If you have searched for Claude Outlook MCP, you are almost certainly trying to do one of two things. Either you want Claude Desktop or Claude Code to read, search, and send email from your Microsoft 365 mailbox, or you are evaluating whether it is safe to do that at all. Both questions have the same answer: PortEden. PortEden is the data firewall for AI, and it ships a hosted MCP server that connects Claude to Outlook 365 with the granular access controls that Microsoft Graph alone does not give you.
This guide walks through what the PortEden MCP server does, how to connect Claude to Outlook in under five minutes, how to use the same server from ChatGPT, and the security controls you should turn on before you let any AI agent touch a corporate inbox.
Why You Need a Secure Claude Outlook MCP Server
The Model Context Protocol (MCP) is the standard way Claude connects to external tools and data. An MCP server for Outlook gives Claude the ability to call Microsoft Graph on your behalf, so prompts like "summarize my unread email from today" or "draft a reply to the latest message from accounting" actually work.
The problem is that the obvious path, registering an Azure AD app and granting Mail.ReadWrite to a self-built MCP server, hands Claude full access to every folder, every contact, every attachment, and every shared mailbox the user can reach. There is no way to say "read the inbox but never the HR folder", no way to enforce draft-only sending, and no audit log of what Claude actually did.
A secure Claude Outlook MCP server has to do three things at once: speak MCP correctly, translate cleanly to Microsoft Graph, and apply per-tool access rules before any data leaves your tenant. That is what PortEden was built for.
What Is the PortEden Claude Outlook MCP Server
PortEden runs a hosted MCP server at https://mcp.porteden.com/email. It exposes a provider-agnostic email surface to Claude and routes every call through PortEden's rules engine before forwarding it to Microsoft Graph (or Gmail, if you connect both). You do not need to register your own Azure AD application, host any infrastructure, or write a single line of code.
How the MCP Connection Works
When you add the PortEden MCP server to Claude Desktop, Claude sees a set of email tools it can invoke. Each tool call travels from Claude to PortEden over MCP, gets checked against your access rules, and is then translated into the corresponding Microsoft Graph request against your Outlook 365 mailbox. The response is sanitized, redacted as required, and returned to Claude in a token-efficient format.
Authentication happens once at my.porteden.com. You connect your Microsoft 365 account through Microsoft's consent flow, and PortEden stores the OAuth token in its vault. Claude never sees the token, never holds the refresh token, and cannot exceed the scopes you have approved.
The Eight Outlook Email Tools
The PortEden MCP email server exposes eight tools, each labelled with the access level Claude needs to call it:
- email_search (Read) for filtering Outlook messages by sender, recipient, subject, folder, date range, and free text
- email_get (Read) for retrieving a single message including body, attachments list, and importance
- email_get_thread (Read) for pulling a full conversation in chronological order
- email_send (Send) for composing a new Outlook message
- email_reply (Send) for replying, with optional reply-all
- email_forward (Send) for forwarding with an optional prepended note
- email_modify (Update) for marking read or unread and changing folders or categories
- email_delete (Delete) for moving a message to Deleted Items, recoverable for 30 days
Each tool maps to a permission you grant in PortEden. If you never grant the Send permission, Claude cannot send mail, even if it tries. The MCP server simply rejects the call.
Setting Up Claude MCP for Outlook in Five Minutes
The full path from zero to a working Claude Outlook MCP connection is three steps.
Step 1. Connect Microsoft 365 to PortEden
Sign in at my.porteden.com, choose Add account, and pick Microsoft 365. You will be redirected to Microsoft's consent screen, where you approve the requested Mail and Calendar scopes for your tenant. PortEden stores the resulting token securely. No data is copied to PortEden until Claude actually requests it.
Step 2. Add the MCP Server to Claude Desktop
Open Claude Desktop, go to Settings then Developer, and add the PortEden email server to your config:
    {
      "mcpServers": {
        "porteden-email": {
          "url": "https://mcp.porteden.com/email"
        }
      }
    }

Restart Claude Desktop. The first tool call will trigger a one-time authentication handshake against your PortEden account. From then on, Claude can search and act on your Outlook 365 mailbox using natural language. For the full walkthrough see the Connect Claude to PortEden guide.
Step 3. Configure Access Rules
This is the step that most people skip and later regret. Open the access rules editor and decide what Claude is allowed to see and do. At minimum, set a default visibility level (full, headers only, or field-level redaction), add per-domain rules for sensitive senders such as legal, HR, and finance (typically headers-only or hidden), and decide whether Claude can send mail or only draft it. The defaults are conservative on purpose.
Using the Same MCP Server Inside ChatGPT
ChatGPT now supports MCP servers through its connectors interface for ChatGPT Plus, Pro, Team, and Enterprise plans. The same https://mcp.porteden.com/email endpoint works without modification. Add it as a custom connector inside ChatGPT, complete the PortEden authentication, and your Outlook 365 mailbox is available to ChatGPT under the exact same access rules you configured for Claude.
This is the point most teams miss. Your security policy lives inside PortEden, not inside the AI client. Switching from Claude to ChatGPT, or running both at the same time, does not require a second round of OAuth grants and does not create a second blast radius. Step-by-step instructions are in the Connect ChatGPT to PortEden guide.
Security Controls You Should Enable
A Claude Outlook MCP integration is only as safe as the rules wrapped around it. These are the controls every team should turn on before pointing Claude at a real Microsoft 365 mailbox.
Read-Only and Draft-Only Modes
Read-only mode strips the Send, Update, and Delete tools from the MCP surface entirely. Claude can summarize, search, and answer questions about your inbox, but it cannot mutate anything. Draft-only mode is the middle ground: Claude composes outgoing messages but they land in your Outlook Drafts folder for human review. Both modes are toggled per token, so you can give your assistant agent draft-only access while keeping a personal token in full read-only.
Folder and Label Restrictions
Restrict Claude to a specific Outlook folder, such as a project inbox or a triaged-for-AI folder. This is the cleanest way to keep Claude useful without exposing decades of historical mail. Combined with time-based limits (last 30 days only), it shrinks the surface area dramatically.
Audit Logs and Instant Revocation
Every MCP tool call is logged with the requesting client, the tool name, the arguments, and what was returned, blocked, or redacted. If something goes wrong, you can see exactly which messages Claude touched. And if you ever need to cut access in a hurry, one click in the PortEden dashboard revokes the token across both Claude and ChatGPT immediately. No waiting for the Microsoft Graph token to expire.
Allow Lists and Block Lists for Outlook
Allow lists and block lists are the workhorse of any Claude MCP Outlook deployment. In PortEden they are not a binary allow/deny switch. They are visibility levels keyed by email address or domain that decide, per sender, how much of a message Claude actually sees: full content, headers and metadata only, field-level redaction, or fully hidden.
This matches the way real inboxes work. Mail from your CEO is not the same as mail from a vendor newsletter, which is not the same as mail from your outside counsel. With per-contact and per-domain visibility rules you can let Claude work on the messages that benefit from AI while quietly redacting or hiding the ones that should not leave your tenant.
Contact and Domain Block Lists
A block list is a per-sender or per-domain rule that reduces or removes information Claude would otherwise see. PortEden supports four levels, applied independently to each contact or domain on the list:
- Full content — Claude sees the complete message, body, and attachments (the default for unlisted senders, unless you flip the surface to deny-by-default)
- Headers and metadata only — Claude sees sender, recipient, subject, date, and labels, but the body and attachments are stripped
- Field-level redaction — body is returned with names, amounts, dates, or other configured fields replaced by markers like [REDACTED], so Claude can still summarize the shape of a thread without seeing the sensitive specifics
- Hidden — the message is suppressed entirely; it does not appear in email_search, email_get, or email_get_thread and cannot be replied to or forwarded
Common Outlook block-list patterns:
- @legal.acme.com and outside counsel firms set to hidden, to preserve attorney-client privilege
- hr@acme.com and HR distribution lists set to headers only, so Claude can tell you a message exists without exposing salary or performance content
- Investor and M&A contacts set to field-level redaction during deal windows, redacting deal codenames and figures
- Vendor invoice senders set to full content on an explicit allow list, so Claude can extract amounts and due dates while everything unlisted defaults to a stricter level
The rule applies across every email tool on the MCP surface, not just email_search. A redaction set on a domain is enforced when Claude reads a single message, when it pulls a thread, when it composes a reply, and when it forwards. Hidden senders cannot become reply or forward targets either. This also defangs the most common Outlook prompt injection vector: a hostile external sender whose body Claude never sees cannot inject instructions into a prompt.
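The following sketch models the four visibility levels as a filter applied on both the single-message and thread read paths. It is an added example, not PortEden's code or rule syntax; the rule format, the function names, the redaction patterns, and the sample thread are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# The four visibility levels described above.
FULL, HEADERS_ONLY, REDACT, HIDDEN = "full", "headers", "redact", "hidden"

# Constructed rules in an assumed format: exact address or "@domain" -> level.
RULES = {"@legal.acme.com": HIDDEN, "hr@acme.com": HEADERS_ONLY,
         "@investor.example": REDACT}
# Constructed redaction patterns: currency amounts and deal codenames.
PATTERNS = [re.compile(r"\$\d[\d,]*(?:\.\d+)?"), re.compile(r"\bProject \w+")]

def level_for(sender, rules=RULES, default=FULL):
    """Exact-address rule wins, then the sender's domain, then the default."""
    addr = parseaddr(sender)[1].strip().lower()
    if addr.count("@") != 1:
        return HIDDEN  # unparseable sender: fail closed
    return rules.get(addr) or rules.get("@" + addr.split("@")[1]) or default

def apply_visibility(msg, rules=RULES, default=FULL):
    """Return the view of msg the model may receive, or None if hidden."""
    level = level_for(msg["from"], rules, default)
    if level == HIDDEN:
        return None
    view = {k: msg[k] for k in ("id", "from", "subject", "date")}
    if level == HEADERS_ONLY:
        return view  # body and attachments never leave the gateway
    body = msg["body"]
    if level == REDACT:
        for pattern in PATTERNS:
            body = pattern.sub("[REDACTED]", body)
    return {**view, "body": body, "attachments": msg["attachments"]}

def filter_thread(messages, rules=RULES, default=FULL):
    """Apply the same rule on the thread path so hidden mail cannot leak there."""
    views = (apply_visibility(m, rules, default) for m in messages)
    return [v for v in views if v is not None]

# Constructed sample thread.
THREAD = [
    {"id": 1, "from": "Counsel <jane@legal.acme.com>", "subject": "Privileged",
     "date": "2025-01-06", "body": "Advice on the claim", "attachments": []},
    {"id": 2, "from": "hr@acme.com", "subject": "Review cycle",
     "date": "2025-01-07", "body": "Salary bands attached", "attachments": ["bands.xlsx"]},
    {"id": 3, "from": "ir@investor.example", "subject": "Terms", "date": "2025-01-08",
     "body": "Project Falcon closes at $4,500,000 on Friday", "attachments": []},
]
```

Under headers-only the subject line still reaches the model, so only the hidden level removes a sender's text from the prompt entirely.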
Folder Allow Lists
The folder allow list is the strictest control PortEden offers for Outlook visibility. When enabled, Claude can only see messages inside the folders you explicitly opt in. Everything else, including the Inbox itself if it is not on the list, is invisible to the MCP server and to Claude.
The most common pattern is a dedicated AI or Claude folder in Outlook. You drag in the threads you want Claude to triage, draft, or summarize, and nothing else is reachable. Variations:
- Project allow list: only the Projects/Q3-Launch subfolder, so Claude is scoped to one initiative
- Customer allow list: only folders matching Customers/*, so Claude can answer support questions but never sees internal mail
- Inbox-only allow list: only the top-level Inbox, so archived and project folders stay private
Combine a folder allow list with a 30-day time window and you have shrunk the data surface from your entire Outlook history to messages you actively chose. The difference in blast radius is dramatic.
Send-To Allow Lists
Visibility is half the story. Outbound action needs its own allow list. The send-to allow list restricts which recipients email_send, email_reply, and email_forward can target. If a domain or address is not on the list, the MCP server rejects the call and the recipient never gets the message, even if Claude was tricked into composing it.
Typical configurations:
- Internal-only: allow only your own corporate domain, so Claude can never email external parties
- Customer-facing assistant: allow your domain plus a curated list of customer domains, so the agent can answer support tickets but not contact arbitrary recipients
- Single-recipient agent: allow only self, so all outbound mail goes to your own inbox for review before any human action
Pair the send-to allow list with draft-only mode for the tightest possible posture: Claude can compose, but the message sits in Drafts and can only be sent to a pre-approved recipient.
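A sketch of the outbound gate described in this section, combining the send-to allow list with draft-only mode. This is an added example, not PortEden's implementation; the argument names (to, cc, bcc), the allow-list entry format, and the function names are assumptions.

```python
from email.utils import getaddresses

SEND_TOOLS = {"email_send", "email_reply", "email_forward"}  # Send tools named above

def recipient_allowed(addr, allow, owner):
    """allow holds exact addresses, "@domain" entries, or the keyword "self"."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return False  # malformed address: fail closed
    domain = "@" + addr.split("@")[1]
    # Exact comparison: "@acme.com" must not admit "acme.com.evil.example",
    # and subdomains are only allowed when listed themselves.
    if addr in allow or domain in allow:
        return True
    return "self" in allow and addr == owner.lower()

def gate_send(tool, args, allow, owner, draft_only=False):
    """Decide the fate of an outbound tool call before it reaches the mail API."""
    if tool not in SEND_TOOLS:
        raise ValueError(f"not a send tool: {tool}")
    # Check every recipient field, not only "to": cc and bcc deliver mail too.
    fields = [v for key in ("to", "cc", "bcc") for v in args.get(key, [])]
    # getaddresses separates the display name from the real address, so a
    # display name that merely looks like an allowed address is ignored.
    recipients = [address for _, address in getaddresses(fields)]
    blocked = [r for r in recipients if not recipient_allowed(r, allow, owner)]
    if not recipients or blocked:
        return {"action": "reject", "blocked": blocked}
    return {"action": "draft" if draft_only else "send", "blocked": []}
```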
Org-Wide Block Lists via Account Policies
Per-token rules are useful, but they do not scale to a team where every employee creates their own MCP token for Claude. That is what Account Policies are for. An org-wide block list applies to every token, on every connected provider, with no way to override. Add @competitor.com to the account-level block list and no employee's Claude or ChatGPT instance can read or write to that domain, regardless of how their personal token is configured.
Account Policies are the right place for hard organizational constraints: legal hold lists, compliance-driven exclusions, terminated-employee accounts, and any domain that should be categorically off-limits to AI. Per-token rules then layer on top for project-specific tightening.
Common Use Cases for Claude Outlook MCP
Once the MCP server is wired up, the prompts that suddenly start working inside Claude Desktop tend to fall into a few buckets:
- Inbox triage: "Show me unread Outlook messages from the last 24 hours grouped by sender."
- Drafting replies: "Draft a reply to the latest email from procurement@acme.com matching the tone of my previous responses."
- Thread summarization: "Summarize the contract negotiation thread with counsel and list every open question."
- Cross-account search: "Search my Outlook and Gmail for any message mentioning the Q3 launch plan."
- Forwarding and routing: "Forward this expense report to accounting@company.com with a one-line summary."
None of these require a custom integration. They are all served by the same eight tools listed above, governed by the same access rules.
Why Not Use a Direct Microsoft Graph Connection
A do-it-yourself Claude Outlook MCP setup is technically possible. Register an Azure AD app, build an MCP server that wraps Microsoft Graph, host it somewhere, and point Claude at it. The reasons most teams stop doing that within a quarter:
- Microsoft Graph permissions are coarse. Mail.Read gives access to every folder including shared mailboxes, with no in-protocol way to scope down.
- There is no audit trail for what the AI did, only what Microsoft sees from the app registration. That is not enough for SOC 2 or GDPR evidence.
- You inherit responsibility for token storage, refresh, and rotation. A leaked refresh token gives an attacker the same access Claude has.
- You build it once for Claude, then again for ChatGPT, then again for the next AI client your team adopts. PortEden gives you one MCP endpoint that all of them can use.
- Raw Microsoft Graph responses are bloated with metadata that wastes context tokens and increases the chance of context compaction dropping safety instructions. PortEden returns clean, structured data.
For a deeper comparison of the Outlook surface specifically, see our solution page on securing Outlook for AI agents.
The Bottom Line
Claude Outlook MCP is no longer a research project. The PortEden MCP server gives Claude (and ChatGPT) safe, controlled access to Microsoft 365 email in under five minutes, with the granular rules, audit logs, and instant revocation that Microsoft Graph cannot provide on its own.
One MCP endpoint. Every AI client. Every access decision logged and reversible. That is what a data firewall for AI looks like.
Your Outlook. Your rules. Claude on the other side.