OAuth2 Authorizations in Email This Issue App in Jira Instance
Deprecation of Basic authentication in Exchange Online
In September 2021, Microsoft announced that effective October 1, 2022 they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.
We’re removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
We’re also disabling SMTP AUTH in all tenants in which it’s not being used.
This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication.
As a result, I have decided to prepare documentation for current users of the Email This Issue add-on/app whose Jira instance still has Basic authentication configured.
- Before starting with the app registration, you need a Microsoft 365 account, and you should also check that you have an active Exchange Online license (aka “subscription”); otherwise, you will run into issues during the authorization process.
- Now you can visit this link to access the Azure Active Directory of your M365 Tenant or directly from the Admin Center.
- Create a new app registration and take note of the client ID.
In the Redirect URI section, select Web from the dropdown, then copy and paste the Callback URL from the OAuth2 Credentials dialog as the URI value. As this URI is specific to your Jira instance, it is important to copy the URL from the Email This Issue app into this page, because a URI of another Jira instance cannot be reused.
- API Permissions (scopes) need to be granted for the application
Remove the default API permission before adding the required ones.
Then continue to add the following API Permissions under Microsoft Graph in Delegated Permissions
OpenId permissions: offline_access & openid
Mail: Mail.Read, Mail.ReadBasic, Mail.ReadWrite & Mail.Send
and finally EWS: EWS.AccessAsUser.All (follow steps here https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#configure-for-delegated-authentication for this specifically if you run into any error)
Additionally, grant these API permissions admin consent (advisable).
- Go ahead and generate a client secret (set the expiration to never expire), then take note of the secret value, because you may be unable to retrieve it once you leave that blade.
- Finally, put together the client ID, secret value, authorization endpoint and token endpoint for the next step. The endpoints can be found on the Overview blade of the registered app.
To create a new OAuth2 credential, go to SETTINGS → OAuth2 Credentials → + Add
Populate the details with the values obtained in the previous steps.
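A pre-flight check for the values collected above, written as an added example that is not part of Email This Issue or of the original page. The `cfg` field names and the sample values are assumptions; the check accepts both the v1 and v2.0 endpoint forms Microsoft publishes and flags mixing them.

```python
import re
from urllib.parse import urlsplit

LOGIN_HOST = "login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# /{tenant}/oauth2/authorize (v1) or /{tenant}/oauth2/v2.0/authorize (v2); same for token
ENDPOINT_PATH = re.compile(r"/([^/]+)/oauth2(/v2\.0)?/(authorize|token)")


def parse_endpoint(url, kind):
    """Return (tenant, version) for a Microsoft login endpoint, or None if malformed."""
    u = urlsplit(url.strip())
    m = ENDPOINT_PATH.fullmatch(u.path)
    if u.scheme != "https" or u.hostname != LOGIN_HOST or not m or m[3] != kind:
        return None
    return m[1].lower(), "v2.0" if m[2] else "v1"


def preflight(cfg):
    """List problems with the collected values before they are saved in the app."""
    problems = []
    auth = parse_endpoint(cfg["authorization_endpoint"], "authorize")
    token = parse_endpoint(cfg["token_endpoint"], "token")
    for name, parsed in (("authorization", auth), ("token", token)):
        if parsed is None:
            problems.append(f"{name} endpoint is not a valid https login URL")
    if auth and token and auth != token:
        problems.append("endpoints differ in tenant or version")
    # Redirect URIs are compared exactly, so a trailing slash or other host fails.
    if cfg["registered_redirect_uri"] != cfg["callback_url"]:
        problems.append("registered redirect URI differs from the app's Callback URL")
    if not GUID.fullmatch(cfg["client_id"]):
        problems.append("client ID is not a GUID")
    secret = cfg["client_secret"]
    if not secret or secret != secret.strip() or GUID.fullmatch(secret):
        problems.append("client secret is empty, padded, or is the Secret ID")
    return problems

# Constructed sample values: tenant, IDs, secret and host are placeholders.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE = {
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value",
    "authorization_endpoint": f"https://{LOGIN_HOST}/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{LOGIN_HOST}/{TENANT}/oauth2/v2.0/token",
    "callback_url": "https://jira.example.com/callback",
    "registered_redirect_uri": "https://jira.example.com/callback",
}
```

`preflight(SAMPLE)` returns an empty list; each message it returns otherwise names one value to re-copy from the app registration or from the OAuth2 Credentials dialog.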
- To connect to an email service using OAuth2, after specifying the OAuth Credential and Username, you must start the authorization process by clicking the Authorization button.
Then follow the prompt to allow and accept the app permission request
- You should get an "Authorized successfully" prompt; then test the connection first, and you should get another prompt saying "The connection is working", after which you can save it.
If you have followed these steps, you should have a working connection for incoming mail; you can repeat the procedure for the outgoing mail connection.
At this point you can go ahead and explore all the features Email This Issue has to offer.