Runlayer Deploy Required: The Outlook server requires Runlayer Deploy to be enabled.
Available Tools
| Tool | Description |
|---|---|
| outlook_list_messages | List messages in a folder (inbox, sentitems, drafts, …), newest first |
| outlook_list_folders | List top-level mail folders with counts |
| outlook_get_message | Fetch one message by id (headers + body, text or html) |
| outlook_search_messages | Full-text search via Graph $search (supports KQL-style operators) |
| outlook_create_draft | Save a new draft (all fields optional) |
| outlook_send_message | Send a new message immediately, optional save-to-sent |
| outlook_send_draft | Send a previously-saved draft by id |
| outlook_reply_message | Reply / reply-all to an existing message |
Setup
Register a single-tenant Entra application
- Sign in to https://entra.microsoft.com as a user who can create app registrations
- Go to App registrations → New registration
- Name it (e.g. “Runlayer Outlook MCP”)
- Set Supported account types to Single tenant only
- Under Redirect URI, select Web and enter https://<your-tenant>.runlayer.com/oauth/callback
- Click Register
- Copy the Application (client) ID and Directory (tenant) ID — you’ll need both below
Set requestedAccessTokenVersion to 2
- In your app registration, open Manifest
- Find "requestedAccessTokenVersion" and set it to 2
- Click Save
Grant Microsoft Graph permissions
- Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions
- Add: openid, profile, offline_access, User.Read, Mail.ReadWrite, Mail.Send
- Click Grant admin consent for <your tenant> — requires a tenant admin; without this, users see a “Need admin approval” error at first sign-in
Create a client secret
- Go to Certificates & secrets → New client secret
- Add a description and expiry, then click Add
- Copy the Value immediately — it won’t be shown again
Add Server in Runlayer
- In Runlayer, go to My connectors, select Outlook, and click Add connector
- Check Custom OAuth credentials
- Enter your Client ID (Application ID), Client Secret, and Tenant ID (Directory ID)
- Click Deploy Server
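
As an added example (not Runlayer's or Microsoft's code), the following Python check audits an exported application object against the registration steps above. It assumes the JSON has the shape of the Microsoft Graph application resource; the sample document, the `contoso` tenant name, and the function name `audit_registration` are constructed for illustration, and granted Graph permissions are not checked.

```python
import json
from datetime import datetime, timezone

# Constructed sample export; field names follow the Graph application resource.
SAMPLE_APP = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "api": {"requestedAccessTokenVersion": null},
  "web": {"redirectUris": ["https://contoso.runlayer.com/oauth/callback",
                           "http://localhost:8080/callback"]},
  "passwordCredentials": [{"displayName": "runlayer",
                           "endDateTime": "2024-01-01T00:00:00Z"}]
}""")


def audit_registration(app, expected_redirect, now=None):
    """Return a list of findings; an empty list means the settings match the setup steps."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # "Single tenant only" is stored as signInAudience = AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (AzureADMyOrg)")
    # The manifest step: requestedAccessTokenVersion must be 2 (null means unset).
    if (app.get("api") or {}).get("requestedAccessTokenVersion") != 2:
        findings.append("requestedAccessTokenVersion is not 2")
    # Exactly one redirect URI is expected; any extra one widens where codes can land.
    uris = (app.get("web") or {}).get("redirectUris") or []
    if expected_redirect not in uris:
        findings.append("expected redirect URI is not registered")
    for uri in uris:
        if uri != expected_redirect:
            findings.append(f"unexpected redirect URI: {uri}")
    # A missing or expired client secret breaks the connector's token exchange.
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret registered")
    for cred in secrets:
        # Graph timestamps are UTC; drop fractional seconds before parsing.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        if end.replace(tzinfo=timezone.utc) <= now:
            findings.append(f"client secret expired: {cred.get('displayName')}")
    return findings
```
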
OAuth Scopes
| Scope | Description |
|---|---|
| openid | Sign-in |
| profile | User profile |
| offline_access | Refresh tokens for persistent access |
| User.Read | Identity resolution via Graph /me |
| Mail.ReadWrite | Read messages and create drafts (Mail.ReadWrite is a superset of Mail.Read) |
| Mail.Send | Send mail and send drafts |
Troubleshooting
Need admin approval
Enterprise Entra tenants typically disable user consent. A tenant admin must click Grant admin consent for <tenant> on the app registration’s API permissions page before users can authorize.
Invalid redirect_uri
The redirect URI in the authorization request doesn’t match any registered URI. Confirm https://<your-tenant>.runlayer.com/oauth/callback is listed under Authentication → Redirect URIs in your app registration.
Access is denied (Graph 403)
Token was issued before a required permission was added. In Runlayer, go to the connector’s Settings, revoke access, then Connect again to re-consent.
Invalid grant
Tokens may have expired. Disconnect and reconnect the server in Runlayer.