MCP Scorecard

ServersPublishersPlatformsBlogAPI
Mission StatementGitHub
← All posts
Spotlight  March 14, 2026

Microsoft Ships Eight Agent365 MCP Servers — and None of Them Score Above 32

Microsoft registered eight agent365 MCP servers in a single batch — covering Word, Teams, SharePoint, Calendar, Admin, Copilot, OneDrive, and personal profile. Together they form the most comprehensive enterprise suite ever registered by one vendor. Every one of them scores 32. The repo appears empty. There is no license, no source code, no package, and no visible development activity. This is the biggest name in the registry doing the opposite of what high-trust servers do.
MCP Scorecard Research
com.microsoft

Microsoft is not new to MCP. In the last pulse, we noted four entries: Azure/containerization-assist (score 73), microsoft/awesome-copilot (score 79), agent365-mailtools (score 32), and dotnet-template-mcp (score 56). The Azure and Copilot entries followed the open source playbook — public repos with real code, permissive licenses, visible activity — and scored accordingly. The agent365-mailtools entry did not, and scored accordingly.

This week, Microsoft doubled down on the agent365 pattern. Eight new servers, all under the com.microsoft namespace, all linking to the same GitHub repository, all scoring 32. Together with the previously registered mailtools, Microsoft now has nine agent365 servers covering virtually the entire Microsoft 365 surface area. This is the largest enterprise suite ever registered by a single vendor in one batch.

The Eight Servers

ServerDescriptionScore
agent365-admintoolsAdmin tools for Microsoft 365 tenant management32
agent365-meserverPersonal profile and user information32
agent365-m365copilotM365 Copilot integration32
agent365-wordserverWord document creation and editing tools32
agent365-teamsserverMicrosoft Teams messaging and channels32
agent365-sharepointliststoolsSharePoint Lists management32
agent365-odspremoteserverOneDrive and SharePoint remote file operations32
agent365-calendartoolsCalendar and scheduling tools32

All eight use streamable-HTTP transport. None require secrets or API keys at the MCP layer. None have installable packages. All link to the same repository: https://github.com/bap-microsoft/MCP-Platform/.

Why 32

The score is not arbitrary. It is the precise result of the four-category scoring model applied to servers with these characteristics. Here is the breakdown:

Provenance (30% weight): 40 out of 100. The servers have a repo URL (+25 points), an icon (+5), a website (+5), and unique descriptions (+5). They earn nothing else. No license — the repo has none. No installable package. No SECURITY.md. No code of conduct. And critically, the namespace does not match the repo owner: the servers are published as com.microsoft but the repository lives under bap-microsoft. That mismatch costs 10 provenance points. The repo is not archived, but with no visible GitHub data (the repo appears private or empty), the enrichment pipeline returns no data for that signal either. Weighted contribution: 12 points.

Maintenance (25% weight): 5 out of 100. The repo is less than 90 days old. Last push recency is 0.0 — no pushes are visible. Active commit weeks: zero. Contributors: zero. The only points come from the baseline version_count signal (every server that exists gets 5 points for having at least one version). Weighted contribution: 1.25 points.

Popularity (20% weight): 0 out of 100. Zero stars. Zero forks. Zero watchers. When the enrichment pipeline hits this repository, it finds nothing — no community engagement, no social proof, no adoption signals. Weighted contribution: 0 points.

Permissions (25% weight): 75 out of 100. This is the one category where agent365 performs well. No secret environment variables (+40). Streamable-HTTP transport risk (+10). No credentials of any kind (+20). No package, so the default package type risk applies (+5). The servers ask for nothing sensitive at the MCP configuration layer. Weighted contribution: 18.75 points.

Total: 12 + 1.25 + 0 + 18.75 = 32. Very Low Trust.

The bap-microsoft Question

All nine agent365 servers link to github.com/bap-microsoft/MCP-Platform. The bap-microsoft organization is not the official microsoft or Azure GitHub organizations where Microsoft's open source projects typically live. BAP likely stands for Business Application Platform — an internal Microsoft division responsible for Power Platform, Dynamics 365, and enterprise application infrastructure.

The namespace mismatch is notable. com.microsoft is a verified publisher on the MCP registry — it is in MCP Scorecard's curated list of verified publishers. But verified publisher status confirms that the namespace was claimed legitimately. It does not vouch for the quality, transparency, or trustworthiness of individual servers published under that namespace. The repo owner (bap-microsoft) does not match the namespace (com.microsoft) under the scoring model's fuzzy matching rules, because bap-microsoft neither contains nor is contained by microsoft as a simple substring — the prefix bap- breaks the match.

This is not evidence of anything nefarious. It is evidence that Microsoft's internal organizational structure does not map cleanly onto the MCP registry's trust signals. A large company with dozens of GitHub organizations will inevitably create this kind of mismatch. But the scoring model measures what it can observe, and what it observes is a disconnect between who published the server and where the code nominally lives.

The Invisible Repository

The most striking characteristic of the agent365 suite is the absence of visible source code. The repository URL exists. The GitHub API returns minimal metadata — not archived, recently created. But there are no stars, no forks, no commit history visible to the public, no license file, no README, no security policy. Whether the repo is private, empty, or access-restricted is unclear from the outside. What is clear is that our enrichment pipeline — which makes three API calls per server to collect GitHub metadata — gets back essentially nothing.

This matters because the open source MCP ecosystem has established a clear pattern: the servers that score well are the ones with public code, permissive licenses, visible development activity, and community engagement. Scrapling scores 92 because it has 19,000 stars, BSD-3-Clause, and years of commits. Kubeshark scores 84 because it has 11,800 stars, Apache-2.0, and active contributors. Even SAP's cap-js — another enterprise vendor — chose the open source path and scored 73.

Microsoft's agent365 suite went the opposite direction. The question is whether that matters for a different reason than trust scoring.

What an Autonomous Office Worker Looks Like

Step back from the scores and look at the functional coverage. Nine agent365 servers (including the previously registered mailtools) provide AI agent access to:

  • Email — read, compose, send, manage inbox
  • Calendar — schedule meetings, check availability, manage events
  • Word — create and edit documents
  • Teams — post messages, manage channels, participate in conversations
  • SharePoint Lists — create, read, update structured data
  • OneDrive/SharePoint — file storage, retrieval, sharing
  • Admin tools — tenant management, user administration
  • Copilot — integration with Microsoft's own AI assistant layer
  • Personal profile — user context, identity, preferences

This is the skeleton of an autonomous office worker. An AI agent with access to all nine servers can schedule a meeting, draft the agenda in Word, post it to a Teams channel, upload supporting documents to SharePoint, create a tracking list, send follow-up emails, and administer user permissions — all without a human touching Microsoft 365 directly. The Copilot integration adds another layer: an agent that can invoke Microsoft's own AI capabilities as part of its workflow.

No other vendor has registered anything close to this scope. Individual developers have built email servers, calendar tools, and document editors. But a single vendor providing a unified, authenticated suite that covers the full enterprise productivity stack — email, docs, collaboration, storage, scheduling, administration — is unprecedented in the registry.

Enterprise vs. Open Source: Two Strategies

The contrast with other enterprise MCP entries is instructive. SAP published cap-js — a Cloud Application Programming model server — with a public GitHub repo, Apache-2.0 license, visible development activity, and community engagement. It scored 73. Microsoft's own Azure/containerization-assist followed a similar pattern and scored 73. These entries demonstrate that enterprise vendors can play the open source game when they choose to.

The agent365 suite represents a fundamentally different strategy. These are not developer tools meant to be installed locally and inspected. They are remote services — streamable-HTTP endpoints that run on Microsoft's infrastructure, authenticated through Azure, consumed by enterprise AI agents. The source code is irrelevant to the end user in the same way that the source code of Microsoft Teams itself is irrelevant to someone scheduling a meeting. You don't install agent365-calendartools. You call it.

