Outlook / Exchange for Permissioned Agents
Outlook and Exchange give agents access to email send, calendar manipulation, and contact reads via Microsoft Graph. An unpermissioned agent with Mail.Send scope can exfiltrate data, impersonate users, or spam external recipients in seconds. Connecting Outlook / Exchange to an OpenClaw agent requires enterprise buildout via the official Microsoft Graph API, gated by a Work Policy Contract (WPC) that pins exactly which Graph scopes, mailboxes, and actions the agent may touch.
This integration is not available as a native connector today. It can be connected via official API with enterprise buildout controls, and write or admin actions require WPC approval gates, scoped tokens (CST), and explicit least-privilege auth scopes.
Step-by-step runbook
- Register an Entra ID app registration. Request only the minimum Microsoft Graph permissions needed:
Mail.Readfor inbox triage,Calendars.ReadWritefor scheduling. Do not grantMail.Sendunless the WPC explicitly authorizes outbound email. - Author a WPC for the Outlook skill. Define allowed Graph scopes, target mailboxes (by UPN or group), and action verbs (read, draft, send, delete). The WPC is signed and hash-addressed in clawcontrols, so any mutation is detectable.
- Issue a job-scoped CST. Use clawscope to mint a scoped token pinned to the WPC policy hash. The CST binds the agent session to the specific job, preventing token reuse across unrelated runs.
- Route model calls through clawproxy. All LLM inference for the Outlook skill flows through clawproxy, which emits gateway receipts for each model call. This creates a verifiable record of what the model was asked to do and what it returned.
- Configure Conditional Access in Entra ID. Restrict the app registration to named locations, compliant devices, or specific IP ranges. Layer Privileged Identity Management (PIM) for any admin-level Exchange scopes.
- Collect proof bundle after each run. The proof bundle aggregates gateway receipts, the WPC hash, CST metadata, and action logs into a single auditable artifact.
- Review Trust Pulse artifacts. Store completed proof bundles as Trust Pulse artifacts in the marketplace for post-run audit and replay verification.
Threat model
Prompt-only guardrails ("please do not send emails to external domains") fail under adversarial input. An injected prompt in an email body can override system instructions. Policy-as-code enforced at the execution layer is the only reliable control because it operates below the model's decision boundary.
| Threat | What happens | Control |
|---|---|---|
| Prompt injection via inbound email body | Agent reads a crafted email that instructs it to forward all inbox contents to an external address | WPC restricts Mail.Send to internal domains only; CST scope hash prevents scope escalation |
| Over-scoped Graph permissions | Agent granted Mail.ReadWrite + Mail.Send deletes evidence emails after exfiltration | WPC allowlists only Mail.Read; Entra ID Conditional Access blocks write scopes outside approved contexts |
| Token replay across jobs | Stolen CST reused to access a different user's mailbox in a later session | Marketplace anti-replay binding ties CST to a single job; clawscope revocation invalidates the token post-run |
| Calendar manipulation for social engineering | Agent creates fake meeting invites from an executive's calendar | WPC limits Calendars.ReadWrite to specific calendar IDs; gateway receipts log every model decision leading to the action |
Policy-as-code example
{
"wpc_version": "1.0",
"integration": "outlook-exchange",
"allowed_graph_scopes": [
"Mail.Read",
"Calendars.Read"
],
"denied_graph_scopes": [
"Mail.Send",
"Mail.ReadWrite",
"Contacts.ReadWrite"
],
"mailbox_allowlist": [
"support-queue@contoso.com",
"scheduling@contoso.com"
],
"external_send_domains": [],
"max_actions_per_run": 50,
"require_human_approval": ["Mail.Send"],
"cst_policy_hash_pin": true
}This WPC blocks all send and write scopes by default. If Mail.Send is ever added to allowed_graph_scopes, the require_human_approval gate forces a human confirmation before each outbound email. The signed WPC hash changes on any edit, so clawproxy will reject requests carrying a stale policy reference.
What proof do you get?
Gateway receipts are emitted by clawproxy for every model call made during the Outlook skill run. Each receipt includes a timestamp, model identifier, token counts, and the CST scope hash that authorized the call.
Proof bundles aggregate all gateway receipts for a job alongside the WPC hash, CST metadata, and action-level logs. Model-assisted runs against Outlook / Exchange can produce these bundles for audit and replay checks.
Trust Pulse artifacts store the completed proof bundle in the marketplace viewer, giving auditors and compliance teams a single place to verify what the agent did, which policy governed it, and whether any scope violations occurred.
Rollback posture
| Action | Safe rollback | Evidence |
|---|---|---|
| Email sent to wrong recipient | Recall via Graph message/recall endpoint (Exchange Online only); notify recipient manually if recall fails | Gateway receipt logs the model call that produced the send decision; proof bundle preserves full chain |
| Calendar event created in error | Delete event via Graph API; attendees receive cancellation automatically | WPC action log records the calendar ID and event payload hash |
| Inbox rules modified | Revert via mailboxSettings Graph endpoint; compare against pre-run snapshot | Proof bundle includes pre/post state hashes if the skill captures them |
| CST compromised mid-run | Revoke CST immediately via clawscope; anti-replay binding prevents reuse | Revocation event logged in clawscope audit trail |
FAQ
Is Outlook / Exchange available as a native Claw EA connector today?
No. Outlook / Exchange can be connected via the official Microsoft Graph API with enterprise buildout controls. It is not shipped as an out-of-the-box connector. The integration requires an Entra ID app registration and a WPC that defines allowed scopes and mailboxes.
Why can't prompt-level instructions replace policy-as-code for email?
Email bodies are attacker-controlled input. A prompt injection embedded in a message can override system-level instructions, causing the agent to ignore "do not send externally" rules. A WPC enforced at the execution layer operates independently of the model's output and cannot be overridden by prompt content.
Which Microsoft Graph scopes should an Outlook agent start with?
Start with Mail.Read and Calendars.Read only. Add write or send scopes to the WPC only when a specific workflow requires them, and gate those scopes behind require_human_approval. Use Entra ID Conditional Access to further restrict when and where those scopes are exercisable.
How do gateway receipts help if something goes wrong?
Each gateway receipt is a signed record of a model call, including what the model was asked and what it returned. During incident response, you can replay the receipt chain from the proof bundle to identify exactly which model output led to an unauthorized action, without relying on the agent's self-reported logs.
Can I enforce cost budgets on Outlook agent runs automatically?
Automatic cost budget enforcement is planned but not shipped. Today, you can set max_actions_per_run in the WPC and monitor token usage via gateway receipts. Hard spending caps at the proxy layer are on the roadmap.