Suggestion
Resolution: Unresolved
None
2
Current State:
The current integration of a Microsoft email channel with a service project using OAuth fails under the following circumstances:
- A device is added in MS Entra ID for an email address/account.
- For this email address, an email channel is added from a service project using the dedicated Microsoft button.
- After authorization, the connection is established and emails are processed normally in JSM.
- If the device is then removed from Entra ID, a connection error occurs after about an hour, because JSM can no longer retrieve the refresh token from Microsoft.
- This happens because a refresh token issued to an SSO user is bound to the device, through a session key (as with the Primary Refresh Token, PRT) or the device key. Once the device is removed, the token no longer works. Microsoft has confirmed this as well.
Proposed Future State:
- Implement the integration using the OAuth 2.0 Client Credentials flow instead of the Authorization Code flow. This flow is neither device-specific nor user-specific, yet it still allows sending and reading emails on behalf of a specific mailbox.
- JSM should use the prompt=login parameter in the OAuth 2.0 authorization code flow, which would also bypass SSO and produce a refresh token that is not bound to the device. As per Microsoft, we currently use prompt=select_account as far as I can tell.
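To make the two proposals concrete, the following Python snippet (an added example, not code from Atlassian or from this suggestion) builds the request parameters for both options and audits an authorization URL for the settings this issue is about. The tenant, client and redirect values are hypothetical placeholders, and nothing is sent to Microsoft; only the request parameters are constructed and inspected. The endpoint paths and parameter names are the documented Microsoft identity platform v2.0 ones.

```python
"""Compare the client credentials grant with an authorization code request
that uses prompt=login, and flag the weaker prompt=select_account setting.

Added example with hypothetical identifiers; nothing here contacts Microsoft.
"""
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_BASE = "https://login.microsoftonline.com"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Token request for the client credentials grant (proposal 1).

    The token is issued to the application itself, not to a user session,
    so it has no dependency on an Entra ID device registration.
    """
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default requests the application permissions granted by an admin
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, body


def authorization_url(tenant_id, client_id, redirect_uri, prompt="login"):
    """Authorization code request (proposal 2).

    prompt=login forces a fresh interactive sign-in instead of reusing the
    browser's SSO session; per the suggestion above, the resulting refresh
    token is then not bound to the device.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        # offline_access is required to receive a refresh token at all
        "scope": "offline_access https://graph.microsoft.com/Mail.ReadWrite "
                 "https://graph.microsoft.com/Mail.Send",
        "prompt": prompt,
    }
    return f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def audit_authorization_url(url):
    """Return a list of findings for an authorization URL; empty means OK.

    Flags a missing offline_access scope (no refresh token will be issued)
    and any prompt other than login (SSO session may be reused, so the
    refresh token may be device-bound as described in the current state).
    """
    query = parse_qs(urlparse(url).query)
    scope = query.get("scope", [""])[0].split()
    prompt = query.get("prompt", [None])[0]
    findings = []
    if "offline_access" not in scope:
        findings.append("no offline_access scope: no refresh token will be issued")
    if prompt != "login":
        findings.append(f"prompt={prompt}: SSO session may be reused and the "
                        "refresh token may be device-bound")
    return findings


if __name__ == "__main__":
    # Hypothetical identifiers for illustration only
    tenant, client = "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000"
    url, body = client_credentials_request(tenant, client, "<client-secret>")
    print("POST", url, body["grant_type"], body["scope"])
    for p in ("select_account", "login"):
        print(p, "->", audit_authorization_url(authorization_url(tenant, client, "https://jsm.example/callback", prompt=p)) or "OK")
```

One caveat for the client credentials option: Graph application permissions such as Mail.ReadWrite and Mail.Send apply to every mailbox in the tenant by default, so the mailbox the channel is meant to read should be restricted with an Exchange Online application access policy (New-ApplicationAccessPolicy) so the app registration cannot reach other mailboxes.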
Alternative (e.g. Third Party Plugin):
n/a
You need to create a new email connection to resolve the connection error.