AI DevelopmentNew Release10 min readPublished July 6, 2026

One plugin · four coding agents · 15 named MCP tools, individually auditable

Dataverse Meets Claude, Cursor and Copilot via MCP

On July 6, 2026 Microsoft added Cursor to the list of coding agents that can drive Dataverse through its plugin — Claude and GitHub Copilot have had it since April 30. The interesting part isn't the platform count. It's that one plugin routes every request through 15 named, auditable MCP tools while inheriting the calling user's existing security role.

DA
Digital Applied Team
Senior strategists · Published Jul 6, 2026
PublishedJul 6, 2026
Read time10 min
SourcesMicrosoft primaries + repo
Coding agents (Jul 6 headline)
3
Claude · Cursor · Copilot
Named MCP tools
15
individually auditable
Specialist skills shipped
8
dv-connect … dv-overview
Tools gated by approval
2
delete_record · delete_table

The Dataverse MCP integration reached a milestone on July 6, 2026: Microsoft's Dataverse coding-agent plugin, previously usable in Claude and GitHub Copilot, can now also drive Cursor. It is a small headline with a large subtext — the same plugin that lets a coding agent read and write your Dynamics 365 and Power Platform data does so through a fixed set of named, individually auditable tools, not open database access.

Most coverage will compress this into “Dataverse expands to Claude, Cursor and Copilot” as if all three landed at once. They didn't. Claude (via the Claude Marketplace) and GitHub Copilot got the plugin on April 30, 2026; only Cursor is new on July 6, alongside a broader push into MCP certification and a catalog of ready-made servers. Getting that timeline right matters, because the governance story underneath is the part an agency actually has to defend to a client.

This guide separates the real news from the rewrite. It maps the router architecture, lays out the full 15-tool inventory in one table, and explains what “respects existing RBAC” mechanically means — per-user security inheritance and explicit human approval on destructive writes — as described by Microsoft in its own posts. Every figure below is sourced to Microsoft's Power Platform announcements and the open-source repository that ships the plugin.

Key takeaways
  1. 01
    Only Cursor is new on July 6.Claude and GitHub Copilot got the Dataverse plugin on April 30, 2026. The July 6 post adds Cursor plus a broader MCP certification and catalog push — do not present all three as launching together.
  2. 02
    The plugin is a router, not a new engine.It dispatches each natural-language request to one of four existing tools — the Dataverse MCP server, the Python SDK, the PAC CLI, or the Dataverse CLI — picking whichever fits the task.
  3. 03
    15 named, individually auditable MCP tools.The underlying Dataverse MCP server exposes a fixed inventory across data, schema, discovery, skills, and file operations — capabilities that can be allowed, blocked, and audited one by one, not a blanket database connection.
  4. 04
    RBAC is per-user, per Microsoft.Microsoft describes the server as validating that users only reach data they are already permitted to see — the agent inherits the caller's existing Dataverse security role rather than getting a separate elevated identity.
  5. 05
    Destructive writes need explicit approval.The delete_record and delete_table tool descriptions themselves state they run only after explicit user approval — the approval gate is baked into the tool shape, not bolted on as policy.

01What ShippedThe real July 6 news is Cursor, not all three.

The July 6, 2026 Power Platform Blog post — “Dataverse Is Your Agent Data Platform: Here's What's New in July 2026”, by Julie Koesmarno, Principal Group Product Manager for Microsoft Dataverse — states the plugin is now available for Claude, Cursor and GitHub Copilot. Read on its own, that line invites the misread that all three are brand new. They aren't.

Claude and GitHub Copilot support shipped more than two months earlier, on April 30, 2026, in a separate developer-blog post (“Dataverse Plugin Is Now on the Claude Marketplace”, by Suyash Kshirsagar). The net-new surface on July 6 is Cursor — plus an MCP certification programme and a catalog of ready-made servers. And the repository README lists a fourth coding agent, Codex, beyond the three Microsoft names in its headline, so the plugin's real reach is at least four surfaces.

