Failure to connect to Office365 mail box due to AADSTS700003: Device object was not found in the tenant
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
An already configured O365 mailbox suddenly stops working in Jira (sending or receiving emails), and accessing the "Email requests" section of the project settings displays a "We couldn't connect to your mail server" error message.
Environment
- Jira Data Center configured with an O365 mailbox through OAuth 2.0 Authentication.
Diagnosis
The main Jira logs show a "failure to refresh the OAuth token" due to Azure's "AADSTS700003: Device object was not found in the tenant '...' directory" error.
The Jira mail logs only show an Authentication failure due to invalid credentials.
atlassian-jira.log:
2023-12-14 10:57:44,326-0500 Caesium-1-1 WARN anonymous [c.a.j.i.m.p.feature.oauth.MailOAuthServiceImpl] Recoverable exception fetching OAuth token
com.atlassian.oauth2.client.api.storage.token.exception.RecoverableTokenException: An error has occurred while refreshing OAuth token
..
Caused by: com.atlassian.oauth2.client.api.lib.token.TokenServiceException: AADSTS700003: Device object was not found in the tenant 'xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' directory. Trace ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Timestamp: 2023-12-14 15:57:44Z
atlassian-incoming-mail.log / atlassian-outgoing-mail.log:
2023-12-12 00:44:21,790-0500 ERROR [] Caesium-1-3 ServiceRunner Messaging Error when MailPullerWorker pulls emails from XXXXXXXX@XXXXXXXX.XXX: null
javax.mail.AuthenticationFailedException
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:193) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
at javax.mail.Service.connect(Service.java:342) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
at javax.mail.Service.connect(Service.java:222) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
at javax.mail.Service.connect(Service.java:243) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
...
2023-12-13 10:50:24,299-0500 ERROR [] http-nio-8080-exec-32 url: /rest/servicedesk/1/servicedesk/XXX/incomingemail/oauth/validateandsaveflow/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx; user: XXXXXXXXXX XXXXXXXXXX 650x10246922x1 15cmg5h 10.16.74.67,172.24.12.108 /rest/servicedesk/1/servicedesk/AP/incomingemail/oauth/validateandsaveflow/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Unable to connect to the server at outlook.office365.com due to the following exception:
javax.mail.AuthenticationFailedException: Authentication failure: unknown user name or bad password.
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:193) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
at javax.mail.Service.connect(Service.java:342) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
at javax.mail.Service.connect(Service.java:222) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
Reviewing the Azure sign-in logs for the mailbox shows further details on the identified error:
Azure sign-in logs:
Sign-in error code: 700003
Failure reason:
Device object was not found in the tenant '(tenantName)' directory.
Additional Details:
Invalid grant due to the following reasons:
- Requested SAML 2.0 assertion has invalid Subject Confirmation Method
- Application On-Behalf-Of flow is not supported on V2
- Primary refresh token is not signed with session key
- Invalid external refresh token
- The access grant was obtained for a different tenant
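To make the diagnosis above repeatable, the following script scans the two log excerpts for the AADSTS error code in the token-refresh failure and counts the matching javax.mail authentication failures, then maps the code to the invalid_grant classification this article describes. This is an added example, not Atlassian code or an Atlassian tool; the sample log text is constructed from the excerpts quoted above (with the same masked placeholder IDs), and the KNOWN_CODES mapping only covers the single code this article documents.

```python
import json
import re
from typing import Dict, List

# Constructed sample excerpts modelled on the lines quoted in this article.
# Tenant/trace/correlation IDs are the article's masked placeholders, not real values.
JIRA_LOG = (
    "2023-12-14 10:57:44,326-0500 Caesium-1-1 WARN anonymous "
    "[c.a.j.i.m.p.feature.oauth.MailOAuthServiceImpl] Recoverable exception fetching OAuth token\n"
    "com.atlassian.oauth2.client.api.storage.token.exception.RecoverableTokenException: "
    "An error has occurred while refreshing OAuth token\n"
    "Caused by: com.atlassian.oauth2.client.api.lib.token.TokenServiceException: "
    "AADSTS700003: Device object was not found in the tenant "
    "'xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' directory. "
    "Trace ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx "
    "Correlation ID: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Timestamp: 2023-12-14 15:57:44Z\n"
)

MAIL_LOG = (
    "2023-12-12 00:44:21,790-0500 ERROR [] Caesium-1-3 ServiceRunner Messaging Error when "
    "MailPullerWorker pulls emails from XXXXXXXX@XXXXXXXX.XXX: null\n"
    "javax.mail.AuthenticationFailedException\n"
    "\tat com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:193) "
    "[jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]\n"
    "2023-12-13 10:50:24,299-0500 ERROR [] http-nio-8080-exec-32 Unable to connect to the server "
    "at outlook.office365.com due to the following exception:\n"
    "javax.mail.AuthenticationFailedException: Authentication failure: unknown user name or bad password.\n"
)

# Patterns for the Entra ID error line embedded in the Jira OAuth exception.
CODE_RE = re.compile(r"AADSTS(\d+): ([^\n]*)")
TENANT_RE = re.compile(r"tenant '([^']+)'")
TRACE_RE = re.compile(r"Trace ID: (\S+)")
CORR_RE = re.compile(r"Correlation ID: (\S+)")

# Classification taken from the error-code table in this article: 700003 is an
# invalid_grant condition whose remedy is a fresh authorization code.
KNOWN_CODES = {
    "700003": (
        "invalid_grant",
        "Reset the credentials or re-create the OAuth tokens on the Microsoft side, "
        "then re-run the mailbox OAuth flow in Jira to obtain a new authorization code.",
    ),
}


def find_aadsts_errors(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line carrying an AADSTS error code."""
    records = []
    for line in log_text.splitlines():
        m = CODE_RE.search(line)
        if not m:
            continue
        # Drop the trailing Trace ID / Correlation ID / Timestamp fields from the message.
        message = m.group(2).split(" Trace ID:")[0].strip()
        tenant = TENANT_RE.search(line)
        trace = TRACE_RE.search(line)
        corr = CORR_RE.search(line)
        records.append({
            "code": m.group(1),
            "message": message,
            "tenant": tenant.group(1) if tenant else "",
            "trace_id": trace.group(1) if trace else "",
            "correlation_id": corr.group(1) if corr else "",
        })
    return records


def count_auth_failures(mail_log: str) -> int:
    """Count mail-log lines reporting a javax.mail authentication failure."""
    return sum(1 for line in mail_log.splitlines()
               if "javax.mail.AuthenticationFailedException" in line)


def triage(jira_log: str, mail_log: str) -> Dict[str, object]:
    """Combine both logs into a single triage summary with a recommended action."""
    errors = find_aadsts_errors(jira_log)
    cause, action = "unknown", "No known AADSTS code found; inspect the Azure sign-in logs."
    for rec in errors:
        if rec["code"] in KNOWN_CODES:
            cause, action = KNOWN_CODES[rec["code"]]
            break
    return {
        "aadsts_errors": errors,
        "auth_failures": count_auth_failures(mail_log),
        "likely_cause": cause,
        "recommended_action": action,
    }


if __name__ == "__main__":
    print(json.dumps(triage(JIRA_LOG, MAIL_LOG), indent=2))
```

Run it against real files by reading atlassian-jira.log and the mail logs into the two string arguments; the Trace ID and Correlation ID it extracts are what to quote when matching the failure against the Azure sign-in log entry.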
Cause
The failure is caused by a security fix on Microsoft's side that invalidates the existing tokens, so the token refresh fails and the mailbox login is rejected. In such cases, resetting the credentials or generating a new set of tokens has fixed the problem.
References:
- Stack Overflow post - "AADSTS700003: Device object was not found in the tenant"
- Microsoft Forum - Dataset can't refresh because "Device object was not found in the tenant"
The Microsoft Entra authentication and authorization error codes documentation also indicates that this error code means the provided token may be invalid, and recommends getting a new authorization code from the /authorize endpoint:

| Error Code | Description | Client Action |
|---|---|---|
| invalid_grant | Some of the authentication material (auth code, refresh token, access token, PKCE challenge) was invalid, unparseable, missing, or otherwise unusable. | Try a new request to the /authorize endpoint to get a new authorization code. Consider reviewing and validating that app's use of the protocols. |
Solution
When faced with the "AADSTS700003: Device object was not found in the tenant" error, reset the credentials or re-create the OAuth tokens on Microsoft's end, and then re-apply the new credentials/token settings in Jira.