To integrate Outlook with OpenClaw via Microsoft Graph, register an Azure app to get MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET, configure them in OpenClaw's config, and use the Graph API to access Outlook mail, calendar, and contacts. This integration covers the full Microsoft 365 experience — email, meetings, and contacts — through a single authenticated connection. Intermediate difficulty due to Azure app registration requirements.
Why Use Outlook via Microsoft Graph in OpenClaw?
Microsoft Graph is the single API gateway for the entire Microsoft 365 platform. Through one authenticated connection, you get access to Outlook email, Outlook Calendar, contacts, Teams messages, OneDrive files, SharePoint, and more. For organizations on Microsoft 365 — which describes the majority of enterprise environments — this makes the Graph API integration significantly more valuable than a simple Outlook IMAP connection, which covers only email.
The key advantage of Graph over IMAP/SMTP is scope and richness. Graph gives you structured calendar data (not just raw email), meeting metadata (online meeting links, attendees, organizers), contact lists with full directory information, and the ability to search across all mail and calendar content. It also handles modern authentication properly — IMAP with OAuth is fragile in Microsoft 365 environments where legacy auth is disabled, while Graph is Microsoft's officially supported path forward.
The trade-off is setup complexity. Graph requires an Azure Active Directory app registration, which means navigating Azure Portal, requesting specific API permissions, and getting admin consent for those permissions. In a personal or small business Microsoft account, this is straightforward. In a large enterprise, it may require IT admin involvement. For users who want simpler Outlook email integration without the Azure setup, the plain Outlook IMAP integration is a lower-friction starting point.
Integration method
This integration connects OpenClaw to Outlook and other Microsoft 365 services through the Microsoft Graph REST API. It uses OAuth 2.0 client credentials flow (application permissions) with MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET registered in Azure Active Directory. This approach gives OpenClaw read/write access to Outlook mail, calendar events, and contacts without requiring a user to be interactively logged in — suitable for automation workflows running as background services.
Prerequisites
- OpenClaw installed and running (version 1.0 or later)
- A Microsoft account (personal or Microsoft 365 organizational account)
- Access to Azure Portal at portal.azure.com — free for all Microsoft accounts
- For organizational accounts: either admin rights to register applications, or an IT admin who can register the app and grant consent on your behalf
- Your Microsoft 365 tenant ID (found in Azure Portal > Azure Active Directory > Overview)
Step-by-step guide
Register an Azure Application for Microsoft Graph Access
Register an Azure Application for Microsoft Graph Access
Go to portal.azure.com and sign in with your Microsoft account. Navigate to 'Azure Active Directory' (search for it in the top bar). In the left sidebar, click 'App registrations', then 'New registration'. Fill in the registration form: - Name: 'OpenClaw Graph Integration' (or any descriptive name) - Supported account types: 'Accounts in this organizational directory only' for work accounts, or 'Accounts in any organizational directory and personal Microsoft accounts' if you use a personal @outlook.com or @hotmail.com account - Redirect URI: leave blank for now (not needed for client credentials flow) Click 'Register'. Azure creates the application and takes you to its overview page. Copy two values immediately: 1. **Application (client) ID** — this is your MICROSOFT_CLIENT_ID 2. **Directory (tenant) ID** — you will need this for the token endpoint URL Next, create a client secret. Go to 'Certificates & secrets' in the left sidebar, click 'New client secret'. Set a description ('OpenClaw') and an expiry (24 months is standard — add a calendar reminder to rotate before it expires). Click 'Add'. Copy the secret Value immediately — this is your MICROSOFT_CLIENT_SECRET and is only shown once.
1# Values to copy from Azure Portal after registration:2# Application (client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (MICROSOFT_CLIENT_ID)3# Directory (tenant) ID: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy (needed for token URL)4# Client Secret Value: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (MICROSOFT_CLIENT_SECRET)56# Test token acquisition (client credentials flow):7curl -X POST \8 "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token" \9 -d "client_id=YOUR_CLIENT_ID" \10 -d "client_secret=YOUR_CLIENT_SECRET" \11 -d "scope=https://graph.microsoft.com/.default" \12 -d "grant_type=client_credentials"13# Returns access_token if credentials are validPro tip: Set a calendar reminder 1-2 months before your client secret expires. Expired secrets cause silent authentication failures — OpenClaw will suddenly stop connecting to Microsoft Graph with no obvious error until you trace it to the expired credential.