Apr 30, 2026
Claude & Copilot
First plugin availability

Claude (via the Claude Marketplace and Claude Code) and GitHub Copilot were the launch surfaces. Install is a one-line plugin command; verify with /skills.

Power Platform Developer Blog
Jul 6, 2026
Cursor added
The genuinely new platform

Cursor joins the supported coding agents, announced alongside MCP certification for ISVs and a broader catalog of ready-made MCP servers.

Power Platform Blog, Jul 6
Also listed
Codex support
Per the repo README

The open-source dataverse-skills README lists Codex agent support in addition to Claude Code, Copilot, and Cursor — four surfaces in practice, three in the July 6 headline.

github.com/microsoft/dataverse-skills
Date precision
Do not read the July 6 post as a simultaneous launch. Claude and Copilot got the Dataverse plugin on April 30, 2026; only Cursor is new on July 6. The plugin is a fresh application layered on top of MCP support these hosts already shipped during 2025 — MCP itself is not new to any of them.

02Router, Not EngineOne plugin dispatching to four existing tools.

The plugin does not add a new way to reach Dataverse. It is a router built on an open-source skill architecture (MIT-licensed, hosted at github.com/microsoft/dataverse-skills) that reads a natural-language request and dispatches it to whichever of four existing tools is best-suited: the Dataverse MCP server, the Python SDK, the PAC CLI, or the Dataverse CLI. Conversational queries lean on the MCP server; bulk operations go to the Python SDK; schema work routes to the Web API and CLIs.

That design choice is why the governance conversation is even tractable. Because every path already existed and already enforced its own permissions, the plugin doesn't create a new bypass — it standardises how an agent picks among them. The setup work is handled by the agent; the security approvals stay where they were. If you want the mechanics of the layer it routes into, our walkthrough on how to build an MCP server from scratch covers the protocol end to end.

Conversational
Dataverse MCP server
Read + scoped write

The default for conversational queries and record-level work. Exposes the 15 named tools detailed below; endpoint lives at /api/mcp on the target environment.

search_data · read_query · create_record
Bulk
Python SDK
High-volume operations

Routed to for bulk imports and data-heavy operations where a scripted SDK path is more efficient than conversational tool calls.

dv-data bulk imports
Schema
PAC CLI
Data-model authoring

Handles environment and schema work through the Power Platform CLI — the surface for authoring and altering the data model.

dv-metadata · dv-solution
Lifecycle
Dataverse CLI
Solution + environment ops

The fourth dispatch target for solution lifecycle and environment administration tasks that fit a dedicated CLI better than the MCP server.

dv-admin lifecycle
"The agent is not just connected to Dataverse in a broad sense. It has a set of named capabilities that can be reasoned about, allowed, blocked, audited, and improved over time."— Kent Weare, Principal Product Manager, Dataverse and Agent Data Platform, Microsoft

03Skill ArchitectureEight specialist skills, one router skill.

The repository ships eight specialist skills, each scoped to a slice of the platform. One of them, dv-overview, is the request router that decides which specialist handles a given ask. The rest cover connection, querying, data changes, metadata, solution lifecycle, administration, and security. Splitting the work this way is what makes the capabilities auditable: a security-conscious team can reason about each skill's scope rather than one opaque “Dataverse access.”

Routing
dv-overview
Request router

Reads the request and routes it to the right specialist skill. The entry point the plugin reasons through first.

orchestration
Setup
dv-connect
Auth + setup

Handles authentication and environment connection so the agent can reach the right Dataverse instance under the caller's identity.

auth
Read
dv-query
Retrieval + filtering

Record retrieval and filtering — the read-heavy path for answering questions against existing data.

read
Write
dv-data
CRUD + bulk imports

Create, update, delete, and bulk-import operations. The skill most likely to trigger the approval gates on destructive tools.

write
Model
dv-metadata
Data-model authoring

Authoring and altering tables, columns, and relationships — the schema layer, kept distinct from record data.

schema
Lifecycle
dv-solution
Solution lifecycle

Manages the solution packaging and deployment lifecycle across environments.

solutions
Admin
dv-admin
Environment administration

Environment-level administration tasks that sit above individual records or schema objects.

admin
Security
dv-security
Access + roles

Access and role management — the skill that touches the very security model the whole design leans on to stay least-privilege.

rbac

04Tool InventoryThe 15 tools an agent can actually call.

Underneath the plugin sits the Dataverse MCP server, documented separately in Microsoft's June 8, 2026 post “Dataverse MCP Server: Understanding the New Tool Shape” by Kent Weare. It exposes 15 named tools across five groups. The table below pulls them into a single view with the two facts a security reviewer cares about most: whether each tool reads or writes, and which ones the source says require explicit human approval. The read-or-write column is our own classification derived from each tool's stated function; the approval column is taken verbatim from Microsoft's tool descriptions.

The 15 named tools exposed by the Dataverse MCP server, grouped by category (data operations, schema management, discovery, skills and playbooks, and file operations), showing whether each tool reads or writes and whether it requires explicit human approval before executing. Tool names and approval-gate language are from Microsoft's June 8, 2026 “Dataverse MCP Server: Understanding the New Tool Shape” post; the read-or-write classification is Digital Applied's, derived from each tool's stated function.
ToolRead / writeApproval gateWhat it lets an agent do
Data operations · 5 tools
search_dataReadNoSearch across records to find rows matching a query.
read_queryReadNoRun a structured query and return matching records.
create_recordWriteNoCreate a new row in a table.
update_recordWriteNoModify fields on an existing row.
delete_recordWriteYesDelete a row — only after explicit user approval, per the tool description.
Schema management · 3 tools
create_tableWriteNoAdd a new table to the data model.
update_tableWriteNoAlter an existing table's definition.
delete_tableWriteYesDelete a table from Dataverse — only after explicit user approval, per the tool description.
Discovery · 2 tools
searchReadNoDiscover tables and objects available in the environment.
describeReadNoReturn the schema and shape of a specific object.
Skills & playbooks · 2 tools
upsert_skillWriteNoCreate or update a reusable skill or playbook.
delete_skillWriteNoRemove a stored skill or playbook.
File operations · 3 tools
init_file_uploadWriteNoBegin a file-upload operation.
commit_file_uploadWriteNoFinalise an in-progress upload.
file_downloadReadNoRetrieve a stored file.

Tally the classification and the shape is clear: of the 15 tools, five are read-only (search_data, read_query, search, describe, file_download) and ten can write. Only two — delete_record and delete_table — carry an explicit approval gate in their own descriptions. That is a deliberate asymmetry: the source reserves mandatory human sign-off for the two irreversible destructive operations, while trusting create and update paths to the user’s existing permissions.

05GovernanceWhat “respects RBAC” actually means here.

Microsoft's July 6 framing says the plugin enforces least-privilege security, follows documented auth patterns, and respects existing Dataverse RBAC. Repeated as a marketing line, that says little. The June 8 “tool shape” post gives it a mechanism: the server is designed to validate that users only access data they are already permitted to see. In practice that means the agent runs under the calling user's existing Dataverse security role — it does not receive a separate, elevated identity. A consultant with read-only access to a table gets a read-only agent against that table. For the general version of this idea, our guide to RBAC design patterns for agentic AI covers the same least-privilege principle across any stack.

One honest caveat for anyone recommending this to a client: these are Microsoft-stated design intentions, not the findings of an independent security audit. No third-party penetration test or audit of the Dataverse plugin specifically surfaced in our research. The architecture is sound on paper — named tools, per-user context, approval gates on deletes — but “the vendor says so” is the correct frame until an external review exists.

