This is a Python script and skill for AI agents that provides read-only access to Microsoft 365 email boxes. This project is not affiliated with, endorsed by, or sponsored by Microsoft.
Skill requires an application registration on your Entra. Once registered as an app, you can then use the skill and give access rights to your inbox.
SECURITY NOTE: Even though the skill only gets read-only access to your emails, it can still do serious damage. Consider all the services where you can reset your password by requesting a confirmation link to your email. Giving an agent access to your email can be dangerous in ways you can't imagine.
SECURITY NOTE 2: Accessing the emails requires managing access tokens. Due to way the script works, these need to be stored somewhere between executions. In this case they are stored in temporary folder. They are encrypted, but the agent holds the encryption key. This does not provide true safety, but may help in some cases where old files are left laying around.
Copy the o365 -folder to your agent's skills -directory.
Before using this skill, you need to register an app on Microsoft Entra and obtain client id. This requires admin privileges to your Entra.
Navigate to https://entra.microsoft.com/
From the left menu select App registrations
Select New registration
Enter a name for this app. You can use any name. Probably a good idea to use something that is not too generic so that it's easy to recognize this in the lists and authentication dialogs.
On the authentication, enable "Allow public client flows"
Next you need to setup the permissions for the app.
Start by selecting Microsoft Graph
Add the necessary permissions. The skill requires following permissions:
- Mail.Read
- offline_access
- User.Read
Once done, the app should have these permissions
Go back to the overview page and take a note of the "Application (client) ID". You need to pass this to the skill so that it can do authentication
The script encrypts tokens using the cryptography package, and stores the encrypted data in the OS temp directory.
Install the dependency:
pip install cryptographyWhen you run auth start or auth login, the script prints a Session key. Keep it secret and pass it on every subsequent call using --session-key or the O365CLIENT_SESSION_KEY environment variable. If the key is lost, re-authenticate.
Contact me via email at [email protected] or via X @jpalomak, or juhapalomaki.fi








