Announcement: Microsoft OAuth for incoming emails on Jira Software Cloud

TL;DR

Jira admins on Jira Software Cloud can now set up their Jira incoming email servers using Microsoft OAuth for Microsoft Exchange email accounts.

 

What has shipped?

Back in 2019, Microsoft announced the retirement of Basic Authentication for the Enterprise Web Services (EWS) API for Office 365. In its March 2020 update, Microsoft announced that, due to the COVID-19 pandemic, it would postpone disabling Basic Authentication in Exchange Online for active tenants until the second half of 2021.

However, starting in October 2020, Basic Authentication will be disabled for tenants with no recorded usage, and newly created tenants will require OAuth by default.

Until now, Jira Software Cloud only supported Basic Authentication. Jira admins set up Jira to automatically create issues or comments based on incoming emails from licensed users using Basic Authentication. Incoming emails are first pulled from the respective mail server using the stored credentials, and then the details (with attachments) for a specific issue are automatically added to the Jira ticket.

What this means for our users is that, from October 2020, Jira admins will be able to create new Microsoft mail servers for incoming emails using only OAuth. To facilitate this, we are happy to announce that incoming email for Jira Software Cloud now supports OAuth for Microsoft mail servers.

 

How do I use it?

Add a Microsoft mail server with OAuth 2.0 integration

If you are using Microsoft Exchange Online to create issues and comments from your email and would like to set up a mail server for your incoming emails on Jira, then you need to configure OAuth 2.0 for your Microsoft email server.

To add an incoming Microsoft mail server:

  1. Choose the cog icon > System.

  2. Select Mail > Incoming Mail.

  3. Click Add incoming mail server.

  4. Give your mail server a name and description.

  5. Choose Microsoft as an email service provider.

  6. Click Add.

  7. Enter your Microsoft sign-in credentials to use your Microsoft mail server.

For Microsoft mail servers, Jira will auto-fill authorization and the token endpoint data. You’ll need to review and confirm permissions to let Jira access your information.
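
When reviewing the auto-filled authorization and token endpoints, the tenant segment of the URL shows which accounts can complete the sign-in. The check below is an added example, not Atlassian's code; it assumes the endpoints follow the Microsoft identity platform v2.0 URL layout on `login.microsoftonline.com` (the page does not show the actual values), and `tenant_of`, `review_endpoints` and the sample URLs are made up for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the global-cloud Microsoft identity platform host and v2.0 paths.
HOST = "login.microsoftonline.com"
# Tenant segments with a fixed meaning; anything else is a tenant ID or domain.
AUDIENCES = {
    "common": "work/school accounts from any tenant and personal accounts",
    "organizations": "work/school accounts from any tenant",
    "consumers": "personal Microsoft accounts only",
}


def tenant_of(url, kind):
    """Return the tenant segment of an 'authorize' or 'token' endpoint URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{kind} endpoint is not HTTPS: {url}")
    if parts.hostname != HOST:
        raise ValueError(f"{kind} endpoint has unexpected host {parts.hostname!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 4 or segments[1:] != ["oauth2", "v2.0", kind]:
        raise ValueError(f"{kind} endpoint has unexpected path {parts.path!r}")
    return segments[0].lower()


def review_endpoints(authorize_url, token_url):
    """Validate the endpoint pair and report which accounts it lets sign in."""
    tenant = tenant_of(authorize_url, "authorize")
    if tenant_of(token_url, "token") != tenant:
        raise ValueError("authorization and token endpoints name different tenants")
    return {
        "tenant": tenant,
        "tenant_specific": tenant not in AUDIENCES,
        "audience": AUDIENCES.get(tenant, "accounts in this one tenant"),
    }


if __name__ == "__main__":
    base = f"https://{HOST}"
    # Constructed sample values, not taken from a real Jira site.
    for t in ("common", "00000000-0000-0000-0000-000000000000"):
        print(review_endpoints(f"{base}/{t}/oauth2/v2.0/authorize",
                               f"{base}/{t}/oauth2/v2.0/token"))
```
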

Upgrade your mail server from basic authentication to OAuth 2.0

We recommend that you upgrade your existing mail servers that have basic authentication to OAuth 2.0. To upgrade your mail server:

  1. Click Add incoming mail server.

  2. Give your mail server a name and description.

  3. Choose Microsoft as an email service provider.

  4. Click Add.

  5. Configure an incoming mail handler with the Microsoft mail server you configured from step 1. Alternatively, you can use a Microsoft mail server that you’ve configured earlier.

  6. Delete the incoming mail server that uses basic authentication. 

 

Some additional points to note:

  • If Microsoft OAuth authentication is not successful for your mail server, you can still see the mail server in the list of your configured mail servers. However, this mail server will not be visible to you while you’re configuring the mail handler.
  • While configuring an incoming mail handler for your Microsoft mail server, you can use the same name as the mail server which uses basic authentication. If you’ve configured a mail handler with a mail server that uses basic authentication, you can edit the mail handler. You can then select the Microsoft mail server that uses OAuth 2.0 integration for your mail handler configuration to upgrade the configuration.


Questions or Feedback?

If you have any questions or would like to provide us with some feedback, please do comment on this article and we will respond to you as soon as possible.

17 comments

Walter Buggenhout
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 13, 2020

Am I correct that this announcement is also incorporated in Jira Cloud documentation? 

Arjoon Som
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 13, 2020

Hi @Walter Buggenhout, yes, the Jira Cloud documentation has also been updated to include sections on how to:

Add a Microsoft mail server with OAuth 2.0 integration

Upgrade your mail server from basic authentication to OAuth 2.0

 

Thank you!

Desiree_Anson
Contributor
October 13, 2020

How do I change the email address for the username?  It's automatically using my personal email address and I need to change it to a different email address.

Arjoon Som
Atlassian Team
October 13, 2020

Hi @Desiree_Anson 

 

I would first ensure that I have signed out of any Microsoft accounts that may have already been signed in on the same browser. When prompted for the username and password by Microsoft, please enter the details of the email account for which you would like to set up the mail server.

 

I hope this helps.

Desiree_Anson
Contributor
October 13, 2020

@Arjoon Som 

Thank you!  That worked - I ended up using a private window in Firefox and set up a new mail handler (incoming mail server).  Thank you for the help!

Des

Smaran.bg
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 21, 2020

@Arjoon Som How do I enable this in Jira Service Desk Emailed Requests?

Sean
Contributor
October 21, 2020

In Jira Service Desk you add the incoming mail server per project (we use different email addresses for different projects). If I connect a custom email address under Project Settings > Email Requests and choose Microsoft will it use modern auth? How would I upgrade my existing custom email address to modern auth since I can add only one custom email address per project?

Also... per the instructions above, if we use Microsoft to authenticate to Jira via Azure SSO, there does not seem to be a way to sign into Jira with one Microsoft account and authenticate a different Microsoft account for email. (As a workaround I suppose I could elevate an external test account that doesn't use SSO to admin in order to set this up.) 

Pierce Radtke
Contributor
December 3, 2020

When I am attempting to set up connections for our Service Email account, the system says I do not have sufficient permissions and that I need to reach out to an administrator.

After we enter the appropriate admin credentials to approve access it switches from using the intended Microsoft service email account and changes to the administrator account? 

We do not want to grant the service account the permissions to authorize itself.  Help!

Taranjeet Singh
Community Leader
December 6, 2020

This is great! Thanks for sharing!

John Del Forno
I'm New Here
August 23, 2021

How does this work when Azure AD has SSO enabled to JIRA?

An Administrator can't really grant access to their own mailbox for Jira to send from/to.

Signing into JIRA using a shared mailbox account takes up 2 licenses - one on the Jira side, the other on M365 side.

And continuing to use POP/IMAP when it's a requirement to disable Legacy Authentication across a tenant makes it even more difficult.

Edit:

Open Private window.
Login to Atlassian Cloud using SSO
Log out of portal.office.com
Login to portal.office.com using your shared mailbox account (Does not need a license it seems)
Auth Atlassian using the SMB account.

Brian Kohler
September 2, 2021

@Arjoon Som 

I feel that there is a gap for multi-tenant Azure environments.  Currently there is no way to configure this to a specific tenant when in a multi-tenant Microsoft environment.  Meaning the application registered in Azure needs to have "Accounts in any organization directory and personal Microsoft accounts".

I haven't seen anything on the roadmap either that might address this, or any documentation really that talked about it, and found it through trial and error.

Am I missing something about the configuration that we would be able to make a Service Management email integration to an account in a multi-tenant Azure environment with the account in a specific tenant, or is the 'Go Global' the only option?

John Del Forno
I'm New Here
September 2, 2021

@Brian Kohler 

Does scoping the Enterprise Application using a Dynamic Group that targets the Company Name field on a user account work?

VMhosts Support
I'm New Here
October 31, 2022

Could I ask which version of Jira we need for the "auto-fill authorization and the token endpoint data"? We have our accounts set to Microsoft, but they appear to still be using basic auth.

Timo Pitkäranta
Contributor
December 29, 2023

@Sean how did you set up email requests using different email accounts in the end?

Mathieu Lapointe
I'm New Here
October 23, 2024

I found out that OAuth is really cumbersome, as we have to reauthorize after some time and Jira is not notifying about the token not being valid anymore.

This integration needs to be something like an application registration to Azure AD instead.

Jason Buhagiar
I'm New Here
December 2, 2024

Same happens to us time and time again. No notification that mailboxes need re-auth, just a banner in Jira. I agree with @Mathieu Lapointe: if we could integrate via an App Registration and Application permission rather than delegated, that would remove all the hassle.
