Amplifier meets the enterprise.
Agents that work natively with Outlook, Teams, SharePoint — the entire Microsoft 365 stack.
Billions of emails, documents, and calendar events sit inside M365 — accessible only through manual point-and-click interfaces. Agents can't touch them.
Giving an LLM raw Microsoft Graph API access is like handing it the keys to the building. One bad call deletes a mailbox or shares confidential files externally.
No rollback, no approval gates, no DLP, no cost controls, no audit trail. Enterprise IT cannot approve what it cannot govern.
Non-technical people need the power to use LLMs on their enterprise data — emails, documents, calendars, SharePoint — without the risk of data loss, security breaches, or irreversible mistakes.
Type what you want. OpenM365 decomposes intent into a plan, enforces safety policy at every step, and executes against Microsoft Graph — with full rollback.
Natural language is classified and decomposed by the Intent Kernel into a structured, inspectable execution plan. No ambiguity reaches the API.
The Planner validates scope, estimates cost, resolves resource dependencies, and pre-checks RBAC permissions — before a single API call is made.
The Executor runs each step through 8 constitutional safety hooks — identity, RBAC, DLP, cost control, approval, audit, rate limiting, and tool gateway — then calls Microsoft Graph.
Every mutating operation creates a checkpoint. If anything goes wrong, roll back to any prior state with one command.
The safe path is the only path. Compliance is not advisory — it is structurally enforced by the execution kernel before application code runs.
NL → structured dispatch via classifier, mapper, and OpenAI provider
Plan builder, cost estimator, scope analyzer, validator
Step runner with checkpoint manager and dry-run mode
8 hooks, policy engine, constitutional enforcement
Mail, Calendar, Contacts, OneDrive, SharePoint, Teams, Tasks, Groups — each with pagination, throttling, batch support
MSAL device code + service principal flows, Entra ID identity, scoped tokens, 401 retry with invalidation
FastAPI gateway with rate limiting, request correlation, security headers, streaming, graceful shutdown
The executor invokes the full hook pipeline before every tool call. There is no “skip hooks” mode. There is no fast path that bypasses safety.
Validates caller identity against Azure AD. Every operation is tied to a real Entra ID principal.
YAML-driven role hierarchy with inheritance. Pre-flight permission checks block unauthorized operations.
Data Loss Prevention scanning. Detects sensitive content before it leaves the safety boundary.
Per-operation cost estimation. Rejects plans that exceed configured budget thresholds.
State machine for human-in-the-loop gates. Destructive operations require explicit approval.
Every action logged with caller identity, timestamp, parameters, and outcome. Full forensic trail.
Per-user and per-tenant throttling. Prevents runaway agents from burning through Graph API quotas.
Sandboxed tool execution with path control. Tools cannot reach beyond their declared scope.
Each domain has a typed Graph client, a gateway handler, and a CLI command group — from reading mail to restructuring SharePoint sites.
Read, send, move, delete, draft batch responses. Attachments via base64.
Events, scheduling, calendar management. Create, update, delete events.
Files, folders, sharing. Upload, download, organize cloud storage.
Sites, lists, document libraries, pages. Full site restructuring.
Teams, channels, messages, tabs. Send and read channel messages.
To Do and Planner tasks. Create, update, complete, organize task lists.
People, contact lists. Read, create, update organizational contacts.
M365 Groups, membership. List, inspect, manage group members.
A user types natural language. The system does the rest — safely.
Intent kernel classifies the utterance, maps to mail domain tools, builds a multi-step execution plan.
Before any mutation, a rollback point captures current state. One-click undo if anything goes wrong.
Identity verified, RBAC checked, DLP scanned, cost estimated, approval gate evaluated, audit logged — then the Graph API call executes.
User sees what changed, can approve the batch, or roll everything back to the checkpoint.
81,153 lines of tests vs 28,781 lines of source across 226 test files. Strict type checking with Pyright in strict mode.
Clean separation: intent, planner, executor, graph, auth, safety, approval, rbac, gateway, audit, store, models, config, errors, service, context, CLI.
OpenM365 is the core. A constellation of packages extends it for autonomous agents, multi-agent collaboration, and enterprise productivity bundles.
Core library. Graph API clients, safety hooks, intent kernel, executor, CLI. 154 source files, 17 modules.
Worker-machine task tools wrapping Graph API clients for autonomous M365 operations. Actions for mail, calendar, teams, SharePoint, OneDrive, tasks.
Amplifier bundle enabling multi-agent collaboration via Microsoft 365. Agents coordinate through SharePoint.
The information-worker bundle combines M365 integration with Slack and collaboration tools into a single enterprise productivity suite — everything an office worker's agent needs.
Execute any plan without touching M365. See exactly what would happen, review the plan, then run it for real.
scopes_for_tools() narrows OAuth scopes per-operation. Never request more permissions than the current plan requires.
Policy bridge loads safety rules from the organization's context store. IT defines the rules; the system enforces them.
OpenM365 is the safety layer between AI agents and the Microsoft 365 data that enterprises live in. It makes the entire M365 stack agent-native — without asking IT to lower their guard.
All metrics are derived from real repository data. No estimates or fabricated numbers.
git log --oneline --all | wc -l in ramparte/openm365find src/openm365 -name "*.py" -not -path "*__pycache__*" | wc -lfind tests -name "*.py" -not -path "*__pycache__*" | wc -lfind src/openm365 -name "*.py" ... | xargs wc -lfind tests -name "*.py" ... | xargs wc -lls -d src/openm365/*/ excluding __pycache__git log --all --format='%an' | sort -u → Amplifier, openm365 Monitorgit log --all --format='%s' | grep -ic "^feat"git log --all --format='%s' | grep -ic "^fix"
Architecture: Sourced from specs/architecture.md (Gate 3 — Sufficient Architecture).
Project Intent: Sourced from PROJECT-INTENT.md.
Safety hooks & domain handlers: Enumerated from src/openm365/safety/hooks/ and src/openm365/gateway/handlers/.
Ecosystem repos: Discovered via team_knowledge(operation="search", query="openM365").
Primary contributor: ramparte · Generated: May 2026