
Your agent needs to read and write Microsoft Word documents. Microsoft now ships an official Word MCP server, the Work IQ Word server inside Microsoft Agent 365, and Word has long been reachable through Microsoft Graph. They are not the same object: different capability coverage, a different auth path, and a different operational surface in production. The choice is not permanent either. What your agent actually does with Word decides which path fits. Here is how to pick.
The official Word MCP server is the Work IQ Word server, identified as mcp_WordServer, shipped as part of Microsoft Agent 365. It is in preview. It is a Microsoft-built, Microsoft-hosted remote MCP server, and the remote endpoint takes the form https://agent365.svc.cloud.microsoft/agents/tenants/{tenant_id}/servers/mcp_WordServer.
An agent connects through Microsoft Entra. Authentication is OAuth, either an On-Behalf-Of delegated user flow or an agent identity, and a Microsoft 365 Copilot license is required. There is no API key or static credential option on this path.
There is no standalone Word REST API. Word documents are reached through Microsoft Graph as driveItem resources in OneDrive or SharePoint. You download a .docx with GET /drives/{drive-id}/items/{item-id}/content, and replace it with PUT .../content for small files or a resumable upload session for files over 4 MB.
Authentication is the Microsoft identity platform: OAuth Authorization Code for delegated access, and client credentials or JWT-bearer patterns for app-only, server-to-server access with no user in the loop.
The Work IQ Word MCP covers a narrow, document-lifecycle slice: create a document from HTML or plain text, read its text and comments, and run comment threads. The Graph path covers more, but with a sharp limit of its own: it has no structured Word body model, so any real editing happens in your code after a download.
The MCP ceiling is the tool count. Four tools is enough for a comment-and-create assistant, not enough for an agent that edits documents or browses a workspace. The server has no list, no search, and no body-editing surface.
The Graph ceiling is different but just as real. Word has no equivalent to the Excel /workbook content model. You cannot patch a paragraph or a run through an endpoint. The agent downloads the binary, edits it with a library such as python-docx or the Open XML SDK, and uploads the result. That is more control and more code.
The Work IQ Word MCP is OAuth-only through Microsoft Entra, and it requires a Microsoft 365 Copilot license. An agent either runs the On-Behalf-Of flow, exchanging a signed-in user's token to act with that user's permissions, or uses an agent identity with its own assigned permissions. Interactive consent or a pre-provisioned agent identity is required. There is no static credential.
Microsoft Graph is broader. Delegated OAuth Authorization Code works for user-present agents, and app-only client credentials or JWT-bearer flows give clean server-to-server access for headless work. A background job that processes documents on a schedule has a first-class auth path on Graph; on the MCP path it does not.
For a B2B agent serving 40 users across several tenants, both paths converge on the same shape: one OAuth identity per user, scoped to that user's OneDrive and SharePoint permissions. The Copilot license requirement on the MCP path is the extra gate to plan for. Neither path stores, refreshes, or revokes those per-user tokens for you. That is infrastructure you build or buy.
On the MCP path, Microsoft manages hosting, tool schemas, and runtime governance through the Microsoft 365 admin center, and tool calls are traceable in Microsoft Defender. You still own per-user token acquisition through Entra, the Copilot license footprint, and adapting to schema changes while the server is in preview.
On the Graph path, you own everything above the wire: endpoint selection, the download-edit-upload loop, local document parsing, retry and pagination logic, change-notification subscriptions and their renewal, and the full token lifecycle. The maintenance surface is larger; the determinism is higher because you pin behavior rather than consume a preview contract.
Use the Work IQ Word MCP when:
Use Microsoft Graph directly when:
Both paths hand you a token per user. Neither hands you a vault, rotation logic, or a revocation flow. In a multi-tenant agent, which is the B2B default, every user has their own Microsoft credential. That is N tokens to store encrypted, refresh proactively, and revoke when someone leaves.
The MCP path gives you an Entra-issued delegated token per user. The Graph path gives you an OAuth access token per user, or an app-only token per tenant for background work. In both cases the token must live somewhere isolated per tenant, never in the agent runtime, never in LLM context, and revocable on disconnect. The token type differs; the credential infrastructure required does not.
Scalekit's Microsoft Word connector handles the OAuth flow, encrypted token storage, and automatic refresh for both paths, so the MCP versus API decision does not change your auth infrastructure. What the user can't do, the agent can't do, because access is resolved from the user's own connected account, not a shared service credential.
A document agent rarely needs raw Word alone. It reads a proposal, drafts a follow-up, files a contract, and posts a summary somewhere else. Every one of those steps is a separate OAuth dialect if you wire it yourself. Scalekit's AgentKit gives the agent authenticated access to Microsoft Word, and to the other connectors the workflow touches, behind one execution model. The agent calls a tool; Scalekit resolves the right per-user token server-side and runs the call.
Credentials live in Scalekit's managed Token Vault, encrypted at rest and namespaced per tenant. They are resolved at request time and never appear in the agent runtime or the LLM context. User A's documents are never reachable by an agent acting for user B, even on the same connection. Revocation is a single action, and the next tool call for that user fails closed without affecting anyone else.
The Scalekit Microsoft Word connector exposes prebuilt, LLM-ready tools. The two documented tools are microsoftword_read_document, which exports a .docx from OneDrive as a PDF for client-side parsing, and microsoftword_create_document, which starts a resumable upload session for a new document. You call them through execute_tool after the user authorizes once. Note that connection_name must match the connection you configured in the Scalekit dashboard exactly; a mismatch is the most common integration error.
The agent should see only the tools the current user is authorized to call, not a full catalog. A bloated tool surface degrades selection accuracy and burns tokens before the agent does any work. Scoping the surface is the lever, and you set it with a tool filter when you list the user's scoped tools.
If you would rather hand any MCP-compatible framework a pre-authenticated endpoint instead of driving the loop yourself, use Scalekit's Virtual MCP server. You declare a config once with create_config, naming the connections and the exact tools to expose, then call ensure_instance per user. Scalekit mints a per-user URL of the form https://yourcompany.scalekit.com/mcp/v3/servers/<server-id>. One server definition serves every user; each run resolves that user's own credentials. The endpoint is static; the identity is per-user, and there is no MCP server to deploy, host, or maintain.
Every Microsoft Word tool call is logged: who triggered it, which document was touched, and what came back, tied to the user who authorized it rather than a shared bot account. For a multi-tenant agent that also reaches into Slack, a CRM, or a ticketing system, that per-user attribution is what makes the audit trail accurate and the agent answerable to a security review.
The documented connector centers on creating and reading documents. If your agent needs a Word action that is not yet in the catalog, request it: join the Scalekit Slack community or talk to the team. New tool requests are typically turned around quickly, on the same auth plumbing as every other connector.
If your agent is interactive, user-present, and its job is creating documents and managing comments, the Work IQ Word MCP is the faster path, provided you have Microsoft 365 Copilot licenses and can live with a preview surface. If your agent runs headless, edits document content, or needs to list, search, and convert across a drive, build on Microsoft Graph and own the download-edit-upload loop. Most production Word agents end up using both: the MCP for the interactive assistant, Graph for the background pipeline. Either way, the credential management problem is the same, and that is what needs production-grade infrastructure.