Expected result: You have an Application (client) ID, Directory (tenant) ID, and Client Secret Value from Azure Portal. The test token request returns a JSON response with an access_token field.
Configure Microsoft Graph API Permissions
Configure Microsoft Graph API Permissions
The Azure app registration needs explicit API permissions to access Outlook data. Without these permissions, even a valid token will get 403 errors when calling Graph endpoints. In your Azure app registration, go to 'API permissions' in the left sidebar. Click 'Add a permission' > 'Microsoft Graph' > 'Application permissions' (not Delegated — application permissions work without a user being signed in, which is required for automation workflows). Add these permissions based on what you need: - `Mail.Read` — read Outlook emails - `Mail.ReadWrite` — read and send emails (include if you need to send) - `Calendars.Read` — read calendar events - `Calendars.ReadWrite` — create and update calendar events - `Contacts.Read` — read contacts - `User.Read.All` — read user profile information After adding permissions, click 'Grant admin consent for [your organization]'. This is the critical step that activates the permissions — without admin consent, the permissions are listed but not effective. For personal Microsoft accounts, you grant consent yourself. For organizational accounts, an IT admin may need to approve this step.
1# After granting consent, verify permissions are effective by calling the Graph API:2curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \3 "https://graph.microsoft.com/v1.0/users"45# For personal accounts, test against your own mailbox:6curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \7 "https://graph.microsoft.com/v1.0/me/messages?$top=5"89# If you see 403, permissions were not granted or admin consent is pending10# If you see 200, the permissions are active and the integration can proceedPro tip: For personal use (single mailbox), Delegated permissions with a user access token work as an alternative to Application permissions. However, Application permissions with client credentials are more reliable for automation since they do not require a user session to stay active.
Expected result: All selected API permissions show a green checkmark and 'Granted for [organization]' status in the Azure portal permissions list.
Configure MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET in OpenClaw
Configure MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET in OpenClaw
Open `~/.openclaw/config.yaml` and add the Microsoft Graph integration block. The config stores both your client credentials and the tenant ID needed to construct the correct OAuth token endpoint URL. The `tenant_id` determines which Azure AD directory is used for authentication. For personal Microsoft accounts (Outlook.com, Hotmail.com), use `consumers` as the tenant ID. For organizational accounts, use your specific tenant ID (the UUID from Step 1). The `mailbox` field specifies which mailbox to operate against. Use `me` to target the service account associated with the client credentials, or specify a full user email address for organizational accounts where the app has been granted access to specific mailboxes. After saving and reloading OpenClaw, the integration will request an access token using the client credentials flow and confirm the token can reach the Graph API. Check the OpenClaw log for the connection status.
1# ~/.openclaw/config.yaml2integrations:3 outlook-graph:4 client_id: "YOUR_AZURE_APP_CLIENT_ID"5 client_secret: "YOUR_AZURE_APP_CLIENT_SECRET"6 tenant_id: "YOUR_AZURE_TENANT_ID" # or 'consumers' for personal accounts7 mailbox: "your-email@outlook.com" # Target mailbox email address8 graph_endpoint: "https://graph.microsoft.com/v1.0"9 token_endpoint: "https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token"10 scopes:11 - "https://graph.microsoft.com/.default"12 # Optional: configure what data types to enable13 enable_mail: true14 enable_calendar: true15 enable_contacts: truePro tip: If you are on a Microsoft 365 organizational account, ask your IT admin for the tenant ID — it is the UUID shown in Azure Portal > Azure Active Directory > Overview > Tenant ID. Personal accounts use `consumers` as the tenant_id value.
Expected result: Config saves without errors. `openclaw reload` logs a successful Microsoft Graph authentication and token acquisition.
