Read, search, and manage Outlook emails and calendar via Microsoft Graph API with delegate support. Supports sending as self, as owner (Send As), and on behalf of owner (Send on Behalf). Modified for delegate access from https://clawhub.ai/jotamed/outlook
Access another user's Outlook/Microsoft 365 email and calendar as a delegate via Microsoft Graph API. Supports three sending modes: as yourself, as the owner, or on behalf of the owner.
This skill is designed for scenarios where:
All three modes use the same Graph API call (/users/{delegate}/sendMail with the from field set). The difference between Send As and Send on Behalf is determined entirely by which Exchange permission is granted, not by the API endpoint.
| Mode | Command | Exchange Permission Required | from field | sender field | What Recipient Sees |
|---|---|---|---|---|---|
| As Self | send | (none extra) | Delegate | Delegate | "From: Assistant" |
| As Owner (Send As) | send-as | SendAs only | Owner | Owner | "From: Owner" |
| On Behalf Of | send-behalf | SendOnBehalf only | Owner | Delegate | "From: Assistant on behalf of Owner" |
⚠️ CRITICAL: Do NOT grant both SendAs and SendOnBehalf permissions. If both are granted, Exchange always uses SendAs, and the "on behalf of" indication will never appear. Choose ONE based on your desired behavior.
When you call send-as or send-behalf, the skill makes the same API call: it sends via the delegate's endpoint with the owner in the from field. Microsoft Graph automatically sets the sender property to the authenticated user (the delegate). Whether the recipient sees "on behalf of" depends solely on the Exchange permission:
- SendAs: Exchange sets sender and from to the owner. No indication of delegation.
- SendOnBehalf: Exchange keeps sender as the delegate and from as the owner. Recipient sees "on behalf of."

Configuration file: ~/.outlook-mcp/config.json

```json
{
  "client_id": "your-app-client-id",
  "client_secret": "your-app-client-secret",
  "tenant_id": "your-tenant-id",
  "owner_email": "[email protected]",
  "owner_name": "Owner Display Name",
  "delegate_email": "[email protected]",
  "delegate_name": "AI Assistant",
  "timezone": "America/New_York"
}
```
| Field | Description |
|---|---|
| client_id | Microsoft Entra ID App Registration client ID |
| client_secret | Microsoft Entra ID App Registration client secret |
| tenant_id | Your Microsoft Entra tenant ID (auto-detected during setup) |
| owner_email | The mailbox the assistant accesses as delegate |
| owner_name | Display name for the owner (used in From field) |
| delegate_email | The assistant's own email address |
| delegate_name | Display name for the assistant |
| timezone | IANA timezone for calendar operations (e.g., America/New_York, Europe/London, UTC) |
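
The request body that send, send-as and send-behalf post to /users/{delegate}/sendMail, as an added example (not the skill's own scripts): it shows that send-as and send-behalf produce identical JSON and that building it with jq keeps subject and body text as data. The function names are hypothetical, the addresses are constructed samples, and jq is assumed to be installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not the skill's own scripts.

# Constructed sample values standing in for owner_email / owner_name in config.json.
OWNER_EMAIL="owner@example.com"
OWNER_NAME="Owner Display Name"

# build_sendmail_payload <to> <subject> <body> [from_addr] [from_name]
# Every user-supplied string enters through --arg, so jq escapes it as a JSON
# string; quotes or braces in a subject cannot add or change fields.
build_sendmail_payload() {
  jq -n \
    --arg to "$1" --arg subject "$2" --arg body "$3" \
    --arg from_addr "${4:-}" --arg from_name "${5:-}" '
    {
      message: ({
        subject: $subject,
        body: { contentType: "Text", content: $body },
        toRecipients: [ { emailAddress: { address: $to } } ]
      } + (if $from_addr == "" then {} else
        { "from": { emailAddress: { address: $from_addr, name: $from_name } } }
      end)),
      saveToSentItems: true
    }'
}

# payload_for_mode <send|send-as|send-behalf> <to> <subject> <body>
# send-as and send-behalf yield the same body (owner in "from"); which one the
# recipient sees is decided by the Exchange permission, not by this request.
payload_for_mode() {
  [ "$#" -eq 4 ] || { echo "usage: payload_for_mode <mode> <to> <subject> <body>" >&2; return 2; }
  mode=$1; shift
  case "$mode" in
    send)                build_sendmail_payload "$@" ;;
    send-as|send-behalf) build_sendmail_payload "$@" "$OWNER_EMAIL" "$OWNER_NAME" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}
```

Because the two owner modes are indistinguishable at the request level, the only place to confirm which one is in effect is the Exchange permission on the owner's mailbox.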
Create an app registration in Azure Portal:
http://localhost:8400/callback

In your app → API permissions → Add a permission → Microsoft Graph → Delegated permissions:

Required for all modes:

- Mail.ReadWrite — Read/write assistant's own mail
- Mail.Send — Send mail as assistant
- Calendars.ReadWrite — Read/write calendars
- User.Read — Read own profile
- offline_access — Refresh tokens

Required for delegate access:

- Mail.ReadWrite.Shared — Read/write shared mailboxes
- Mail.Send.Shared — Send on behalf of others
- Calendars.ReadWrite.Shared — Read/write shared calendars

Click "Grant admin consent" (requires admin).
The owner (or an admin) must grant the assistant access via PowerShell.
Choose your sending mode FIRST, then grant the appropriate permissions:
```powershell
# Connect to Exchange Online
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName [email protected]

# REQUIRED: Full Mailbox Access (for reading owner's mail)
Add-MailboxPermission -Identity "[email protected]" `
    -User "[email protected]" `
    -AccessRights FullAccess `
    -InheritanceType All `
    -AutoMapping $false

# REQUIRED: Calendar Delegate Access
Add-MailboxFolderPermission -Identity "[email protected]:\Calendar" `
    -User "[email protected]" `
    -AccessRights Editor `
    -SharingPermissionFlags Delegate
```
Then choose ONE of the following — do NOT grant both:
```powershell
# OPTION A: Send As (emails appear directly from owner, no indication)
Add-RecipientPermission -Identity "[email protected]" `
    -Trustee "[email protected]" `
    -AccessRights SendAs `
    -Confirm:$false

# OPTION B: Send on Behalf (emails show "assistant on behalf of owner")
# Note: a plain value replaces any existing Send on Behalf delegates;
# use @{Add="..."} instead to keep the ones already granted.
Set-Mailbox -Identity "[email protected]" `
    -GrantSendOnBehalfTo "[email protected]"
```
Verify permissions:
```powershell
# Check mailbox permissions
Get-MailboxPermission -Identity "[email protected]" | Where-Object {$_.User -like "*assistant*"}

# Check Send As
Get-RecipientPermission -Identity "[email protected]" | Where-Object {$_.Trustee -like "*assistant*"}

# Check Send on Behalf
Get-Mailbox "[email protected]" | Select-Object GrantSendOnBehalfTo

# Check Calendar permissions
Get-MailboxFolderPermission -Identity "[email protected]:\Calendar"
```
| Action | Graph Permission | Exchange Permission |
|---|---|---|
| Read owner's mail | Mail.ReadWrite.Shared | FullAccess |
| Send as self | Mail.Send | (none needed) |
| Send as owner | Mail.Send.Shared | SendAs only |
| Send on behalf of owner | Mail.Send.Shared | SendOnBehalf only |
| Read/write owner's calendar | Calendars.ReadWrite.Shared | Editor |
```bash
./scripts/outlook-token.sh refresh   # Refresh expired token
./scripts/outlook-token.sh test      # Test connection to both accounts
./scripts/outlook-token.sh get       # Print access token
./scripts/outlook-token.sh info      # Show configuration info

./scripts/outlook-mail.sh inbox [count]             # Owner's inbox
./scripts/outlook-mail.sh unread [count]            # Owner's unread
./scripts/outlook-mail.sh search "query" [count]    # Search owner's mail
./scripts/outlook-mail.sh from <email> [count]      # Owner's mail from sender
./scripts/outlook-mail.sh read <id>                 # Read email content
./scripts/outlook-mail.sh attachments <id>          # List attachments
./scripts/outlook-mail.sh mark-read <id>            # Mark as read
./scripts/outlook-mail.sh mark-unread <id>          # Mark as unread
./scripts/outlook-mail.sh flag <id>                 # Flag as important
./scripts/outlook-mail.sh unflag <id>               # Remove flag
./scripts/outlook-mail.sh delete <id>               # Move to trash
./scripts/outlook-mail.sh archive <id>              # Move to archive
./scripts/outlook-mail.sh move <id> <folder>        # Move to folder
```
As Assistant (self):
```bash
./scripts/outlook-mail.sh send <to> <subject> <body>
./scripts/outlook-mail.sh reply <id> "body"
./scripts/outlook-mail.sh forward <id> <to> [message]
```
Recipient sees: "From: AI Assistant [email protected]"
As Owner (Send As — requires SendAs permission, no indication):
```bash
./scripts/outlook-mail.sh send-as <to> <subject> <body>
./scripts/outlook-mail.sh reply-as <id> "body"
./scripts/outlook-mail.sh forward-as <id> <to> [message]
```
Recipient sees: "From: Owner [email protected]"
On Behalf of Owner (requires SendOnBehalf permission):
```bash
./scripts/outlook-mail.sh send-behalf <to> <subject> <body>
./scripts/outlook-mail.sh reply-behalf <id> "body"
./scripts/outlook-mail.sh forward-behalf <id> <to> [message]
```
Recipient sees: "From: AI Assistant on behalf of Owner [email protected]"
```bash
./scripts/outlook-mail.sh draft <to> <subject> <body>   # Create draft in owner's mailbox
./scripts/outlook-mail.sh drafts [count]                # List owner's drafts
./scripts/outlook-mail.sh send-draft <id>               # Send draft as self
./scripts/outlook-mail.sh send-draft-as <id>            # Send draft as owner
./scripts/outlook-mail.sh send-draft-behalf <id>        # Send draft on behalf of owner

./scripts/outlook-mail.sh folders                       # List mail folders
./scripts/outlook-mail.sh stats                         # Inbox statistics
./scripts/outlook-mail.sh whoami                        # Show delegate info
```
Viewing Events:
```bash
./scripts/outlook-calendar.sh events [count]        # Owner's upcoming events (future only)
./scripts/outlook-calendar.sh today                 # Today's events (timezone-aware)
./scripts/outlook-calendar.sh week                  # This week's events
./scripts/outlook-calendar.sh read <id>             # Event details
./scripts/outlook-calendar.sh calendars             # List all calendars
./scripts/outlook-calendar.sh free <start> <end>    # Check availability
```
Creating Events:
```bash
./scripts/outlook-calendar.sh create <subject> <start> <end> [location]
./scripts/outlook-calendar.sh quick <subject> [time]
```
Date format: YYYY-MM-DDTHH:MM (e.g., 2026-01-26T10:00)
Managing Events:
```bash
./scripts/outlook-calendar.sh update <id> <field> <value>
./scripts/outlook-calendar.sh delete <id>
```
Fields: subject, location, start, end
Where the sent copy is saved depends on the endpoint used, not the sending mode:
| Command | Endpoint Used | Saved To |
|---|---|---|
| send (as self) | /users/{delegate}/sendMail | Delegate's Sent Items |
| send-as | /users/{delegate}/sendMail | Delegate's Sent Items * |
| send-behalf | /users/{delegate}/sendMail | Delegate's Sent Items * |
| All draft sends | /users/{owner}/messages/{id}/send | Owner's Sent Items |

\* Administrators can configure Exchange to also save a copy in the owner's Sent Items using:

```powershell
Set-Mailbox -Identity "[email protected]" -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
```
"Access denied" or "403 Forbidden" → Check that the assistant has MailboxPermission on the owner's mailbox
"ErrorSendAsDenied" → Missing SendAs or SendOnBehalf permission. Run the PowerShell commands above.
Emails don't show "on behalf of" → You may have both SendAs and SendOnBehalf granted. When both exist, Exchange always uses SendAs (which hides the delegate). Remove the SendAs permission if you want "on behalf of" to appear.
"The mailbox is not found"
→ Verify owner_email in config.json is correct
"AADSTS90002: Tenant not found"
→ Check tenant_id in config.json matches your Microsoft Entra tenant
"Token expired"
→ Run outlook-token.sh refresh
Wrong timezone for calendar
→ Update timezone in config.json (use IANA format like America/New_York)
- ~/.outlook-mcp/ directory is automatically set to 700 and credential files to 600
- jq to prevent injection

```powershell
# Remove all permissions
Remove-MailboxPermission -Identity "[email protected]" -User "[email protected]" -AccessRights FullAccess -Confirm:$false

# Remove Send As (if granted)
Remove-RecipientPermission -Identity "[email protected]" -Trustee "[email protected]" -AccessRights SendAs -Confirm:$false

# Remove Send on Behalf (if granted)
Set-Mailbox -Identity "[email protected]" -GrantSendOnBehalfTo @{Remove="[email protected]"}

# Remove Calendar access
Remove-MailboxFolderPermission -Identity "[email protected]:\Calendar" -User "[email protected]" -Confirm:$false
```
- ~/.outlook-mcp/config.json — Configuration (client ID, tenant ID, emails, timezone)
- ~/.outlook-mcp/credentials.json — OAuth tokens (access + refresh)
- jq to prevent injection and malformed payloads
- chmod 600)
- chmod 700)
- events command now shows only future events
- /common endpoint)