MCP Server for Multiple Outlook Accounts
Enables AI assistants to manage multiple Outlook/Microsoft 365 mailboxes simultaneously through MCP tools, with local OAuth token storage.
README
MCP Server for Multiple Outlook Accounts
A local, single-connector Model Context Protocol server that lets an AI assistant operate several Outlook / Microsoft 365 mailboxes at once โ searching, reading, drafting, sending, and organising mail โ through one safety-annotated tool surface, with OAuth tokens that never leave your machine.
This is the Outlook / Microsoft Graph provider variant of a provider-neutral specification.
- ๐
doc/business-specification.mdโ provider-neutral business + functional spec (the contract). - ๐
doc/provider-mapping.mdโ how neutral requirements bind to Microsoft Graph. - ๐๏ธ
doc/architecture.mdโ how this variant is designed and built. - โ
doc/traceability-matrix.mdโ every requirement โ module โ test.
Project status: phase 1 (auth core + list_accounts)
Built with TypeScript 6.0.3; build, typecheck, tests (29), and format all green. What exists today:
- โ
Architecture design + requirements traceability matrix (
doc/). - โ
Neutral domain types + subsystem contracts; tested config loader (
src/domain/,src/config.ts). - โ
Auth core: Entra credential-source discovery, MSAL public-client (consent + silent refresh),
secure token store (
0600/0700, atomic + cross-process-locked), account-selection registry. - โ
Account-management CLI:
outlook-mcp-auth connect | list | remove. - โ
C1
list_accountsMCP tool (with behavioural annotations), served over stdio.
Not yet implemented: capabilities C2โC8 (search, read, draft, send, labels, organise) and the
Microsoft Graph client (timeout/retry/error-mapping). These are designed in doc/architecture.md ยง13
(build phases 2โ4) and tracked as Planned in the traceability matrix.
Tests mock Microsoft Graph and MSAL. Live
ยง13acceptance โ real browser consent and Graph calls โ requires an Entra app registration + Outlook mailboxes and is run locally by the operator.
Planned capabilities (spec ยง5)
| Tool | Purpose | Destructive? |
|---|---|---|
list_accounts |
List connected mailboxes | No |
search_conversations |
Search a mailbox (paged) | No |
read_conversation |
Read a full conversation | No |
create_draft |
Compose a draft (not sent) | No |
send_message |
Send immediately | Yes |
list_labels |
List categories + folders | No |
create_label |
Create a category/folder | No |
organize_mail |
Tag / move / read-state | Yes |
Plus an out-of-band account-management CLI (outlook-mcp-auth connect | list | remove).
Development
Requires Node.js โฅ 18 (developed on Node 22).
npm install
npm run typecheck # tsc --noEmit
npm run build # compile to dist/
npm test # vitest (Graph/MSAL mocked)
npm run format:check # prettier
Configuration
All operational knobs are environment variables (see .env.example):
| Env var | Meaning | Default |
|---|---|---|
OUTLOOK_MCP_DATA_DIR |
tokens + app-registration configs | ~/.outlook-mcp |
OUTLOOK_OAUTH_CREDENTIALS |
pin one app registration (disables discovery) | unset |
OUTLOOK_MCP_ATTACHMENTS_DIR |
allow-list for path attachments |
unset (disabled) |
OUTLOOK_MCP_LOCK_TIMEOUT_MS |
token-store lock wait | 12000 |
OUTLOOK_MCP_REQUEST_TIMEOUT_MS |
per-Graph-call timeout | 30000 |
Connecting a mailbox
-
Register a public-client app in Entra ID with the redirect URI
http://localhostand the delegated scopesMail.ReadWrite,Mail.Send,User.Read,offline_access. -
Drop a
credentials*.jsoninto the data dir (or pointOUTLOOK_OAUTH_CREDENTIALSat it):{ "clientId": "<application-client-id>", "tenant": "common" }Multiple
credentials*.jsonfiles are auto-discovered, so accounts under different app registrations each refresh with the client that authorised them. -
Connect, list, and remove mailboxes:
outlook-mcp-auth connect # opens the browser for consent outlook-mcp-auth connect --source acme # pick a specific app registration outlook-mcp-auth list outlook-mcp-auth remove user@example.com
Security posture
OAuth tokens are stored only on the local machine (file mode 600 in a 700 data dir). Reading
local files by path for attachments is disabled by default and only allowed from an explicit
allow-list. The server never logs tokens, credentials, or message content. See
doc/architecture.md ยง9.
License
MIT โ see LICENSE.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.