Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-79044

Jira Mail Handlers configured to use the Microsoft Graph API don't support GCC High customers

XMLWordPrintable

    • 0
    • 1
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Issue Summary

      Jira Data Center 9.9.0 introduced support to connect Incoming Mai Servers to Office 365 accounts using OAuth 2.0 as the authentication method and MS Graph API as the protocol. Reference: Jira DC 9.9 Release notes

      The problem is that this new integration doesn't support Microsoft GCC High (Government Community Cloud High) accounts.

      Such combination is not supported because:

      • Regular GCC Office 365 accounts connect to the graph.microsoft.com host to fetch emails via the MS Graph API protocol, whilst GCC High accounts connect to the graph.microsoft.us host
      • The hostname graph.microsoft.com is hardcoded in the front end and back end, and cannot be changed

      As a result, customers using Microsoft GCCH Mail accounts are unable to configure Jira Incoming Mail Handlers with the MS Graph API protocol.

      Steps to replicate

      • Configure an outgoing application link with the right end points and scopes the MS Graph API integration via ⚙ > Applications > Application Links
      • Try to configure a new Jira Incoming Mail Server via ⚙ > System > Incoming Mail
        • Select either Microsoft or Custom as the "Service Provider"
        • Select MS_GRAPH as the "Protocol"
        • Note that the Hostname field is automatically hidden after the Protocol is set to MS_GRAPH, preventing the Jira user from setting it to the graph.microsoft.us host, which is required for GCCH accounts

      Notes

      Even if you follow the workaround from the JRASERVER-76747 to make the hostname field appear and set the host to graph.microsoft.us, this host will be ignored in the backend, as it is hardcoded to graph.microsoft.com. Therefore this workaround is actually not an option.

      Additionally, the error below will be thrown in the Jira logs, indicating that Jira is using graph.microsoft.com to access the Mailbox via the MS Graph API protocol:

      2025-08-22 11:10:57,965-0400 http-nio-8080-exec-25 ERROR <ANONYMYZED> 670x1471880x1 <ANONYMYZED> 10.135.32.247 /secure/admin/VerifyMsGraphServerConnection!add.jspa [global] Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: InvalidAuthenticationToken
    Error message: InvalidCloudInstance
    
    GET https://graph.microsoft.com/v1.0/users/<ANONYMYZED>/mailFolders/inbox/messages?%24filter=isRead%20eq%20false%20and%20receivedDateTime%20ge%201969-12-31T19%3A00%3A00.000-05%3A00&%24orderBy=receivedDateTime%20asc&%24top=10&%24select=id
    SdkVersion : graph-java/v5.42.0
    
    
    401 : 
    [...]
    
    [Some information was truncated for brevity, enable debug logging for more details]

        1. StepsToReplicate1.png
          StepsToReplicate1.png
          126 kB
        2. StepsToReplicate2.png
          StepsToReplicate2.png
          49 kB

              mmarzecki Mateusz Marzęcki
              jrey Julien Rey (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: