// SCAN REPORT

Outlook

51 tools. 24 can modify or destroy data without limits.

4 destructive tools with no built-in limits. Policy required.

Last updated:

24 can modify or destroy data
27 read-only
51 tools total
// TOOL MAP
Read (27) Write / Execute (20) Destructive / Financial (4)
// WHAT CAN GO WRONG

Destructive tools (OUTLOOK_DELETE_CONTACT, OUTLOOK_DELETE_EMAIL_RULE, OUTLOOK_DELETE_EVENT) permanently delete resources. There is no undo. An agent calling these in a retry loop causes irreversible damage.

Write operations (OUTLOOK_ADD_EVENT_ATTACHMENT, OUTLOOK_ADD_MAIL_ATTACHMENT, OUTLOOK_CALENDAR_CREATE_EVENT) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

// RECOMMENDED RULES
Deny destructive operations
OUTLOOK_DELETE_CONTACT:
  rules:
    - action: deny

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
OUTLOOK_ADD_EVENT_ATTACHMENT:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
OUTLOOK_DOWNLOAD_OUTLOOK_ATTACHMENT:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 51 OUTLOOK TOOLS
DESTRUCTIVE 4 tools
Destructive OUTLOOK_DELETE_CONTACT Destructive OUTLOOK_DELETE_EMAIL_RULE Destructive OUTLOOK_DELETE_EVENT Destructive OUTLOOK_DELETE_MAIL_FOLDER
WRITE 20 tools
Write OUTLOOK_ADD_EVENT_ATTACHMENT Write OUTLOOK_ADD_MAIL_ATTACHMENT Write OUTLOOK_CALENDAR_CREATE_EVENT Write OUTLOOK_CREATE_ATTACHMENT_UPLOAD_SESSION Write OUTLOOK_CREATE_CALENDAR Write OUTLOOK_CREATE_CONTACT Write OUTLOOK_CREATE_CONTACT_FOLDER Write OUTLOOK_CREATE_DRAFT Write OUTLOOK_CREATE_DRAFT_REPLY Write OUTLOOK_CREATE_EMAIL_RULE Write OUTLOOK_CREATE_MAIL_FOLDER Write OUTLOOK_CREATE_MASTER_CATEGORY Write OUTLOOK_MOVE_MESSAGE Write OUTLOOK_SEND_DRAFT Write OUTLOOK_SEND_EMAIL Write OUTLOOK_UPDATE_CALENDAR_EVENT Write OUTLOOK_UPDATE_CONTACT Write OUTLOOK_UPDATE_EMAIL Write OUTLOOK_UPDATE_EMAIL_RULE Write OUTLOOK_UPDATE_MAILBOX_SETTINGS
READ 27 tools
Read OUTLOOK_DOWNLOAD_OUTLOOK_ATTACHMENT Read OUTLOOK_GET_CALENDAR_VIEW Read OUTLOOK_GET_CONTACT Read OUTLOOK_GET_CONTACT_FOLDERS Read OUTLOOK_GET_EVENT Read OUTLOOK_GET_MAIL_DELTA Read OUTLOOK_GET_MAIL_TIPS Read OUTLOOK_GET_MAILBOX_SETTINGS Read OUTLOOK_GET_MASTER_CATEGORIES Read OUTLOOK_GET_MESSAGE Read OUTLOOK_GET_PROFILE Read OUTLOOK_GET_SCHEDULE Read OUTLOOK_GET_SUPPORTED_LANGUAGES Read OUTLOOK_GET_SUPPORTED_TIME_ZONES Read OUTLOOK_LIST_CALENDARS Read OUTLOOK_LIST_CONTACTS Read OUTLOOK_LIST_EMAIL_RULES Read OUTLOOK_LIST_EVENT_ATTACHMENTS Read OUTLOOK_LIST_EVENTS Read OUTLOOK_LIST_MAIL_FOLDERS Read OUTLOOK_LIST_MESSAGES Read OUTLOOK_LIST_OUTLOOK_ATTACHMENTS Read OUTLOOK_LIST_REMINDERS Read OUTLOOK_LIST_USERS Read OUTLOOK_QUERY_EMAILS Read OUTLOOK_REPLY_EMAIL Read OUTLOOK_SEARCH_MESSAGES
// FAQ
Can an AI agent delete data through the Outlook MCP server? +

Yes. The Outlook server exposes 4 destructive tools including OUTLOOK_DELETE_CONTACT, OUTLOOK_DELETE_EMAIL_RULE, OUTLOOK_DELETE_EVENT. These permanently remove resources with no undo. Intercept blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Outlook? +

The Outlook server has 20 write tools including OUTLOOK_ADD_EVENT_ATTACHMENT, OUTLOOK_ADD_MAIL_ATTACHMENT, OUTLOOK_CALENDAR_CREATE_EVENT. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Outlook MCP server expose? +

51 tools across 3 categories: Destructive, Read, Write. 27 are read-only. 24 can modify, create, or delete data.

How do I add Intercept to my Outlook setup? +

One line change. Instead of running the Outlook server directly, prefix it with Intercept: intercept -c outlook.yaml -- npx -y @outlook. Download a pre-built policy from policylayer.com/policies/outlook and adjust the limits to match your use case.

// RELATED SERVERS

Other MCP servers with similar tools.

Starter policies available for each. Same risk classification, same one-command setup.

AdButler 622 tools
admin
Mcp Api 314 tools
admin
Aibtc 308 tools
admin
SmartBear MCP 243 tools
admin
Google Super 200 tools
admin
Trello 200 tools
admin
Arcane 180 tools
admin
Propresenter 177 tools
admin

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

GET STARTED →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.