MCP · Claude · ChatGPT · Outlook · M365

Claude Outlook MCP — Connect Claude to M365 Email

Hosted MCP server that gives Claude Desktop, Claude Web, and ChatGPT controlled access to Outlook 365 email. Folder allow-lists, draft-only mode, audit logs, and instant revocation — five-minute setup, no Azure AD app to register.


Free tier · No credit card required

Maps to: SOC 2, GDPR, HIPAA, EU AI Act

Drop-In Configuration

Add One JSON Block to Claude Desktop.

claude_desktop_config.json

{
  "mcpServers": {
    "porteden-email": {
      "url": "https://mcp.porteden.com/email",
      "headers": { "Authorization": "Bearer ${PE_API_KEY}" }
    }
  }
}

Same endpoint serves Claude Desktop, Claude Web (via Cowork), ChatGPT (via Connectors), and Cursor. One PortEden token covers Outlook + Gmail + Exchange.

Connect From Any AI Client

One MCP Endpoint, Every Client.

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows), then restart Claude Desktop.

The Risk

What Goes Wrong Without PortEden

Building Your Own MCP Server Means Owning Azure AD + Token Storage

Register an Azure AD app, store refresh tokens somewhere safe, handle rotation, host the server, keep it patched. A weekend project that turns into ongoing infra.

Microsoft Graph Permissions Are Coarse — Mail.ReadWrite Means All Mail

There is no native way to say 'read the inbox but never the HR folder' or 'send replies but only to internal recipients'. Mail.ReadWrite hands the agent every folder, every chat, every attachment.

No Audit Log = No SOC 2 Evidence of What the Agent Did

Microsoft logs the app registration's API calls. It does not log which MCP tool Claude called, what arguments it passed, or what the response contained after redaction. Quarterly compliance reviewers want all three.

The Solution

Built For Claude × Outlook MCP

Folder Allow-Lists and Contact Visibility Rules

Restrict Claude to a single Outlook folder (e.g. an 'AI triage' folder), or to messages from approved senders. Per-domain visibility levels — full, headers-only, field-redacted, or hidden — apply across email_search, email_get, and email_reply.

Draft-Only Mode and Send-To Allow-Lists

Force Claude's outbound mail into Drafts for human review. Restrict allowed recipients to your corporate domain. Even if Claude is tricked into composing a message, the MCP server refuses to send it.
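
The send-to allow-list and draft-only behaviour described above, as an added Python example that is not PortEden's code. The policy values, the to/cc/bcc argument names, the 'draft' outcome and the corp.example domain are assumptions; the check is an exact domain match on the parsed address across every recipient field, and it assumes reply recipients have already been resolved into those arguments.

```python
from email.utils import getaddresses

# Assumed policy values for illustration; not PortEden's configuration format.
ALLOWED_DOMAINS = {"corp.example"}
SEND_TOOLS = {"email_send", "email_reply"}  # tool names as they appear on this page


def recipient_domains(args):
    """Return the set of domains across To, Cc and Bcc of one tool call."""
    raw = []
    for field in ("to", "cc", "bcc"):  # every recipient field, not only "to"
        value = args.get(field) or []
        raw.extend([value] if isinstance(value, str) else value)
    domains = set()
    for _display_name, addr in getaddresses(raw):
        local, at, domain = addr.rpartition("@")
        # Use the parsed address, never the display name; an entry that
        # does not parse becomes "" and therefore can never be allowed.
        domains.add(domain.lower() if at and local else "")
    return domains


def decide(tool, args, allowed=ALLOWED_DOMAINS, draft_only=False):
    """Return (outcome, reason); outcome is 'allow', 'draft' or 'block'."""
    if tool not in SEND_TOOLS:
        return ("allow", "not a send tool")
    domains = recipient_domains(args)
    if not domains:
        return ("block", "no recipients")
    outside = sorted(d or "<unparseable>" for d in domains if d not in allowed)
    if outside:
        return ("block", "recipient domain not allowed: " + ", ".join(outside))
    if draft_only:
        return ("draft", "draft-only mode: saved for human review")
    return ("allow", "all recipients inside allow-list")


# Constructed sample calls, as an MCP client might submit them.
SAMPLES = [
    ("email_send", {"to": ["alice@corp.example"]}),
    ("email_send", {"to": ["alice@corp.example"], "bcc": ["x@evil.example"]}),
    ("email_reply", {"to": ['"bob@corp.example" <bob@evil.example>']}),
    ("email_send", {"to": "carol@corp.example.evil.example"}),
]

if __name__ == "__main__":
    for tool, args in SAMPLES:
        print(tool, args, "->", decide(tool, args))
```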

Per-Tool-Call Audit Log With Arguments and Redacted Responses

Every email_search, email_get, email_reply call is recorded with the exact arguments, the redacted response, the policy outcome, and the requesting client. Stream to Splunk, Datadog, or S3. SOC 2 and EU AI Act evidence on tap.

Instant Revocation — One Click in Dashboard

Revoke a token in the PortEden dashboard and the next Claude tool call gets denied immediately. No waiting for Microsoft Graph's refresh token to expire. The agent's access ends server-side.

With and Without PortEden

The Same Workflow, Two Very Different Outcomes

Connecting Claude Desktop to Outlook 365
Without: Register an Azure AD app, build a self-hosted MCP wrapping Microsoft Graph, store refresh tokens, run forever.
With: Drop the hosted MCP URL into claude_desktop_config.json. One PortEden auth covers all Outlook tools.

Limiting Claude to a 'triaged for AI' folder
Without: Microsoft Graph has no folder-scoped permission; you'd have to filter in your wrapper code on every read.
With: Add the folder name to PortEden's allow-list. Every Outlook tool the agent calls is filtered server-side.

Letting Claude reply but only to internal recipients
Without: Mail.Send is binary; you'd build per-message recipient checks yourself and hope you covered every code path.
With: Set send-to allow-list to your corporate domain. email_send and email_reply enforce it before Graph is called.

Compliance asks 'what did Claude read on Tuesday?'
Without: Microsoft's app log says the app called Graph. It does not say which MCP tool, which arguments, or what was returned.
With: Per-tool-call audit log with arguments + redacted response + policy outcome. CSV export or SIEM stream.

Migrating from Claude to ChatGPT (or running both)
Without: Rebuild the integration as a ChatGPT Connector. Re-test every tool. Two access paths to maintain.
With: Same MCP endpoint. Add it to ChatGPT Connectors. Same auth, same rules, one audit log.

Five-Minute Setup

Hosted MCP for Outlook. Free Tier, No Azure AD App.

Connect Microsoft 365 once. Drop the JSON into Claude Desktop. Configure folder rules in the PortEden dashboard. Done.


Frequently Asked Questions

Does this work with Claude Desktop, Claude Web, and Claude Code?
Yes. Claude Desktop reads the MCP endpoint from claude_desktop_config.json. Claude Web (via Cowork) reads it from the Cowork connector list. Claude Code reads it from its MCP config. ChatGPT can use the same endpoint via its Connectors interface. One PortEden auth covers all of them.
Do I need to register my own Azure AD application?
No. PortEden runs a multi-tenant Azure AD application that you consent to once via the standard Microsoft consent screen. PortEden holds the OAuth token in its vault; Claude never sees the token, never holds the refresh token, and cannot exceed the scopes you approved.
Is gogcli safe for Outlook? What about other Outlook MCP servers?
gogcli is Google-only — it does not support Outlook. Most community Outlook MCP servers (and the official Microsoft samples) proxy Mail.ReadWrite as-is: once Claude has the token, it has full read/write/delete on every folder. PortEden adds the access layer those servers don't ship — folder allow-lists, draft-only mode, audit log.
Can Claude only read email, never send?
Yes — read-only mode strips email_send, email_reply, email_forward, email_modify, and email_delete from the MCP surface entirely. Claude can summarize, search, and answer questions about your inbox but cannot mutate anything. Toggled per token; you can give the assistant agent draft-only access while keeping a personal token in full read-only.
How do folder allow-lists work?
In the PortEden dashboard, add the folders Claude is allowed to see (e.g. only 'AI Triage' and 'Customers/Q3'). Everything else in your Outlook — including the Inbox itself, unless you opt it in — becomes invisible to Claude's MCP calls. Common pattern: a dedicated 'Claude' folder that you drag threads into manually.
What if I'm in M365 GCC or a sovereign cloud?
PortEden's Microsoft Graph integration supports commercial Microsoft 365 and M365 GCC. GCC High and DoD support is on the roadmap. If you need it sooner, talk to sales.
What does the audit log capture for Outlook calls?
For every MCP tool call: client (Claude Desktop, ChatGPT, Cursor, etc.), user, tool name, full arguments, the redacted response payload, the policy outcome (allow/block/redact), and a timestamp. Export as CSV or stream to Splunk, Datadog, or S3. This is what SOC 2 reviewers and EU AI Act Article 12 programs typically need.
What about latency? MCP tool calls block the agent.
p50 for Outlook tool calls is under 250 ms; p95 under 600 ms. Redaction adds 30–80 ms. PortEden runs active-active across two regions; status lives at status.porteden.com.

Connect Claude to Outlook in Five Minutes.

Hosted MCP server, folder allow-lists, draft-only mode, audit logs. Free tier covers 1,000 tool calls/month. Same endpoint works in Claude Desktop, Cursor, and ChatGPT Connectors.

Regulated org or 200+ seats? Talk to sales →