Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-6998

Office 365 using OAuth 2.0 doesn't support GCC customers

XMLWordPrintable

    • 16
    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Atlassian Update – 07 March 2022

      Hi everyone,

      This is Alex from the Jira Service Management Data Center & Server team.

      As of JSM DC version 4.22 this is now possible with the support of multiple incoming emails.

      You can now configure as many dedicated email channels as required, using a custom URL specific for Microsoft GCC accounts, for better communication with customers.

      For detailed instructions on how to configure a GCC account using a JSM incoming mail handler, please refer to the KB article Guide explaining how to configure a GCC account with a Jira or a Service Management mail handler using Oauth 2.0.

      You can learn more about email channels here, and creating custom links using OAth 2.0 Configuration here.

      Kind regards,

      Alex

      Jira Service Management, Data Center & Server

      Issue Summary

      Since Jira Service Desk 4.12, support to connect mail channels to Office 365 accounts using OAuth 2.0 has been introduced. However, it doesn't support GCC (Government Community Cloud) accounts.

      It isn't supported because regular Office 365 accounts connect to outlook.office365.com whilst GCC accounts connect to outlook.office365.us.

      Therefore, the connection is not established and the mail channel can't be connected using OAuth 2.0

      Workaround

      Manually update the hosts file of the operating system to point to the US domain. However, doing this will remove the automatic failover to a new IP address in case of outages in the primary IP address.

      Example:

      40.66.16.130 outlook.office365.com

            [JSDSERVER-6998] Office 365 using OAuth 2.0 doesn't support GCC customers

            Julien Rey added a comment -

            Hi it1752103726

            Great to hear that you got it to work with IMAP, that's great news

            As for POP, unfortunately, at Atlassian, we don't have access to GCC accounts, so we cannot perform any test with this type of accounts. Theoretically, it should be possible to configure GCC accounts with Oauth 2.0 and with both IMAP and POP, but we cannot confirm with high confidence as we do not have a way to test these scenarios.

            If you are getting the error mentioned below while configuring GCC with POP+Oauth 2.0, then you might be impacted by Root Cause 10 of the KB article https://confluence.atlassian.com/jirakb/jira-mail-handler-or-service-management-mail-handler-cannot-be-configured-using-oauth-2-0-the-authorization-or-connection-test-fails-1095250181.html:

            Unfortunately no connection was possible. Review the errors below and rectify: AuthenticationFailedException: Protocol error. Connection is closed. 10

            If the error does not match and you need more assistance with this configuration, then I would recommend raising a support ticket via our support portal, so that the support team can assist you further.

            Julien Rey added a comment - Hi it1752103726 Great to hear that you got it to work with IMAP, that's great news As for POP, unfortunately, at Atlassian, we don't have access to GCC accounts, so we cannot perform any test with this type of accounts. Theoretically, it should be possible to configure GCC accounts with Oauth 2.0 and with both IMAP and POP, but we cannot confirm with high confidence as we do not have a way to test these scenarios. If you are getting the error mentioned below while configuring GCC with POP+Oauth 2.0, then you might be impacted by Root Cause 10 of the KB article https://confluence.atlassian.com/jirakb/jira-mail-handler-or-service-management-mail-handler-cannot-be-configured-using-oauth-2-0-the-authorization-or-connection-test-fails-1095250181.html: Unfortunately no connection was possible. Review the errors below and rectify: AuthenticationFailedException: Protocol error. Connection is closed. 10 If the error does not match and you need more assistance with this configuration, then I would recommend raising a support ticket via our support portal , so that the support team can assist you further.

            it added a comment -

            Thanks Julien, that was it.  The app link that I was using with Jira Software (which I was trying to reuse) was pointing to the "Microsoft" service provider vs. "Custom."  Recreated the app link and then the Auth method showed the new app link as an option.  So selected that and was good to go.  One thing I couldn't get to work was Secure POP.  As with Jira Software I can only get Secure IMAP to work.  Have you seen Oauth work with Secure POP and GCC-High?

            it added a comment - Thanks Julien, that was it.  The app link that I was using with Jira Software (which I was trying to reuse) was pointing to the "Microsoft" service provider vs. "Custom."  Recreated the app link and then the Auth method showed the new app link as an option.  So selected that and was good to go.  One thing I couldn't get to work was Secure POP.  As with Jira Software I can only get Secure IMAP to work.  Have you seen Oauth work with Secure POP and GCC-High?

            Julien Rey added a comment - - edited

            it1752103726

            Can you check the instructions from the the KB article Guide explaining how to configure a GCC account with a Jira or a Service Management mail handler using Oauth 2.0 and let us know if it helps?

            To configure a JSM mail handler (=mail channel) with a GCC account, you will need to:

            • configure an Oauth 2.0 integration in âš™ > Applications > Application Links using Custom in the Service Provider field (make sure not to use Microsoft)
            • configure a new mail channel in Project Settings > Email Requests using Other in the Email Service Provider field (make sure not to use Microsoft)

            Julien Rey added a comment - - edited it1752103726 Can you check the instructions from the the KB article Guide explaining how to configure a GCC account with a Jira or a Service Management mail handler using Oauth 2.0 and let us know if it helps? To configure a JSM mail handler (=mail channel) with a GCC account, you will need to: configure an Oauth 2.0 integration in âš™ > Applications > Application Links using Custom in the Service Provider field (make sure not to use Microsoft ) configure a new mail channel in Project Settings > Email Requests using Other in the Email Service Provider field (make sure not to use Microsoft )

            it added a comment - - edited

            Hi Alex,

            When I select the built-in Microsoft handler and point my auth method to my Application Link (which I use in Jira Software for OAuth and it works), I'm seeing in the outgoing logs that it's trying to connect to the commercial .com endpoint (see comment above).  When I switch the handler to Other (custom) and don't have the capability to point to my Application Link (thus can't reach my OAuth endpoints).  So I'm not sure how this is supposed to work.

            it added a comment - - edited Hi Alex, When I select the built-in Microsoft handler and point my auth method to my Application Link (which I use in Jira Software for OAuth and it works), I'm seeing in the outgoing logs that it's trying to connect to the commercial .com endpoint (see comment above).  When I switch the handler to Other (custom) and don't have the capability to point to my Application Link (thus can't reach my OAuth endpoints).  So I'm not sure how this is supposed to work.

            it added a comment - - edited

            Hey Derek,

             

            The custom handler doesn't allow you to select Authentication Method (e.g. the Application Link).  I would think I would need both (server and auth method).

            it added a comment - - edited Hey Derek,   The custom handler doesn't allow you to select Authentication Method (e.g. the Application Link).  I would think I would need both (server and auth method).

            Derek Fields (RightStar) added a comment -

            Did you try adding it as a custom email handler rather than the built-in Microsoft handler? 

            Derek Fields (RightStar) added a comment - Did you try adding it as a custom email handler rather than the built-in Microsoft handler? 

            it added a comment -

            Hey Alex,

            When you say GCC accounts, does that include GCC-High?  I've upgraded JSM to 4.22 and pointed our Email Channel to use our Application Link (which we're using on the Jira Software side for OAuth and it's working) and when I click Test Connection it fails to connect to the server.  When I look in the incoming log it looks like it's still trying to connect to the Commercial URL (outlook.office365.com) instead of the Government (outlook.office365.us)

            72.117.13.1,10.3.0.1 /rest/servicedesk/1/servicedesk/admin/email/test Unable to connect to the server at outlook.office365.com due to the following exception:
            com.atlassian.jira.internal.mail.processor.errors.MailConnectionException: OAuth token not defined for connection. OAuth Authorisation required.

            Maybe I'm missing something in my configuration?

            it added a comment - Hey Alex, When you say GCC accounts, does that include GCC-High?  I've upgraded JSM to 4.22 and pointed our Email Channel to use our Application Link (which we're using on the Jira Software side for OAuth and it's working) and when I click Test Connection it fails to connect to the server.  When I look in the incoming log it looks like it's still trying to connect to the Commercial URL (outlook.office365.com) instead of the Government (outlook.office365.us) 72.117.13.1,10.3.0.1 /rest/servicedesk/1/servicedesk/admin/email/test Unable to connect to the server at outlook.office365.com due to the following exception: com.atlassian.jira.internal.mail.processor.errors.MailConnectionException: OAuth token not defined for connection. OAuth Authorisation required. Maybe I'm missing something in my configuration?

            Alex Cooksey added a comment -
            Atlassian Update – 07 March 2022

            Hi everyone,

            This is Alex from the Jira Service Management Data Center & Server team.

            As of JSM DC version 4.22 this is now possible with the support of multiple incoming emails.

            You can now configure as many dedicated email channels as required, using a custom URL specific for Microsoft GCC accounts, for better communication with customers.

            You can learn more about email channels here, and creating custom links using OAth 2.0 Configuration here.

            Kind regards,

            Alex

            Jira Service Management, Data Center & Server

            Alex Cooksey added a comment - Atlassian Update – 07 March 2022 Hi everyone, This is Alex from the Jira Service Management Data Center & Server team. As of JSM DC version 4.22 this is now possible with the support of multiple incoming emails. You can now configure as many dedicated email channels as required, using a custom URL specific for Microsoft GCC accounts, for better communication with customers. You can learn more about email channels here , and creating custom links using OAth 2.0 Configuration here. Kind regards, Alex Jira Service Management, Data Center & Server

            Garan Williams added a comment -

            I also would like to see much quicker movement on this issue. Per the Exchange Team Blog, Microsoft will be disabling Basic Authentication across all tenants on October 1st, 2022 with no opt-out being accepted. You can opt-out before that date, but on October 1st, they will begin to ignore that opt-out and disable Basic Authentication.

            https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/bc-p/2782230 

            From that post: "Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth."

            Garan Williams added a comment - I also would like to see much quicker movement on this issue. Per the Exchange Team Blog, Microsoft will be disabling Basic Authentication across all tenants on October 1st, 2022 with no opt-out being accepted. You can opt-out before that date, but on October 1st, they will begin to ignore that opt-out and disable Basic Authentication. https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/bc-p/2782230   From that post: " Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth."

            it added a comment -

            Has there been any movement with this issue?  I see it's Gathering Interest.  We're interested.  Seeing this issue in JSM 4.20.1 as well.

            it added a comment - Has there been any movement with this issue?  I see it's Gathering Interest.  We're interested.  Seeing this issue in JSM 4.20.1 as well.

              Unassigned Unassigned
              rbaldasso Rodrigo Baldasso
              Votes:
              14 Vote for this issue
              Watchers:
              20 Start watching this issue

                Created:
                Updated:
                Resolved: