- By category level
- By individual tool
- Or both
Manage tool access
To manage Box MCP Server tool access:- Open the Admin Console.
- In the left sidebar, select Integrations.
- Select the Box MCP Server tab.
- An Enablement control
- A Configure button
Set category-level access
To set access for an entire category:- In the Box MCP Server table, find the tool category you want to configure.
- Select the Enablement control.
- Choose one of the following options:
- Disable all tools — No tools in the category are available to users.
- Enable read-only tools — Only tools that read data are available.
- Enable read & write tools — All tools in the category, including those that create or modify data, are available.
- Custom configuration — You choose which individual tools within the category are available. To configure individual tools, see the next section.
Configure individual tools
To control access of the specific tools within a category:- In the Box MCP Server table, find the tool category you want to configure.
- Select Configure.
- Category name and description
- Enablement options
- Tools grouped under:
- Read only MCP tools
- Write MCP tools
- A toggle for each tool
How controls stay in sync
- Selecting an Enablement option updates all tool toggles.
- Enable read & write tools turns on all tools.
- Disable all tools turns everything off.
- Changing individual toggles updates the Enablement selection.
- Only read tools enabled → Enable read-only tools
- All tools enabled → Enable read & write tools
- All tools disabled → Disable all tools
- Any other combination → Custom configuration
- After you click Save, a confirmation message appears.
Search for tools
You can find a specific tool without browsing categories by using Admin Console search.- Select the search bar at the top of any Admin Console page.
- Enter a keyword.
- Select a result.
Enforcement behavior
When a tool is disabled:- Box removes it from the tool list returned to the MCP client.
- Agents cannot discover or use it.
- Box enforces the change at runtime.
- The MCP Server returns an error such as:
Tool has been disabled by the enterprise admin. Contact your enterprise admin for more information.During an active session:
- The user might see a generic error (for example, “tool not found”).
- The exact message depends on the MCP client.
Some MCP clients cache the tool list. After a tool is enabled or disabled, an agent might still reference a cached version of the list and attempt to call a tool that is no longer available, or not yet see a newly enabled tool. If this happens, close and reopen the MCP client so that it fetches an updated tool list.
Audit tool enablement changes
To review when and how tool settings changed:- Open the Admin Console.
- In the left sidebar, select Reports.
- Select Create Report, then select Security Logs.
- Under Integrations, select Changed MCP Tools Enablement Status.
| Field | Description |
|---|---|
| User | Admin who made the change |
| Category | Modified tool category |
| Setting | Setting that changed |
| Original Value | Previous value |
| New Value | Updated value |
| Date | When the change occurred |
- Some categories might be unavailable. Categories such as Hubs or AI might not be available for every enterprise. Check your subscription for details.
- Settings are enterprise-wide. Tool enablement applies to the entire enterprise. Per-client, user-level, or group-level controls are not supported.