The JSM Mail Handler indefinitely creates duplicate tickets from the same incoming email when using Microsoft Graph API


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

    

Summary

The Jira Service Management (JSM) Mail Handler indefinitely creates duplicate tickets (every minute) from the same incoming email when using the Microsoft Graph API protocol.

Note that this knowledge article only applies to the Jira Service Management Mail Handler (which is configured in Project Settings > Email Requests within the Service Management project configuration page). This article does not apply to the Jira Mail handler (which is configured in ⚙ > System > Incoming email).

Environment

Any JSM Server/Data Center version that supports the Microsoft Graph API protocol (any version from 5.8.0).

Diagnosis

  • An OAuth 2.0 integration with Microsoft Azure was configured in Jira in ⚙ > Applications > Application Links, using the scopes below:

    Mail.Read
    offline_access


  • A JSM Mail Handler is configured in a JSM project in the page Project Settings > Email Requests, using:
    • the OAuth 2.0 integration (application link) as the Authentication Method
    • Microsoft Graph API as the Email Protocol 

  • The incoming mail from which duplicate JSM tickets are created is showing as UNREAD in the mailbox, while normally it should be showing as READ after the JSM Mail Handler fetched it
  • Checking the atlassian-jira-outgoing-mail.log file, the following error is thrown:

    2023-08-17 09:16:10,092+0000 ERROR [] Caesium-1-1 ServiceRunner     [c.a.m.msgraph.service.MicrosoftGraphMailClient] com.microsoft.graph.http.GraphServiceException: Error code: ErrorAccessDenied
        Error message: Access is denied. Check credentials and try again.
        
        PATCH https://graph.microsoft.com/v1.0/me/messages/AQMkADM3YmQ0YzVhLTM1OWUtNDcyMC1hNTZmLWI3Zjc1YTk2ZDdjMgBGAAAD4hSFaEE82kOv1JwYnHQy4wcAiSIr3Jn400OgmvpULnZxLQAAAgEMAAAAiSIr3Jn400OgmvpULnZxLQACKVngAQAAAA==
        SdkVersion : graph-java/v5.42.0
        [...]
        
        403 : Forbidden
        [...]
        
        [Some information was truncated for brevity, enable debug logging for more details]


Cause

With the Mail.Read scope, the JSM Mail Handler is not granted write permission on the mailbox it pulls emails from, so it is not allowed to mark emails in that mailbox as READ. Whenever the JSM Mail Handler returns to the mailbox, it finds the same email still showing as UNREAD, treats it as a new email, and fetches and processes it again. Since the mail handler runs once per minute, a new duplicate ticket is created from the same email every minute, indefinitely.
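The following is an added example, not Atlassian's code: a small scanner for atlassian-jira-outgoing-mail.log that groups the multi-line error entries shown in the Diagnosis section and reports each message whose PATCH request was denied more than once, which is the signature of this loop. The helper names and the sample log (including its message IDs) are constructed for illustration.

```python
import re
from collections import defaultdict

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})[+-]\d{4} ")
PATCH_URL = re.compile(r"PATCH https://graph\.microsoft\.com/v1\.0/me/messages/(\S+)")

def _entry(ts, mid):  # constructed log entry in the shape of the excerpt above
    return (f"{ts}+0000 ERROR [] Caesium-1-1 ServiceRunner     "
            "[c.a.m.msgraph.service.MicrosoftGraphMailClient] "
            "com.microsoft.graph.http.GraphServiceException: Error code: ErrorAccessDenied\n"
            "    Error message: Access is denied. Check credentials and try again.\n\n"
            f"    PATCH https://graph.microsoft.com/v1.0/me/messages/{mid}\n"
            "    403 : Forbidden\n")

SAMPLE_LOG = (_entry("2023-08-17 09:16:10,092", "CONSTRUCTED-ID-A==")
              + _entry("2023-08-17 09:17:10,101", "CONSTRUCTED-ID-A==")
              + "2023-08-17 09:17:30,000+0000 INFO [] Caesium-1-2 unrelated entry\n"
              + _entry("2023-08-17 09:18:10,095", "CONSTRUCTED-ID-A==")
              + _entry("2023-08-17 09:18:11,020", "CONSTRUCTED-ID-B=="))

def split_entries(text):
    # Attach continuation lines to the timestamped line that opens each entry.
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group(1), line])
        elif entries:
            entries[-1][1] += "\n" + line
    return entries

def denied_patches(text):
    # Map message ID -> timestamps of PATCH requests rejected with ErrorAccessDenied.
    hits = defaultdict(list)
    for ts, body in split_entries(text):
        if "MicrosoftGraphMailClient" in body and "ErrorAccessDenied" in body:
            m = PATCH_URL.search(body)
            if m:
                hits[m.group(1)].append(ts)
    return dict(hits)

def looping_messages(text, min_repeats=2):
    # A message denied repeatedly is being re-fetched; report (count, first seen, last seen).
    return {mid: (len(ts), ts[0], ts[-1])
            for mid, ts in denied_patches(text).items() if len(ts) >= min_repeats}

if __name__ == "__main__":
    for mid, (n, first, last) in looping_messages(SAMPLE_LOG).items():
        print(f"{n} denied PATCH attempts for {mid} between {first} and {last}")
```
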

Solution

The solution is to grant the Mail Handler both read and write permissions by following the steps below:

  • In the Application Link to Azure that is configured in Jira, use the scope Mail.ReadWrite instead of the scope Mail.Read (in addition to offline_access).
  • Also, in the registered app in Azure, make sure that the delegated permission Mail.ReadWrite (in addition to offline_access) is added to the API Permission section.


Last modified on Aug 23, 2023
