Your Users Connected Claude to Microsoft 365 Before You Did
TL;DR
- On Claude's Free, Pro, and Max plans, the September 2025 consumer terms defaulted users toward model training, with conversation retention up to five years for those who opted in.
- If Microsoft Entra allows user consent, any employee can self-authorize Claude's Microsoft 365 connector from a personal account with no IT visibility.
- Claude's Teams plan is the minimum for business data: no model training on your data, admin connector controls, and organizational usage visibility.
- The Microsoft 365 connector uses delegated Graph permissions, so Claude can only read what each connected user already has access to.
- Since January 2026, Anthropic is a Microsoft subprocessor, and Claude models run inside Microsoft 365 Copilot on infrastructure outside the Azure boundary.
Open Microsoft Entra, go to Enterprise Applications, and search for "Claude" or "MCP." If anything comes back and your user consent settings are not locked down, your users beat you to the integration. They connected Claude to Microsoft 365 on their own, from personal accounts, and IT never saw a prompt.
That check takes 60 seconds, and we recommend running it before reading the rest of this post. Claude is one of the most capable AI tools available as of June 2026. MSPs use it, IT admins use it, and the end users you manage absolutely use it. The question is not whether it is in your environment. It is whether you are governing it.
This guide covers the three ways Claude reaches corporate data without IT involvement, what protection each Claude plan actually provides, the correct admin path for the Microsoft 365 connector, and what Anthropic's new role inside Microsoft 365 Copilot means for your tenants.
Three ways Claude touches corporate data without IT
Personal accounts and the training default
The typical pattern: a user goes to claude.ai, signs in with a personal Gmail address, accepts the terms, and starts on the free plan. Nothing malicious. They see the hype, try it out, and within minutes they are pasting in company information, attaching files from their locally synced OneDrive, and uploading client documents without a second thought.

The compliance problem sits in the defaults. On a free or personal paid plan (Pro or Max), Claude's privacy settings default to allowing conversations to be used to train Anthropic's models. Under the September 2025 consumer terms update, the retention window extends to five years for users who opted in, and many opted in by clicking through the prompt without touching the toggle.

That is not a theoretical risk. That is a live data governance gap in most organizations today.
The self-service Microsoft 365 connector
The second exposure point goes further than pasted text. Inside Claude, users can click the plus button in a new chat and add connectors, including a Microsoft 365 connector. On a personal account, a single user can initiate this connection without any admin approval, as long as your Microsoft Entra settings allow user consent.

Once connected, Claude gets delegated read access to that user's Outlook, SharePoint, OneDrive, and Teams data through the Microsoft Graph API. If Entra is not configured to require admin approval for third-party app consent, the app registration is quietly created in your directory.

This is what the Entra search at the top of this post surfaces. Run it on every tenant you manage.
The Office extension nobody's software controls will catch
One more surface area. Users on a paid personal Claude plan can install a Microsoft 365 Office extension directly within Claude. It does not require running an executable, so typical software installation controls never see it. It simply adds Claude as an extension inside Excel, with access to the data users are actively working with.

Which Claude plan is actually safe for business data?

The full plan comparison matrix is available here (opens in new tab). The short version: not all Claude plans carry the same data protections.
Free, Pro, and Max: consumer terms, consumer risk
These plans are governed by Anthropic's consumer terms. The September 2025 update introduced an opt-in data training toggle, but the default UI presented a large Accept button with the toggle pre-set to on. Many users accepted without adjusting it.
What that means in practice:
- Data can be used to train Anthropic models if the user consented (or never opted out)
- Retention up to five years for users who opted in, 30 days for those who opted out
- No admin controls over connectors or data access
- No organizational visibility or audit logging
- Not suitable for use with corporate or client data
Teams and Enterprise: commercial terms, real controls
On a Teams or Enterprise plan, you are under Anthropic's commercial terms. The data training toggle does not exist at this tier because it is not applicable. Your data is never used to train models, full stop.
The Teams plan adds:
- Admin connector controls (enable or restrict the M365 connector for your org)
- A usage dashboard for organizational visibility
- The ability to require admin approval before users connect third-party tools
- SSO support and domain verification
The Enterprise plan extends this with SCIM provisioning, the Compliance API for exporting conversation logs into your SIEM, Zero Data Retention mode available on request, a Data Processing Agreement, and HIPAA BAA eligibility. It is also SOC 2 Type II and ISO 27001 certified.
Our position: for any client handling real business data, the Teams plan is the minimum viable starting point.
The right way to wire the connector as an admin
Once a client is on Teams or Enterprise, the Microsoft 365 connection runs through a deliberate two-party admin path instead of user self-service.

