |
 
-## Configuring your own Microsoft Auth Provider in Arcade
+#### IT / security approval
 
+Share the app details with your IT or security team. They will need to:
 
+1. Locate the Arcade app in **Enterprise Applications** in the [Azure Portal](https://portal.azure.com)
+2. Review the requested permissions
+3. Grant admin consent for your organization
 
-<Tabs items={["Dashboard GUI"]}>
-<Tabs.Tab>
+Once approved, users in your organization can authorize through the standard OAuth flow.
+
+</Steps>
+
+### Option 2: Register a multi-tenant Azure app
+
+Register your own app in Azure to get full control over branding, permissions, and token policies. This configuration allows users from any Azure AD tenant to authenticate.
+
+<Steps>
+
+#### Create app registration
+
+1. Go to [Azure Portal](https://portal.azure.com)
+2. Search for **App Registrations**
+3. Click **+ New Registration**
+4. Configure:
+   - **Name:** Your preferred name (e.g., "Acme OAuth App")
+   - **Supported account types:** "Accounts in any organizational directory (Multitenant)"
+   - **Redirect URI:**
+     - **Type:** Web
+     - **URL:** `https://cloud.arcade.dev/api/v1/oauth/XXXXX/callback` (copy from your [Arcade Dashboard](https://api.arcade.dev/dashboard))
+5. Click **Register**
+
+#### Create client secret
+
+1. In your app registration, go to **Certificates & secrets**
+2. Click **+ New client secret**
+3. Add a description (e.g., "Acme Arcade Integration")
+4. Set the expiry period (recommended: 24 months)
+5. Click **Add**
+
+<Callout type="warning">
+  Copy and save the secret value immediately. It won't be shown again.
+</Callout>
+
+#### Configure API permissions
+
+1. Go to **API permissions** in your app registration
+2. Click **+ Add a permission**
+3. Select **Microsoft Graph**
+4. Select **Delegated permissions**
+5. Add the required scopes based on which MCP servers you're using (see [MCP server scopes reference](#mcp-server-scopes-reference) or the [detailed per-tool breakdown](/references/auth-providers/microsoft/permissions-and-scopes))
+6. Click **Add permissions**
+7. If any permissions require admin consent, click **Grant admin consent for [Your Organization]**
+
+#### Configure in Arcade
+
+1. Go to the [Arcade Dashboard](https://api.arcade.dev/dashboard)
+2. Under **Connections**, click **Connected Apps**
+3. Click **+ Add OAuth Provider**
+4. Select **Microsoft** from the included providers list
+5. Configure:
+   - **Provider ID:** Your preferred identifier (e.g., `acme-microsoft`)
+   - **Client ID:** Copy from Azure App Registration "Application (client) ID"
+   - **Client Secret:** The secret value you saved earlier
+6. Click **Create**
+
+</Steps>
+
+### Option 3: Register a tenant-specific Azure app
 
-### Configure Microsoft Auth Using the Arcade Dashboard GUI
+Restrict authentication to a single Microsoft Entra ID tenant. Use this when your organization's security policy requires tenant isolation.
 
 <Steps>
 
-#### Access the Arcade Dashboard
+#### Get your tenant ID
 
-To access the Arcade Cloud dashboard, go to [api.arcade.dev/dashboard](https://api.arcade.dev/dashboard). If you are self-hosting, by default the dashboard will be available at http://localhost:9099/dashboard. Adjust the host and port number to match your environment.
+1. Go to [Azure Portal](https://portal.azure.com)
+2. Search for **Microsoft Entra ID** (formerly Azure Active Directory)
+3. On the Overview page, find your **Tenant ID** (a GUID like `12345678-1234-1234-1234-123456789abc`)
+4. Copy and save this Tenant ID
 
-#### Navigate to the OAuth Providers page
+#### Create app registration
 
-- Under the **Connections** section of the Arcade Dashboard left-side menu, click **Connected Apps**.
-- Click **Add OAuth Provider** in the top right corner.
-- Select the **Included Providers** tab at the top.
-- In the **Provider** dropdown, select **Microsoft**.
+Follow the same steps as [Option 2](#option-2-register-a-multi-tenant-azure-app), but for **Supported account types**, select:
 
-#### Enter the provider details
+- "Accounts in this organizational directory only (Single tenant)"
 
-- Choose a unique **ID** for your provider (e.g. "my-microsoft-provider").
-- Optionally enter a **Description**.
-- Enter the **Client ID** and **Client Secret** from your Microsoft app.
-- Note the **Redirect URL** generated by Arcade. This must be set as your Microsoft app's redirect URL.
+#### Configure API permissions
 
-#### Create the provider
+Follow the same steps as [Option 2](#configure-api-permissions).
 
-Hit the **Create** button and the provider will be ready to be used.
+#### Configure in Arcade (custom provider)
+
+Tenant-specific endpoints require the **Custom Provider** option in Arcade:
+
+1. Go to the [Arcade Dashboard](https://api.arcade.dev/dashboard)
+2. Under **Connections**, click **Connected Apps**
+3. Click **+ Add OAuth Provider**
+4. Select **Custom Provider**
+5. Configure:
+   - **Provider ID:** Your preferred identifier (e.g., `acme-microsoft-tenant`)
+   - **Client ID:** Copy from Azure App Registration
+   - **Client Secret:** The secret value you saved
+   - **Authorization Endpoint:** `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize`
+   - **Token Endpoint:** `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token`
+   - **Scopes:** `https://graph.microsoft.com/.default offline_access`
+
+   Replace `{tenant-id}` with your actual Tenant ID.
+
+6. Click **Create**
 
 </Steps>
 
-When you use tools that require Microsoft auth using your Arcade account credentials, Arcade will automatically use this Microsoft OAuth provider. If you have multiple Microsoft providers, see [using multiple auth providers of the same type](/references/auth-providers#using-multiple-providers-of-the-same-type) for more information.
+## Production readiness
 
-</Tabs.Tab>
-</Tabs>
+### Custom user verifier
+
+For Options 2 and 3, where you bring your own Azure app credentials, you must configure a [custom user verifier](/guides/user-facing-agents/secure-auth-production#build-a-custom-user-verifier) before deploying to production.
+
+Without a custom verifier, your end-users would need an Arcade.dev account to complete the OAuth flow — which is not what you want in a production environment. The custom verifier lets your application handle user identity, so the auth flow stays within your own UX.
+
+<Callout type="warning">
+  Production deployments with custom app credentials will not work without a custom user verifier. Set this up before going live.
+</Callout>
+
+### Enterprise environment configuration
+
+For organizations that require additional security controls beyond the app registration:
+
+1. **Admin consent and conditional access:**
+   - Go to **Enterprise Applications** in Azure Portal
+   - Find your application
+   - Configure conditional access policies as required by your security team
+   - Set up user assignment requirements to control which users can authorize
+   - Grant tenant-wide admin consent if needed
+
+2. **Security team coordination:**
+   - Review the [required permissions per MCP server](#mcp-server-scopes-reference) with your security team before granting consent
+   - Ensure conditional access policies don't block Microsoft Graph API access
+   - Configure token lifetime policies that align with your organization's session management standards
+
+If you have multiple Microsoft providers configured in Arcade, see [using multiple auth providers of the same type](/references/auth-providers#using-multiple-providers-of-the-same-type).
+
+## MCP server scopes reference
+
+Each Arcade Microsoft MCP server requires a specific set of Microsoft Graph API delegated permissions. The table below summarizes the scopes per server. For a detailed breakdown of scopes per tool, including API endpoints, see [permissions and scopes](/references/auth-providers/microsoft/permissions-and-scopes).
+
+| MCP Server | Required Permissions |
+| --- | --- |
+| [Outlook Calendar](/resources/integrations/productivity/outlook-calendar) | `User.Read`, `Calendars.ReadBasic`, `Calendars.ReadWrite`, `MailboxSettings.Read` |
+| [Outlook Mail](/resources/integrations/productivity/outlook-mail) | `Mail.Read`, `Mail.ReadWrite`, `Mail.Send` |
+| [Microsoft Teams](/resources/integrations/social/microsoft-teams) | `User.Read`, `Team.ReadBasic.All`, `TeamMember.Read.All`, `Channel.ReadBasic.All`, `ChannelMessage.Read.All`, `ChannelMessage.Send`, `Chat.Read`, `Chat.Create`, `ChatMessage.Read`, `ChatMessage.Send`, `People.Read` |
+| [SharePoint](/resources/integrations/productivity/sharepoint) | `User.Read`, `Sites.Read.All` |
+
+<Callout type="info">
+  All Microsoft MCP servers use the default scope `https://graph.microsoft.com/.default`. When running locally or with custom deployments, you can update the base URL to point to your custom Microsoft Graph endpoint. API endpoints remain consistent across deployments.
+</Callout>
 
-## Using Microsoft auth in app code
+## Use Microsoft auth in app code
 
-Use the Microsoft auth provider in your own agents and AI apps to get a user token for Microsoft Graph APIs. See [authorizing agents with Arcade](/get-started/about-arcade) to understand how this works.
+Use the Microsoft auth provider in your agents and AI apps to get a user token for Microsoft Graph APIs. See [authorizing agents with Arcade](/get-started/about-arcade) to understand how this works.
 
 Use `client.auth.start()` to get a user token for Microsoft Graph APIs:
 
@@ -157,11 +278,11 @@ const token = authResponse.context.token;
 
 </Tabs>
 
-## Using Microsoft auth in custom tools
+## Use Microsoft auth in custom tools
 
-You can author your own [custom tools](/guides/create-tools/tool-basics/build-mcp-server) that interact with Microsoft Graph APIs.
+You can build your own [custom tools](/guides/create-tools/tool-basics/build-mcp-server) that interact with Microsoft Graph APIs.
 
-Use the `Microsoft()` auth class to specify that a tool requires authorization with Microsoft. The `context.authorization.token` field will be automatically populated with the user's Microsoft token:
+Use the `Microsoft()` auth class to specify that a tool requires authorization with Microsoft. The `context.authorization.token` field is automatically populated with the user's Microsoft token:
 
 ```python {5-6,9-13,20}
 from typing import Annotated