Connect Microsoft 365
inboxmcp supports Outlook / Exchange Online through the official Microsoft OAuth flow. You're sent to Microsoft briefly, confirm access there, and the mailbox shows up in your list afterwards. Neither a password nor an app password is stored — only an OAuth refresh token, which you can revoke from your Microsoft account at any time.
Connect your own mailbox
- In the portal, open Mailboxes → Add mailbox.
- Pick Microsoft 365 → Own mailbox.
- Click Sign in with Microsoft.
- In the Microsoft login, pick your account and confirm the permissions.
Permissions inboxmcp requests:
Mail.ReadWrite— read, move, delete messagesMail.Send— send messagesMail.Read.Shared,Mail.ReadWrite.Shared— access to shared mailboxesUser.Read— profile (name, email address, tenant ID)offline_access— refresh token for persistent access
Add a shared mailbox
Shared mailboxes don't require their own Microsoft login — they run through a connected account that has delegate permission.
- Connect at least one own mailbox with a Microsoft login first.
- Add mailbox → Microsoft 365 → Shared mailbox.
- Pick the connected Microsoft account (the one with delegate permission).
- Enter the shared mailbox's email address.
- Optional: display name.
- Save. Before saving, inboxmcp checks the access once — if the check fails (no delegate access, wrong address), nothing is stored.
Revoke access
Visible and revocable at account.microsoft.com → Security → Apps and services. From the inboxmcp portal you can remove the mailbox with Delete.
Tokens & encryption
The refresh token is encrypted with an asymmetric envelope scheme before it's stored; recovery from outside is technically impossible. Microsoft rotates the refresh token on every refresh; inboxmcp rotates its stored value in sync. Details under Security & privacy.