inboxmcp

← Back to the blog

Update

Microsoft 365 is now officially supported

Microsoft 365 mailboxes now work in inboxmcp the same way IMAP mailboxes do. You connect Outlook with one click via OAuth — no app password, no admin consent dance, no second mailbox account. Reading, drafts and filing all work right out of the gate, side by side with IMAP and shared mailboxes.

How to connect

In the customer portal, pick Add mailbox → Microsoft 365. Microsoft's standard sign-in screen opens, you grant permission to read and manage your own mail, and you land back in the portal with the new mailbox ready to go. The whole flow takes under a minute. You only need to be able to sign in to your Microsoft account — no global admin role required for personal or single-user mailboxes.

If you're connecting a mailbox in a managed tenant where the admin has restricted third-party app consent, the OAuth screen will tell you so and offer a one-click admin consent link your IT team can approve. After that, you and any colleagues can connect their own mailboxes individually.

What you can ask the AI to do

Everything that already works for IMAP mailboxes now works for Microsoft 365: searching across folders, opening a thread, downloading attachments, drafting replies that thread cleanly into Outlook conversations, moving messages, and creating new folders. The audit log captures every action the same way — so if you have a Business plan and need to show what the AI did, the export covers Outlook mailboxes too.

From the AI's perspective, an Outlook mailbox is indistinguishable from a mailbox.org account or a self-hosted Dovecot. You pick which mailbox in your prompt — "in my Outlook" or just by name — and the AI uses whichever one matches.

Tokens stay in our infrastructure

Microsoft hands us a short-lived access token and a longer-lived refresh token after you sign in. Both are stored encrypted on our side — the same AES-256-GCM envelope we use for IMAP passwords, with the decryption key only available to the component that actually talks to Microsoft Graph, never to the API process that serves your browser. When the access token expires (usually after an hour), we silently refresh it. If you revoke our app in your Microsoft account settings, the refresh token stops working and the mailbox is disconnected on our side — no action needed from you to clean up.

What's next

Gmail is next on the list — we expect to launch it the same way: OAuth sign-in, one click, no app passwords. After that, we'll start filling out the remaining write tools — sending drafts directly, marking messages, moving to trash — all gated behind a confirmation prompt so nothing leaves your mailbox without you saying so.

As always, feedback on what should come next is welcome at hi@inboxmcp.io.

More articles