- Enable the connector at the org level. Log into Claude with an Owner account. Go to Organization Settings, then Connectors. Click Add, find Microsoft 365, and click "Add to your team." This makes the connector available for your users but does not automatically connect anyone.
- Grant Microsoft Entra admin consent. Before any user can connect, a Microsoft Entra Global Administrator must grant tenant-wide consent. This is a one-time step. When you proceed through the connector setup, you are redirected to the Microsoft consent screen showing the permissions being requested. The list can look alarming at first glance: Sites.Read.All sounds like Claude can read your entire SharePoint environment. It cannot. These are delegated permissions, so Claude operates as the individual user and can only access what that user already has access to. Existing SharePoint permissions, sensitivity labels, and folder-level sharing settings are all respected.
- Review the per-connector settings. After consent is granted, you can configure settings per tool within the connector. Individual capabilities like SharePoint search, email access, and Teams chat search can each be set to require user approval, be blocked by default, or be allowed by default. That gives you fine-grained control over what users can actually do through the connector.
Claude is also inside Microsoft 365 Copilot now
This one has flown under the radar for many IT admins: since January 2026, Anthropic is officially a Microsoft subprocessor, which means Claude models are available inside Microsoft 365 Copilot itself. This is separate from the standalone Claude connector.

Where the models show up:
- Copilot Cowork: available in the frontier program
- Researcher agent: Claude Opus 4.1 can be selected for deep reasoning tasks instead of the default OpenAI model
- Copilot Studio: Claude Sonnet 4 or Opus 4.1 can be chosen from the model dropdown when building custom agents
- Agent Mode in Excel: Claude Opus 4.5 is available for web-based Agent Mode
US commercial Copilot tenants already have Anthropic models enabled by default. EU, UK, and EFTA organizations need to opt in. Check your admin center either way.
The data residency caveat
When Anthropic operates as a Microsoft subprocessor, your data is governed by Microsoft's Data Processing Addendum rather than Anthropic's consumer terms, and Anthropic does not train on your M365 data in this configuration.
The caveat matters, though. Anthropic's models run outside Microsoft's Azure boundary, on AWS or GCP infrastructure primarily located in the United States. Data is transferred out of Azure for processing, and Microsoft explicitly states that data processed by Anthropic falls outside Microsoft's data-residency commitments and audit controls.
For organizations with strict GDPR requirements or data residency mandates, that is disqualifying until reviewed. If it applies to any of your clients, disable Anthropic in the admin center until your compliance team has answered the questions.
Where CloudCapsule fits
If you manage multiple Microsoft 365 tenants and want to see which AI tools are already active, which users are connecting them, and where the governance gaps are, that is exactly what we built CloudCapsule for. The security assessment includes a Shadow AI report showing the AI tools users are accessing today, broken down by user: Claude, GPT, Gemini, and the rest, with the individual users behind each one.

Frequently asked questions
Can Claude read your entire SharePoint environment once the connector is approved?
No. The connector uses delegated permissions, which means Claude operates as the individual user. Scopes like Sites.Read.All look alarming on the consent screen, but Claude can only access what that specific user already can. Existing SharePoint permissions, sensitivity labels, and folder-level sharing settings are all respected.
How do you check whether users have already connected Claude to a tenant?
Open Microsoft Entra, go to Enterprise Applications, and search for Claude or MCP. If entries exist and your user consent settings are not locked down, personal accounts have already registered the connector in your directory.
Should organizations with data residency requirements enable Claude models in Copilot?
Not until compliance has reviewed it. Anthropic's models run outside Microsoft's Azure boundary on AWS or GCP infrastructure primarily located in the United States, and Microsoft states that data processed by Anthropic falls outside its data-residency commitments and audit controls. If GDPR or residency mandates apply, disable Anthropic in the admin center first.
See every AI tool your tenants are already running
CloudCapsule's Shadow AI report shows which AI tools users in each tenant are accessing today, broken down user by user. Claude, GPT, Gemini, and the rest, surfaced in a scan that reads 250+ controls in about 60 seconds.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


