The Dataverse MCP integration reached a milestone on July 6, 2026: Microsoft's Dataverse coding-agent plugin, previously usable in Claude and GitHub Copilot, can now also drive Cursor. It is a small headline with a large subtext — the same plugin that lets a coding agent read and write your Dynamics 365 and Power Platform data does so through a fixed set of named, individually auditable tools, not open database access.
Most coverage will compress this into “Dataverse expands to Claude, Cursor and Copilot” as if all three landed at once. They didn't. Claude (via the Claude Marketplace) and GitHub Copilot got the plugin on April 30, 2026; only Cursor is new on July 6, alongside a broader push into MCP certification and a catalog of ready-made servers. Getting that timeline right matters, because the governance story underneath is the part an agency actually has to defend to a client.
This guide separates the real news from the rewrite. It maps the router architecture, lays out the full 15-tool inventory in one table, and explains what “respects existing RBAC” mechanically means — per-user security inheritance and explicit human approval on destructive writes — as described by Microsoft in its own posts. Every figure below is sourced to Microsoft's Power Platform announcements and the open-source repository that ships the plugin.
- 01Only Cursor is new on July 6.Claude and GitHub Copilot got the Dataverse plugin on April 30, 2026. The July 6 post adds Cursor plus a broader MCP certification and catalog push — do not present all three as launching together.
- 02The plugin is a router, not a new engine.It dispatches each natural-language request to one of four existing tools — the Dataverse MCP server, the Python SDK, the PAC CLI, or the Dataverse CLI — picking whichever fits the task.
- 0315 named, individually auditable MCP tools.The underlying Dataverse MCP server exposes a fixed inventory across data, schema, discovery, skills, and file operations — capabilities that can be allowed, blocked, and audited one by one, not a blanket database connection.
- 04RBAC is per-user, per Microsoft.Microsoft describes the server as validating that users only reach data they are already permitted to see — the agent inherits the caller's existing Dataverse security role rather than getting a separate elevated identity.
- 05Destructive writes need explicit approval.The delete_record and delete_table tool descriptions themselves state they run only after explicit user approval — the approval gate is baked into the tool shape, not bolted on as policy.
01 — What ShippedThe real July 6 news is Cursor, not all three.
The July 6, 2026 Power Platform Blog post — “Dataverse Is Your Agent Data Platform: Here's What's New in July 2026”, by Julie Koesmarno, Principal Group Product Manager for Microsoft Dataverse — states the plugin is now available for Claude, Cursor and GitHub Copilot. Read on its own, that line invites the misread that all three are brand new. They aren't.
Claude and GitHub Copilot support shipped more than two months earlier, on April 30, 2026, in a separate developer-blog post (“Dataverse Plugin Is Now on the Claude Marketplace”, by Suyash Kshirsagar). The net-new surface on July 6 is Cursor — plus an MCP certification programme and a catalog of ready-made servers. And the repository README lists a fourth coding agent, Codex, beyond the three Microsoft names in its headline, so the plugin's real reach is at least four surfaces.
Claude & Copilot
Claude (via the Claude Marketplace and Claude Code) and GitHub Copilot were the launch surfaces. Install is a one-line plugin command; verify with /skills.
Cursor added
Cursor joins the supported coding agents, announced alongside MCP certification for ISVs and a broader catalog of ready-made MCP servers.
Codex support
The open-source dataverse-skills README lists Codex agent support in addition to Claude Code, Copilot, and Cursor — four surfaces in practice, three in the July 6 headline.
02 — Router, Not EngineOne plugin dispatching to four existing tools.
The plugin does not add a new way to reach Dataverse. It is a router built on an open-source skill architecture (MIT-licensed, hosted at github.com/microsoft/dataverse-skills) that reads a natural-language request and dispatches it to whichever of four existing tools is best-suited: the Dataverse MCP server, the Python SDK, the PAC CLI, or the Dataverse CLI. Conversational queries lean on the MCP server; bulk operations go to the Python SDK; schema work routes to the Web API and CLIs.
That design choice is why the governance conversation is even tractable. Because every path already existed and already enforced its own permissions, the plugin doesn't create a new bypass — it standardises how an agent picks among them. The setup work is handled by the agent; the security approvals stay where they were. If you want the mechanics of the layer it routes into, our walkthrough on how to build an MCP server from scratch covers the protocol end to end.
Dataverse MCP server
The default for conversational queries and record-level work. Exposes the 15 named tools detailed below; endpoint lives at /api/mcp on the target environment.
Python SDK
Routed to for bulk imports and data-heavy operations where a scripted SDK path is more efficient than conversational tool calls.
PAC CLI
Handles environment and schema work through the Power Platform CLI — the surface for authoring and altering the data model.
Dataverse CLI
The fourth dispatch target for solution lifecycle and environment administration tasks that fit a dedicated CLI better than the MCP server.
