Add support for Azure Managed Identities for accessing mailboxes


      Problem Definition

      Jira does not allow access to Exchange resources, specifically mailboxes, through managed identities and requires a user identity instead.
      This is not considered a best practice anymore because:

      Suggested Solution

      Implement support for Azure managed identities.

      Why this is important

      Managed Identities offer a large number of benefits including:

      • Secret/key management. Rotating secrets is best practice. This is done automatically with Managed Identities. It is complicated when changing passwords manually or by scripting.
      • Secret/key inventory. Makes it easier to see what apps have what permissions.
      • Revoking access. Makes it easy to revoke access for a certain app.
      • Better granularity. A user identity will give full access to everything in that account. By using MI/RBAC on resources it is possible to grant just read access to a specific resource.
      • Managed identities are more cost-efficient.
      • It's harder to guess/brute-force credentials, and even then the exploited service/user/resource cannot be impersonated by the attacker.
      • Future proof. Managed identities are becoming the new standard for unmanned access to resources.

      Workaround

      Use OAuth to connect the external mailbox according to the guidelines on this page.

            Assignee:
            Unassigned
            Reporter:
            Simon K (Inactive)
            Votes:
            10
            Watchers:
            11
