Integrating OAuth 2.0 for Microsoft Accounts on Jira

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

On Jira Data Center, email configuration pages show the warning: "This authentication method is deprecated, you should use OAuth 2.0 instead."

Diagnosis

On service management project settings page, click Email Requests and there is a warning that says "This authentication method is deprecated, you should use OAuth 2.0 instead. Learn more". Elsewhere, under system menu on Jira administration, click Incoming Mail, then Add Mail Server and select Password (basic authentication) from Authentication method. This shows a warning "We recommend selecting OAuth to authenticate to this mail server. Basic authentication using only a password is planned to be deprecated by Microsoft and Google. Learn more".

Cause

Google and Microsoft are planning to disable using password as an authentication method. Once this method is disabled, you will not be able to connect to your Gmail or Microsoft Exchange Online. This means you wouldn’t be able to use these providers (Gmail, Microsoft Exchange Online) to let users create issues and comments from emails if you were authenticating using basic auth. To fix this, you need to configure the OAuth 2.0 integration with these providers, and then update the configuration of your mail servers.

Solution

Configure OAuth 2.0 integration and select it as your authentication method (learn more about Integrating with OAuth 2.0). It involves setting up an application registration at the provider side and integrating the same on Jira.The steps below are for the integration of Microsoft accounts on Jira and it provides a general guidance to the app registration on Microsoft as well. Microsoft specific steps may get changed and at this time of writing this KB article, the relevant Microsoft link is here.

Before you begin

You need to ensure the following:

  • Running Jira applications over SSL or HTTPS. If it doesn’t, you will not be able to configure OAuth 2.0.

  • Configuring the base URL. This is important as the redirect URL you’ll need to provide is based on Jira’s base URL.

  • Port 443 needs to be open for outgoing and incoming connections since the OAuth 2.0 authentication uses https connections.

  • IMAP or POP port (depending on the connection protocol) needs to be open for outgoing connections.

ℹ️ You can use the same OAuth2 configuration to authenticate all the users if you have multiple mail servers. This applies if the users are from the same tenant or the enterprise app is setup for multi-tenant. Otherwise, you would need to have an additional OAuth2 configuration.

Create OAuth 2.0 Integration for Microsoft

From Jira v8.22 onwards, the OAuth 2.0 Integration has been moved from global Jira administration "System" menu to "Application Links" menu. The Jira specific steps are explained in this documentation page for Jira version above 8.22 and in this documentation page for Jira version below 8.22. The steps are common from #2 onwards.

1. Add a New Integration

For Jira versions above 8.22.0.

  • In the upper-right corner of the screen, select Administration > Applications.

  • Under the Integrations (the left-side panel), select Application links.

  • Select Create link.

  • In a new dialog that opens, select External application, and then choose Outgoing as the direction. Do not get confused by the selection of Outgoing here - Jira acts as a client to the application and hence, the outgoing is selected even for Incoming mail server.

(Auto-migrated image: description temporarily unavailable)

For Jira versions below 8.22.0.

  • In the upper-right corner of the screen, select Administration > System.

  • Under the OAuth 2.0 (the left-side panel), select Add New Integration.

2. Configure your Integration

For this integration, choose Microsoft as the service provider and some fields will be pre-filled for you. Enter a friendly name for the integration and click Copy at the Redirect URL field.

3. Register your external application on Microsoft.

The content on this page relates to platforms which are not supported by JIRA. Consequently, Atlassian cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

Different providers might have different requirements related to the redirect URL. For example, Google doesn't allow it to be a private IP address. Make sure you provide an external URL (for example, of a load balancer for Jira Data Center).

  • Login to "https://portal.azure.com/"

  • From the left menu, select Azure Active Directory. Click on App registrations

  • Click on New registration

  • Pick up a friendly name so it will be easier to identify

  • Under the "Supported account types" section, let's choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"

  • Under the "Redirect URI" section, let's pick up Web and insert the URL from the step 2 above

  • Click on Register

4. Configure API permissions and grant permissions on Microsoft.

  • Click on API permissions

  • Click on Add a permission

  • Click on Microsoft Graph

  • Select Delegated permissions

  • Search and select the following permissions:

IMAP.AccessAsUser.All or POP.AccessAsUser.All (depending on the protocol you would like to use) and offline_access. Also, add the scope https://outlook.office.com/SMTP.Send if you need to use this integration to be used in outgoing authentication (SMTP).

