Email Security

Secure Exchange for AI Agents

Microsoft Graph API offers broad access to Exchange mailboxes with no granular controls. PortEden enforces per-agent rules on every Graph API request, whether your mailboxes are on-premises, hybrid, or fully in the cloud.

Secure Exchange CLI

PortEden's Secure Exchange CLI is a command-line tool that secures Microsoft Graph API access for AI agents. It works across on-premises Exchange Server, Exchange Online, and hybrid environments. Install once, set your rules, and every AI request is filtered before it reaches your mailboxes.

The Problem

Giving AI agents direct access to your data is risky. Here's what can go wrong.

Broad API Access

Microsoft Graph API grants deep mailbox access including read, send, delete, and calendar modification across your entire Exchange infrastructure.

Hybrid Deployment Complexity

Hybrid Exchange splits mailboxes between on-premises and cloud, but Graph API permissions lack granular, per-agent controls for consistent security.

On-Premises Token Management

Exchange environments use OAuth tokens for Graph API access, and AI agents holding these credentials gain persistent, unmonitored mailbox access.

How PortEden Protects You

Six layers of security between AI agents and your data.

Visibility Controls

Choose what agents see: full content, headers only, or redacted versions, with the same rules across on-premises and Exchange Online.

Action Limits

Restrict agents to read-only, draft-only, or full write access across all Microsoft Graph API endpoints.

Contact Rules

Block agents from accessing emails involving specific contacts, distribution lists, or domains regardless of where the mailbox resides.

Time Windows

Limit access to recent emails only, restricting agents to relevant timeframes like the last 30 days.

Get Started in 3 Steps

1. Install the CLI

Install PortEden CLI and connect your Exchange accounts via Microsoft OAuth.

2. Set Your Rules

Configure visibility controls, contact rules, action limits, and time windows. Rules apply consistently across on-premises and cloud mailboxes.

3. Connect Your Agent

Point your AI agent to PortEden instead of Microsoft Graph directly. Every request is filtered through your rules with full audit logging.

Without vs. With PortEden

Without PortEden

  • Graph API grants broad read/write/send/delete with no granular control
  • Hybrid deployments have inconsistent security between on-prem and cloud
  • AI agents hold raw OAuth tokens directly
  • No audit trail of which mailboxes or messages agents accessed
  • Revoking access requires reconfiguring each Exchange environment separately

With PortEden

  • Granular read-only, draft-only, or write access per agent across all Exchange environments
  • Consistent security rules for on-premises, hybrid, and cloud mailboxes
  • Tokens and credentials stay in PortEden. Agents only get filtered data
  • Full audit log of every request across Microsoft Graph API
  • One-click revocation per agent without disrupting other integrations

Frequently Asked Questions

How does PortEden secure Exchange access from AI agents?

PortEden sits between AI agents and Microsoft Graph API, intercepting every request. It enforces visibility controls, action limits, contact rules, and time windows, so agents only see filtered, policy-compliant data regardless of the underlying Graph API permissions.

Does PortEden work with hybrid Exchange deployments?

Yes. PortEden provides consistent security controls whether your mailboxes are on-premises Exchange Server, Exchange Online, or in a hybrid configuration. The same rules apply across both environments, ensuring no security gaps during migration.

Can I use different AI agent policies for on-premises vs. cloud Exchange mailboxes?

Absolutely. PortEden supports per-account and per-agent rules. You can configure stricter controls for on-premises mailboxes containing sensitive legacy data while allowing broader access to cloud mailboxes, or vice versa.

How does PortEden handle Exchange token management?

PortEden manages all authentication tokens, including OAuth tokens for Exchange Online and on-premises servers. AI agents never touch these credentials directly, eliminating the risk of token exposure in agent environments.

What happens to PortEden security rules when we migrate from on-premises Exchange to Exchange Online?

Your security rules persist through migration. PortEden abstracts the underlying Exchange infrastructure, so visibility controls, contact rules, and action limits continue to apply whether the mailbox is on-premises or in the cloud. No reconfiguration needed.

Ready to secure your data?

Set up PortEden in under 5 minutes. Free tier available.
