Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Work 3.0
  3. Configuring Office 365 Modern Authentication for BlackBerry Dynamics Apps
  4. Configure BEMS to communicate with the Microsoft Exchange Server or Microsoft Office 365

Configure 
BEMS
 to communicate with the 
Microsoft Exchange Server
 or 
Microsoft Office 365

You must allow 
BEMS
 to authenticate to 
Microsoft Exchange Server
 or 
Microsoft Office 365
 to access users’ mailboxes and send notifications to users’ devices when new email is received on the device.
  1. In the 
    BlackBerry Enterprise Mobility Server Dashboard
    , under 
    BlackBerry Services Configuration
    , click 
    Mail
    .
  2. Click 
    Microsoft Exchange
  3. In the 
    Select Authentication type
     section, select an authentication type based on your environment and complete the associated tasks to allow 
    BEMS
     to communicate with the 
    Microsoft Exchange Server
     or 
    Microsoft Office 365
    :
    Authentication type
    Environment
    Description
    Task
    Integrated
    Microsoft Exchange Server
     on-premises
    This option uses 
    Windows
     authentication credentials to authenticate to the 
    Microsoft Exchange Server
    .
    No additional actions are required.
    Credential
    • Microsoft Exchange Server
       on-premises
    • Microsoft Office 365
    This option uses the 
    BEMS
     username and password to authenticate to the 
    Microsoft Exchange Server
     or 
    Microsoft Office 365
    .
    1. In the 
      Username
       field, enter the username of the 
      BEMS
       service account.
      • For 
        Microsoft Office 365
        , enter the service account's User Principal Name (UPN).
      • For on-premises 
        Microsoft Exchange Server
        , use the format <
        domain
        >\<
        username
        >. 
    2. In the 
      Password
       field, enter the password for the service account.
    Client Certificate
    • Microsoft Exchange Server
       on-premises
    • Microsoft Office 365
    This option uses a client certificate to allow the 
    BEMS
     service account to authenticate to the 
    Microsoft Exchange Server
     or 
    Microsoft Office 365
    .
    1. For the 
      Upload PFX file
      , click 
      Choose File
       and select the client certificate file. For instructions on obtaining the .PFX file, see Associate a certificate with the Azure app ID for BEMS
    2. In the 
      Enter PFX file Password
       field, enter the password for the client certificate. 
  4. Optional, in a 
    Microsoft Office 365
     environment that uses Credential or Client certificate authentication, do the following to enable Modern Authentication: 
    1. Select the 
      Enable Modern Authentication
       checkbox.
    2. In the 
      Authentication Authority
       field, enter the Authentication Server URL that 
      BEMS
       accesses and retrieve the OAuth token for authentication with 
      Microsoft Office 365
       (for example, https://login.microsoftonline.com/<
      tenantname
      >). By default, the field is prepopulated with https://login.microsoftonline.com/common.
    3. In the 
      Client Application ID
       field, enter one of the following 
      Azure
       app IDs depending on the authentication type you selected: one of the following. 
    4. In the 
      Server Name
       field, enter the FQDN of the 
      Microsoft Office 365
       server. By default, the field is prepopulated with https://outlook.office365.com.
    5. Optionally, select the 
      Use Credentials if Modern Authentication fails
       check box to allow 
      BEMS
       to communicate with 
      Microsoft Office 365
       in the event that 
      BEMS
       can't access the modern authentication source. When you select this check box, you must provide the 
      BEMS
       service account credentials. 
    When you configure Modern Authentication, all nodes use the specified configuration. 
  5. Under the 
    Autodiscover and Exchange Options
     section, complete one of the following actions: 
    Task
    Steps
    Override Autodiscover URL
    If you select to override the autodiscover process, 
    BEMS
     uses the override URL to obtain user information from the 
    Microsoft Exchange Server
     or 
    Microsoft Office 365
    . For more information about best practices when enabling autodiscover, see Best practice: Enabling autodiscovery.
    1. Select the 
      Override Autodiscover URL
       checkbox. 
    2. In the 
      Autodiscover URL
       Override Autodiscover field, type the autodiscover endpoint (for example, https://autodiscover<
      domain
      >.com/autodiscover/autodiscover.svc).
    Autodiscover and 
    Microsoft Exchange Server
     options 
    1. Select the 
      Swap ordering of <
      domain.com
      >/autodiscover and autodiscover. <
      domain.com
      >/autodiscover
       check box to assist in resolving the autodiscover URL. Consider selecting this option if the order results in timeouts or other failures. 
    2. Optionally, modify the 
      TCP Connect timeout for Autodiscover url (milliseconds)
       field as required to prevent failures when autodiscovery takes too long. By default, the timeout is set to 120000. The recommended timeout for the Autodiscover url is between 5000 milliseconds (5 seconds) and 120000 milliseconds (120 seconds). 
    3. By default, the 
      Enable SCP record lookup
       checkbox is selected. If you clear the checkbox, 
      BEMS
       does not perform a 
      Microsoft Active Directory
       lookup of Autodiscover URLs. This option is not available when Override Autodiscover URL is selected. 
    4. Optionally, select the 
      Use SSL connection when doing SCP lookup
       check box to allow 
      BEMS
       to communicate with the 
      Microsoft Active Directory
       using SSL. If you enable this feature, you must import the 
      Microsoft Active Directory
       certificate to each computer that hosts an instance of 
      BEMS
      . This option is not available when Override Autodiscover URL is selected.
    5. By default the 
      Enforce SSL Certificate validation when communicating with Microsoft Exchange and LDAP server
       check box is selected. If you clear this setting and use an un-trusted certificate, then the connection to the on-premises 
      Microsoft Exchange Server
       fails. 
    6. By default, the 
      Allow HTTP redirection and DNS SRV record
       check box is selected. If you clear the checkbox, you disable HTTP Redirection and DNS SRV record lookups for retrieving the Autodiscover URL when discovering users for 
      BlackBerry Work
      Push Notifications
    7. Optionally, select the 
      Force re-autodiscover of user on all Microsoft Exchange errors
       checkbox to force 
      BEMS
       to perform the autodiscover again for the user when the 
      Microsoft Exchange Server
       or 
      Microsoft Office 365
       returns an error message.
  6. In the 
    End User Email Address
     field, type an email address to test connectivity to the 
    Microsoft Exchange Server
     or 
    Microsoft Office 365
     using the service account. Click 
    Test
    . You can delete the email address after you complete the test.
    If the service account is correctly configured and the test fails, 
    BEMS
     is attempting to communicate with an 
    Microsoft Exchange Server
     that is not using a trusted SSL Certificate. If your 
    Microsoft Exchange Server
     is not set up to use a trusted SSL certificate, see Importing CA Certificates for BEMS.
  7. Click 
    Save
If you selected 
Client Certificate
 authentication, you can view the certificate information. Click 
Mail
. The following certificate information is displayed:
  • Subject
  • Issuer
  • Validation period
  • Serial number