OAuth tokens of email account are disappearing when opening "Manage Token" page

Summary

Starting from October 13th, 2020, Microsoft deprecated basic authentication for Office365 email accounts, so users need to use OAuth 2.0 to authenticate their Office365 email accounts. This is documented in KB0781513. Sometimes a user can see that both the access and refresh tokens have been removed when opening the "Manage Token" page from their email account. This normally happens when there is an outage on the Microsoft Office365 side.

On the ServiceNow platform, there are two important OOTB (Out-Of-The-Box) scheduled jobs that maintain the OAuth tokens for any email account using the OAuth 2.0 authentication mechanism.

1. Scheduled job "Refresh Email Access Token"

This scheduled job runs repeatedly (once every 3 minutes) and calls another scheduled script, "Refresh Email Access Token", to refresh the access token for all OAuth 2.0 based email accounts in the 'sys_email_account' table. Please refer to the screenshot below.

Here is what the function 'checkAndRefreshAccessToken' does in script include 'EmailOAuthHelper':

a. It first goes through the sys_email_account.LIST table, and for each email account with an OAuth2 profile configured it grabs both the Access Token and the Refresh Token for validation. Below is the script doing this between lines 56~64.

=====================================
// Skip accounts that do not authenticate with OAuth 2.0
if (grEmailAccount.getValue("authentication") != "oauth2")
    return false;

// Build an account label for log messages (name, or sys_id if unnamed)
var accountMsg = grEmailAccount.getValue("name");
if (!accountMsg)
    accountMsg = grEmailAccount.getUniqueValue();
accountMsg = "Account=\"" + accountMsg + "\"";

var token = this.getToken(grEmailAccount.getUniqueValue(), grEmailAccount.getValue('oauth_profile'));
=====================================

b. Once the token is retrieved for this email account, it first checks whether the Access Token is expired. If not, it does nothing. Below is the script logic between lines 65~69.
=====================================
var accessToken = token.getAccessToken();
if (accessToken) {
    if (!this.isExpired(token.getExpiresIn(), 300))
        return;
}
=====================================

c. It then checks whether the Refresh Token is invalid (expired or missing). If it is invalid, manual token authorisation is needed, which means the customer needs to open the Email Account page and use the "Authorize Email Account Access" UI action to obtain both a new access token and a new refresh token. Below is the script logic between lines 71~79.

=====================================
if (!token.getRefreshToken()) {
    gs.error("No OAuth refresh token for active email account. Manual reauthorization required. " + accountMsg);
    return;
}

if (this.isExpired(token.getRefreshTokenExpiresIn(), 0)) {
    gs.error("OAuth refresh token for active email account is expired. Manual reauthorization required. " + accountMsg);
    return;
}
=====================================

d. If the Refresh Token is valid and only the Access Token is expired, the system runs the script below (lines 81~82) to automatically refresh the Access Token for this email account. Please be aware that the Refresh Token normally has a longer lifespan than the Access Token; the customer can set it to a maximum of 90 days for a Refresh Token issued from MS Azure.

=====================================
gs.info("Refreshing oauth access token for email. " + accountMsg);
this.refreshAccessToken(grEmailAccount.getUniqueValue(), grEmailAccount.getValue('oauth_profile'), token);
=====================================

2. Scheduled job "Clean Expired OAuth Credentials"

This scheduled job runs once per day to check for all expired tokens in the 'oauth_credential' table and delete them. By default, all tokens that have been expired for 4 hours are deleted by the scheduled job automatically. The default expiration (4 hours) is defined in the system property 'com.snc.platform.security.oauth.hours.expired.credential.is.kept' and can be modified according to the user's business requirements.
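
How the two scheduled jobs described above act on one account's tokens, as an added example in plain JavaScript that is not ServiceNow's own code. The record fields, the function names other than isExpired, the reading of the expiry values as seconds remaining, and the sample records are assumptions made for illustration.

```javascript
// Added example: a plain JavaScript model, not ServiceNow's EmailOAuthHelper code.
// Assumption: expiresIn values are seconds of lifetime left (negative once expired).
const RETENTION_HOURS = 4; // article's default for the cleanup system property

// Assumed semantics of isExpired(expiresIn, skew): expired when the remaining
// lifetime is inside the skew window (300 s for access tokens, 0 for refresh).
function isExpired(expiresInSec, skewSec) {
  return expiresInSec <= skewSec;
}

// Steps b-d of the article for one account's token record (hypothetical shape).
function refreshDecision(token) {
  if (token.accessToken && !isExpired(token.accessExpiresIn, 300)) return 'no-action';
  if (!token.refreshToken) return 'manual-reauthorization: no refresh token';
  if (isExpired(token.refreshExpiresIn, 0)) return 'manual-reauthorization: refresh token expired';
  return 'auto-refresh';
}

// Daily cleanup: a credential is deleted once it has been expired for longer
// than the retention window.
function cleanupDeletes(expiresInSec, retentionHours = RETENTION_HOURS) {
  return expiresInSec < -retentionHours * 3600;
}

// What "Manage Token" would show after one cleanup run, and what the next
// refresh run decides once the provider is reachable again.
function triage(token) {
  const after = { ...token };
  if (after.accessToken && cleanupDeletes(after.accessExpiresIn)) after.accessToken = null;
  if (after.refreshToken && cleanupDeletes(after.refreshExpiresIn)) after.refreshToken = null;
  return {
    accessTokenPresent: Boolean(after.accessToken),
    refreshTokenPresent: Boolean(after.refreshToken),
    nextRefreshRun: refreshDecision(after),
  };
}

// Constructed sample records (not real tokens).
const HOUR = 3600, DAY = 24 * HOUR;
const samples = {
  healthy: { accessToken: 'at-1', accessExpiresIn: 50 * 60, refreshToken: 'rt-1', refreshExpiresIn: 80 * DAY },
  outage5h: { accessToken: 'at-2', accessExpiresIn: -5 * HOUR, refreshToken: 'rt-2', refreshExpiresIn: 80 * DAY },
  bothLapsed: { accessToken: 'at-3', accessExpiresIn: -30 * HOUR, refreshToken: 'rt-3', refreshExpiresIn: -6 * HOUR },
  nearExpiry: { accessToken: 'at-4', accessExpiresIn: 200, refreshToken: 'rt-4', refreshExpiresIn: 80 * DAY },
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, JSON.stringify(triage(token)));
}
```

Only the bothLapsed record ends in manual reauthorization; the others are either left alone or picked up by the next refresh run.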

If an outage on the Microsoft Office365 side is not resolved before the "Next action" time of the "Clean Expired OAuth Credentials" scheduled job, all the expired tokens are deleted on the instance. The "Refresh Email Access Token" scheduled job will retrieve a new access token automatically once the outage is over. This is expected behavior on the instance.

Related Links

Any instance using OAuth 2.0 authentication based email accounts