Dataverse MCP tool inventory by capability

Source: Dataverse MCP server tool descriptions, Power Platform Blog, June 8, 2026 · classification by Digital Applied
Read-only toolssearch_data · read_query · search · describe · file_download
5 / 15
Write-capable toolscreate / update / delete · schema · skills · uploads
10 / 15
Approval-gated toolsdelete_record · delete_table — explicit user approval
2 / 15
The mechanism, not the slogan
The distinction worth carrying into a client conversation: the agent does not get its own keys to the database. It borrows the calling user's existing role, and the two irreversible operations — deleting a row and deleting a table — stop for human approval before they run. Governance here is expressed in the tool shape itself, which is what makes it auditable.

06Admin ControlsThe controls an administrator holds.

Beyond per-user roles, Microsoft documents administrator-side controls that gate the plugin before any single request is made. Together they describe defence in depth: consent at the tenant, an allowlist at the environment, and credential handling at the device.

Tenant
Admin consent required
1consent

Tenant-level admin consent is required before the plugin can be used at all — an org-wide gate that a single developer cannot self-serve around.

org-wide gate
Environment
Per-environment allowlisting
Nallow

Access is allowlisted per environment via the Power Platform Admin Center, with tool-level restrictions that distinguish read-only from write-capable tools and an approved-client list.

admin center
Device
OS-native credential storage
0plaintext

Credentials are stored in the operating system's native credential manager — never transmitted or stored in plaintext, per Microsoft's documentation.

no plaintext creds

The MCP endpoint itself lives at /api/mcp on the target environment, reached over a stdio transport through an npm proxy. None of these controls is exotic; the point is that they are the same controls Dataverse administrators already operate, now applied to an agent surface rather than a human one. For a team that already runs Power Platform governance, the mental model transfers cleanly — and the checklist in our MCP server security best practices guide is a useful companion when you harden your own surface.

07MCP EcosystemThe catalog and certification push around it.

The Dataverse plugin arrives inside a wider Microsoft MCP move. The July 6 post cites a catalog of 60-plus ready-made MCP servers — a figure worth reading carefully. It is Microsoft's own stated aggregate spanning several products (Microsoft 365 Copilot, Copilot Studio, Azure AI Foundry, and GitHub Copilot), not an independently tallied or Dataverse-specific number. Treat it as a vendor-stated catalog count, not a verified market statistic.

The more consequential piece for partners is an MCP certification programme for ISVs. It is a three-step path: prepare a certification package with the MCP manifest and endpoint URL, a Tools JSON file, and Key Vault-backed auth details; select the “Apps and Agents for M365 and Copilot” offer type and submit via Partner Center; and, once certified, the MCP becomes available for customer adoption across Copilot Studio and Azure AI Foundry. Microsoft also supports a “bring your own MCP” path for connecting custom tools and internal workflows under enterprise governance controls.

All of this lands on ground that was already MCP-native. The protocol's connector ecosystem has been growing fast — third-party registry trackers counted on the order of 10,000 MCP servers by April 2026, up from roughly 6,800 at the end of 2025 (an increase of about 47% in four months), and every major coding host, from Claude Code and Cursor to VS Code's Copilot, shipped MCP support during 2025. The Dataverse news is Microsoft shipping an application on top of that existing layer, not the layer itself arriving. Our deeper look at how fast MCP adoption is moving puts these figures in fuller context.

Read the 60+ figure carefully
The “60+ MCP servers” number is a Microsoft-stated aggregate across multiple products, not a per-product Dataverse count and not independently verified. Cite it as a catalog claim from the vendor, not as an audited market total.

08For AgenciesThe concrete answer to “is it safe?”

For an agency that builds custom, agentic systems for clients, this release is useful less as a product to adopt and more as a reference architecture to point at. When a client asks whether it is safe to let an AI coding agent touch their CRM data, “named tools, per-user roles, approval gates on destructive writes” is a concrete, defensible answer — and now there is a shipped Microsoft example that embodies it. That is worth more in a governance conversation than any abstraction.