Query Outlook Mail and Calendar via Graph
Query Outlook Mail and Calendar via Graph
With authentication configured, test the core operations you will use in workflows. The Graph API uses OData query syntax for filtering, sorting, and selecting specific fields — this is more powerful than what IMAP provides but has a steeper learning curve. Start with a simple mail query to confirm email access works, then test calendar event retrieval. The Graph API returns rich structured data for both — mail messages include all headers and metadata, calendar events include attendees, recurrence rules, online meeting links, and Microsoft Teams join URLs. The key Graph endpoints for Outlook are `/me/messages` for mail, `/me/events` for calendar, and `/me/contacts` for the address book. For organizational accounts with Application permissions targeting other users' mailboxes, replace `/me/` with `/users/USER_EMAIL/`.
1# Query recent Outlook emails (last 10, unread first)2curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \3 "https://graph.microsoft.com/v1.0/me/messages?\$top=10&\$filter=isRead eq false&\$orderby=receivedDateTime desc&\$select=subject,from,receivedDateTime,bodyPreview"45# Query calendar events for the next 7 days6curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \7 "https://graph.microsoft.com/v1.0/me/events?\$filter=start/dateTime ge '2026-03-30T00:00:00'&\$orderby=start/dateTime&\$select=subject,start,end,attendees,onlineMeeting"89# Send an email via Graph10curl -X POST \11 -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \12 -H "Content-Type: application/json" \13 -d '{14 "message": {15 "subject": "Test from OpenClaw",16 "body": { "contentType": "Text", "content": "Testing Graph API send" },17 "toRecipients": [{ "emailAddress": { "address": "recipient@example.com" } }]18 }19 }' \20 "https://graph.microsoft.com/v1.0/me/sendMail"Pro tip: Use `$select` in Graph queries to limit which fields are returned — this reduces response size and speeds up queries significantly when processing many messages or events. Only request the fields your workflow actually needs.
Expected result: Mail query returns recent Outlook emails with subject, sender, and preview. Calendar query returns upcoming meetings with attendees and Teams meeting links.
Build Outlook Automation Workflows in OpenClaw
Build Outlook Automation Workflows in OpenClaw
Configure OpenClaw workflows that use the Microsoft Graph integration to monitor and act on Outlook activity. The most common patterns are: inbox monitoring for specific message criteria, calendar event processing for meeting briefings, and cross-service workflows that combine email data with calendar actions. The workflow trigger for mail monitoring uses the `outlook-graph` integration key with the `new-message` event type. Calendar workflows can use the `schedule` trigger to query events at a set time each day. For RapidDev's recommended approach to complex Microsoft 365 automation, start with a single workflow that logs incoming mail matching a specific sender or subject filter. Once that is working reliably, add downstream actions (calendar creation, notifications, CRM logging) one at a time. Because Graph API tokens expire every 60 minutes, OpenClaw's Graph integration handles token refresh automatically using your client credentials — you do not need to manage this manually.
1# ~/.openclaw/config.yaml — Outlook Graph automation workflows2workflows:3 outlook-vip-alert:4 trigger:5 integration: outlook-graph6 event: new-message7 conditions:8 - field: from.emailAddress.address9 in: ["boss@company.com", "client@important.com"]10 actions:11 - type: log12 message: "VIP email: {{message.subject}} from {{message.from.emailAddress.address}}"1314 morning-calendar-briefing:15 trigger:16 type: schedule17 cron: "0 8 * * MON-FRI" # Weekdays at 8 AM18 actions:19 - type: integration-query20 integration: outlook-graph21 query: calendar-events22 params:23 start: "{{date.today}}T00:00:00"24 end: "{{date.today}}T23:59:59"25 - type: log26 message: "Today's meetings: {{result.count}} events"Pro tip: Set up a dead-letter log for failed webhook deliveries — if an email arrives when OpenClaw is offline, Graph webhooks will retry for up to 72 hours. Having a catch-up polling workflow (every 30 minutes) as a fallback ensures no important emails are missed during downtime.
Expected result: OpenClaw reacts to new Outlook emails and calendar events through the Microsoft Graph integration, executing configured downstream workflow actions.
Common use cases
Intelligent Email Monitoring and Triage
OpenClaw monitors your Outlook inbox through the Graph API, identifies emails matching specified criteria (sender, subject keywords, importance flags), and triggers automated responses or routing. More powerful than IMAP filtering because Graph's query language supports rich metadata filtering and full-text search across mail content.
