If your organization uses AWS Bedrock, Google Cloud Vertex AI, or an LLM gateway to access Claude, you can use the Claude for Excel and Claude for PowerPoint add-ins without a Claude account. The add-in connects through your organization's infrastructure, so your prompts and responses stay within your existing trust boundary.
There are three connection paths, depending on how your organization accesses Claude:
LLM gateway: The add-in sends requests to your gateway (LiteLLM, Portkey, Kong, etc.), which routes them to the provider of your choice. This is the same pattern used by Claude Code. If your organization already runs Claude Code through an LLM gateway, you can point the Office add-ins at the same endpoint—no new infrastructure is required.
Bedrock direct: The add-in authenticates through Microsoft Entra ID and calls AWS Bedrock directly, with no gateway in between.
Vertex AI direct: The add-in authenticates through Google OAuth and calls Vertex AI directly.
Your IT admin chooses the path during deployment. As an end user, the experience is the same regardless of which path your organization uses.
Requirements
Requirements vary by connection path.
All paths:
Claude for Excel or Claude for PowerPoint installed (from Microsoft AppSource or deployed by your admin)
Microsoft 365 with Entra ID (for admin consent and, in the direct-cloud paths, token issuance)
LLM gateway:
A gateway URL and API token from your IT team
Bedrock direct:
An AWS account with Claude model access enabled in the target region
An IAM OIDC identity provider and role configured to trust Microsoft Entra ID tokens
Vertex AI direct:
A Google Cloud project with the Vertex AI API enabled and Claude model access in the target region
A Google OAuth client configured with the add-in's redirect URI
Your organization's IT team manages these resources. If you don't have the credentials you need, contact them—Anthropic can't provide or reset them for you.
Network allowlist
The add-in needs to reach specific domains to function. Which domains are required depends on whether your organization uses the Anthropic API directly (1P) or a third-party platform (3P). Share the applicable table with your network or security team so they can allowlist these domains.
Important: In all configurations—including third-party—your prompts and Claude's responses travel only to your chosen inference provider (your gateway, Bedrock, or Vertex AI). The domains listed below that point to Anthropic (such as pivot.claude.ai) serve the add-in's interface, feature configuration, and operational telemetry. They don't carry prompt or response content.
Anthropic API (1P)
Use this table if people in your organization sign in with a Claude account and inference goes to api.anthropic.com.
Domain | Required when | Purpose |
pivot.claude.ai | Always | Add-in host. Serves the task pane UI and proxies analytics, icon search, skill downloads, and telemetry. |
claude.ai | Always | Anthropic OAuth sign-in and feature-flag evaluation. |
api.anthropic.com | Always | Claude inference API, file uploads, code-execution containers, and the MCP connector registry. |
appsforoffice.microsoft.com | Always | Microsoft Office.js runtime script. Required by every Office add-in. |
o1158394.ingest.us.sentry.io | Optional | Crash and error reporting. Blocking this degrades diagnostics only; the add-in still works. |
mcp-proxy.anthropic.com | If using MCP connectors | Proxy for MCP connector tool calls. |
bridge.claudeusercontent.com | If using work across apps | WebSocket bridge for the work across apps feature. |
Third-party platforms (3P)
Use this table if people in your organization sign in with Microsoft Entra ID and inference goes to your LLM gateway, Bedrock, or Vertex AI.
Domain | Required when | Purpose |
pivot.claude.ai | Always | Add-in host. Serves the task pane UI and proxies analytics, icon search, and telemetry. |
claude.ai/api/ | Always | Feature-flag evaluation. No sign-in; the add-in only fetches its configuration from here. |
appsforoffice.microsoft.com | Always | Microsoft Office.js runtime script (required by every Office add-in). |
login.microsoftonline.com | Always | Microsoft Entra ID sign-in via Nested App Auth. Reads admin-provisioned gateway config and issues tokens for direct-cloud auth. |
o1158394.ingest.us.sentry.io | Optional | Crash and error reporting. Blocking this degrades diagnostics only; the add-in still works. |
Your LLM gateway URL | If using an LLM gateway | Your organization's LLM gateway (LiteLLM, Portkey, Kong, etc.). Inference goes here instead of api.anthropic.com. |
sts.amazonaws.com | If using Bedrock direct | AWS STS. Exchanges the Entra ID token for temporary Bedrock credentials. |
bedrock-runtime.<region>.amazonaws.com | If using Bedrock direct | Bedrock inference endpoint. Replace <region> with your configured AWS region (for example, us-east-1). |
accounts.google.com | If using Vertex AI direct | Google OAuth consent screen. |
oauth2.googleapis.com | If using Vertex AI direct | Google OAuth token exchange and refresh. |
aiplatform.googleapis.com | If using Vertex AI direct | Vertex AI global inference endpoint. |
<region>-aiplatform.googleapis.com | If using Vertex AI direct | Vertex AI regional inference endpoint. Replace <region> with your configured GCP region (for example, us-east5). |
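To check an allowlist rollout against the 3P table, the following added example (not part of the original page or of Anthropic's tooling) derives the required hosts for one connection path and reports which of them a proxy denied. The log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts from the 3P table. A CONNECT-level proxy sees only the host name,
# so the table's "claude.ai/api/" entry reduces to "claude.ai" here.
ALWAYS = {"pivot.claude.ai", "claude.ai", "appsforoffice.microsoft.com",
          "login.microsoftonline.com"}
OPTIONAL = {"o1158394.ingest.us.sentry.io"}

def required_hosts(path, region=None, gateway_url=None):
    """Return the hosts the 3P table marks as required for one connection path."""
    if path == "gateway":
        extra = {urlsplit(gateway_url).hostname}
    elif path == "bedrock":
        extra = {"sts.amazonaws.com", f"bedrock-runtime.{region}.amazonaws.com"}
    elif path == "vertex":
        extra = {"accounts.google.com", "oauth2.googleapis.com",
                 "aiplatform.googleapis.com", f"{region}-aiplatform.googleapis.com"}
    else:
        raise ValueError(f"unknown connection path: {path}")
    return ALWAYS | extra

# Constructed log format (assumption): "<epoch> <result>/<status> CONNECT <host>:<port>"
_DENIED = re.compile(r"\sTCP_DENIED/\d+\s+CONNECT\s+([^\s:]+):\d+")

def denied_hosts(log_text, path, **kwargs):
    """Split the denied hosts into those required for this path and optional ones."""
    needed = required_hosts(path, **kwargs)
    denied = {m.group(1).lower() for m in _DENIED.finditer(log_text)}
    return {"required": sorted(denied & needed), "optional": sorted(denied & OPTIONAL)}

# Constructed sample lines, not taken from a real proxy.
SAMPLE_LOG = """\
1718000001.100 TCP_TUNNEL/200 CONNECT pivot.claude.ai:443
1718000002.250 TCP_DENIED/403 CONNECT sts.amazonaws.com:443
1718000002.900 TCP_DENIED/403 CONNECT o1158394.ingest.us.sentry.io:443
1718000003.410 TCP_DENIED/403 CONNECT bedrock-runtime.us-west-2.amazonaws.com:443
1718000004.020 TCP_TUNNEL/200 CONNECT bedrock-runtime.us-east-1.amazonaws.com:443
"""

if __name__ == "__main__":
    # The us-west-2 denial is not reported: only the configured region is required.
    print(denied_hosts(SAMPLE_LOG, "bedrock", region="us-east-1"))
```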
Deploy the add-in for third-party use (IT admins)
Use the claude-in-office plugin to configure and deploy the add-in across your organization. This tool handles provisioning cloud resources (if using Bedrock or Vertex AI direct), generating the add-in manifest, and obtaining admin consent in a single guided flow.
Use the setup wizard
Install the plugin and run the interactive setup wizard.
macOS and Linux:
curl -LO https://pivot.claude.ai/plugins/claude-in-office.zip
unzip claude-in-office.zip -d claude-in-office
claude --plugin-dir ./claude-in-office
Windows (PowerShell):
curl.exe -LO https://pivot.claude.ai/plugins/claude-in-office.zip
Expand-Archive claude-in-office.zip -DestinationPath claude-in-office
claude --plugin-dir .\claude-in-office
The wizard walks you through your connection path:
LLM gateway: Collects your gateway URL and token, generates the manifest, and handles Azure admin consent.
Bedrock direct: Creates the IAM OIDC identity provider and role, generates the manifest, and handles Azure admin consent.
Vertex AI direct: Walks you through creating the Google OAuth client, generates the manifest, and handles Azure admin consent.
When the wizard completes, the add-in is ready to deploy tenant-wide.
Note: The Bedrock and Vertex AI paths require Node.js for manifest generation and validation. The wizard checks for it and prompts you to install it if it's missing.
You can use the following commands inside a claude-in-office session:
Command | What it does |
| Interactive wizard—provisions cloud resources, admin consent, writes manifest |
| Generates the customized add-in manifest XML |
| Generates the Azure admin consent URL for the add-in's app registration |
| Writes per-user config via Microsoft Graph extension attributes |
What the wizard provisions
The wizard automates resource creation based on your connection path. Here's what it sets up:
LLM gateway: No cloud resources to provision. The wizard collects your gateway URL and token, then generates the manifest.
Bedrock direct: Creates an IAM OIDC identity provider that trusts Microsoft Entra ID tokens, a role with bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions, and a trust policy scoped to the Claude add-in's application ID.
Vertex AI direct: Walks you through creating a Google OAuth client in the GCP Console (this step can't be automated via CLI), enables the Vertex AI API, and captures the client ID and secret for the manifest.
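One way to review the role created for the Bedrock direct path, as an added example rather than the plugin's own code: it checks that the trust policy accepts only the add-in's application ID and that the permission policy grants nothing beyond the two invoke actions. It assumes the scoping is a StringEquals condition on the OIDC provider's :aud key; the issuer form, account ID, tenant and application ID below are placeholders.

```python
ALLOWED_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_app_id):
    """Return findings for a role trust policy; an empty list means it is scoped."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if _as_list(st.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: allows more than sts:AssumeRoleWithWebIdentity")
        principal = st.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if ":oidc-provider/" not in str(federated):
            findings.append(f"statement {i}: principal is not an IAM OIDC provider")
        # Only an exact match counts; StringLike or a missing condition is reported.
        equals = st.get("Condition", {}).get("StringEquals", {})
        aud = {v for k, vals in equals.items() if k.lower().endswith(":aud")
               for v in _as_list(vals)}
        if not aud:
            findings.append(f"statement {i}: no StringEquals condition on the :aud key")
        elif aud != {expected_app_id}:
            unexpected = sorted(aud - {expected_app_id})
            findings.append(f"statement {i}: unexpected :aud values {unexpected}")
    return findings

def audit_permissions(policy):
    """Return findings for the permission policy: anything beyond the two invoke actions."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        extra = sorted(set(_as_list(st.get("Action", []))) - ALLOWED_ACTIONS)
        if extra or "NotAction" in st:
            findings.append(f"statement {i}: grants beyond the two invoke actions: {extra or 'NotAction'}")
    return findings

# Constructed policies with placeholder identifiers (assumptions, not the wizard's output).
APP_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = "login.microsoftonline.com/TENANT-ID/v2.0"
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": APP_ID}}}]}
# Same statement without the condition: every audience registered on the provider is accepted.
UNSCOPED = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in SCOPED["Statement"][0].items() if k != "Condition"}]}
```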
Per-user configuration
If some values vary per user—for example, different gateway tokens or different AWS roles for different teams—the wizard can write per-user configuration via Microsoft Graph extension attributes. Run /claude-in-office:update-user-attrs with the per-user keys after the initial setup.
Deploy to Microsoft 365
After the wizard generates your manifest:
Open the Microsoft 365 Admin Center and go to Settings > Integrated Apps > Upload custom apps.
Select “Office Add-in” as the app type, then upload the manifest.xml file.
Choose who gets the add-in:
If all users share the same configuration, select “Entire organization.”
If you wrote per-user attributes in the previous step, assign to Specific users/groups matching exactly who was configured. Anyone else would open the add-in with no configuration.
Accept permissions and finish deployment.
Propagation to users takes up to 24 hours (usually much faster). The add-in appears under Home > Add-ins in Excel and PowerPoint once it lands.
Note: Start with a pilot group to confirm the add-in works, then widen the assignment. You can change assignment later without redeploying.
After deploying the add-in, your users can connect by following the steps below.
Connection instructions for end users
LLM gateway
Open Excel or PowerPoint and launch the Claude add-in.
On the sign-in screen, select "Enterprise gateway."
Enter the Gateway URL and API token your IT team provided.
Gateway URL: The HTTPS base URL of your LLM proxy (for example, https://llm-gateway.yourcompany.com).
API token: The bearer token your proxy expects. The add-in sends this in the Authorization: Bearer <token> header with every request.
The add-in checks the connection by sending a test request to the gateway. If it succeeds, you'll see the main app experience.
Your credentials are stored locally in your browser's localStorage within the add-in's sandboxed iframe. They aren't synced to Anthropic's servers. Because the Office add-in runs inside a sandboxed iframe within the Microsoft application, it can't use your OS keychain the way Claude Code does—for this reason, only enter gateway-issued tokens, not raw cloud provider credentials.
Bedrock or Vertex AI direct
Open Excel or PowerPoint and launch the Claude add-in.
Sign in with your Microsoft work account. The add-in uses your Entra ID token to authenticate with your cloud provider—no separate cloud credentials are needed.
The add-in reads the configuration your admin provisioned and connects to Bedrock or Vertex AI directly.
If you see an error at sign-in, confirm with your IT team that your account is in the group assigned to the add-in.
Change or update your connection
If your API token expires or your IT team gives you a new URL, go to "Settings" in the add-in sidebar, enter the new values, and select "Test connection."
Gateway requirements for IT teams
The Office add-ins only support the Anthropic Messages API format via the Unified endpoint. This is more specific than Claude Code, which also supports Bedrock InvokeModel and Vertex rawPredict formats directly.
Required endpoints
Your gateway must expose these two endpoints:
Endpoint | Description |
/v1/messages | Send messages to Claude. Supports both streaming and non-streaming responses. |
/v1/models | List available models. |
Required headers
The gateway must forward the following request headers from the add-in to the upstream provider:
anthropic-beta — Enables beta features required by the add-in.
anthropic-version — Specifies the API version for request/response format.
Failure to forward these headers may result in reduced functionality or prevent the add-in from working.
Model discovery
On login, the add-in validates the token via GET /v1/messages and then attempts to discover available Claude models via GET /v1/models. If your gateway doesn't expose a model list at that path, the add-in falls back to prompting the user for a model ID manually.
Differences from Claude Code gateway setup
Aspect | Claude Code | Claude for Excel and PowerPoint |
Supported API formats | Anthropic Messages, Bedrock InvokeModel, Vertex rawPredict | Anthropic Messages only (Unified endpoint) |
Endpoint types | Unified and pass-through | Unified only |
Credential storage | OS keychain or environment variables | Browser localStorage (sandboxed iframe) |
Auth configuration | Environment variables, settings file, helper scripts | Manual entry in add-in UI (gateway) or Entra ID (direct cloud) |
Token refresh | Supports helper scripts for rotation | Manual re-entry in settings (gateway) or automatic via Entra ID (direct cloud) |
Custom model names | Configurable via environment variables | Not configurable in v1 |
Example gateway configuration with LiteLLM
Warning: LiteLLM PyPI versions 1.82.7 and 1.82.8 were compromised with credential-stealing malware. Do not install these versions. If you have already installed them:
Remove the package
Rotate all credentials on affected systems
Follow the remediation steps in BerriAI/litellm#24518
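An added example (not from LiteLLM or Anthropic) that scans requirement or lock-file lines for the two compromised releases named above and checks the version installed in the current interpreter. The sample lines and the function names are constructed.

```python
import re
from fnmatch import fnmatchcase
from importlib import metadata

COMPROMISED = {"1.82.7", "1.82.8"}  # the versions named in the warning above

# "litellm", optional extras, then the specifier up to a marker, comment or line continuation.
# The lookahead keeps other packages whose names merely start with "litellm" out of the scan.
_REQ = re.compile(r"^\s*litellm(?![\w.-])(?:\[[^\]]*\])?(?P<spec>[^;#\\]*)", re.I)

def classify(spec):
    """Return 'compromised', 'review' or 'ok' for one version specifier string."""
    pins = [c.strip()[2:].lstrip("=").strip()
            for c in spec.split(",") if c.strip().startswith("==")]
    if not pins:
        return "review"  # a range or bare name: the resolver may have picked a bad release
    if not any(fnmatchcase(bad, pins[0]) for bad in COMPROMISED):
        return "ok"
    # "==1.82.*" admits the bad releases without naming one, so it needs a lock-file check.
    return "review" if "*" in pins[0] else "compromised"

def scan_requirements(text):
    """Return [(line_number, verdict)] for every litellm requirement line in text."""
    found = []
    for number, line in enumerate(text.splitlines(), 1):
        match = _REQ.match(line)
        if match:
            found.append((number, classify(match.group("spec"))))
    return found

def installed_is_compromised():
    """True or False for the litellm installed in this interpreter, None if absent."""
    try:
        return metadata.version("litellm") in COMPROMISED
    except metadata.PackageNotFoundError:
        return None

# Constructed requirement lines, gathered into one string for the demonstration.
SAMPLE = """\
# constructed requirement lines
requests==2.32.3
LiteLLM[proxy]==1.82.7 \\
    --hash=sha256:PLACEHOLDER
litellm>=1.80,<2  # range
litellm-proxy-extras==0.1.0
litellm==1.81.0 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    print(scan_requirements(SAMPLE), installed_is_compromised())
```

A "review" verdict means the file alone cannot rule the bad releases out; compare it with the resolved lock file or the installed version on each host.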
LiteLLM is a third-party proxy service. Anthropic doesn’t endorse, maintain, or audit LiteLLM’s security or functionality. This guide is provided for informational purposes and may become outdated. Use at your own discretion.
Many organizations use LiteLLM as their gateway. Below is a minimal litellm_config.yaml for routing Office add-in requests to Anthropic, Bedrock, or Vertex.
Routing to Anthropic directly
yaml
model_list:
  - model_name: claude-sonnet-4-5-20250929
    litellm_params:
      model: claude-sonnet-4-5-20250929
      api_key: os.environ/ANTHROPIC_API_KEY
litellm_settings:
  drop_params: true
Routing to Amazon Bedrock
yaml
model_list:
  - model_name: claude-sonnet-4-5-20250929
    litellm_params:
      model: bedrock/anthropic.claude-sonnet-4-5-20250929-v1:0
      aws_region_name: us-east-1
litellm_settings:
  drop_params: true
Routing to Google Cloud Vertex AI
yaml
model_list:
  - model_name: claude-sonnet-4-5-20250929
    litellm_params:
      model: vertex_ai/claude-sonnet-4-5-20250929
      vertex_project: your-gcp-project-id
      vertex_location: us-east5
litellm_settings:
  drop_params: true
Routing to Azure
yaml
model_list:
  - model_name: claude-sonnet-4-5-20250929
    litellm_params:
      model: azure_ai/claude-sonnet-4-5-20250929
      api_base: https://your-resource.services.ai.azure.com/anthropic
      api_key: os.environ/AZURE_API_KEY
      extra_headers:
        x-api-key: os.environ/AZURE_API_KEY
litellm_settings:
  drop_params: true
For detailed setup instructions, refer to LiteLLM's Anthropic format documentation.
What Anthropic collects
Even when inference goes through your own infrastructure, the add-in communicates with pivot.claude.ai to load its interface and with claude.ai/api/ to evaluate feature flags. These connections transmit operational telemetry—such as which features are used, performance timings, and error rates—so Anthropic can maintain and improve the add-in experience. They don't transmit your prompts or Claude's responses.
Anthropic collects information in accordance with AWS Bedrock, Google Cloud Vertex AI, or Microsoft Azure's terms, consistent with Anthropic's arrangements with customers. Anthropic doesn't have access to a customer's AWS, Google, or Microsoft instance, including prompts or outputs it contains. Anthropic doesn't train generative models with such content or use it for other purposes. Anthropic can access metadata—such as tool use, token counts, and similar items—and use such metadata for analytic and product improvement purposes.
For details on what your organization's gateway or cloud provider logs, contact your IT team.
How this differs from signing in with a Claude account
When you sign in with a Claude account, the add-ins connect directly to Anthropic. When you connect through a third-party platform, the add-ins send inference requests to your organization's infrastructure instead, and your IT team controls how that traffic is routed and logged.
Some features that rely on having a Claude account aren't available through third-party platforms yet, but we're working on adding support:
Feature | Claude account | Third-party platform |
Chat with your spreadsheet or deck | ✓ | ✓ |
Read and edit cells, slides, formulas | ✓ | ✓ |
Connectors (S&P, FactSet, etc.) | ✓ | Coming soon |
Working across apps | ✓ | — |
Skills | ✓ | Coming soon |
File uploads | ✓ | — |
Web search | ✓ | Vertex only |
If your team needs these features, talk to your Claude admin about which sign-in path fits your organization.
Troubleshooting
"Connection refused" or network error
The gateway URL or cloud endpoint is unreachable from the user's network. Verify the URL is correct, the service is running, and there are no firewall or VPN restrictions blocking the connection. Check the Network allowlist section above to confirm all required domains are allowed.
401 Unauthorized or "Invalid token"
The auth token is invalid or expired. For gateway connections, confirm the token with your IT team. For direct-cloud connections, verify the user's Entra ID account is in the assigned group and that the OIDC trust or OAuth client is configured correctly.
403 Forbidden or "Access denied"
The token is valid but lacks the right permissions. For Bedrock, verify the IAM role has bedrock:InvokeModel permissions. For Vertex, verify the service account has aiplatform.endpoints.predict permissions. For gateways, check the token's scope with your IT admin.
404 Not found
The add-in couldn't reach the expected API path. For gateways, verify the URL is the base URL (for example, https://litellm-server:4000)—don't include /v1/messages in the URL field.
500 or other server errors
The gateway or cloud provider encountered an internal error. Check your gateway logs (for example, docker logs litellm if using LiteLLM) for upstream provider errors. Try the request again, and contact your IT admin if the issue persists.
"No models available"
The add-in couldn't find Claude models. For gateways, your gateway may not expose a model list at GET /v1/models. Your IT team can either configure the gateway to serve a model list or give you a specific model ID to enter manually. For Bedrock or Vertex, confirm that at least one Claude model (Claude Sonnet 4.5 or later) is enabled in your account and region.
Streaming responses fail or hang
Verify that your gateway supports Server-Sent Events (SSE) pass-through. Some proxy configurations strip or buffer SSE connections, which prevents streaming responses from reaching the add-in.
A feature I expected isn't available
Connectors, skills, file uploads, and Working Across Apps aren't available through third-party platforms yet. If you need these, ask your admin about signing in with a Claude account instead.
