Skip to main content

Connect Microsoft 365

inboxmcp supports Outlook / Exchange Online through the official Microsoft OAuth flow. You're sent to Microsoft briefly, confirm access there, and the mailbox shows up in your list afterwards. Neither a password nor an app password is stored — only an OAuth refresh token, which you can revoke from your Microsoft account at any time.

Connect your own mailbox

  1. In the portal, open Mailboxes → Add mailbox.
  2. Pick Microsoft 365 → Own mailbox.
  3. Click Sign in with Microsoft.
  4. In the Microsoft login, pick your account and confirm the permissions.

Permissions inboxmcp requests:

  • Mail.ReadWrite — read, move, delete messages
  • Mail.Send — send messages
  • Mail.Read.Shared, Mail.ReadWrite.Shared — access to shared mailboxes
  • User.Read — profile (name, email address, tenant ID)
  • offline_access — refresh token for persistent access

Add a shared mailbox

Shared mailboxes don't require their own Microsoft login — they run through a connected account that has delegate permission.

  1. Connect at least one own mailbox with a Microsoft login first.
  2. Add mailbox → Microsoft 365 → Shared mailbox.
  3. Pick the connected Microsoft account (the one with delegate permission).
  4. Enter the shared mailbox's email address.
  5. Optional: display name.
  6. Save. Before saving, inboxmcp checks the access once — if the check fails (no delegate access, wrong address), nothing is stored.

Revoke access

Visible and revocable at account.microsoft.com → Security → Apps and services. From the inboxmcp portal you can remove the mailbox with Delete.

Tokens & encryption

The refresh token is encrypted with an asymmetric envelope scheme before it's stored; recovery from outside is technically impossible. Microsoft rotates the refresh token on every refresh; inboxmcp rotates its stored value in sync. Details under Security & privacy.