Configure OpenClaw to query the Outlook inbox via Microsoft Graph for all unread emails received in the last 24 hours from external senders and summarize them by sender and subject
Copy this prompt to try it in OpenClaw
Calendar and Meeting Intelligence
Pull detailed meeting data from Outlook Calendar including attendee lists, online meeting links (Teams/Zoom), organizer information, and recurrence patterns — data that IMAP cannot provide. OpenClaw can build meeting briefings, check availability for scheduling automation, or extract meeting metadata for reporting.
Query my Outlook Calendar via Microsoft Graph for all meetings scheduled in the next 7 days and return a structured list with meeting titles, attendees, Teams links, and start times
Copy this prompt to try it in OpenClaw
Cross-Microsoft-365 Automation
Use a single authenticated Graph connection to coordinate across multiple Microsoft 365 services — read an email, extract a date from it, create a calendar event, and save the attachment to OneDrive in a single workflow. Graph's unified API makes cross-service automation far cleaner than managing separate credentials for each Microsoft service.
Set up an OpenClaw workflow that reads new Outlook emails from the contracts@company.com folder, extracts meeting date/time information, and creates a corresponding Outlook Calendar event for each one
Copy this prompt to try it in OpenClaw
Troubleshooting
Token request fails with 'invalid_client' or 'unauthorized_client' error
Cause: The MICROSOFT_CLIENT_SECRET is incorrect, has expired, or the client ID does not match the tenant where the app is registered.
Solution: Go to Azure Portal > App Registrations > your app > Certificates & secrets. Check the expiry date of your secret. If expired, generate a new one and update your OpenClaw config. If the secret looks valid, verify the client ID in your config matches the Application (client) ID shown in the app's Overview page.
1# Test credentials directly:2curl -X POST \3 "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token" \4 -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_SECRET&scope=https://graph.microsoft.com/.default&grant_type=client_credentials"5# 'access_token' in response = credentials valid6# 'unauthorized_client' = check permissions and consentGraph API returns 403 with 'Authorization_RequestDenied' when querying mail or calendar
Cause: The required API permissions (Mail.Read, Calendars.Read, etc.) are listed on the Azure app but admin consent has not been granted — permissions require both being added AND having admin consent granted.
Solution: Go to Azure Portal > App Registrations > your app > API permissions. Check that each permission has a green checkmark and shows 'Granted for [organization]'. If any show 'Not granted', click 'Grant admin consent for [org]'. For organizational accounts, this may require an Azure AD administrator.
1# Verify what permissions your token actually has:2curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \3 "https://graph.microsoft.com/v1.0/me"4# If this returns 403, the basic User.Read permission is missing or consent not grantedOpenClaw config reports 'invalid tenant_id' on startup
Cause: The tenant_id value in the config is incorrect. Common mistakes include using the app's client ID instead of the tenant ID, or using 'common' or 'organizations' when the app requires a specific tenant.
Solution: Find your tenant ID in Azure Portal > Azure Active Directory > Overview > Tenant ID (not the app's client ID). For personal @outlook.com accounts, use `consumers`. For work accounts, use the specific tenant UUID.
1# Personal Microsoft account:2tenant_id: "consumers"34# Organizational account (get the UUID from Azure AD Overview):5tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"Integration stops working after several weeks with 'invalid_client_secret' error
Cause: The Azure app client secret has expired. Secrets have configurable expiry (1, 2, or 24 months) — when they expire, all token requests fail immediately.
Solution: Go to Azure Portal > App Registrations > your app > Certificates & secrets. Generate a new secret, immediately copy the Value (shown only once), and update `client_secret` in your OpenClaw config. Run `openclaw reload` to apply the new secret.
1# After generating new secret in Azure Portal, update config:2# ~/.openclaw/config.yaml3integrations:4 outlook-graph:5 client_secret: "NEW_SECRET_VALUE_HERE"6# Then reload:7# openclaw reloadBest practices
- Set a calendar reminder 1 month before your Azure app client secret expires — expiry is the most common cause of sudden Microsoft Graph authentication failures, and it is entirely preventable with a reminder.
