
Outlook Entra

by Fred Ghilini · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 28 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install outlook-entra
Description
Microsoft Outlook via OAuth 2.0 (device code flow) and the Microsoft Graph API. Read-only: Mail.Read, Calendars.Read, Contacts.Read.
README (SKILL.md)

Outlook Entra — SKILL.md

Microsoft Outlook via OAuth 2.0 (device code flow) and the Microsoft Graph API. Read-only: only the Mail.Read, Calendars.Read and Contacts.Read permissions are used.

Prerequisites

  • App registered in Entra (Azure AD) with these permissions:
    • Mail.Read, Calendars.Read, Contacts.Read
    • OAuth 2.0 device code flow enabled
  • Python 3.8+ with requests, html2text and cryptography, installed in a .venv created in the skill directory (uv venv .venv && uv pip install html2text requests cryptography)
  • .env file configured (see .env.example)

Installation

# Create the virtual environment (required)
cd ~/.openclaw/workspace/skills/outlook-entra
uv venv .venv
uv pip install html2text requests cryptography

# Copy and edit the config
cp .env.example .env
# ⚠️ Fill in client_id, client_secret, tenant_id in .env

Authentication (Flow)

The device code flow (RFC 8628) requires a single user interaction.

Step 1: Run the auth script

.venv/bin/python scripts/outlook_auth.py

The script will:

  1. Request a device code from Microsoft
  2. Display a user code and a verification URL

Step 2: Authenticate

Go to https://login.microsoft.com/device and enter the displayed code. Time limit: 15 minutes maximum.

Step 3: Wait for confirmation

The script automatically polls the Microsoft endpoint until it obtains the token. Once confirmed, the tokens are saved locally.
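
The polling step above follows the error handling rules of RFC 8628 section 3.5. The sketch below is an added example, not the skill's own outlook_auth.py; the `post` transport hook, the function names and the sample replies are assumptions constructed for illustration so that it runs offline.

```python
# Added example, not the skill's code: RFC 8628 section 3.5 polling rules.
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Terminal failure: the flow has to be restarted from step 1."""


def poll_for_token(post, token_url, client_id, device_code, interval=5,
                   expires_in=900, sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, refuses, or the device code expires.

    `post(url, form) -> dict` is a hypothetical transport hook that returns
    the decoded JSON body, e.g. a thin wrapper around requests.post().
    """
    deadline = clock() + expires_in          # 900 s = the 15-minute limit
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "device_code": device_code}
    while clock() < deadline:
        sleep(interval)                      # never poll faster than told
        body = post(token_url, form)
        if "access_token" in body:
            return body                      # caller persists the tokens
        error = body.get("error")
        if error == "authorization_pending":
            continue                         # user has not finished yet
        if error == "slow_down":
            interval += 5                    # back off by 5 s, keep polling
            continue
        # access_denied, expired_token, anything unknown: stop at once
        raise DeviceFlowError(error or "malformed token response")
    raise DeviceFlowError("expired_token")


def demo():
    """Replay constructed endpoint replies; return (body, sleep intervals)."""
    replies = iter([{"error": "authorization_pending"}, {"error": "slow_down"},
                    {"access_token": "constructed-at", "scope": "Mail.Read"}])
    now, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    body = poll_for_token(lambda url, form: next(replies),
                          "https://login.example.invalid/token", "constructed-id",
                          "constructed-device-code", sleep=fake_sleep,
                          clock=lambda: now[0])
    return body, waits
```

In a real run, `interval` and `expires_in` come from the device code response rather than from the defaults.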

How tokens work

  • The access_token expires after ~1h
  • The refresh_token is used to obtain a new access_token without user interaction
  • The refresh is automated by cron every hour (see the Cron section)
  • If the refresh_token also expires (several months of inactivity), rerun the full flow

Useful commands

# Check the token status
.venv/bin/python scripts/outlook_auth.py --status

# Refresh the token manually
.venv/bin/python scripts/outlook_refresh.py

# Revoke and delete the tokens
.venv/bin/python scripts/outlook_auth.py --revoke

Commands (read-only)

# Connection status
.venv/bin/python scripts/outlook_auth.py --status

# Read the latest messages
.venv/bin/python scripts/outlook_graph.py messages --folder Inbox --top 10

# Message detail (full body, Markdown by default)
.venv/bin/python scripts/outlook_graph.py message <messageId>

# Detail as raw HTML (for extraction/pasting)
.venv/bin/python scripts/outlook_graph.py message <messageId> --raw

# List mail folders
.venv/bin/python scripts/outlook_graph.py folders

# Attachments of a message
.venv/bin/python scripts/outlook_graph.py attachments <messageId>

# Download an attachment
.venv/bin/python scripts/outlook_graph.py download <messageId> --attach-id <attachmentId> --output /path/to/file

# Calendar events
.venv/bin/python scripts/outlook_graph.py events --top 10

# Contacts
.venv/bin/python scripts/outlook_graph.py contacts --top 20

# Search mail
.venv/bin/python scripts/outlook_graph.py search "mot-clé"

# User profile
.venv/bin/python scripts/outlook_graph.py profile

Environment variables (.env)

| Variable | Description | Example |
| --- | --- | --- |
| AZURE_TENANT_ID | GUID of the Entra tenant | 52ffb8b9-… |
| AZURE_CLIENT_ID | App ID (Application ID) | xxxxxxxx-… |
| AZURE_CLIENT_SECRET | App secret | ~ |
| AZURE_REDIRECT_URI | Redirect URI (device flow: any value will do) | http://localhost |
| OAUTH_TOKEN_URL | Token endpoint URL | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token |
| OAUTH_DEVICE_CODE_URL | Device code endpoint URL | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode |
| MS_GRAPH_BASE_URL | Microsoft Graph base URL | https://graph.microsoft.com/v1.0 |
| TOKEN_FILE | Path of the token storage file | ~/.openclaw/outlook_tokens.json |
| TOKEN_FILE_KEY | Encryption key (optional) | (empty by default) |

Skill structure

outlook-entra/
├── SKILL.md
├── README.md
├── .env.example
├── .gitignore
├── .venv/                   # Python virtual environment (created via uv venv)
├── scripts/
│   ├── outlook_auth.py      # OAuth device code flow + status/revoke
│   ├── outlook_graph.py     # Graph API calls (read-only)
│   ├── outlook_refresh.py   # Automated token refresh (for cron)
│   └── outlook_token.py     # Shared module (token read/refresh)
└── tests/
    └── test_outlook.py      # Unit tests

Notes

  • The device code flow (RFC 8628): the user authenticates via https://microsoft.com/devicelogin. Once only.
  • Refresh tokens are used automatically when the access token expires.
  • If TOKEN_FILE_KEY is set, tokens are encrypted with AES-GCM before storage.
  • 401 errors from the Graph API trigger an automatic refresh.

Cron: automatic token refresh

The outlook_refresh.py script checks whether the token is about to expire and refreshes it automatically.

Crontab: refresh every hour at HH:55:

55 * * * * /home/fred-ghilini/.openclaw/workspace/skills/outlook-entra/.venv/bin/python /home/fred-ghilini/.openclaw/workspace/skills/outlook-entra/scripts/outlook_refresh.py >> /home/fred-ghilini/.openclaw/outlook_refresh.log 2>&1

Installation :

SKILL_DIR="/home/fred-ghilini/.openclaw/workspace/skills/outlook-entra"
( crontab -l 2>/dev/null | grep -v outlook_refresh; echo "55 * * * * ${SKILL_DIR}/.venv/bin/python ${SKILL_DIR}/scripts/outlook_refresh.py >> ~/.openclaw/outlook_refresh.log 2>&1" ) | crontab -

Verification:

crontab -l | grep outlook_refresh

Resources

Usage Guidance
Install only if you are comfortable granting this skill durable access to Microsoft account data. Use the narrowest Graph scopes possible, set TOKEN_FILE_KEY, protect the token file, avoid the cron job unless you truly need always-on refresh, and download attachments only into a dedicated safe directory.
Capability Tags
requires-oauth-token, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The core Outlook Graph purpose is coherent, but the documentation emphasizes Mail.Read, Calendars.Read, and Contacts.Read while the code defaults to requesting user.read, openid, profile, and offline_access and includes a profile command. That creates a real mismatch between the stated read-only Outlook scope and actual identity/session access.
Instruction Scope
Most sensitive behaviors are mentioned somewhere, but not consistently: token encryption is described as available yet optional, profile access is not reflected in the declared permissions, and attachment download risks are not explained.
Install Mechanism
Installation is user-directed through a local Python virtual environment and dependencies. The cron setup is explicit rather than automatic, but the provided command installs recurring host-level token refresh.
Credentials
Network access to Microsoft OAuth and Graph, local .env secrets, token file writes, and attachment writes are broadly expected for this integration, but storing refresh tokens locally without mandatory encryption or restrictive permissions is high impact for a mail/calendar/contact skill.
Persistence & Privilege
The skill stores OAuth access and refresh tokens under ~/.openclaw and recommends hourly cron refresh. This is purpose-aligned convenience, but it creates durable session persistence without enough hardening, scoping, or removal guidance.
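
The scope mismatch and the token storage concerns raised in this assessment can both be checked on the host. The script below is an added example, not part of the skill; it assumes that an unencrypted token file is the JSON token response with a space-separated `scope` string, and the sample file it audits is constructed.

```python
# Added example, not the skill's code: audit a locally stored token file.
import json
import os
import stat
import tempfile

DECLARED = {"mail.read", "calendars.read", "contacts.read"}  # from SKILL.md


def audit_token_file(path, declared=DECLARED):
    """Return findings for the token file at `path` (POSIX permissions).

    Assumption: an unencrypted file is the JSON token response with a
    space-separated `scope` string; the skill's real layout may differ.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access beyond the owner; use 0600")
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        data = json.loads(raw)
    except ValueError:
        return findings                  # not plaintext JSON: likely encrypted
    if not isinstance(data, dict):
        return findings
    findings.append("tokens stored in plaintext; set TOKEN_FILE_KEY")
    if "refresh_token" in data:
        findings.append("refresh_token present: durable access without the user")
    # Graph scopes may carry a resource prefix; compare the last path segment.
    granted = {s.lower().rsplit("/", 1)[-1] for s in str(data.get("scope", "")).split()}
    extra = sorted(granted - declared)
    if extra:
        findings.append("scopes beyond the documented set: " + ", ".join(extra))
    return findings


def demo():
    """Audit a constructed plaintext token file written with mode 0644."""
    sample = {"access_token": "constructed", "refresh_token": "constructed",
              "scope": "Mail.Read Calendars.Read Contacts.Read User.Read openid profile"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "outlook_tokens.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_token_file(path)
```

Run `audit_token_file` against the path configured in TOKEN_FILE after the first authentication; an empty list means owner-only permissions and no plaintext token data.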
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install outlook-entra
  3. After installation, invoke the skill by name or use /outlook-entra
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Outlook Entra 1.0.0 — Initial Release
  • Secure Microsoft Outlook integration using OAuth 2.0 device code flow and Microsoft Graph API.
  • Read-only access to mail, calendar, and contacts (`Mail.Read`, `Calendars.Read`, `Contacts.Read`).
  • Step-by-step authentication guide with token management and refresh (manual or cron).
  • Python scripts for listing emails, events, contacts, downloading attachments, and checking user profile.
  • Optional local AES-GCM encryption for token storage.
  • Example `.env` configuration and automated cron setup included.
Metadata
Slug outlook-entra
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Outlook Entra?

Microsoft Outlook via OAuth 2.0 (device code flow) and the Microsoft Graph API. Read-only: Mail.Read, Calendars.Read, Contacts.Read. It is an AI Agent Skill for Claude Code / OpenClaw, with 28 downloads so far.

How do I install Outlook Entra?

Run "/install outlook-entra" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Outlook Entra free?

Yes, Outlook Entra is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Outlook Entra support?

Outlook Entra is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Outlook Entra?

It is built and maintained by Fred Ghilini (@fredguile); the current version is v1.0.0.