"The agent is not just connected to Dataverse in a broad sense. It has a set of named capabilities that can be reasoned about, allowed, blocked, audited, and improved over time."— Kent Weare, Principal Product Manager, Dataverse and Agent Data Platform, Microsoft
03 — Skill ArchitectureEight specialist skills, one router skill.
The repository ships eight specialist skills, each scoped to a slice of the platform. One of them, dv-overview, is the request router that decides which specialist handles a given ask. The rest cover connection, querying, data changes, metadata, solution lifecycle, administration, and security. Splitting the work this way is what makes the capabilities auditable: a security-conscious team can reason about each skill's scope rather than one opaque “Dataverse access.”
dv-overview
Reads the request and routes it to the right specialist skill. The entry point the plugin reasons through first.
dv-connect
Handles authentication and environment connection so the agent can reach the right Dataverse instance under the caller's identity.
dv-query
Record retrieval and filtering — the read-heavy path for answering questions against existing data.
dv-data
Create, update, delete, and bulk-import operations. The skill most likely to trigger the approval gates on destructive tools.
dv-metadata
Authoring and altering tables, columns, and relationships — the schema layer, kept distinct from record data.
dv-solution
Manages the solution packaging and deployment lifecycle across environments.
dv-admin
Environment-level administration tasks that sit above individual records or schema objects.
dv-security
Access and role management — the skill that touches the very security model the whole design leans on to stay least-privilege.
04 — Tool InventoryThe 15 tools an agent can actually call.
Underneath the plugin sits the Dataverse MCP server, documented separately in Microsoft's June 8, 2026 post “Dataverse MCP Server: Understanding the New Tool Shape” by Kent Weare. It exposes 15 named tools across five groups. The table below pulls them into a single view with the two facts a security reviewer cares about most: whether each tool reads or writes, and which ones the source says require explicit human approval. The read-or-write column is our own classification derived from each tool's stated function; the approval column is taken verbatim from Microsoft's tool descriptions.
| Tool | Read / write | Approval gate | What it lets an agent do |
|---|---|---|---|
| Data operations · 5 tools | |||
| search_data | Read | No | Search across records to find rows matching a query. |
| read_query | Read | No | Run a structured query and return matching records. |
| create_record | Write | No | Create a new row in a table. |
| update_record | Write | No | Modify fields on an existing row. |
| delete_record | Write | Yes | Delete a row — only after explicit user approval, per the tool description. |
| Schema management · 3 tools | |||
| create_table | Write | No | Add a new table to the data model. |
| update_table | Write | No | Alter an existing table's definition. |
| delete_table | Write | Yes | Delete a table from Dataverse — only after explicit user approval, per the tool description. |
| Discovery · 2 tools | |||
| search | Read | No | Discover tables and objects available in the environment. |
| describe | Read | No | Return the schema and shape of a specific object. |
| Skills & playbooks · 2 tools | |||
| upsert_skill | Write | No | Create or update a reusable skill or playbook. |
| delete_skill | Write | No | Remove a stored skill or playbook. |
| File operations · 3 tools | |||
| init_file_upload | Write | No | Begin a file-upload operation. |
| commit_file_upload | Write | No | Finalise an in-progress upload. |
| file_download | Read | No | Retrieve a stored file. |
Tally the classification and the shape is clear: of the 15 tools, five are read-only (search_data, read_query, search, describe, file_download) and ten can write. Only two — delete_record and delete_table — carry an explicit approval gate in their own descriptions. That is a deliberate asymmetry: the source reserves mandatory human sign-off for the two irreversible destructive operations, while trusting create and update paths to the user’s existing permissions.
05 — GovernanceWhat “respects RBAC” actually means here.
Microsoft's July 6 framing says the plugin enforces least-privilege security, follows documented auth patterns, and respects existing Dataverse RBAC. Repeated as a marketing line, that says little. The June 8 “tool shape” post gives it a mechanism: the server is designed to validate that users only access data they are already permitted to see. In practice that means the agent runs under the calling user's existing Dataverse security role — it does not receive a separate, elevated identity. A consultant with read-only access to a table gets a read-only agent against that table. For the general version of this idea, our guide to RBAC design patterns for agentic AI covers the same least-privilege principle across any stack.
One honest caveat for anyone recommending this to a client: these are Microsoft-stated design intentions, not the findings of an independent security audit. No third-party penetration test or audit of the Dataverse plugin specifically surfaced in our research. The architecture is sound on paper — named tools, per-user context, approval gates on deletes — but “the vendor says so” is the correct frame until an external review exists.
Dataverse MCP tool inventory by capability
Source: Dataverse MCP server tool descriptions, Power Platform Blog, June 8, 2026 · classification by Digital Applied06 — Admin ControlsThe controls an administrator holds.
Beyond per-user roles, Microsoft documents administrator-side controls that gate the plugin before any single request is made. Together they describe defence in depth: consent at the tenant, an allowlist at the environment, and credential handling at the device.
Admin consent required
Tenant-level admin consent is required before the plugin can be used at all — an org-wide gate that a single developer cannot self-serve around.
Per-environment allowlisting
Access is allowlisted per environment via the Power Platform Admin Center, with tool-level restrictions that distinguish read-only from write-capable tools and an approved-client list.
OS-native credential storage
Credentials are stored in the operating system's native credential manager — never transmitted or stored in plaintext, per Microsoft's documentation.
The MCP endpoint itself lives at /api/mcp on the target environment, reached over a stdio transport through an npm proxy. None of these controls is exotic; the point is that they are the same controls Dataverse administrators already operate, now applied to an agent surface rather than a human one. For a team that already runs Power Platform governance, the mental model transfers cleanly — and the checklist in our MCP server security best practices guide is a useful companion when you harden your own surface.
07 — MCP EcosystemThe catalog and certification push around it.
The Dataverse plugin arrives inside a wider Microsoft MCP move. The July 6 post cites a catalog of 60-plus ready-made MCP servers — a figure worth reading carefully. It is Microsoft's own stated aggregate spanning several products (Microsoft 365 Copilot, Copilot Studio, Azure AI Foundry, and GitHub Copilot), not an independently tallied or Dataverse-specific number. Treat it as a vendor-stated catalog count, not a verified market statistic.
The more consequential piece for partners is an MCP certification programme for ISVs. It is a three-step path: prepare a certification package with the MCP manifest and endpoint URL, a Tools JSON file, and Key Vault-backed auth details; select the “Apps and Agents for M365 and Copilot” offer type and submit via Partner Center; and, once certified, the MCP becomes available for customer adoption across Copilot Studio and Azure AI Foundry. Microsoft also supports a “bring your own MCP” path for connecting custom tools and internal workflows under enterprise governance controls.
All of this lands on ground that was already MCP-native. The protocol's connector ecosystem has been growing fast — third-party registry trackers counted on the order of 10,000 MCP servers by April 2026, up from roughly 6,800 at the end of 2025 (an increase of about 47% in four months), and every major coding host, from Claude Code and Cursor to VS Code's Copilot, shipped MCP support during 2025. The Dataverse news is Microsoft shipping an application on top of that existing layer, not the layer itself arriving. Our deeper look at how fast MCP adoption is moving puts these figures in fuller context.
08 — For AgenciesThe concrete answer to “is it safe?”
For an agency that builds custom, agentic systems for clients, this release is useful less as a product to adopt and more as a reference architecture to point at. When a client asks whether it is safe to let an AI coding agent touch their CRM data, “named tools, per-user roles, approval gates on destructive writes” is a concrete, defensible answer — and now there is a shipped Microsoft example that embodies it. That is worth more in a governance conversation than any abstraction.
Clients already on Dataverse
The most direct fit. If a client runs Dynamics 365 or Power Platform, the plugin lets agentic workflows reach their data through governed tools rather than a bespoke integration. Pilot on a read-heavy skill first.
Reference architecture
Even where you're building on your own stack, borrow the pattern: expose named, individually auditable tools; inherit the caller's role; gate irreversible writes behind explicit approval. It's a template for governed agent access.
The 'is it safe?' client
Lead with the mechanism, not the slogan. Show the 15-tool inventory and the two approval-gated deletes. Be explicit that RBAC claims are Microsoft-stated design intent, not an independent audit — honesty builds the trust.
Weighing Dataverse vs alternatives
For clients choosing a CRM data backbone, governed MCP access is now a real evaluation axis. Compare it against other vendors' MCP offerings on tool granularity and approval controls, not just feature checklists.
Looking forward, the pattern here — a fixed, named tool surface with per-user identity and human gates on the dangerous operations — is likely to become the default shape for how enterprise platforms expose themselves to agents. The specific artifact that matters isn't Cursor support; it is that a major vendor has now shipped “governed agent access to enterprise data” as a concrete product rather than a whitepaper. Agencies that internalise the pattern will be able to answer the safety question long before the next platform ships its own version. If you're scoping this kind of governed agent access into a client's CRM automation build, that mechanism-first framing is exactly where the conversation should start.
09 — ConclusionA small headline over a large pattern.
The news is Cursor. The story is the tool shape.
Strip away the platform-count headline and what Microsoft shipped is a working example of governed agent access to enterprise data: one plugin routing to four existing tools, a Dataverse MCP server with 15 named and auditable capabilities, per-user role inheritance, and explicit human approval on the two irreversible deletes. Cursor joining Claude and Copilot is the news; the tool shape underneath is the part worth studying.
The honest caveats stay attached: the governance claims are Microsoft-stated design intent rather than audited fact, the “60+ servers” figure is a vendor aggregate, and MCP was never new to any of these hosts. Hold those lines and the release is still significant — because it turns an abstract promise into something a security-conscious buyer can inspect tool by tool.
For agencies building agentic systems, the takeaway is a template, not a purchase. Named tools, inherited identity, approval gates on the destructive operations: that is how you make an AI agent safe to point at a client's CRM, and now there is a shipped reference to point at when someone asks whether it can be done responsibly.