When you enable Microsoft Azure Active Directory (AAD) Multi-Factor Authentication (MFA), you must then reconfigure K2 because switching MFA on or off invalidates all cached refresh tokens. This means that the tokens K2 cached are no longer valid and must be reissued by Azure. This includes cached user tokens and the K2 service account token.


To reconfigure K2 blackpearl 4.7 so that the service account's OAuth refresh token is valid, follow these steps:

  1. Open K2 Management
  2. Browse to Authentication > OAuth > Tokens
  3. Delete the Microsoft Online token associated with the identity of the K2 service account and the one used to run the Registration Wizard, if different
  4. Browse to the SharePoint app catalog's Site Contents page and click K2 blackpearl for SharePoint
  5. In the Administration section of the app settings page, click the Registration Wizard link and run the configuration again

You must follow these steps any time you turn MFA on or off, and for each app catalog in your environment. If you have K2 Five (which uses an App Only token for the service account) you do not need to follow these steps.

Advanced Troubleshooting

If the resolution above does not work, you can delete the service account's token using the following SQL script. To do this, copy the script below, replacing DENALLIX\K2Service with the FQN of your service account, and run the script on the K2 database.

DELETE [K2].[Authorization].[OAuthIdentity] FROM [K2].[Authorization].[OAuthIdentity]

INNER JOIN [K2].[HostServer].[SecurityCredentialCache]

       ON [K2].[Authorization].[OAuthIdentity].PrimaryCredentialID=[K2].[HostServer].[SecurityCredentialCache].PrimaryCredential

WHERE [K2].[HostServer].[SecurityCredentialCache].UserName = 'DENALLIX\K2Service'