- Request only the permissions your workflows actually need when configuring the Azure app — avoiding overly broad permissions like Mail.ReadWrite if you only need Mail.Read reduces the blast radius if credentials are ever compromised.
- Use `$select` in all Microsoft Graph queries to limit returned fields to only what your workflow needs — Graph responses include dozens of fields by default, and selecting only relevant ones can reduce response size by 70-80%.
- Test all Graph queries against a dedicated test mailbox before pointing them at production inboxes — this prevents automation bugs from affecting real emails while you are iterating on workflow logic.
- Store MICROSOFT_CLIENT_SECRET only in `~/.openclaw/config.yaml` with appropriate file permissions — the secret grants application-level access to all mailboxes the app has been permitted to access.
- For organizational accounts, document the Azure app registration so IT administrators understand what it does and who owns it — unrecognized app registrations are sometimes disabled during security audits.
- Combine the Graph integration with the plain Outlook IMAP integration as a fallback — if Graph API has an outage, simple IMAP can maintain basic email monitoring continuity.
Alternatives
The plain Outlook IMAP integration is simpler to set up (no Azure registration required) but covers only email — use it if you just need to read and send mail without calendar, contacts, or Teams data.
Google Calendar via Maton is the equivalent integration for Google Workspace users — use it instead if your team is on Google rather than Microsoft 365.
Calendly handles the external booking workflow (letting people schedule time with you via a link) rather than direct calendar management — use it alongside the Graph integration rather than instead of it.
The Microsoft Excel integration also uses Microsoft Graph credentials — if you have already registered an Azure app for Graph, you can reuse the same client ID and secret for Excel integration with minimal extra setup.
Frequently asked questions
How do I set up the Outlook Microsoft Graph integration in OpenClaw?
Register an application in Azure Portal at portal.azure.com, generate a client secret, add the required Microsoft Graph API permissions (Mail.Read, Calendars.Read, etc.), grant admin consent, then add the client ID, client secret, and tenant ID to `~/.openclaw/config.yaml` under the `outlook-graph` integration key. Reload OpenClaw to activate.
What are MICROSOFT_CLIENT_ID and MICROSOFT_CLIENT_SECRET?
These are credentials from an Azure Active Directory app registration. The Client ID (also called Application ID) identifies your registered app. The Client Secret is a password-like string that your app uses to prove its identity when requesting Microsoft Graph tokens. Both are generated in Azure Portal > App Registrations.
Do I need to be an Azure administrator to set up this integration?
For personal Microsoft accounts, you can register apps and grant consent yourself. For organizational Microsoft 365 accounts, you need either Azure AD administrator rights or an IT admin who can register the application and grant admin consent for the API permissions. In many organizations, IT admins can approve pre-registered app registrations without major bureaucratic overhead.
How is Microsoft Graph different from using Outlook IMAP in OpenClaw?
Microsoft Graph is Microsoft's full API for all M365 services — it provides calendar events with rich metadata, contacts, Teams meeting links, and advanced mail filtering through OData queries. IMAP only provides raw email read/write access. Graph requires Azure app registration; IMAP requires only your email credentials. Use Graph for rich automation; use IMAP for simple email workflows.
Why does my client secret expire and how do I renew it?
Azure app client secrets have configurable expiry dates (1, 2, or 24 months) as a security measure — they prevent leaked credentials from being valid indefinitely. When expired, generate a new secret in Azure Portal > App Registrations > your app > Certificates & secrets, copy the Value immediately (only shown once), and update your OpenClaw config. RapidDev recommends setting a calendar reminder to rotate secrets before they expire.
Can OpenClaw access multiple Outlook mailboxes with one registration?
Yes — with Application permissions (rather than Delegated permissions), a single Azure app registration can access any mailbox in your Microsoft 365 tenant that an administrator has permitted. This is useful for team-wide automation, such as monitoring a shared support inbox alongside individual team member mailboxes.
Can RapidDev help configure the Microsoft Graph OpenClaw integration?
Yes — RapidDev's team can assist with the full setup process including Azure app registration, permission configuration, and building OpenClaw workflows that use Microsoft Graph data. The Azure Portal navigation and permission model can be confusing on first setup, and expert guidance reduces the time to a working integration significantly.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation