DiscordSign up
SKILLS.SH

msgraph

Up-to-date Microsoft Graph API knowledge for AI agents. Search 27,700+ Graph APIs, endpoint docs, resource schemas, and community samples — all locally, no…

INSTALLATION
npx skills add https://github.com/merill/msgraph --skill msgraph
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$27

  • macOS / Linux: bash <path-to-this-skill>/scripts/run.sh <command> [args...]
  • Windows: powershell <path-to-this-skill>/scripts/run.ps1 <command> [args...]

For example, to search for mail-related APIs on macOS:

bash /home/user/.opencode/skills/msgraph/scripts/run.sh openapi-search --query "send mail"

In all examples below, msgraph is shorthand for the full launcher invocation.

Finding the Right API

This is the primary purpose of the skill. Follow this progressive lookup strategy — each level adds detail:

  • Your own knowledge — try first for well-known endpoints (/me, /users, /groups).
  • **sample-search** — curated, hand-verified samples. Highest quality. Use for common tasks and multi-step workflows.
  • **api-docs-search** — per-endpoint permissions, supported query parameters, required headers, default vs $select-only properties, and resource property details with filter operators.
  • **openapi-search** — full catalog of 27,700 Graph APIs. Use when you cannot find the endpoint any other way.
  • Reference files — concept docs on query parameters, advanced queries, paging, batching, throttling, errors, and best practices. Read only when you need specific guidance.

This order is guidance — adapt based on the task. For example, jump straight to api-docs-search if you already know the endpoint but need its permissions.

sample-search

Search curated community samples that map natural-language tasks to exact Microsoft Graph API queries:

msgraph sample-search --query "conditional access policies"

msgraph sample-search --product entra

msgraph sample-search --query "managed devices" --product intune

Flag

Description

--query

Free-text search (searches intent and query fields)

--product

Filter by product: entra, intune, exchange, teams, sharepoint, security, general

--limit

Max results (default 10)

At least one of --query or --product is required. Results include multi-step workflows.

api-docs-search

Look up detailed documentation for a specific endpoint or resource type:

msgraph api-docs-search --endpoint /users --method GET

msgraph api-docs-search --resource user

msgraph api-docs-search --query "ConsistencyLevel"

Flag

Description

--endpoint

Search by endpoint path (e.g. /users, /me/messages)

--resource

Search by resource type name (e.g. user, group, message)

--method

Filter by HTTP method: GET, POST, PUT, PATCH

--query

Free-text search across all fields

--limit

Max results (default 10)

At least one of --endpoint, --resource, or --query is required.

Endpoint results include: required permissions (delegated work/school, delegated personal, application), supported OData query parameters, required headers, default properties, and endpoint-specific notes.

Resource results include: all properties with types, supported $filter operators (eq, ne, startsWith, etc.), and whether each property is returned by default or requires $select.

openapi-search

Search the full OpenAPI catalog of 27,700 Microsoft Graph APIs:

msgraph openapi-search --query "send mail"

msgraph openapi-search --resource messages --method GET

Flag

Description

--query

Free-text search (searches path, summary, description)

--resource

Filter by resource name (e.g. users, groups, messages)

--method

Filter by HTTP method

--limit

Max results (default 20)

At least one of --query, --resource, or --method is required.

Using with MCP Servers

If the agent has access to a Microsoft Graph MCP server (such as lokka.dev or any other Microsoft Graph MCP server), use the search tools above to find the right endpoint, permissions, and request syntax, then use the information with the MCP server for execution.

In this mode, no authentication through this skill is needed. The skill acts purely as a knowledge layer — the MCP server handles authentication and API execution.

Direct Microsoft Graph API Execution

When no Graph MCP server is available, this skill can authenticate to Microsoft 365 and execute Microsoft Graph API calls directly.

Authentication

The tool supports delegated (user) and app-only (application) authentication, auto-detected from environment variables.

Quick start:

msgraph auth status          # check if signed in

msgraph auth signin          # sign in (opens browser) - recommended

msgraph auth signin --device-code  # sign in via device code (headless)

msgraph auth signout         # clear the session
  • Delegated auth (default): Interactive browser sign-in, with device code fallback for headless environments. Supports incremental consent — on 403, the tool re-authenticates with required scopes and retries automatically.
  • App-only auth: Auto-detected when MSGRAPH_CLIENT_SECRET, MSGRAPH_CLIENT_CERTIFICATE_PATH, MSGRAPH_FEDERATED_TOKEN_FILE, or MSGRAPH_AUTH_METHOD=managed-identity is set. Requires MSGRAPH_TENANT_ID.

For detailed authentication configuration including certificates, managed identity, workload identity federation, and all environment variables, see references/docs/authentication.md.

Making Graph API Calls

IMPORTANT: Run msgraph auth status before the first graph-call in a session to verify authentication.

msgraph graph-call <METHOD> <URL> [flags]

#### Read Operations

msgraph graph-call GET /me

msgraph graph-call GET /users --select "displayName,mail" --top 10

msgraph graph-call GET /me/messages --filter "isRead eq false" --top 5 --select "subject,from,receivedDateTime"

msgraph graph-call GET /users --filter "startsWith(displayName,'John')"

#### Write Operations

IMPORTANT: YOU MUST ask the user for confirmation before any write operation. Write operations require the --allow-writes flag.

msgraph graph-call POST /me/sendMail --body '{"message":{"subject":"Hello","body":{"content":"Hi"},"toRecipients":[{"emailAddress":{"address":"user@example.com"}}]}}' --allow-writes

msgraph graph-call PATCH /me --body '{"jobTitle":"Engineer"}' --allow-writes

DELETE is always blocked regardless of flags.

#### graph-call Flags

Flag

Description

Example

--select

OData $select

--select "displayName,mail"

--filter

OData $filter

--filter "isRead eq false"

--top

OData $top (limit results)

--top 10

--expand

OData $expand

--expand "members"

--orderby

OData $orderby

--orderby "displayName desc"

--api-version

v1.0 or beta (default: beta)

--api-version v1.0

--scopes

Request additional permission scopes

--scopes "Mail.Read"

--headers

Custom HTTP headers

--headers "ConsistencyLevel:eventual"

--body

Request body (JSON)

--body '{"key":"value"}'

--output

json (default) or raw

--output raw

--allow-writes

Allow POST/PUT/PATCH (requires user confirmation)

Critical Rules

Always (search and knowledge)

  • Never guess or fabricate Microsoft Graph endpoints — always verify via search before calling. This skill exists because agents hallucinate endpoints; use it.
  • Use the progressive lookup strategy — start with what you know, then sample-search, api-docs-search, openapi-search as needed.
  • **Use --select** to reduce response size — only request fields you need.
  • **Use --top** to limit results — avoid fetching thousands of records.
  • ConsistencyLevel header is required for $count and $search on directory objects (users, groups, etc.). Use --headers "ConsistencyLevel:eventual".
  • Default API version is beta — use --api-version v1.0 for production-stable endpoints.

When using direct execution (graph-call)

  • Check auth status before the first graph-call in a session.
  • GET is the default — no special flags needed.
  • **Write operations require --allow-writes** — YOU MUST confirm with the user first.
  • DELETE is always blocked — inform the user this is not supported.
  • 403 triggers automatic re-auth — the tool requests additional scopes and retries (delegated auth only).
  • All output is JSON — parse statusCode and body fields from the response.

Error Handling

Status

Meaning

Action

401

Token expired

Run msgraph auth signin again

403

Insufficient permissions

Tool auto-retries with incremental consent. If still fails, user needs admin consent.

404

Resource not found

Verify the endpoint path

429

Rate limited

Wait for Retry-After duration, then retry

Environment Variables

Variable

Description

Default

MSGRAPH_CLIENT_ID

Custom Entra ID app client ID

Microsoft Graph CLI Tools app

MSGRAPH_TENANT_ID

Target tenant ID (required for app-only)

common

MSGRAPH_API_VERSION

Default API version

beta

MSGRAPH_INDEX_DB_PATH

Path to OpenAPI index database

Auto-detected

MSGRAPH_SAMPLES_DB_PATH

Path to samples index database

Auto-detected

MSGRAPH_API_DOCS_DB_PATH

Path to API docs index database

Auto-detected

MSGRAPH_NO_TOKEN_CACHE

Disable persistent token cache (in-memory only)

false

For the full list of authentication environment variables, see references/docs/authentication.md.

Compatibility

Search tools run fully offline with no network access required. Direct API execution requires network access to login.microsoftonline.com and graph.microsoft.com. A system browser is used for interactive auth; falls back to device code flow in headless environments.

Reference Files

Load these on demand when you need specific guidance. Do NOT load them preemptively.

File

When to Read

Size

references/REFERENCE.md

Common resource paths, OData patterns, permission scopes

~230 lines

references/docs/authentication.md

Detailed auth configuration: certificates, managed identity, workload identity, all env vars

~200 lines

references/docs/query-parameters.md

OData $select, $filter, $expand, $top, $orderby, $search syntax and gotchas

~300 lines

references/docs/advanced-queries.md

ConsistencyLevel header, $count, $search, ne/not/endsWith on directory objects

~190 lines

references/docs/paging.md

@odata.nextLink pagination, server-side vs client-side paging

~50 lines

references/docs/batching.md

$batch endpoint, combining multiple requests, dependsOn sequencing

~280 lines

references/docs/throttling.md

429 handling, Retry-After, backoff strategy

~90 lines

references/docs/errors.md

HTTP status codes, error response format, error codes

~105 lines

references/docs/best-practices.md

$select for performance, pagination, delta queries, batching

~155 lines

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card