The JSM Mail Handler fails to be configured successfully when using Microsoft Graph API
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The Jira Service Management (JSM) Mail Handler fails to be configured successfully in a JSM project in Project Settings > Email Requests: after configuring it with Microsoft Graph API as the Email Protocol, the mail handler shows a red Failed status.
Note that this knowledge article only applies to the Jira Service Management Mail Handler (which is configured in Project Settings > Email Requests within the Service Management project configuration page). This article does not apply to the Jira Mail handler (which is configured in ⚙ > System > Incoming email).
Environment
Any JSM Server/Data Center version that supports the Microsoft Graph API protocol (any version from 5.8.0).
Diagnosis
Diagnosis for Root Cause 1
- The mail server is using a "regular Microsoft account" (not a Government Community Cloud account)
- An OAuth 2.0 integration with Microsoft Azure is configured in Jira in ⚙ > Applications > Application Links, using scopes that contain the Microsoft domain, for example:
https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/offline_access
- A JSM Mail Handler is configured in a JSM project on the page Project Settings > Email Requests, using:
  - the OAuth 2.0 integration (application link) as the Authentication Method
  - Microsoft Graph API as the Email Protocol
Checking the atlassian-jira-incoming-mail.log file, the following error is thrown:
2023-08-16 14:58:26,225+0000 ERROR [] Caesium-1-4 ServiceRunner Exception when MailPullerWorker pulls emails:
com.atlassian.jira.internal.mail.processor.feature.puller.MailPullerWorkerException: java.io.IOException: com.microsoft.graph.http.GraphServiceException: Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24filter=isRead%20eq%20false%20and%20receivedDateTime%20ge%202023-08-16T14%3A21%3A15.880Z&%24orderBy=receivedDateTime%20asc&%24top=10&%24select=id
SdkVersion : graph-java/v5.42.0
401 : Unauthorized
[...]
[Some information was truncated for brevity, enable debug logging for more details]
    at com.atlassian.jira.internal.mail.processor.feature.puller.MailPullerWorker.lambda$pullEmailForConnection$3(MailPullerWorker.java:150) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at io.atlassian.fugue.Either$Left.fold(Either.java:586) [fugue-5.0.0.jar:?]
    at com.atlassian.jira.internal.mail.processor.feature.puller.MailPullerWorker.pullEmailForConnection(MailPullerWorker.java:148) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.jira.internal.mail.processor.feature.puller.MailPullerWorker.pullMailFromAllValidChannels(MailPullerWorker.java:107) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.jira.internal.mail.processor.feature.puller.MailPullerService.run(MailPullerService.java:33) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.jira.internal.mail.processor.services.MailPullerExecutor.run(MailPullerExecutor.java:29) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.jira.internal.mail.processor.services.AbstractMailExecutor.execute(AbstractMailExecutor.java:45) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.jira.internal.mail.processor.services.MailJobRunner.runJob(MailJobRunner.java:35) [jira-email-processor-plugin-5.10.1-REL-0002.jar:?]
    at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:134) [?:?]
    at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:106) [?:?]
    at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:90) [?:?]
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:435) [?:?]
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:430) [?:?]
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:454) [?:?]
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:382) [?:?]
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:66) [?:?]
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:60) [?:?]
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:35) [?:?]
    at java.base/java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.io.IOException: com.microsoft.graph.http.GraphServiceException: Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24filter=isRead%20eq%20false%20and%20receivedDateTime%20ge%202023-08-16T14%3A21%3A15.880Z&%24orderBy=receivedDateTime%20asc&%24top=10&%24select=id
SdkVersion : graph-java/v5.42.0
401 : Unauthorized
[...]
[Some information was truncated for brevity, enable debug logging for more details]
    ... 19 more
Caused by: com.microsoft.graph.http.GraphServiceException: Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24filter=isRead%20eq%20false%20and%20receivedDateTime%20ge%202023-08-16T14%3A21%3A15.880Z&%24orderBy=receivedDateTime%20asc&%24top=10&%24select=id
SdkVersion : graph-java/v5.42.0
401 : Unauthorized
[...]
[Some information was truncated for brevity, enable debug logging for more details]
    at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:419) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:378) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.CoreHttpProvider.handleErrorResponse(CoreHttpProvider.java:512) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.CoreHttpProvider.processResponse(CoreHttpProvider.java:442) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider.java:408) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:225) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:202) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.BaseCollectionRequest.send(BaseCollectionRequest.java:103) [microsoft-graph-core-2.0.14.jar:?]
    at com.microsoft.graph.http.BaseEntityCollectionRequest.get(BaseEntityCollectionRequest.java:78) [microsoft-graph-core-2.0.14.jar:?]
    at com.atlassian.mail.msgraph.service.MicrosoftGraphMailClient.lambda$getMessages$2(MicrosoftGraphMailClient.java:86) [atlassian-msgraph-mail-1.0.4.jar:?]
    at com.atlassian.mail.msgraph.service.MicrosoftGraphMailClient.lambda$executeGraphClientRequest$12(MicrosoftGraphMailClient.java:193) [atlassian-msgraph-mail-1.0.4.jar:?]
    at io.atlassian.fugue.Checked.now(Checked.java:107) [fugue-5.0.0.jar:?]
    at com.atlassian.mail.msgraph.service.MicrosoftGraphMailClient.executeGraphClientRequest(MicrosoftGraphMailClient.java:193) [atlassian-msgraph-mail-1.0.4.jar:?]
    at com.atlassian.mail.msgraph.service.MicrosoftGraphMailClient.getMessages(MicrosoftGraphMailClient.java:80) [atlassian-msgraph-mail-1.0.4.jar:?]
    at com.atlassian.mail.msgraph.service.MicrosoftGraphMailService.pullMessages(MicrosoftGraphMailService.java:50) [atlassian-msgraph-mail-1.0.4.jar:?]
    ... 17 more
Diagnosis for Root Cause 2
- The mail server is using a GCC account (Government Community Cloud account)
- An OAuth 2.0 integration with Microsoft Azure is already configured in Jira in ⚙ > Applications > Application Links, using the right scopes:
Mail.ReadWrite offline_access
- A JSM Mail Handler is configured in a JSM project on the page Project Settings > Email Requests, using:
  - the OAuth 2.0 integration (application link) as the Authentication Method
  - Microsoft Graph API as the Email Protocol
The following error can be seen in the Jira application logs when testing the Mail Handler configuration:
GraphServiceException: Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24filter=isRead%20eq%20false%20and%20receivedDateTime%20ge%201970-01-01T00%3A00%3A00.000Z&%24orderBy=receivedDateTime%20asc&%24top=10&%24select=id
SdkVersion : graph-java/v5.42.0
401 : Unauthorized
[...]
[Some information was truncated for brevity, enable debug logging for more details]
Root Causes
Root Cause 1
The scopes used in the Application Link configuration use an incorrect syntax: the Microsoft Graph API domain should not be part of the scopes. The right scopes to use are:
Mail.ReadWrite
offline_access
Root Cause 2
The mail server is using a GCC (Government Community Cloud) account. In that case, the JSM Mail Handler should pull emails using the domain graph.microsoft.us for the MS Graph API protocol instead of graph.microsoft.com (which is for non-GCC accounts).
Because of a feature limitation in the JSM Mail Handler, this functionality only supports non-GCC accounts: the domain is hardcoded to graph.microsoft.com. This limitation is tracked in the feature request JSDSERVER-14090.
Solution
Solution for Root Cause 1
The solution is to use the right scopes (without the Microsoft domain) in the Application Link configuration:
Mail.ReadWrite
offline_access
Solution for Root Cause 2
There is unfortunately no known solution at the moment. For now, we recommend voting for and watching the feature request https://jira.atlassian.com/browse/JSDSERVER-14090 to increase its chance of being added to a future product roadmap.
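
The two diagnoses above can be scripted as a quick triage. The following is an added example, not Atlassian code: the function names, the `gcc_account` flag (supplied by the administrator, since the log does not reveal the account type) and the shortened sample log are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Error signature quoted in this article from atlassian-jira-incoming-mail.log.
SIGNATURE = "Access token validation failure. Invalid audience."
GRAPH_URL_RE = re.compile(r"GET (https://\S+)")

def check_scopes(scope_string):
    """Split the Application Link scope field; return (fixed, offending)."""
    fixed, offending = [], []
    for scope in scope_string.split():
        parts = urlsplit(scope)
        if parts.scheme and parts.netloc:  # scope written as a full URL
            offending.append(scope)
            scope = parts.path.lstrip("/")  # keep only the bare scope name
        fixed.append(scope)
    return fixed, offending

def triage(log_text, scope_string, gcc_account):
    """Map the article's symptoms onto Root Cause 1 or Root Cause 2.

    gcc_account is an assumption passed in by the caller (hypothetical flag).
    """
    if SIGNATURE not in log_text:
        return "no match: the Invalid audience error is not in this log"
    hosts = {urlsplit(u).netloc for u in GRAPH_URL_RE.findall(log_text)}
    fixed, offending = check_scopes(scope_string)
    if offending:
        return "root cause 1: use scopes " + " ".join(fixed)
    if gcc_account and "graph.microsoft.com" in hosts:
        return "root cause 2: GCC mailbox pulled via graph.microsoft.com"
    return "unclassified: signature present but neither cause matches"

# Constructed sample, shortened from the error quoted in the article.
SAMPLE_LOG = (
    "GraphServiceException: Error code: InvalidAuthenticationToken "
    "Error message: Access token validation failure. Invalid audience. "
    "GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages "
    "401 : Unauthorized"
)
BAD_SCOPES = ("https://graph.microsoft.com/Mail.ReadWrite "
              "https://graph.microsoft.com/offline_access")

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, BAD_SCOPES, gcc_account=False))
    print(triage(SAMPLE_LOG, "Mail.ReadWrite offline_access", gcc_account=True))
```

Domain-prefixed scopes are reported first, so a GCC account with the wrong scope syntax is told to fix the scopes before Root Cause 2 is considered.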