
Obtain an Azure app ID for the

To grant permissions, you must use an account with tenant administrator permissions. 
  1. Sign in to portal.azure.com.
  2. In the left column, click Azure Active Directory.
  3. Click App registrations.
  4. Click New registration.
  5. In the Name field, enter a name for the app. For example, AzureAppIDforBEMS.
  6. Select a supported account type.
  7. In the Redirect URI drop-down list, select Web and enter https://localhost:8443.
  8. Click Register.
  9. Record the Application (client) ID.
  10. In the Manage section, click API permissions.
  11. Click Add a permission.
  12. In the Select an API section, click APIs my organization uses.
  13. If your environment is configured for Azure-IP, search for and click Microsoft Information Protection Sync Service. Set the following permission:
    • In delegated permissions, select the Read all unified policies a user has access to checkbox (UnifiedPolicy > UnifiedPolicy.User.Read).
  14. Click Add permissions.
  15. Click Add a permission.
  16. Complete one or more of the following tasks, depending on the services you use:

    Service: If you configure BEMS-Docs to use Microsoft SharePoint Online or Microsoft OneDrive for Business
    Permissions:
      1. Search for and click SharePoint.
      2. Set the following permissions:
        • Application permissions: None. Click Application permissions, click expand all, and make sure that the check boxes for all options are cleared.
        • Delegated permissions: Select the Read and write items and lists in all site collections checkbox (AllSites > AllSites.Manage).
      3. Click Add permissions.

    Service: If you use Microsoft Azure-IP
    Permissions:
      1. Click Microsoft Graph. If Microsoft Graph is not listed, add Microsoft Graph.
      2. Set the following permissions:
        • In application permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
        • In delegated permissions, select the Read directory data checkbox (Directory > Directory.Read.All).
      3. Click Update permissions.
  17. Wait a few minutes, then click Grant admin consent. Click Yes. This step requires tenant administrator privileges.
  18. To allow autodiscovery to function as expected, set the authentication permissions. Complete the following steps:
    1. In the Manage section, click Authentication.
    2. Under the Implicit grant section, select the ID Tokens checkbox.
    3. In the Default client type section, select No.
    4. Click Save.
  19. Define the scope and trust for this API. In the Manage section, click Expose an API. Complete the following tasks:

    Task: Add a scope
    The scope restricts access to data and functionality protected by the API.
    Steps:
      1. Click Add a scope.
      2. Click Save and continue.
      3. Complete the following fields and settings:
        • Scope name: Provide a unique name for the scope.
        • Who can consent: Click Admins and users.
        • Admin consent display name: Enter a descriptive name.
        • Admin consent description: Enter a description for the scope.
        • State: Click Enabled. By default, the state is enabled.
      4. Click Add Scope.

    Task: Add a client application
    Authorizing a client application indicates that the API trusts the application, so users are not prompted for consent.
    Steps:
      1. Click Add a client application.
      2. In the Client ID field, enter the client ID that you recorded in step 9 above.
      3. Select the Authorized scopes checkbox to specify the token type that is returned by the service.
      4. Click Add application.
  20. In the Manage section, click Certificates & secrets and add a client secret. Complete the following steps:
    1. Click New client secret.
    2. In the Description field, enter a key description of up to 16 characters, including spaces.
    3. Set an expiration date (for example, In 1 year, In 2 years, Never expires).
    4. Click Add.
    5. Copy the key Value. The Value is available only when you create it. You cannot access it after you leave the page.