Skip to main content
The Outlook connector provides full access to Microsoft Outlook mailboxes via the Microsoft Graph API, enabling AI agents and automations to read, search, send, and manage emails.

Read Operations

List folders, messages, and attachments with filtering and pagination

Send Operations

Send, reply, reply-all, forward emails with HTML support

Manage Messages

Move, copy, delete, and update message properties

Prerequisites

  • An Azure AD Application registered in your tenant
  • Application permissions granted (not Delegated):
    • Mail.Read - Read mail in all mailboxes
    • Mail.ReadWrite - Create drafts, update, delete, move, copy
    • Mail.Send - Send, reply, reply-all, forward
    • MailboxSettings.Read - Read mailbox settings
  • Admin consent granted for these permissions
Minimal permissions: If you only need read access, Mail.Read and MailboxSettings.Read are sufficient. Add Mail.Send and/or Mail.ReadWrite only if you use write tools.

Installation

  1. Go to Apps in your workspace
  2. Search for Outlook App and install it
  3. Configure the app instance with your Azure AD credentials

Configuration

FieldValue
Azure Client IDApplication (client) ID from Azure AD
Azure Client SecretClient secret value
Azure Tenant IDDirectory (tenant) ID
Default User IDEmail address or user object ID of the target mailbox

Available Automations

Read Operations

AutomationDescriptionPermission
listMailFoldersList all mail folders with message countsMail.Read
getMailFolderGet folder details by ID or well-known nameMail.Read
listMessagesList messages with filtering, pagination, sortingMail.Read
getMessageGet full message content and metadataMail.Read
searchMessagesSearch messages using KQL syntaxMail.Read
listAttachmentsList all attachments for a messageMail.Read
getAttachmentGet attachment content as base64Mail.Read
getMailboxSettingsGet timezone, locale, automatic repliesMailboxSettings.Read

Send Operations

AutomationDescriptionPermission
sendMailSend an email (to/cc/bcc, HTML/text, importance)Mail.Send
sendDraftSend an existing draft messageMail.Send
replyMessageReply to a messageMail.Send
replyAllMessageReply-all to a messageMail.Send
forwardMessageForward a message to recipientsMail.Send

Write Operations

AutomationDescriptionPermission
createDraftCreate a draft email in Drafts folderMail.ReadWrite
updateMessageUpdate properties (read status, importance)Mail.ReadWrite
deleteMessageSoft-delete (move to Deleted Items)Mail.ReadWrite
moveMessageMove message to another folderMail.ReadWrite
copyMessageCopy message to another folderMail.ReadWrite

DSUL Examples

List Messages

- Outlook App.listMessages:
    userId: user@company.com
    folderId: inbox
    top: 10
    filter: "isRead eq false"
    output: messages

Send an Email

- Outlook App.sendMail:
    userId: user@company.com
    to: recipient@example.com
    subject: Meeting Follow-up
    body: "<p>Thank you for the meeting today.</p>"
    contentType: HTML
    output: result

Search Messages

- Outlook App.searchMessages:
    userId: user@company.com
    query: "from:john@example.com subject:project"
    top: 20
    output: results

Reply to a Message

- Outlook App.replyMessage:
    userId: user@company.com
    messageId: "{{messageId}}"
    comment: "Thanks for the update!"
    output: result

Security: Restrict to One Mailbox

Application permissions grant access to all mailboxes in the tenant by default. To restrict this connector to a single mailbox, use an Application Access Policy in Exchange Online: 
# 1. Connect to Exchange Online
Connect-ExchangeOnline

# 2. Create a mail-enabled security group with only the target mailbox
New-DistributionGroup -Name "OutlookMCP-Allowed" -Type Security -Members user@yourdomain.com

# 3. Restrict the Azure AD app to only access that group's mailboxes
New-ApplicationAccessPolicy -AppId "<your-azure-client-id>" `
  -PolicyScopeGroupId "OutlookMCP-Allowed" `
  -AccessRight RestrictAccess `
  -Description "Restrict Outlook connector to single mailbox"

# 4. Verify (may take up to 30 minutes to propagate)
Test-ApplicationAccessPolicy -AppId "<your-azure-client-id>" -Identity user@yourdomain.com
# Expected: Granted
The PowerShell commands above are provided as general guidance. Always refer to the official Microsoft documentation for the most up-to-date syntax.

Error Handling

HTTP StatusErrorSolution
401UnauthorizedVerify clientId, clientSecret, tenant
403ForbiddenGrant admin consent or check Application Access Policy
404Not FoundVerify user email/ID exists in tenant
429Rate LimitedWait and retry

Common Issues

AADSTS700016 - App not found in the directory. Check tenant ID matches the app registration. MailboxNotEnabledForRESTAPI - The user needs an Exchange Online license assigned. ErrorAccessDenied with Application Access Policy - The target mailbox is not in the allowed security group. Takes up to 30 minutes to propagate after policy changes.

External Resources

Microsoft Graph Mail API

Official API documentation

Application Access Policies

Restrict mailbox access per application

Graph Explorer

Test API calls interactively

MCP Specification

Model Context Protocol specification