references/setup.md

# Outlook Manual Setup Guide

Use this guide if you prefer manual setup via Azure Portal, or if the automated setup fails.

## Prerequisites

- Microsoft account (Outlook.com, Hotmail, Live, or Microsoft 365)
- Access to [Azure Portal](https://portal.azure.com)
- `jq` installed (`sudo apt install jq`)

## Step 1: Create Azure App Registration

1. Go to https://portal.azure.com
2. Search for **"App registrations"** → Click it
3. Click **"+ New registration"**
4. Configure:
   - **Name:** `Clawdbot-Outlook` (or any name)
   - **Supported account types:** "Accounts in any organizational directory and personal Microsoft accounts"
   - **Redirect URI:** Platform = Web, URI = `http://localhost`
5. Click **Register**

## Step 2: Get Client Credentials

After registration:
1. On the app overview page, copy the **Application (client) ID** → This is your `CLIENT_ID`
2. Go to **Certificates & secrets** in the left menu
3. Click **+ New client secret**
4. Add a description (e.g., "clawdbot") and choose expiration
5. Click **Add**
6. **Immediately copy the Value** (not the ID) → This is your `CLIENT_SECRET`
   - ⚠️ You can only see this once!

## Step 3: Configure API Permissions

1. Go to **API permissions** in the left menu
2. Click **+ Add a permission**
3. Select **Microsoft Graph** → **Delegated permissions**
4. Add these permissions:
   - `Mail.ReadWrite` - Read and write mail
   - `Mail.Send` - Send mail
   - `Calendars.ReadWrite` - Read and write calendar
   - `User.Read` - Read user profile
5. Click **Add permissions**

Note: `offline_access` is requested during auth, not configured here.

## Step 4: Save Configuration

Create the config directory and files:

```bash
mkdir -p ~/.outlook-mcp
```

Create `~/.outlook-mcp/config.json`:
```json
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}
```

Secure the file:
```bash
chmod 600 ~/.outlook-mcp/config.json
```

## Step 5: Authorize the App

Build the authorization URL (replace YOUR_CLIENT_ID):

```
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=http://localhost&scope=https://graph.microsoft.com/Mail.ReadWrite%20https://graph.microsoft.com/Mail.Send%20https://graph.microsoft.com/Calendars.ReadWrite%20offline_access&response_mode=query
```

1. Open the URL in a browser
2. Sign in with your Microsoft account
3. Grant the requested permissions
4. You'll be redirected to `http://localhost?code=XXXXX...`
5. Copy the `code` value from the URL (everything after `code=` until `&` or end)

## Step 6: Exchange Code for Tokens

```bash
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
AUTH_CODE="the-code-from-step-5"

curl -s -X POST "https://login.microsoftonline.com/common/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&code=$AUTH_CODE&redirect_uri=http://localhost&grant_type=authorization_code&scope=https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Calendars.ReadWrite offline_access" \
  > ~/.outlook-mcp/credentials.json

chmod 600 ~/.outlook-mcp/credentials.json
```

## Step 7: Verify Setup

```bash
ACCESS_TOKEN=$(jq -r '.access_token' ~/.outlook-mcp/credentials.json)

curl -s "https://graph.microsoft.com/v1.0/me/mailFolders/inbox" \
  -H "Authorization: Bearer $ACCESS_TOKEN" | jq '{total: .totalItemCount, unread: .unreadItemCount}'
```

You should see your inbox statistics.

## Troubleshooting

### "AADSTS700016: Application not found"
- Double-check the client_id is correct
- Ensure you selected "Accounts in any organizational directory and personal Microsoft accounts"

### "AADSTS7000218: Invalid client secret"
- Client secrets can only be viewed once - create a new one if lost

### "AADSTS65001: User hasn't consented"
- Re-run the authorization step (Step 5)
- Make sure you click "Accept" on the consent screen

### "Token expired"
- Access tokens last ~1 hour
- Run `./scripts/outlook-token.sh refresh` to get a new one

### Work/School Account Issues
- Your organization may require admin consent
- Contact your IT admin or use a personal Microsoft account
Initial commit with translated description 2026-03-29 10:19:32 +08:00			`# Outlook Manual Setup Guide`

			`Use this guide if you prefer manual setup via Azure Portal, or if the automated setup fails.`

			`## Prerequisites`

			`- Microsoft account (Outlook.com, Hotmail, Live, or Microsoft 365)`
			`- Access to [Azure Portal](https://portal.azure.com)`
			- `jq` installed (`sudo apt install jq`)

			`## Step 1: Create Azure App Registration`

			`1. Go to https://portal.azure.com`
			`2. Search for "App registrations" → Click it`
			`3. Click "+ New registration"`
			`4. Configure:`
			- Name: `Clawdbot-Outlook` (or any name)
			`- Supported account types: "Accounts in any organizational directory and personal Microsoft accounts"`
			- Redirect URI: Platform = Web, URI = `http://localhost`
			`5. Click Register`

			`## Step 2: Get Client Credentials`

			`After registration:`
			1. On the app overview page, copy the Application (client) ID → This is your `CLIENT_ID`
			`2. Go to Certificates & secrets in the left menu`
			`3. Click + New client secret`
			`4. Add a description (e.g., "clawdbot") and choose expiration`
			`5. Click Add`
			6. Immediately copy the Value (not the ID) → This is your `CLIENT_SECRET`
			`- ⚠️ You can only see this once!`

			`## Step 3: Configure API Permissions`

			`1. Go to API permissions in the left menu`
			`2. Click + Add a permission`
			`3. Select Microsoft Graph → Delegated permissions`
			`4. Add these permissions:`
			- `Mail.ReadWrite` - Read and write mail
			- `Mail.Send` - Send mail
			- `Calendars.ReadWrite` - Read and write calendar
			- `User.Read` - Read user profile
			`5. Click Add permissions`

			Note: `offline_access` is requested during auth, not configured here.

			`## Step 4: Save Configuration`

			`Create the config directory and files:`

			```bash
			`mkdir -p ~/.outlook-mcp`
			```

			Create `~/.outlook-mcp/config.json`:
			```json
			`{`
			`"client_id": "YOUR_CLIENT_ID",`
			`"client_secret": "YOUR_CLIENT_SECRET"`
			`}`
			```

			`Secure the file:`
			```bash
			`chmod 600 ~/.outlook-mcp/config.json`
			```

			`## Step 5: Authorize the App`

			`Build the authorization URL (replace YOUR_CLIENT_ID):`

			```
			`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=http://localhost&scope=https://graph.microsoft.com/Mail.ReadWrite%20https://graph.microsoft.com/Mail.Send%20https://graph.microsoft.com/Calendars.ReadWrite%20offline_access&response_mode=query`
			```

			`1. Open the URL in a browser`
			`2. Sign in with your Microsoft account`
			`3. Grant the requested permissions`
			4. You'll be redirected to `http://localhost?code=XXXXX...`
			5. Copy the `code` value from the URL (everything after `code=` until `&` or end)

			`## Step 6: Exchange Code for Tokens`

			```bash
			`CLIENT_ID="your-client-id"`
			`CLIENT_SECRET="your-client-secret"`
			`AUTH_CODE="the-code-from-step-5"`

			`curl -s -X POST "https://login.microsoftonline.com/common/oauth2/v2.0/token" \`
			`-H "Content-Type: application/x-www-form-urlencoded" \`
			`-d "client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&code=$AUTH_CODE&redirect_uri=http://localhost&grant_type=authorization_code&scope=https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Calendars.ReadWrite offline_access" \`
			`> ~/.outlook-mcp/credentials.json`

			`chmod 600 ~/.outlook-mcp/credentials.json`
			```

			`## Step 7: Verify Setup`

			```bash
			`ACCESS_TOKEN=$(jq -r '.access_token' ~/.outlook-mcp/credentials.json)`

			`curl -s "https://graph.microsoft.com/v1.0/me/mailFolders/inbox" \`
			`-H "Authorization: Bearer $ACCESS_TOKEN" \| jq '{total: .totalItemCount, unread: .unreadItemCount}'`
			```

			`You should see your inbox statistics.`

			`## Troubleshooting`

			`### "AADSTS700016: Application not found"`
			`- Double-check the client_id is correct`
			`- Ensure you selected "Accounts in any organizational directory and personal Microsoft accounts"`

			`### "AADSTS7000218: Invalid client secret"`
			`- Client secrets can only be viewed once - create a new one if lost`

			`### "AADSTS65001: User hasn't consented"`
			`- Re-run the authorization step (Step 5)`
			`- Make sure you click "Accept" on the consent screen`

			`### "Token expired"`
			`- Access tokens last ~1 hour`
			- Run `./scripts/outlook-token.sh refresh` to get a new one

			`### Work/School Account Issues`
			`- Your organization may require admin consent`
			`- Contact your IT admin or use a personal Microsoft account`