System requirements
Steps to set up Office 365 modern authentication for BlackBerry Dynamics apps
Enable modern authentication for the Mail service in BEMS
Enable modern authentication for the Connect and Presence services in BEMS
- Configure Skype for Business Online for the Connect service
  - Obtain an Azure app ID for the Connect client
- Configure Skype for Business Online for the Presence service
Obtain an Azure app ID for the BEMS-Connect, BEMS-Presence, and BEMS-Docs component service
Enable modern authentication for the Docs service in BEMS
Configure BlackBerry Work for iOS and Android app settings for Office 365 modern authentication
Configure BlackBerry Work for Windows and macOS app settings for Office 365 modern authentication
- Obtain an Azure app ID for BlackBerry Work for Windows and macOS
Configure BlackBerry Notes and BlackBerry Tasks app settings for Office 365 modern authentication
- Obtain an Azure app ID for BlackBerry Tasks and BlackBerry Notes
Add the BEMS instance to the Good Enterprise Services and BlackBerry Work entitlement app
Additional configuration options
- Configure single sign-on for BlackBerry Access in BlackBerry UEM
- Configure alternate login and Office 365 resource URLs
Troubleshooting

Authentication fails when email address and UPN do not match

By default, users authenticate using their email address when they use modern authentication. In most environments, the user’s email address and username in Azure AD are the same and authentication is successful. In hybrid environments, the username attribute in Azure is synchronized from the UPN value from Active Directory. This requires the users' email address and UPN values to match for authentication to be successful.

In some environments, users' email addresses and UPN values do not match. In this scenario, authentication will fail because the authentication token returned to the client from Azure is identified as being for the wrong user and is rejected.

The following client versions provide support for administrators to allow users to authenticate using the UPN instead of their email addresses:

BlackBerry Work for iOS

version 2.19 or later

BlackBerry Work for Android

version 2.19 or later

BlackBerry Notes for Android

version 2.19 or later

BlackBerry Notes for iOS

version 2.19 or later

BlackBerry Tasks for Android

version 2.19 or later

BlackBerry Tasks for iOS

version 2.19 or later

BlackBerry Connect

for

Android

version 2.8.2 or later

BlackBerry Connect

for

iOS

version 2.8.2 or later

For instructions about how to enable users to use UPN to authenticate, see Allow users to use the UPN to authenticate to Microsoft Exchange Online.

For instructions about how to configure

BEMS

to use an alternate email address to authenticate to

BEMS-Docs

, see Enable the use of an alternate email address to authenticate to BEMS-Docs.

If users are running earlier versions of the client in your environment, the user email addresses and UPN values match. If these values do not match, modern authentication will fail because the token being returned from

Azure

does not match the email address of the

BlackBerry Dynamics

app.

Microsoft

recommends that the email address and UPN match. For more information, visit https://support.blackberry.com/community/s/article/50721 to read article 000050721.

Section:

Troubleshooting