Dynamics 365 shops
Clients already on Dataverse

The most direct fit. If a client runs Dynamics 365 or Power Platform, the plugin lets agentic workflows reach their data through governed tools rather than a bespoke integration. Pilot on a read-heavy skill first.

Evaluate the plugin directly
Custom-build clients
Reference architecture

Even where you're building on your own stack, borrow the pattern: expose named, individually auditable tools; inherit the caller's role; gate irreversible writes behind explicit approval. It's a template for governed agent access.

Copy the tool-shape pattern
Security-first buyers
The 'is it safe?' client

Lead with the mechanism, not the slogan. Show the 15-tool inventory and the two approval-gated deletes. Be explicit that RBAC claims are Microsoft-stated design intent, not an independent audit — honesty builds the trust.

Frame governance honestly
CRM platform choice
Weighing Dataverse vs alternatives

For clients choosing a CRM data backbone, governed MCP access is now a real evaluation axis. Compare it against other vendors' MCP offerings on tool granularity and approval controls, not just feature checklists.

Add MCP governance to the scorecard

Looking forward, the pattern here — a fixed, named tool surface with per-user identity and human gates on the dangerous operations — is likely to become the default shape for how enterprise platforms expose themselves to agents. The specific artifact that matters isn't Cursor support; it is that a major vendor has now shipped “governed agent access to enterprise data” as a concrete product rather than a whitepaper. Agencies that internalise the pattern will be able to answer the safety question long before the next platform ships its own version. If you're scoping this kind of governed agent access into a client's CRM automation build, that mechanism-first framing is exactly where the conversation should start.

09ConclusionA small headline over a large pattern.

The shape of governed agent access, July 2026

The news is Cursor. The story is the tool shape.

Strip away the platform-count headline and what Microsoft shipped is a working example of governed agent access to enterprise data: one plugin routing to four existing tools, a Dataverse MCP server with 15 named and auditable capabilities, per-user role inheritance, and explicit human approval on the two irreversible deletes. Cursor joining Claude and Copilot is the news; the tool shape underneath is the part worth studying.

The honest caveats stay attached: the governance claims are Microsoft-stated design intent rather than audited fact, the “60+ servers” figure is a vendor aggregate, and MCP was never new to any of these hosts. Hold those lines and the release is still significant — because it turns an abstract promise into something a security-conscious buyer can inspect tool by tool.

For agencies building agentic systems, the takeaway is a template, not a purchase. Named tools, inherited identity, approval gates on the destructive operations: that is how you make an AI agent safe to point at a client's CRM, and now there is a shipped reference to point at when someone asks whether it can be done responsibly.

Ship governed agent access to your CRM

Governed agent access to enterprise data, built to be inspected.

We build governed, agentic systems on top of Dataverse, Zoho, and custom stacks — named tools, per-user roles, and human approval gates on the operations that matter, delivered in days not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Governed agent engagements

  • Named-tool MCP surfaces over CRM and ops data
  • Per-user role inheritance, no elevated agent identity
  • Approval gates on destructive writes
  • Dataverse / Dynamics 365 and Zoho integrations
  • Governance framing your security team can defend
FAQ · Dataverse MCP governance

The questions teams ask about governed agent access.

No — and this is the most common misread of the announcement. Claude (via the Claude Marketplace and Claude Code) and GitHub Copilot got the Dataverse coding-agent plugin on April 30, 2026, in a separate Power Platform Developer Blog post. The July 6, 2026 post adds Cursor as a newly supported platform, alongside an MCP certification programme for partners and a broader catalog of ready-made servers. So on July 6, only Cursor is genuinely new. The repository README also lists Codex support, which means the plugin reaches at least four coding-agent surfaces in practice even though Microsoft's headline names three.
Related dispatches

Continue exploring MCP and agentic development.