Secure Exchange CLI for AI Agents
Exchange environments span on-premises servers, Exchange Online, and hybrid setups. The Secure Exchange CLI applies consistent security rules across all of them, securing every Microsoft Graph API request your agents make.
How PortEden Protects You
Six layers of security between AI and your data.
Unified CLI for Microsoft Graph
Write your security rules once and the CLI applies them to every Microsoft Graph API request, across all Exchange environments.
Environment-Aware Policies
Define different rule sets for on-premises, cloud, and hybrid mailboxes within the same config file, with automatic detection of mailbox location.
Consistent Visibility Controls
Apply the same visibility rules (full content, headers only, or redacted) to all Microsoft Graph requests across on-premises, hybrid, and cloud mailboxes.
Distribution List Filtering
Block AI agents from accessing emails sent to or from specific distribution lists, shared mailboxes, or security groups.
EWS vs Graph API: the decision matrix
Exchange Server 2019 and earlier still expose Exchange Web Services (EWS) — a SOAP-based API that pre-dates Microsoft Graph by a decade. Exchange Online supports both, but Microsoft is hard-deprecating EWS for cloud mailboxes (the announced cutover is October 2026). The Exchange CLI auto-detects which surface to use:
- Exchange Server (on-prem): EWS over HTTPS, NTLM or certificate-based auth, REST not available without Hybrid Modern Authentication.
- Exchange Online (cloud): Microsoft Graph REST, OAuth 2.0, throttling via Graph throttling policies.
- Hybrid: Graph for cloud mailboxes routed via Exchange Online, EWS proxy for on-prem mailboxes served by the same client request — handled transparently by the CLI.
On-prem connector setup
$ porteden exchange connect \
--server mail.corp.example.com \
--auth ntlm \
--user PORTEDEN-SVC \
--kerberos-keytab /etc/porteden/svc.keytab
→ Testing EWS endpoint: https://mail.corp.example.com/EWS/Exchange.asmx
→ SPN: HTTP/mail.corp.example.com@CORP.EXAMPLE.COM
✓ Authenticated as PORTEDEN-SVC (impersonation enabled)
Certificate-based auth for service accounts
NTLM is fine for pilots; for production, register an app in Azure AD (for cloud) or use a client certificate (for on-prem) tied to a service mailbox with Application Impersonation. The CLI accepts --cert /path/cert.pem and rotates the certificate via your existing PKI without rewriting policy.
Why one CLI for both surfaces
During the EWS-to-Graph cutover window, large organizations run a mix of mailbox locations for 18+ months. The CLI normalizes both into a single audit log so "agent X touched message Y at time Z" is queryable regardless of whether the mailbox lives on-prem or in Exchange Online — the kind of evidence regulators ask for during incident review.
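One way the cross-surface normalization described above could work, as an added example that is not PortEden's code or audit schema: the event field names and the sample records are constructed assumptions. Records are correlated on the RFC 5322 Message-ID, because native item IDs are specific to a mailbox and a surface.

```python
from datetime import datetime, timezone

# Constructed sample events. Field names are assumptions for this example,
# not PortEden's audit schema.
EWS_EVENTS = [
    {"Agent": "summarizer", "Mailbox": "Alice@corp.example.com",
     "ItemId": "ews-item-0001", "InternetMessageId": "<m1@corp.example.com>",
     "Operation": "GetItem", "TimeUtc": "2025-03-01T09:15:00Z"},
]
GRAPH_EVENTS = [
    {"agent": "summarizer", "mailbox": "bob@corp.example.com",
     "id": "graph-msg-0002", "internetMessageId": "<m1@corp.example.com>",
     "operation": "GET message", "timestamp": 1740820560},
    {"agent": "triage", "mailbox": "bob@corp.example.com",
     "id": "graph-msg-0003", "operation": "GET message",
     "timestamp": 1740820620},  # constructed: no Message-ID recorded
]

# Per-surface field mapping onto one record shape.
FIELDS = {
    "ews":   {"agent": "Agent", "mailbox": "Mailbox", "native_id": "ItemId",
              "msgid": "InternetMessageId", "op": "Operation", "time": "TimeUtc"},
    "graph": {"agent": "agent", "mailbox": "mailbox", "native_id": "id",
              "msgid": "internetMessageId", "op": "operation", "time": "timestamp"},
}

def to_utc(value):
    """Accept epoch seconds or an ISO-8601 'Z' string; return aware UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(event, surface):
    f = FIELDS[surface]  # KeyError on an unknown surface is deliberate
    native = event[f["native_id"]]
    return {
        "surface": surface,
        "agent": event[f["agent"]],
        "mailbox": event[f["mailbox"]].lower(),
        # Fall back to a surface-scoped native ID rather than dropping the event.
        "message_id": event.get(f["msgid"]) or f"{surface}:{native}",
        "operation": event[f["op"]],
        "time": to_utc(event[f["time"]]),
    }

def build_log(ews_events, graph_events):
    records = [normalize(e, "ews") for e in ews_events]
    records += [normalize(e, "graph") for e in graph_events]
    return sorted(records, key=lambda r: r["time"])

def touched(log, agent, message_id):
    """Every access by `agent` to `message_id`, on either surface, oldest first."""
    return [r for r in log if r["agent"] == agent and r["message_id"] == message_id]
```

Calling `touched(build_log(EWS_EVENTS, GRAPH_EVENTS), "summarizer", "<m1@corp.example.com>")` returns the on-prem and the cloud access to the same message as one time-ordered list.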
Get Started in 3 Steps
Install and Connect
Install the PortEden CLI and connect to your Exchange environment via Microsoft Graph.
Configure Environment Rules
Define security rules per environment, per agent, and per mailbox type in a single config file.
Enforce Across All Access Points
Route AI agent requests through the PortEden proxy so every Graph API request is filtered with unified audit logging.
Without vs. With PortEden
Without PortEden
- Broad Graph API permissions with no per-agent granularity
- On-premises Exchange lacks scriptable access controls for AI
- Hybrid migrations create gaps in AI access policies
- No unified audit trail across Graph API requests from different agents
With PortEden
- One config file governs all Microsoft Graph API access
- Scriptable, version-controlled rules for on-premises and cloud
- Policies follow mailboxes automatically during hybrid migrations
- Unified audit log across all environments and agents