Claude × Outlook Web + Desktop 5 min setup

Connect Outlook to Claude with PortEden

Bring Microsoft 365, Outlook.com, or Exchange Online mail into Claude. This guide covers both setup paths: the claude.ai Connectors panel and the Claude Desktop config file (via mcp-remote). Tenant admin consent is supported. PortEden redacts attendee identifiers and message content before anything reaches Anthropic, and every Microsoft Graph call is recorded in the PortEden audit log.

Outlook to Claude with PortEden as the data firewall. Same endpoint for both Claude clients.

Two paths, one endpoint

Path A

claude.ai (web)

For Team/Enterprise tenants, the Owner adds the connector once for everyone.

Path B

Claude Desktop

Per-machine config file. No plan gating. Useful when Outlook lives on a specific work device.

What this unlocks

Once active, Claude can search and read your Outlook mailbox, draft replies, send messages (with confirmation), and move or categorize items. PortEden uses delegated Microsoft Graph scopes, so everything Claude does respects the user's native Microsoft permissions. Conditional access (MFA, device compliance) still applies. Mailbox content passes through PortEden's redaction layer before reaching Anthropic; full email addresses, phone numbers, and other identifiers are stripped or tokenized by default.

For regulated organizations specifically, three properties matter:

An admin can pre-consent PortEden tenant-wide, so end users do not see consent dialogs they cannot complete.
Folder-level exclusions (e.g. an Inbox subfolder named Legal or HR) keep specific messages out of Claude's reach without needing to deny the entire Outlook capability.
The audit log captures every Graph call by user, action, decision, and response shape; exportable to SIEM.

Prerequisites

Item	Path A (Web)	Path B (Desktop)
Claude account	Pro, Max, Team, or Enterprise	Any plan, including Free
Claude client	Browser at claude.ai	Claude Desktop installed
Local tools	None	Node.js (for npx mcp-remote)
Mailbox	Microsoft 365, Outlook.com, or Exchange Online	Same
Tenant admin	Only needed for Team/Enterprise: Owner adds the connector once	Not needed: per-user config
PortEden account	Created during the auth window	Same: created during the auth window on first use

Tenant admin consent

For Microsoft 365 work and school accounts, your Entra ID admin may need to grant tenant-wide consent for PortEden. Without it, the Microsoft OAuth screen in Step 4 will say "Need admin approval" (Microsoft error AADSTS65001) and the connection will not complete. Admins can pre-consent from Microsoft Entra admin center > Enterprise applications.

Choose your path

Both paths talk to the same endpoint and respect the same access rules. Pick by environment, not by capability.

Factor	Pick Web (Path A)	Pick Desktop (Path B)
You use Claude in a browser	✓
You use Claude Desktop on a work machine		✓
IT centralizes connector approvals	✓ (Owner adds once)
You are on Claude Free	Limited	✓
Outlook account is locked to a managed device		✓ (config travels with the device)
You want shared org-wide deployment	✓

Path A: claude.ai (web)

Make sure you are signed in to claude.ai.

For Pro/Max users: open the direct link claude.ai/customize/connectors.
For Team/Enterprise (admins only): go to Settings > Organization Settings > Connectors.

Click the + button to add a custom connector.

Fill in the values below and click Add.

Web connector form values

Field	Value
Name	Outlook
URL	https://mcp.porteden.com/email
Advanced Settings	Leave empty (PortEden handles OAuth)

claude.ai Custom Connector form with Name set to Outlook and URL set to https://mcp.porteden.com/email — Path A in claude.ai: the Custom Connector form for Outlook through PortEden.

Continue at Step 3 when Claude opens the PortEden auth window on first use.

Path B: Claude Desktop

Claude Desktop needs mcp-remote (run via npx) to talk to remote MCP servers. Node.js must be installed.

In Claude Desktop, open Settings > Developer > Edit Config.

Add (or merge) the mcpServers entry below.

Save the file, then fully quit and restart Claude Desktop.

Trigger a tool call in a new conversation; the PortEden auth window opens in your browser. Continue at Step 3.

Config file paths

Windows

%APPDATA%\Claude\claude_desktop_config.json

macOS

~/Library/Application Support/Claude/claude_desktop_config.json

Linux

~/.config/Claude/claude_desktop_config.json

Config to add

{ 
  "mcpServers": { 
    "Outlook": { 
      "command": "npx", 
      "args": ["mcp-remote", "https://mcp.porteden.com/email"] 
    } 
  } 
}

Pair Outlook with Gmail on the same machine

You can have both connectors at once. Add a Gmail entry as a sibling key inside mcpServers using the same URL. Claude picks between them by name during tool selection, so a user asking "check my Outlook" lands on the right one.

On the first request that uses the connector, PortEden opens an auth window in your browser.

No PortEden account yet? Click Continue with Microsoft for one-click signup with your work account, or use email. Account is created in the same flow.

Already have an account? Sign in. If you are already signed in to my.porteden.com in this browser, the window detects the session.

Approve the connection. PortEden issues a scoped Access Token for this Claude connector.

Step 4: Authorize Outlook

This step runs only if PortEden does not already have Outlook (or Microsoft 365) connected for your account.

First-time users

Click Connect Outlook, complete Microsoft's OAuth consent, and approve the requested Graph scopes. Read by default; send and modify if you want Claude to draft and send.

Existing users

PortEden reuses the existing Outlook connection and skips the OAuth step. Claude returns to the chat in a couple of seconds.

Graph scopes PortEden requests

Scope	Purpose
Mail.Read	List, search, and read messages and folders
Mail.Send	Send mail on behalf of the user (only when permission preset enables it)
Mail.ReadWrite	Move, categorize, archive; create and update drafts
offline_access	Allow PortEden to refresh the token without interactive sign-in
User.Read	Read the user's basic profile (display name, email) for audit log attribution

Admin pre-consent

Admins can grant tenant-wide consent in advance from Microsoft Entra admin center > Enterprise applications. Users will then skip the consent screen entirely.

Step 5: Verify and tighten

Verify

List my 5 most recent unread emails in Outlook. Subject and sender only.

Find emails from my manager in the past 30 days and summarize the themes.

Tighten the token (optional)

Defaults are conservative: email scope, attendee/recipient redaction, confirm-before-write on send and delete. Edit at my.porteden.com under Access Tokens.

Outlook-specific adjustments

Setting	When to change it
Folder exclusions	Add subfolders that hold privileged content (Legal, HR, Finance close, NDA client work)
Category exclusions	If your team uses Outlook categories to tag sensitive items, exclude those categories
Time window	Restrict to last 30/60/90 days unless historical access is needed
Contact blocklist	Add board members, external counsel, and personal aliases
Permission preset	read_send only after the workflow is proven; read_and_draft keeps Claude in the Drafts folder

Suggested prompts

These work well for typical Outlook workflows.

Morning triage

"Show me unread Outlook mail from the past 16 hours. Group into: needs my decision, FYI, and meeting confirmations."

Customer search

"Find every email from contoso.com in the last 60 days. Group by thread and flag any thread where I have not replied in 5+ days."

Calendar prep

"For each meeting on my calendar today, find any recent email thread with the attendees and produce a 3-bullet brief."

Draft

"Draft a reply to the latest email from my manager declining the meeting and proposing next Tuesday morning. Save as draft; do not send."

Cleanup

"Identify newsletters and bulk senders I have not opened in 30 days. Propose a list to move to Archive. I will confirm."

Audit

"Find emails where I was BCC-ed in the last 30 days and group them by sender. Useful for compliance review."

Troubleshooting

Most common: admin consent

ADMIN_CONSENT_REQUIRED

Microsoft says admin approval is required

Symptoms

The Microsoft consent screen shows 'Need admin approval' or returns AADSTS65001.
The Connect Outlook step never completes for users on a managed tenant.

Checks

Ask your Entra ID admin to grant tenant-wide consent for PortEden from the Microsoft Entra admin center > Enterprise applications.
If you are an admin, retry the consent flow and use 'Consent on behalf of your organization' checkbox.
Confirm the requested scopes (Mail.Read, Mail.Send, Mail.ReadWrite, offline_access, User.Read) are not blocked by tenant app consent policy.

Debug prompt for Claude

Quote the exact Microsoft error code and AADSTS message from the last consent attempt.

Path A: web-specific

WEB_OWNER_REQUIRED

The + button to add a connector is missing

Symptoms

You are on a Team or Enterprise Claude plan and see directory connectors but no + to add a custom one.

Checks

Only an Owner or Primary Owner can add custom connectors at the organization level. Confirm your role.
If you are an Owner, the path is Settings > Organization Settings > Connectors, not the personal Customize panel.
If you are not an Owner, ask one to add the connector centrally; once added, it appears for all members.

Debug prompt for Claude

Tell me my current Claude role in this workspace and where the connector management UI should be for that role.

Path B: desktop-specific

DESKTOP_CONFIG_INVALID

Claude Desktop ignores the connector after restart

Symptoms

You added the mcpServers entry, restarted, but the Outlook tools do not appear in Claude Desktop.

Checks

Validate the config file with a JSON linter (a missing comma is the usual culprit).
Confirm mcpServers is a top-level key.
Fully quit Claude Desktop (not just close window) before reopening.
Check logs via Settings > Developer > Open Logs Folder for MCP startup errors.

Debug prompt for Claude

Show me the contents of my Claude Desktop config file and any MCP startup errors from the logs.

DESKTOP_NPX_NOT_FOUND

npx is not available

Symptoms

Claude Desktop logs report 'command not found' or 'spawn npx ENOENT'.

Checks

Install Node.js (any LTS release).
Run npx --version in a terminal to confirm it works.
If you use a node version manager (nvm, asdf, fnm), make sure GUI apps can also see the active version.

Debug prompt for Claude

Tell me whether Node.js is installed and propose the install command for my operating system if not.

Shared (both paths)

MCP_UNREACHABLE

Claude cannot reach the PortEden MCP server

Symptoms

Claude reports the connector is unavailable or timing out.
Nothing appears in the PortEden audit log.

Checks

Confirm the URL is exactly https://mcp.porteden.com/email.
Check whether your network blocks outbound traffic to mcp.porteden.com.
Visit the URL in a browser; it should return an MCP handshake response, not 404.

Debug prompt for Claude

Attempt a connection to the Outlook MCP server and quote any HTTP status, error code, or response body you receive.

GRAPH_THROTTLED

429 Too Many Requests from Microsoft Graph

Symptoms

Bursts of email operations start failing.
Audit log shows graph_throttled entries.

Checks

Microsoft Graph throttles per app, per user, per resource. Spread bursty work over time.
Ask Claude to batch operations: list 50 messages in one call instead of 50 single gets.
PortEden surfaces Microsoft's retry-after value in the response. Respect it.

Debug prompt for Claude

Quote the last graph_throttled response, including the retry_after value and the operation that hit the limit.

OUTLOOK_REAUTH_REQUIRED

Outlook connection went stale

Symptoms

Calls were working, then all Outlook tool calls fail.
Audit log shows provider_reauth_required.
Often follows a tenant conditional access change or password reset.

Checks

Open my.porteden.com > Connections. Outlook shows a yellow Needs reauth badge.
Click Reconnect and complete Microsoft OAuth again.
If conditional access requires MFA, complete the MFA prompt during the reconnect.

Debug prompt for Claude

Quote the last provider_reauth_required entry from PortEden and explain whether it looks like a routine token refresh issue or a conditional access policy change.

Debug prompts

Paste these into Claude when an error message is vague.

Tools not appearing

"Please list every tool you have available from the Outlook connector. If you see none, tell me explicitly and propose what to check."

Health check

"Call the whoami or health tool on the Outlook connector and quote the full JSON response."

Admin consent

"I just hit AADSTS65001. Tell me the exact wording and propose a message I can send to my Entra ID admin."

Throttling

"Quote the last response with graph_throttled or retry_after fields, including all numeric values and the operation that was throttled."

Permission scope

"Re-run the call that failed and quote the accessInfo field from the response. Identify which permission, folder rule, or contact rule blocked it."

Conditional access

"Tell me when the Outlook token last refreshed successfully and whether any conditional access challenges were involved."

Audit log is the source of truth

When Claude's answer disagrees with what PortEden recorded, trust the audit log at my.porteden.com.

Security best practices

✓

On managed Microsoft 365 tenants, pair PortEden with a conditional access policy that requires MFA before granting mailbox scopes. PortEden honors the resulting session.

✓

Exclude Legal, HR, Finance close, and named-client folders from the token via folder rules. The connector cannot see what the token does not allow.

✓

For Team/Enterprise deployments, set the token rules at the most cautious user's level. The connector is shared; the rules should reflect that.

✓

Keep Confirm-before-write on for send and delete. Claude is good at proposing actions; you stay in the loop.

✓

Use the Outlook category system to mark messages PortEden should never show to AI. Configure category exclusion on the token.

✓

Review the audit log weekly. Filter by the Claude token. Compliance-relevant events should be exported to your SIEM.

FAQ

Does this work with Microsoft 365, Outlook.com, and Exchange Online?

Yes. PortEden's email capability covers all three via Microsoft Graph. The MCP endpoint is the same: https://mcp.porteden.com/email. During Step 4's Microsoft OAuth, you sign in with the account type you have and PortEden routes to the right Graph endpoint automatically.

My tenant requires admin consent. What does PortEden request?

PortEden requests delegated Microsoft Graph scopes: Mail.Read, Mail.Send, Mail.ReadWrite, offline_access, and User.Read. An Entra ID admin can grant tenant-wide consent in advance from the Microsoft Entra admin center under Enterprise applications. Otherwise the consent dialog appears the first time a user tries to connect Outlook.

Which Claude plan do I need for Custom Connectors on the web?

Per Anthropic's docs, Custom Connectors on claude.ai are available on Pro, Max, Team, and Enterprise plans. Free users are limited to one custom connector. Claude Desktop's config-file path works for any Claude account, including Free, with no plan gating.

What if conditional access (MFA, device compliance) is enforced on my Microsoft tenant?

PortEden honors the underlying Microsoft session. If conditional access requires MFA or device compliance, the user completes those checks during Step 4 (Microsoft OAuth). The token PortEden receives inherits the resulting session's properties. If the policy later invalidates the session, you will see GMAIL_REAUTH_REQUIRED-style errors and need to reconnect.

Should I use the web path or Desktop path for Outlook?

Use the web path if your team's IT centralizes connector approvals through Claude's Team/Enterprise admin console. Use the Desktop path if you want per-machine control or if you are on Claude Free. Both call the same PortEden endpoint and produce identical audit log entries; the choice is environmental, not functional.

Can I connect both Outlook and Gmail to Claude?

Yes. Add two connectors pointing at https://mcp.porteden.com/email, named Outlook and Gmail respectively. During each PortEden sign-in, the provider you connect determines which mailbox that connector talks to. Claude picks between them by name when you ask things like 'check my Outlook inbox'.

Two paths, one endpoint

claude.ai (web)

Claude Desktop

What this unlocks

Prerequisites

Choose your path

Path A: claude.ai (web)

Path B: Claude Desktop

Config file paths

Config to add

Step 3: Sign in to PortEden

Step 4: Authorize Outlook

First-time users

Existing users

Graph scopes PortEden requests

Step 5: Verify and tighten

Verify

Tighten the token (optional)

Suggested prompts

Troubleshooting

Most common: admin consent

Microsoft says admin approval is required

Path A: web-specific

The + button to add a connector is missing

Path B: desktop-specific

Claude Desktop ignores the connector after restart

npx is not available

Shared (both paths)

Claude cannot reach the PortEden MCP server

429 Too Many Requests from Microsoft Graph

Outlook connection went stale

Debug prompts

Security best practices

FAQ

Does this work with Microsoft 365, Outlook.com, and Exchange Online?

My tenant requires admin consent. What does PortEden request?

Which Claude plan do I need for Custom Connectors on the web?

What if conditional access (MFA, device compliance) is enforced on my Microsoft tenant?

Should I use the web path or Desktop path for Outlook?

Can I connect both Outlook and Gmail to Claude?

Next steps

Connect Gmail to Claude

Connect Google Drive to Claude

PortEden for Claude

Risks of connecting email to AI