To learn more about scopes, see detailed information from Microsoft.

  • Click on Add permissions

  • Click on Grant admin consent for XXXX

5. Create certificate and secrets.

  • Click on Certificates & secrets

  • Click on New client secret

  • Choose a description and expiration date and click Add

  • Take note of the Value generated (this will be used as the "Client secret" at Jira). Copy the value and keep it for use on Jira.

  • At the left side, click on Overview

  • Take note of the Application (client) ID (this will be used as the "Client ID" at Jira). Copy the value and keep it for use on Jira.

6. Provide remaining application details on Jira

  • Provide the remaining details. Here you can find descriptions for all the fields.

Name

Description

Client ID

The client ID that's generated by the external application after registering Jira’s Redirect URL (from step #5 above). This is the public identifier of the application.

Client secret

The client secret that's generated by the external application after registering Jira’s Redirect URL (from step #5 above). This is the shared secret between Jira and the application, which ensures the authorization is secure.

Scopes

The required OAuth 2.0 scopes (permissions) that control what Jira can do in the external application. You need to specify different scopes for email servers. When you paste these scopes, it asks you on a pop up to create the scope. Click create.

For Microsoft, the scopes will vary depending on your Microsoft account type:

If you're using non-GCC (Government Community Cloud) accounts, we recommend the following scopes: -

- https://outlook.office.com/IMAP.AccessAsUser.All (for IMAP)

- https://outlook.office.com/POP.AccessAsUser.All (for POP3)

- https://outlook.office.com/SMTP.Send (for SMTP outgoing)

- offline_access

For GCC accounts, use:

- https://outlook.office365.com/IMAP.AccessAsUser.All (for IMAP)

- https://outlook.office365.com/POP.AccessAsUser.All (for POP3)

- https://outlook.office365.com/SMTP.Send (for SMTP outgoing)

- offline_access

For GCC High accounts, use:

- https://outlook.office365.us/IMAP.AccessAsUser.All (for IMAP)

- https://outlook.office365.us/POP.AccessAsUser.All (for POP3)

- offline_access

For more information about scopes available in Microsoft, see the detailed information at the Microsoft site.

Authorization endpoint

The HTTPS URL where authorization to use OAuth 2.0 is started (pre-filled).

Token endpoint

The HTTPS URL where refresh token requests are sent. As OAuth 2.0 tokens have an expiry, Jira will periodically update the token (pre-filled).

Redirect URL

The Redirect URL that must be registered in the external application to obtain its client ID and client secret. This redirects the authentication flow back to Jira (pre-filled).

ℹ️ You can run connectivity test at this Microsoft Link with the email account ID you'll be using on Jira. The test should return a successful result and if not, reach out to your Exchange admin to grant necessary permissions to the account. ( This may not work for GCC High )

7. Save your Integration

  • After you save the configuration, it will appear on the application links menu (for Jira above v8.22) or under OAuth 2.0 on Jira administration system menu (for Jira below v8.22).

  • Click Test connection to make sure the connection works. Once connection is tested successfully, you will be able to select this newly created integration when configuring mail servers or Jira Service Management email channels.

Test OAuth Integrations

  • When configuring "Email Settings" under project settings, you can select newly created OAuth 2.0 under the authentication method.

  • When configuring "Incoming Mail" under Jira global system administration menu, click "Add Mail Server" and you can select newly created OAuth 2.0 under the authentication method.

  • When configuring "Outgoing Mail" Jira global system administration menu, click "Configure new SMTP mail server". Under the "Service Provider" field, pick up Microsoft Exchange Online / Outlook (IMAP). At the "Authentication method" field, select the newly created OAuth 2.0. Remember to add scope https://outlook.office365.com/SMTP.Send for outgoing mail.

    ⚠️ OAuth 2.0 for SMTP outgoing mail servers is supported only in Jira 9.2 and above.

ℹ️ For troubleshooting OAuth2.0 integration issues with Jira global mail handlers or Jira Service Management mail handlers, please refer to our troubleshooting guide

Updated on April 2, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community