This creates a genuine tension for trust scoring. The scoring model was designed around the open source MCP pattern: source code you can audit, packages you can inspect, community engagement you can measure. The agent365 servers break that pattern deliberately. They are backed by Microsoft's brand, infrastructure, and enterprise support — none of which the scoring model measures because none of it is an observable signal in the GitHub-centric enrichment pipeline.

What This Signals for Enterprise MCP

Microsoft registering nine servers covering the M365 stack is a significant strategic statement regardless of the scores. It says that Microsoft views MCP as an enterprise integration layer — a standard protocol through which AI agents interact with productivity infrastructure. Not a developer tool protocol. Not a hobby project protocol. An enterprise protocol.

The implications cascade:

  1. Authentication will matter more than source code. Enterprise MCP servers will authenticate through Azure AD, Okta, or similar identity providers. The trust question shifts from "can I read the source code?" to "does my organization's identity provider trust this endpoint?" The scoring model does not yet capture this.
  2. Remote-only is the enterprise default. All nine agent365 servers are streamable-HTTP with no stdio option. Enterprise servers will not ship as npm packages you install locally. They will be cloud endpoints. The transport risk scoring penalizes this — streamable-HTTP scores 10 out of 25 versus stdio's 25 out of 25 — but for enterprise deployments, remote is the only viable option.
  3. Other vendors will follow. If Microsoft is publishing M365 MCP servers, Google Workspace, Salesforce, ServiceNow, and Atlassian are watching. The enterprise MCP wave has not crested. It is just starting.
  4. The trust model needs a second axis. The current model measures open source health signals. Enterprise servers need a parallel evaluation: vendor reputation, service level agreements, compliance certifications, uptime history, security audit status. These are different trust signals for a different trust context.

The Scorecard's Limitation — and Its Purpose

A score of 32 for a Microsoft enterprise product feels intuitively wrong. Microsoft is a $3 trillion company with enterprise support, security teams, compliance certifications, and legal accountability that no indie developer can match. Surely that should count for something.

It does — but not in this model. MCP Scorecard measures observable signals: source code, licenses, packages, community engagement, development activity, permission requirements. It does not measure brand reputation, market capitalization, or corporate accountability, because those are not observable in the enrichment pipeline. A score of 32 does not mean "Microsoft is untrustworthy." It means "these servers have almost no observable trust signals." That is a factual statement about what is publicly visible, not a judgment about what Microsoft will or won't do with them.

The gap between the score and the intuition is itself informative. It tells us that the scoring model is incomplete for enterprise use cases — and that enterprise vendors need to meet the model halfway by providing the signals it measures: public documentation, license clarity, security policies, and visible development practices. Microsoft could close much of this gap by adding a license file, publishing a SECURITY.md, and making the repository readable. Whether they consider that worth doing for remote enterprise services is their strategic call.

Score: 32 across all eight servers. No flags triggered — because the servers are not dead entries, not templates, not staging artifacts. They are real servers with real descriptions and real endpoints. They simply operate in a mode that the scoring model was not designed to evaluate.

Sources: Microsoft agent365 — GitHub (bap-microsoft) · Scorecard: com.microsoft · Previous coverage: Registry Pulse #5
← Gearsystem: A Sega Master System Emulator in the MCP RegistryQiskit: The First Quantum Computing Entry in the MCP Registry →
Article Type
Pulse5Spotlight34Trend6
Archive
March 202627February 202618
Publishers Mentioned
io.github.D4Vinci3io.github.kubeshark3io.github.Skyvern-AI2io.github.duriantaco2io.github.cap-js2io.github.Qiskit2io.github.drhelius2io.github.dgunning2com.arcadedb2io.github.ArcadeData2io.github.kitao2io.github.BurtTheCoder2
~ ~ ~
mcp-scorecard.ai  ·  2026